You need to read the email header from bottom to top. The Received: field(s) will show you the path the email took to its final destination, all the intermediate servers that the email passed through. The actual submitter of the email is in the first (from the bottom) Received: field.
The From: field cannot always be trusted because it is possible to forge it on some badly configured sending servers, so to reveal what was really used in the communication protocol in place of MAIL FROM: one can investigate the header field Received-SPF:, which will disclose the real sender's email in the sub-field envelope-from= (of course this field would be available only if the receiving server cares to check SPF, which prevents email forging).
The Received-SPF: field also indicates the status of the SPF check; if it passes verification, that confirms the email was really sent from an email server that the domain owner authorized to send emails.
If a sender's server cares about its users, there could also be a DKIM: field, which is the digital signature and integrity mechanism that guarantees that the email was truly sent via an authorized email server and the message itself wasn't forged. (It works kind of like HTTPS, but is used only to protect the integrity of the original email, so if some middleman tried to change something in the email, then public key cryptography would trigger an error.)
The fields above are the most useful for identifying the real sender as well as for making sure that the email wasn't forged.
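
The reading order described in the answer above, as an added example that is not part of the original post: it walks the Received: fields bottom to top and compares the envelope-from= reported in Received-SPF: with the visible From:. The sample message, host names, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (reserved example domains and RFC 5737 addresses).
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id 2; Sat, 11 Aug 2018 17:40:03 +0000
Received-SPF: pass (inbox.example.org: domain of bounce@mailer.example.net
\tdesignates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
\tenvelope-from=bounce@mailer.example.net; helo=mx.example.net;
Received: from workstation (unknown [203.0.113.25])
\tby mx.example.net with ESMTPSA id 1; Sat, 11 Aug 2018 17:40:01 +0000
From: "Support" <support@example.com>
To: user@example.org
Subject: constructed sample

body
"""
MSG = message_from_string(RAW)

def unfold(value):
    return " ".join(value.split())  # collapse folded header lines

def received_path(msg):
    """Return (from_host, from_ip, by_host) per hop, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom to top
        m = re.search(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", unfold(value))
        hops.append(m.groups() if m else (None, None, None))
    return hops

def spf_summary(msg):
    """Return (result, envelope_from), or None if no Received-SPF: field."""
    value = unfold(msg.get("Received-SPF", ""))
    if not value:
        return None
    m = re.search(r'envelope-from="?<?([^;\s">]+)', value)
    return value.split()[0].lower(), (m.group(1) if m else None)

def from_matches_envelope(msg):
    """True/False if From: domain equals envelope-from domain, None if unknown."""
    spf = spf_summary(msg)
    if spf is None or spf[1] is None:
        return None
    header_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return header_domain == spf[1].rpartition("@")[2].lower()
```

Only the Received: and Received-SPF: fields written by your own receiving server can be relied on; everything below them was supplied by the sending side.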
Can you check the sender's IP in the mail headers? – alfred – 2018-08-11T17:56:25.047
Possibly. [edit] the question to include the full mail headers. – DavidPostill – 2018-08-11T18:03:09.613
Do not post any actual IP – alfred – 2018-08-11T19:16:09.893
You need to read the email header from bottom to top; the Received field(s) will show you the path it took to the final destination. The actual submitter is in the first (from the bottom) Received field. The Received-SPF field will disclose what was used in the real From when the servers talked to each other. – Alex – 2018-08-11T19:44:26.667
Comments are actually not a good place to answer a question, so I expanded it and moved it to the answer section. – Alex – 2018-08-11T23:28:37.063