Hiding inside of every email is a header, showing each step of the email's journey from point A to point Z and every pass through in between. The steps to view an email header vary between mail clients.

A word of caution. Like the envelope From address, email headers can themselves be forged. So while the headers can reveal the true sender in some - or even most - cases, there are instances where it just will not be possible.

In this example, the email was supposedly sent "From" admin@internet.com, but in reality, that's an address forged by the Sobig.F worm, stolen for the purpose of masking the real infected party.

    Received: by sphinx (mbox mlande)
     (with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Aug 20 19:41:38 2003)
    X-From_: admin@internet.com Wed Aug 20 19:40:22 2003
    Return-Path: <admin@internet.com>
    Received: from psmtp.com (exprod5mx37.postini.com [12.158.34.194])
     by sphinx.got.net (8.12.3/8.12.3/Debian-6.3) with SMTP id
     for <mary@indefense.com>; Wed, 20 Aug 2003 19:40:05 -0700
    Message-Id: <200308210240.h7L2e5A0016623@sphinx.got.net>
    Received: from source ([69.9.251.177])
     by exprod5mx37.postini.com ([12.158.34.245]) with SMTP;
     Wed, 20 Aug 2003 21:40:05 CDT
    From: <admin@internet.com>

Email headers should be read from the bottom up, for that is the order in which the message passed through the mail system to its ultimate destination.
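The bottom-up reading described above, as an added example that is not part of the original page: it lists the Received hops oldest first, then walks back down from the newest line to find the first connecting address outside the recipient's own relays, so forged lines further down are never trusted. Treating 12.158.34.0/24 as the recipient's relay range is an assumption made for this sample, and `hops` and `handoff_ip` are illustrative names.

```python
import ipaddress
import re
from email import message_from_string

# The page's header, re-wrapped into folded form and otherwise as published.
RAW = """\
Received: by sphinx (mbox mlande)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Aug 20 19:41:38 2003)
X-From_: admin@internet.com Wed Aug 20 19:40:22 2003
Return-Path: <admin@internet.com>
Received: from psmtp.com (exprod5mx37.postini.com [12.158.34.194])
 by sphinx.got.net (8.12.3/8.12.3/Debian-6.3) with SMTP id
 for <mary@indefense.com>; Wed, 20 Aug 2003 19:40:05 -0700
Message-Id: <200308210240.h7L2e5A0016623@sphinx.got.net>
Received: from source ([69.9.251.177])
 by exprod5mx37.postini.com ([12.158.34.245]) with SMTP;
 Wed, 20 Aug 2003 21:40:05 CDT
From: <admin@internet.com>
"""

# "from NAME (... [IP])": the bracketed IP is what the receiving server saw.
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\([^()\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([^\s;]+)")

def hops(raw):
    """Received hops, oldest first, as (claimed_name, peer_ip, by_host)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        f, b = FROM_RE.search(value), BY_RE.search(value)
        out.append((f.group(1) if f else None,
                    f.group(2) if f else None,
                    b.group(1) if b else None))
    return out

def handoff_ip(raw, own_networks):
    """First peer IP, scanning newest line first, that is outside our relays.
    Lines older than that hop were supplied by the sender and may be forged."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    for _name, ip, _by in reversed(hops(raw)):
        if ip is None:
            continue  # local delivery line: no connecting peer recorded
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None

if __name__ == "__main__":
    for hop in hops(RAW):
        print(hop)
    print("handoff:", handoff_ip(RAW, ["12.158.34.0/24"]))  # assumed relay range
```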