How to Find the IP Address of an Email Sender

Learn how to find the IP address from email headers, what the IP reveals about the sender, and how to check if that IP is blacklisted.

Last updated: 2026-01-28

Every email carries hidden information about its journey from sender to recipient. This information, stored in email headers, includes IP addresses that can reveal where an email actually came from. Knowing how to find and interpret these IP addresses helps you investigate suspicious emails, troubleshoot delivery problems, and verify sender authenticity.

Why Find an Email's IP Address?

There are several legitimate reasons to look up an email's originating IP:

Investigating suspicious emails: When you receive a potentially fraudulent email, the IP address can reveal whether it actually came from the claimed sender or from somewhere else entirely.

Troubleshooting delivery issues: If your emails aren't reaching recipients, checking the sending IP helps identify whether it's blacklisted or has reputation problems.

Verifying sender location: The IP address can give you a general idea of the sender's geographic location, though this isn't always precise.

Security analysis: IT teams analyze email IPs when investigating phishing attempts or security incidents.

Checking your own sending IP: Before launching email campaigns, verify which IP addresses your emails originate from.

Understanding Email Headers

Email headers are lines of text at the top of every email message (usually hidden by default) that record the email's path through the internet. Each mail server the email passes through adds information to the headers.

Key headers to look for:

Received: The most important header for finding IP addresses. Each server that handles the email adds a Received line, creating a chain from origin to destination.

X-Originating-IP: Some email providers include this header showing the sender's IP address directly.

X-Sender-IP: Another variation that may contain IP information.

Authentication-Results: Shows the results of SPF, DKIM, and DMARC checks, often including IP addresses.

How to View Email Headers

Gmail

  1. Open the email
  2. Click the three dots (More) next to Reply
  3. Select "Show original"
  4. The headers appear at the top of the new window

Outlook (Web)

  1. Open the email
  2. Click the three dots (More actions)
  3. Select "View" → "View message source" or "View message details"

Outlook (Desktop)

  1. Open the email
  2. Go to File → Properties
  3. Headers appear in the "Internet headers" box

Apple Mail

  1. Open the email
  2. Go to View → Message → All Headers
  3. Or press Shift+Command+H

Yahoo Mail

  1. Open the email
  2. Click the three dots (More)
  3. Select "View raw message"

Finding the IP Address in Headers

Once you have the headers, look for the originating IP. Here's how to read them:

Method 1: Look for X-Originating-IP

Some providers make it easy. Search the headers for:

X-Originating-IP: [192.0.2.1]

This directly shows the sender's IP (or at least the IP they connected from).

Method 2: Trace the Received Headers

Received headers form a chain. Read them from bottom to top—the bottom-most Received header is the oldest and often closest to the original sender.

Example header chain:

Received: from mail.recipient.com (192.0.2.50)
    by final-server.example.com; Mon, 28 Jan 2026 10:00:00 -0500
Received: from outgoing.sender-isp.com (192.0.2.25)
    by mail.recipient.com; Mon, 28 Jan 2026 09:59:58 -0500
Received: from [192.0.2.1] (unknown [192.0.2.1])
    by outgoing.sender-isp.com; Mon, 28 Jan 2026 09:59:55 -0500

Reading from bottom to top:

  • 192.0.2.1 is likely the original sender's IP
  • 192.0.2.25 is the sender's ISP mail server
  • 192.0.2.50 is the recipient's mail server

Method 3: Check Authentication Results

The Authentication-Results header often includes the IP that was checked:

Authentication-Results: mx.recipient.com;
    spf=pass (sender IP is 192.0.2.1) smtp.mailfrom=sender.com
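
The three methods above applied in one pass, as an added example that is not part of the original article: it parses a raw message with Python's standard library and reports the IPs each header claims. The sample message is constructed from the header values shown above, and the function names are illustrative.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: the header values from the three methods above in one message.
RAW = """\
Received: from mail.recipient.com (192.0.2.50)
    by final-server.example.com; Mon, 28 Jan 2026 10:00:00 -0500
Received: from outgoing.sender-isp.com (192.0.2.25)
    by mail.recipient.com; Mon, 28 Jan 2026 09:59:58 -0500
Received: from [192.0.2.1] (unknown [192.0.2.1])
    by outgoing.sender-isp.com; Mon, 28 Jan 2026 09:59:55 -0500
Authentication-Results: mx.recipient.com;
    spf=pass (sender IP is 192.0.2.1) smtp.mailfrom=sender.com
X-Originating-IP: [192.0.2.1]
"""

TOKEN = re.compile(r"(?<![\w.:-])[0-9A-Fa-f:.]{3,}(?![\w.:-])")

def ips_in(text):
    """Valid IPv4/IPv6 literals found in text, in order, without duplicates."""
    found = []
    for tok in TOKEN.findall(text.replace("IPv6:", "")):
        try:
            found.append(str(ip_address(tok.rstrip("."))))
        except ValueError:
            continue  # timestamps, hex-looking words, partial matches
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def received_chain(msg):
    """Received hops oldest first (bottom to top): (IPs in 'from' part, 'by' host)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+([^\s;]+)", flat)
        from_part = flat[:by.start()] if by else flat
        hops.append((ips_in(from_part), by.group(1) if by else ""))
    return hops

def sender_ip_candidates(raw):
    """Apply Methods 1-3 to one raw message and report what each header claims."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    return {
        "x_originating_ip": ips_in(msg.get("X-Originating-IP", "")),
        "oldest_received": hops[0][0] if hops else [],
        "authentication_results": ips_in(" ".join(msg.get_all("Authentication-Results", []))),
        "chain": hops,
    }
```

When the three sources disagree, the disagreement itself is worth noting in an investigation.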

Watch out for webmail services

Emails sent through Gmail, Outlook.com, Yahoo, and similar services show Google's, Microsoft's, or Yahoo's server IPs—not the individual sender's IP. These providers strip the originating IP for privacy. You'll only see their infrastructure IPs.

What to Do With the IP Address

Once you've found the IP, you can:

Check if It's Blacklisted

Look the IP up on the major email blacklists. A blacklisted sending IP can explain delivery problems.

Look Up IP Reputation

Beyond blacklists, check the IP's overall reputation using services like:

  • AbuseIPDB
  • Cisco Talos Intelligence
  • IPVoid
  • VirusTotal

Geolocate the IP

IP geolocation services can tell you approximately where the IP is located. This can reveal:

  • Whether the claimed sender location matches the actual location
  • If the email came from an unexpected country
  • General information about the network (ISP, organization)

Note: Geolocation is approximate and can be inaccurate, especially for VPNs, cloud services, or mobile networks.

Perform a Reverse DNS Lookup

Reverse DNS reveals the hostname associated with an IP:

192.0.2.1 → mail.example.com

Legitimate mail servers usually have reverse DNS configured. Missing or suspicious reverse DNS can indicate spam sources.

Check IP Ownership

WHOIS lookups reveal who owns an IP address block. This can confirm whether the IP belongs to the organization it claims to come from.

Limitations and Caveats

Finding email IPs has important limitations:

Webmail Hides Sender IPs

Major webmail providers (Gmail, Outlook.com, Yahoo, iCloud) don't include the original sender's IP address. They only show their own server IPs. This protects user privacy but limits investigation capabilities.

VPNs and Proxies Mask Location

Senders using VPNs or proxy servers won't reveal their actual IP. You'll see the VPN or proxy IP instead.

Shared IPs Are Ambiguous

Many legitimate emails come from shared hosting or email services. The IP tells you about the service, not the individual sender.

Headers Can Be Partially Forged

Each server adds its own Received header as it handles the message, and those are hard to forge. The original sender, however, can insert fabricated Received lines before their ISP's server takes over, and these end up at the bottom of the chain. Be skeptical of any header below the one added by the first legitimate server.
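
One way to apply this caveat, as an added example rather than code from the original article: walk the Received lines from the top and stop at the first one not written by a server you trust. The trusted host list, the sample headers and the function names are assumptions made for illustration; "legitimate" is narrowed here to servers you operate, and only IPv4 literals are matched.

```python
import re
from email import message_from_string

# Constructed sample: the two upper hops were written by the recipient's own
# servers. The bottom Received line arrived with the message, so nothing
# vouches for the origin it claims.
RAW = """\
Received: from mail.recipient.com (192.0.2.50)
    by final-server.example.com; 28 Jan 2026 10:00:00 -0500
Received: from unknown (198.51.100.77)
    by mail.recipient.com; 28 Jan 2026 09:59:58 -0500
Received: from mail.bank.example (203.0.113.10)
    by smtp.bank.example; 28 Jan 2026 09:40:00 -0500
"""

# Assumption: hostnames of receiving servers you operate, lower-case.
TRUSTED = {"final-server.example.com", "mail.recipient.com"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def hops_newest_first(raw):
    """Received lines top to bottom as {'by': host, 'ip': first IPv4 in 'from' part}."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+([^\s;]+)", flat)
        ip = IPV4.search(flat[:by.start()] if by else flat)
        hops.append({"by": by.group(1).lower() if by else "",
                     "ip": ip.group(0) if ip else None})
    return hops

def split_at_trust_boundary(raw, trusted):
    """Return (last verifiable IP, verified hops, unverified hops)."""
    hops = hops_newest_first(raw)
    verified = []
    for hop in hops:  # top of the message downwards
        if hop["by"] not in trusted:
            break  # first line not written by a server we trust
        verified.append(hop)
    # The peer address logged by the lowest trusted hop is the last IP that
    # a trusted server observed; everything below it is an unverified claim.
    boundary_ip = verified[-1]["ip"] if verified else None
    return boundary_ip, verified, hops[len(verified):]
```

For the sample, the IP to investigate is 198.51.100.77, the address that connected to mail.recipient.com, not the 203.0.113.10 named in the bottom line.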

Mobile Networks Use Dynamic IPs

Emails sent from mobile devices may show carrier IPs that change frequently and don't meaningfully identify the sender.

Practical Examples

Example 1: Verifying a Legitimate Business Email

You receive an email claiming to be from your bank. Checking headers:

  • X-Originating-IP shows an IP belonging to the bank's email provider
  • SPF authentication passes for the bank's domain
  • Reverse DNS shows a server name matching the bank's infrastructure

This email is likely legitimate.

Example 2: Identifying a Phishing Attempt

You receive an email claiming to be from a major retailer:

  • The sending IP belongs to a residential ISP in another country
  • SPF fails for the retailer's domain
  • Reverse DNS shows no hostname or a suspicious one

This email is likely fraudulent.

Example 3: Troubleshooting Your Own Delivery

Your marketing emails are bouncing. You check a test email's headers:

  • The sending IP is different from what you configured
  • That IP is blacklisted
  • Your email provider is using a shared IP pool with reputation issues

Solution: Contact your provider about dedicated IPs or switch providers.

Tools for Email IP Analysis

Several tools automate header analysis:

MXToolbox Header Analyzer: Paste headers for automatic parsing and IP identification.

Google Admin Toolbox: Analyzes headers and highlights potential issues.

WhatIsMyIPAddress Email Header Analyzer: Simple header parsing with IP extraction.

Email Header Analyzer apps: Various browser extensions and apps parse headers automatically.

These tools extract IPs and present them clearly without manual header reading.

For Senders: Know Your Sending IP

If you send email (especially marketing or transactional email), know which IPs your email originates from:

  1. Send yourself a test email
  2. Check the headers to identify your sending IP
  3. Monitor that IP for blacklist status
  4. Ensure reverse DNS is properly configured
  5. Verify authentication (SPF/DKIM/DMARC) includes your sending IP

Understanding your own sending infrastructure helps you maintain deliverability and troubleshoot issues proactively.

Monitor Your Blacklist Status

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite checks major blacklists daily and alerts you if your domain or IP gets listed.
