How to Trace an IP Address from an Email Header


Every email that arrives in your inbox carries metadata that describes the path it took from sender to recipient. Buried in that metadata are IP addresses belonging to the mail servers -- and sometimes the sender's device -- that handled the message. Extracting those addresses is useful for investigating spam, phishing, spoofing, and deliverability problems.

This guide walks through the process for Gmail, Outlook, and Yahoo Mail, explains which header fields matter, and highlights the limitations you will encounter with modern webmail providers.

Why Email Headers Contain IP Addresses

When a message is transmitted via SMTP (RFC 5321), each Mail Transfer Agent (MTA) along the route prepends a Received header. That header includes the IP address of the server that handed the message off, along with a timestamp. The result is a chain of Received headers that reads bottom-to-top, oldest to newest. Parsing that chain lets you trace the message back toward its origin.

Step 1: Access the Raw Headers

Gmail

  1. Open the message.
  2. Click the three-dot menu in the upper-right corner of the message pane.
  3. Select Show original.
  4. Gmail displays the full headers along with a summary of SPF, DKIM, and DMARC results.
  5. Copy the header text or use it directly for analysis.

Outlook (Outlook.com / Outlook Desktop)

Outlook on the web:

  1. Open the message.
  2. Click the three-dot menu and select View > View message source.

Outlook desktop (classic):

  1. Open the message in its own window.
  2. Go to File > Properties.
  3. The headers appear in the Internet Headers box at the bottom.

Yahoo Mail

  1. Open the message.
  2. Click the three-dot menu (More) next to the Reply button.
  3. Select View raw message.
  4. The full headers and body load in a new tab.

Once you have the raw headers, paste them into the InboxTooling Header Analyzer to get a parsed, human-readable breakdown automatically.

Step 2: Read the Received Headers

Look for lines that begin with Received:. Each one follows a general pattern:

Received: from sending-server (IP) by receiving-server (IP); timestamp

Start from the bottom of the header block and work upward. The bottommost Received header is the first hop -- the server that initially accepted the message. Each subsequent header represents the next relay in the chain.

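The IP address you care about most is typically in the first or second Received header from the bottom, since that is closest to the originating sender. Bear in mind that only the Received headers added by servers you trust are reliable; anything below them was supplied by the sending side and can be forged.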

Step 3: Look for X-Originating-IP

Some mail systems insert a proprietary header called X-Originating-IP that records the IP address of the device that submitted the message. Outlook.com historically included this header, making it straightforward to identify a sender's IP. Not all providers include it, and its presence has become less common as privacy practices evolve.

Other headers to watch for:

  • X-Sender-IP -- used by some providers.
  • X-Forwarded-For -- occasionally present when proxies are involved.
  • Authentication-Results -- while not an IP header, it tells you whether the sending IP passed SPF checks, which ties back to the originating server.
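
The reading order from Steps 2 and 3 can be scripted. The following is an added example, not code from this guide or from InboxTooling: it walks the Received chain bottom-to-top, pulls the address literals from each hop, marks RFC 1918 addresses that cannot be traced further, computes the delay between hops, and reads X-Originating-IP. The names `trace`, `extract_ips`, `LITERAL`, `RFC1918` and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by inbound.recipient.example with ESMTPS id abc123;
    Tue, 02 Jan 2024 10:00:45 +0000
Received: from relay.example.org (relay.example.org [203.0.113.25])
    by mx.example.net with ESMTP id def456;
    Tue, 02 Jan 2024 10:00:05 +0000
Received: from [192.168.1.20] (unknown [192.0.2.44])
    by relay.example.org with ESMTPSA id ghi789;
    Tue, 02 Jan 2024 10:00:01 +0000
X-Originating-IP: [192.0.2.44]
"""  # constructed sample: documentation-range IPs, made-up hostnames

# Address literals appear in [] or (), optionally tagged "IPv6:".
LITERAL = re.compile(r"[\[(](?:IPv6:)?([0-9A-Fa-f:.]+)[\])]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_ips(text):
    """Return every syntactically valid IP literal found in text."""
    found = []
    for candidate in LITERAL.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # bracketed token that is not an address
    return found

def trace(raw_headers):
    """Return (hops ordered oldest first, X-Originating-IP addresses)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom-to-top
        flat = " ".join(value.split())                   # unfold continuation lines
        from_part, _, rest = flat.partition(" by ")
        ips = extract_ips(from_part)
        hops.append({
            "by": rest.split(" ", 1)[0], "ips": ips,
            "private": [ip for ip in ips if any(ip in n for n in RFC1918)],
            "time": parsedate_to_datetime(flat.rpartition(";")[2].strip()),
        })
    for prev, cur in zip(hops, hops[1:]):  # seconds spent between hops
        cur["delay"] = (cur["time"] - prev["time"]).total_seconds()
    origin = msg.get("X-Originating-IP", "").strip(" []")
    return hops, extract_ips(f"[{origin}]")
```

In each hop, the bracketed address was recorded by the server named in the `by` clause, while the hostname after `from` is whatever the connecting side announced, so weigh the two differently.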

Step 4: Investigate the IP Address

Once you have an IP address, run it through the InboxTooling IP Reputation tool to check:

  • Whether the IP appears on public blocklists (DNSBLs).
  • Reverse DNS (PTR) records for the IP.
  • The ASN and network owner.
  • Geolocation data (country, region).

This information helps you determine whether the sending infrastructure is legitimate, belongs to a known email service provider, or is associated with spam operations.

Limitations with Webmail Providers

Modern webmail services like Gmail, Yahoo, and Outlook.com do not expose the sender's real client IP address in headers when the message is composed through their web interface or mobile app. Instead, the earliest (bottommost) Received header will show the IP of the provider's internal submission server -- a Google, Microsoft, or Yahoo data center address.

This means:

  • Gmail: The sender's device IP is not included. You will see Google infrastructure IPs only.
  • Outlook.com: Microsoft removed X-Originating-IP from consumer Outlook.com in recent years. The sender's IP is hidden.
  • Yahoo: Similar to Gmail -- internal Yahoo server IPs are what appear.

You can still trace IP addresses reliably when the sender uses a standalone mail client connected to a third-party SMTP server, a self-hosted mail server, or an enterprise system that preserves originating IPs.

Practical Uses for IP Tracing

  • Spam investigation: Identify the sending server and check its reputation.
  • Phishing analysis: Determine whether a message truly came from the claimed domain by cross-referencing the IP with SPF records.
  • Deliverability debugging: Confirm which server in the relay chain introduced a delay or modification.
  • Abuse reporting: Provide the originating IP to the relevant abuse contact or ISP.

Automate the Process

Manually parsing headers is tedious and error-prone, especially with long relay chains. The InboxTooling Header Analyzer parses the full header block, extracts every IP address, maps the relay hops, and flags authentication results -- all in seconds. Pair it with the IP Reputation checker to get blocklist and reverse DNS data for any address that stands out.
