Someone sends you a threatening email. A phishing message lands in your inbox. A client swears they emailed you but you never received it. In all of these situations, finding the sender's IP address can tell you something useful — where the email actually originated, which mail server sent it, and whether the sender is who they claim to be.

Every email carries a trail of IP addresses baked into its headers. The trick is knowing where to look, what those entries actually mean, and — critically — when the trail has been deliberately hidden.

How Email Headers Work

When you send an email, it doesn't travel directly from your device to the recipient's inbox. It passes through a chain of mail servers, and each one stamps the message with a Received: header — its IP address, timestamp, and a note about where it received the message from.

Reading these headers from bottom to top reconstructs the actual path the email took. The bottom entry is the origin; each one above it is the next hop in the chain.

Received: from mail.example.com (203.0.113.42) by mx.google.com
Received: from [192.168.1.5] (helo=laptop) by mail.example.com

In this example, the email was sent from 192.168.1.5 (a private address, so on a local network), went through mail.example.com (203.0.113.42 — this is the one worth looking up), and was finally received by Google.

How to View Full Email Headers

Gmail

  1. Open the email
  2. Click the three-dot menu (⋮) in the top-right corner of the message
  3. Select Show original
  4. A new tab opens with the raw message headers

Outlook (Web)

  1. Open the email
  2. Click the three-dot menu → View → View message source

Or in the desktop app: File → Properties → the "Internet headers" box at the bottom.

Yahoo Mail

  1. Open the email
  2. Click the three-dot menu → View raw message

Apple Mail

  1. Open the email
  2. Menu bar: View → Message → All Headers (or press Shift + Cmd + H)

Finding the Sender's IP in the Headers

Once you have the raw headers, look for the chain of Received: lines. You want the lowest (earliest) Received: entry that contains an IP address you don't recognize as internal infrastructure.

Look for patterns like this:

Received: from [203.0.113.42] (unknown [203.0.113.42])
        by mx1.example.com (Postfix) with ESMTP id A1B2C

The IP in brackets is what you want. Copy it, then use a tool like IP Lookup to find out which country, ISP, and organization it belongs to.

You might also see an X-Originating-IP header in some mail systems — this is a convenience header that explicitly names the sender's IP, so check for that too.
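The bottom-to-top walk described above can be scripted. This is an added example, not code from the original article: the function names, the internal-range list and the sample message (built from the article's own Received: lines) are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Constructed sample built from the Received: lines shown in this article.
SAMPLE = """\
Received: from mail.example.com (203.0.113.42) by mx.google.com;
 Mon, 01 Jan 2024 10:00:05 +0000
Received: from [192.168.1.5] (helo=laptop) by mail.example.com;
 Mon, 01 Jan 2024 10:00:01 +0000
From: sender@example.com
Subject: constructed test message

body
"""

# Explicit internal ranges. ipaddress.is_private is not used because it also
# flags documentation ranges such as 203.0.113.0/24, which the sample uses.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(ip):
    return any(ip.version == net.version and ip in net for net in INTERNAL)

def hop_ips(received):
    """IPs in the 'from' clause of one Received: value: [1.2.3.4] or (1.2.3.4)."""
    from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
    found = []
    for token in re.findall(r"[\[(](?:IPv6:)?([0-9A-Fa-f:.]+)[\])]", from_clause):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # looked like an address but was not one
    return found

def trace_origin(raw):
    """Walk Received: headers bottom to top; report the earliest external IP.
    Hops below your own provider's servers are sender-supplied text."""
    msg = email.message_from_string(raw)
    path = [hop_ips(h) for h in reversed(msg.get_all("Received", []))]
    external = next((ip for hop in path for ip in hop if not is_internal(ip)), None)
    xoip = msg.get("X-Originating-IP", "").strip("[] ") or None
    return {"path": [[str(ip) for ip in hop] for hop in path],
            "earliest_external": str(external) if external else None,
            "x_originating_ip": xoip}

if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```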

The Gmail Problem (And the Outlook Problem)

Here's what most guides skip: Gmail has hidden sender IPs since 2012.

When someone sends you an email using Gmail (or Google Workspace), Google strips the sender's real IP address from the headers before delivery. What you see instead is a Google server IP — usually something in the 209.85.x.x range. You can look that up all you like; it'll just tell you it's a Google server in a Google data center.

The same applies to:

  • Outlook / Hotmail / Microsoft 365 — Microsoft strips sender IPs
  • Apple iCloud Mail — Apple strips sender IPs
  • ProtonMail — by design, for privacy

What you can still tell from a Gmail header:

  • That the email was sent via Gmail (the server stamps confirm this)
  • The approximate send time
  • Whether it came from Gmail web, a mobile app, or a third-party client (sometimes)

What you cannot tell: the sender's real IP, location, or ISP.

When Email Tracing Actually Works

Email IP tracing gives you real information when the sender is using:

  • Corporate or self-hosted mail servers — these almost always include the originating IP
  • Yahoo Mail — Yahoo does include sender IPs in headers (at least as of writing)
  • ProtonMail to non-ProtonMail recipients — ProtonMail adds X-Originating-IP in some configurations for external delivery
  • Smaller email providers — many budget hosts and ISP-provided email accounts still expose sender IPs
  • Spam and phishing emails — ironically, spam often has the richest headers because it's not sent from major providers

What to Do With the IP You Find

Once you have an IP address from the email headers, you have a few useful next steps:

Look up the geolocation. Use the IP Lookup tool to see the country, city (approximate), ISP, and organization associated with the address. For a phishing email, finding out it came from a known bulletproof hosting provider is useful information.

Check if it's on a blacklist. Run the IP through the IP Blacklist Checker to see if the sending server is already flagged for spam or malicious activity.

Run a WHOIS lookup. The WHOIS tool can give you more context on who owns the IP block — useful for reporting abuse.

Check the PTR record. A Reverse DNS lookup on the IP will show you what hostname it resolves to. Legitimate mail servers usually have a PTR record matching their domain. An IP that reverse-resolves to something like dynamic-pool-37.isp.net is a residential IP — someone likely sent that from a home connection.

Reading the Timestamp Evidence

Even when you can't get a usable IP, the timestamps in email headers can still tell a story. Each Received: hop has a timestamp with a timezone offset. Compare the timezone in the Date: header (set by the sender's mail client) to the server processing timestamps.

If someone claims they emailed you from London but the Date: header shows +0530 (India Standard Time), that's a signal worth noting.
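The timezone comparison can be done the same way. This is an added example, not part of the original article: the sample message is constructed, the function name is hypothetical, and it assumes every Received: value ends with "; date" and every timestamp carries an explicit offset.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the client clock claims +0530, the servers stamp in UTC.
SAMPLE = """\
Received: from mail.example.com (203.0.113.42) by mx.google.com;
 Mon, 01 Jan 2024 10:00:05 +0000
Received: from [192.168.1.5] (helo=laptop) by mail.example.com;
 Mon, 01 Jan 2024 10:00:01 +0000
Date: Mon, 01 Jan 2024 15:29:58 +0530
From: sender@example.com
Subject: constructed test message

body
"""

def timestamp_evidence(raw):
    """Compare the client-set Date: with each server-set Received: timestamp."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # oldest hop first
        # The timestamp is whatever follows the last ';' in a Received: value.
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append({"utc_offset": stamp.strftime("%z"),
                     "seconds_after_date": int((stamp - sent).total_seconds())})
    return {"client_utc_offset": sent.strftime("%z"),
            "hops": hops,
            # A Date: later than the first server stamp means the client clock
            # runs fast or the header was written by hand.
            "date_after_first_hop": bool(hops) and hops[0]["seconds_after_date"] < 0}

if __name__ == "__main__":
    print(timestamp_evidence(SAMPLE))
```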

Reporting Abusive Emails

If you've traced an IP and want to report abuse, most ISPs have an abuse contact. The WHOIS record for the IP usually includes an abuse@ email address. For spam, services like SpamCop can automate reporting across multiple networks.

For anything involving threats or illegal activity, preserve the full raw headers and contact the relevant authorities — the headers are evidence.

The Bottom Line

Email IP tracing works well for emails sent through corporate mail servers, Yahoo, and smaller providers. For Gmail, Outlook, and Apple Mail, the sender's IP is gone — you'll only see server infrastructure from those companies.

When you do find an IP:

  1. Look it up with IP Lookup for geolocation and ISP
  2. Check if it's blacklisted for reputation context
  3. Run a Reverse DNS lookup to see the hostname
  4. WHOIS the IP to find the abuse contact

The raw headers are the only reliable forensic artifact in an email — learn to read them and you'll know more than 99% of people about where a message actually came from.