The address shown in the From field of an email does not always identify who actually sent it. Forensic-Email examines the name displayed to you, the actual sending address, where replies would go, and the full routing path the message took.
Display Name Spoofing
The sender name shown in your inbox suggests a well-known brand, but the email was sent from a free email provider such as Gmail or Yahoo.
Address Local-Part Spoofing
The part of the email address before the @ sign contains a brand name, but the domain is a free email provider. For example, paypal.support@gmail.com looks official at a glance but has no connection to PayPal.
Display Name Formatted as Email Address
The sender's display name is formatted to look like an email address, but it differs from the actual sending address. Mail clients that show only the display name would present a misleading identity, making this a simple but effective spoofing technique.
Reply-To Mismatch
The From address and the Reply-To address belong to different organizations. If you reply to this email, your message will go to a different party than the one who appears to have sent it.
Sender Header Mismatch
The Sender header — which identifies who actually submitted the message to the mail system — belongs to a different organization than the From address. This can be a normal characteristic of email sent through third-party services, but it is also a routing anomaly worth reviewing.
Return-Path Mismatch
The bounce address (Return-Path) belongs to a different organization than the From domain. Delivery failures and some automated replies will go to a different party than the apparent sender.
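The header comparisons described so far (display name, local part, display name formatted as an address, Reply-To, Sender, Return-Path) can be sketched with Python's standard email parser. This is an added example, not Forensic-Email's own code; the provider and brand lists, the finding labels, the sample message and the two-label "organization" rule are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed, illustrative lists; a real checker would maintain much larger ones.
FREE_PROVIDERS = {"gmail.com", "yahoo.com"}
BRANDS = {"paypal"}

# Constructed sample message (not taken from a real email).
SAMPLE = """\
From: "PayPal Support" <paypal.support@gmail.com>
Reply-To: billing@example.net
Return-Path: <bounce@example.org>
To: someone@example.com
Subject: constructed sample

body
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def org(dom):
    # Assumption: organization = last two labels. Real code needs the Public Suffix List.
    return ".".join(dom.split(".")[-2:])

def check_sender(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    local, from_dom = addr.rpartition("@")[0].lower(), domain(addr)
    free = from_dom in FREE_PROVIDERS
    findings = []
    if free and any(b in name.lower() for b in BRANDS):
        findings.append("display-name-spoofing")
    if free and any(b in local for b in BRANDS):
        findings.append("local-part-spoofing")
    # Display name that looks like an address but is not the sending address.
    if "@" in name and name.strip().lower() != addr.lower():
        findings.append("display-name-as-address")
    for header, label in (
        ("Reply-To", "reply-to-mismatch"),
        ("Sender", "sender-mismatch"),
        ("Return-Path", "return-path-mismatch"),
    ):
        other = domain(parseaddr(msg.get(header, ""))[1])
        if other and org(other) != org(from_dom):
            findings.append(label)
    return findings
```

A subdomain of the From organization (for example a Reply-To at example.com for a From at mail.example.com) is treated as the same organization and raises no mismatch.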
Recipient Address Mismatch
This email was addressed to one address in the To field but was actually delivered to a different address. Phishing campaigns often place a decoy address in the To field while sending the same message to thousands of hidden targets.
BCC Recipient
Your address appears in this email's Bcc field rather than in To or Cc. This is normal for messages where the sender intentionally hid the recipient list and is flagged at low severity for transparency.
Undisclosed Recipients
This email was sent to an undisclosed recipient list — your address does not appear in the To field. Hiding the recipient list is a hallmark of mass phishing campaigns.
Forwarded via Free Email Provider
This email passed through a free email account before reaching you. Phishing campaigns sometimes chain messages through free accounts to obscure the true origin of the mail.
Mass Multi-Domain Recipient List
This email was sent to a large number of recipients spread across many different organizations. This pattern is characteristic of bulk phishing campaigns that blast identical messages to harvested contact lists.
Mass Marketing
This email was submitted through a commercial email marketing platform. This is common in legitimate marketing email, and is flagged at low severity so you can make your own judgment.
Opaque Marketing Platform Sender
The From address uses the domain of a commercial email marketing platform rather than the actual organization's domain. This makes it difficult to identify who really sent the email.
Machine-Generated Sender Address
The sender address contains a long hexadecimal token, indicating it was auto-generated by a CRM or email platform rather than assigned to a person. The actual sender identity cannot be determined from this address alone.