How to Find the IP Address of an Email Sender

Identifying the origin of email messages


Internet emails are designed to carry the IP address of the computer from which the email was sent. This IP address is stored in an email header delivered to the recipient along with the message. Email headers can be thought of like envelopes for postal mail. They contain the electronic equivalent of addressing and postmarks that reflect the routing of mail from source to destination.

Finding IP Addresses in Email Headers

Many people have never seen an email header because modern email clients often hide the headers from view. However, headers are always delivered along with the message contents. Most email clients provide an option to enable the display of these headers if desired.

Internet email headers contain several lines of text. Some lines start with the words Received: from. Following these words is an IP address, such as in the following fictitious example:

Received: from (
by with SMTP; 30 Jun 2003 02:27:02 -0000

These lines of text are automatically inserted by email servers that route the message. If only one Received: from line appears in the header, a person can be confident this is the actual IP address of the sender.

Understanding Multiple 'Received: from' Lines

In some situations, however, multiple Received: from lines appear in an email header. This happens when the message passes through multiple email servers. Alternatively, some email spammers will insert additional fake Received: from lines into the headers themselves in an attempt to confuse recipients.

Identifying the correct IP address when multiple Received: from lines are involved requires a bit of detective work. If no faked information was inserted, the correct IP address is contained in the last Received: from line of the header. This is a good, simple rule to follow when looking at mail from friends or family.

Understanding Faked Email Headers

If faked header information was inserted by a spammer, different rules must be applied to identify a sender's IP address. The correct IP address will normally not be contained in the last Received: from line, because information faked by a sender always appears at the bottom of an email header.

To find the correct address, in this case, start from the last Received: from line and trace the path taken by the message by traveling up through the header. The by (sending) location listed in each Received header should match with the from (receiving) location listed in the next Received header below. Disregard any entries that contain domain names or IP addresses not matching with the rest of the header chain. The last Received: from line containing valid information is the one that contains the sender's true address.

Many spammers send their emails directly rather than through internet email servers. In these cases, all Received: from header lines except the first one will be faked. The first Received: from header line, then, will contain the sender's true IP address in this scenario.
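The header tracing described in the two sections above can be automated. The following is an added example, not code from the original article: it parses the Received: from lines and walks down from the top line (the one written by the recipient's own server), stopping at the first line that does not link to the one above it. The sample message, the function names and the plain hostname comparison are assumptions made for illustration; real servers may identify themselves under more than one name.

```python
import re
from email import message_from_string

# Constructed sample (not from the article); the bottom Received line is forged.
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [198.51.100.7])
\tby mail.recipient.example with ESMTP; Mon, 30 Jun 2003 02:27:10 -0000
Received: from dialup.example ([203.0.113.45])
\tby mx.isp.example with SMTP; Mon, 30 Jun 2003 02:27:02 -0000
Received: from bank.example ([192.0.2.99])
\tby relay.bank.example with SMTP; Mon, 30 Jun 2003 02:20:00 -0000
From: someone@bank.example
Subject: constructed test message

body
"""

HOP = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def parse_hops(raw):
    """Return the Received hops, top to bottom, as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # no "from ... by ..." pair on this line
        ip = IPV4.search(m["frm"])
        hops.append({
            "names": {h.lower() for h in HOST.findall(m["frm"])},
            "ip": ip.group() if ip else None,
            "by": m["by"].lower(),
        })
    return hops

def origin_hop(raw):
    """Lowest hop still linked to the recipient's own server, or None."""
    hops = parse_hops(raw)
    if not hops:
        return None
    trusted = hops[0]  # added by the recipient's own mail server
    for lower in hops[1:]:
        # The server that received the lower hop ("by") must be the one
        # that passed the message on in the hop above it ("from").
        if lower["by"] not in trusted["names"]:
            break  # chain broken: this line and everything below is suspect
        trusted = lower
    return trusted
```

For the constructed sample, `origin_hop(SAMPLE)["ip"]` is 203.0.113.45: the forged bottom line claiming 192.0.2.99 is disregarded because no hop above it names relay.bank.example as its source.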

Internet Email Services and IP Addresses

Finally, the popular Internet-based email services differ greatly in their use of IP addresses in email headers. Use these tips to identify IP addresses in such emails.

  • Google's Gmail service omits the sender IP address information from all headers. Instead, only the IP address of Gmail's mail server is shown in Received: from. This means it is impossible to find a sender's true IP address in a received Gmail message.
  • Microsoft's service usually provides the IP address in the first Received: from.
  • Emails from Yahoo! contain the sender's IP address in the last Received: entry.