The Email Detective: How to Spot a Phish
Field Guide · 7 Chapters · Headers to BEC
Incoming transmission
Every email you receive has two layers. The one your client shows you — the name, the subject, the body. And the one it hides — the headers. The headers record where the email actually came from, which servers touched it, whether it passed authentication, and a dozen other details the attacker is hoping you never think to check.
In 2026 AI writes phishing emails. They are grammatically perfect, professionally toned, and personalized to you. Typos are gone. Focus on who actually sent it and where the links actually go — not how it reads.
Franklin clicked the link. The email looked right. The sender name matched. The subject was plausible. What he didn't check was the Return-Path pointing to a bulk mail host in Eastern Europe, the SPF fail, the DKIM absence, and the Reply-To address pointing to a Protonmail inbox the attacker controlled. All of that was there. It's always there. You just have to know where to look.
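Each indicator in Franklin's story lives in a named header and can be checked mechanically. The following is an added example, not part of this guide: it parses a constructed raw message (the addresses, the bulk-mail host and the `mx.example.com` receiving server are all made up) and flags a Return-Path domain that differs from From, an SPF fail in Authentication-Results, a missing DKIM result, and a Reply-To on a different domain from the visible sender.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not a real email) reproducing the indicators
# in the Franklin story: bulk-mail Return-Path, SPF fail, no DKIM result,
# and a Reply-To on a different domain from the From header.
RAW_MESSAGE = """\
Return-Path: <bounce-4471@bulk-mailer.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-mailer.example
From: "Accounts Payable" <ap@trusted-vendor.example>
Reply-To: <ap.trusted-vendor@protonmail.example>
To: franklin@example.com
Subject: Updated invoice - action required

Please review the attached invoice at your earliest convenience.
"""

def domain_of(addr_header):
    """Lower-cased domain from a header like 'Name <user@dom>' ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()

def auth_result(msg, method):
    """Result ('pass', 'fail', ...) the receiving server recorded for one
    method in Authentication-Results, or None if it recorded nothing."""
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.split(";")[1:]:          # clause 0 is the authserv-id
            key, _, value = clause.strip().partition("=")
            if key == method:
                return value.split()[0].lower()
    return None

def inspect(raw):
    """Return the list of header-level findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    if auth_result(msg, "spf") == "fail":
        findings.append("SPF fail recorded by receiving server")
    if auth_result(msg, "dkim") is None:
        findings.append("no DKIM result (message is unsigned or unverified)")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    return findings
```

Running `inspect(RAW_MESSAGE)` yields all four findings; a message whose Return-Path, From and Reply-To share a domain and whose Authentication-Results show `spf=pass` and `dkim=pass` yields none.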
Seven chapters. We start with what headers are and how to find them. Then the Received chain — how email actually travels and how to trace it. Then the three authentication protocols that make spoofing harder: SPF, DKIM, and DMARC. Then the full spectrum of spoofing and lookalike techniques. Then — critically — what headers can't catch: compromised accounts, thread hijacking, and Business Email Compromise. Then the free tools that make investigation fast. Then three complete case files you work through yourself.
This manual is useful whether you're a first-time email user who just wants to stop getting fooled, or a security analyst who needs to review suspicious emails every day. The chapters build on each other — read it once for the overview, come back when you have a suspicious email in front of you.
— Commander Shepard
