Review the Email Header

In Outlook,  select "View message details" to see the raw email.   In Gmail, select "Show original" to see the raw email.  

Review the header to make sure it follows the rules below, if it breaks one or more of these rules the message could be a phishing message.

Rule 1: If the domains in the fields below do not match, it could be a phish.

  • smtp.mailfrom
  • Return-Path
  • From:
  • Reply-to/Bounces-to

Rule 2: If the email travel path is less than 2 it could be a phish.  An email should travel through at least two email servers the "sending" server and the "receiving" server. See the "Received" items in the header to review the email server travel path.  The "Received" item should be consistent with the origin country of the message.  If you see China or Russia in the originating "Received" item it could be a phish.

Rule 3: If the email does not pass the DKIM or SPF check, it could be a phish.  The email header should show the following:

  • spf=pass
  • dkim=pass

Review the Attachments

Rule 4: If the attachment has one of the following extensions, it could be a phish.   Please use an email security scanning tool or private cloud sandbox to scan the attachment.  Do not download the file onto your machine locally.

  • .html
  • .zip
  • .bat
  • .exe
  • .xls
  • .doc
  • .rtf
  • .pdf
  • .img
  • .iso

Rule 5: Hover over the link.  If the displayed link does not match the linked URL, it could be a phish.   If the linked URL does not match the context of the email, it could be a phish.

Final Thought

These are the five basic rules for analyzing phishing emails that are sent via the  HacWare Reporter Tool.  We highly recommend investing in an email security tool and gateway that will quarantine suspicious emails and attachments.  Or hire an expert managed service provider (MSP) to manage your information security needs.  If you have any questions or need a recommendation for an MSP please reach out to us at

‌Learn more about HacWare at If you are a Managed Security Service provider (MSSP) or IT professional, we would love to automate your security education services, click here to learn more about our partner program.