I pretty frequently get requests for help from someone who has been impersonated—or whose child has been impersonated—via email. Even when you know how to "view headers" or "view source" in your email client, the spew of diagnostic wharrgarbl can be pretty overwhelming if you don't know what you're looking at. Today, we're going to step through a real-world set of (anonymized) e-mail headers and describe the process of figuring out what's what.
Before we get started with the actual headers, though, we're going to take a quick detour through overview of what the overall path of an email message looks like in the first place. (More experienced sysadmin types who already know what stuff like "MTA" and "SPF" stand for can skip a bit ahead to the fun part!)
From MUA to MTA, and back to MUA again
The basic components involved in sending and receiving email are the Mail User Agent, and Mail Transfer Agent. In the briefest possible terms, an MUA is the program you use to read and send mail from your own personal computer (like Thunderbird, or Mail.app, or even a webmail interface like Gmail or Outlook) and MTAs are programs that accept messages from senders and route them along to their final recipients.