In today’s digital world, spam emails have become increasingly sophisticated, making them harder to identify at first glance. Fortunately, Gmail provides a powerful tool called “Show Original” that can help you investigate suspicious messages and identify telltale signs of spam. In this post, I’ll walk you through how to use this feature and what red flags to look for, using a real-world example.

What is “Show Original” in Gmail?

The “Show Original” feature allows you to view the complete email header and raw content of any message. This includes technical information about the email’s journey from sender to recipient, authentication results, and other metadata that’s normally hidden from view.

How to Access “Show Original”

1. Open the email in Gmail
2. Click the three dots (⋮) in the top-right corner of the email
3. Select “Show original” from the dropdown menu

Key Red Flags to Look For

Let’s examine a real spam email offering investment opportunities in student housing, and identify the warning signs visible in the “Show Original” view.

1. Failed Authentication Checks

One of the most reliable indicators of spam is failed authentication checks. In our example:

SPF: FAIL with IP 185.125.188.73
DKIM: 'FAIL' with domain realestateintouktr.co.uk

SPF (Sender Policy Framework) verifies that the sending server is authorized to send email for that domain. A failure means the email is likely spoofed.

DKIM (DomainKeys Identified Mail) verifies that the email content hasn’t been tampered with during transit. A failure indicates potential manipulation.

2. Mismatched Sender Information

Alignment: The From header Investment <invest@realestateintouktr.co.uk> does not match the SPF domain realestateintouktr.co.uk. 

This warning explicitly states that the sender’s address doesn’t align with the domain that should be sending the email – a classic sign of spoofing.

3. Suspicious Domain Names

The domain “realestateintouktr.co.uk” has several red flags:

• Unnecessarily long and complex
• Combines multiple concepts (“real estate”, “UK”, “into”)
• Lacks credibility markers of established businesses

Legitimate companies typically use straightforward, brand-focused domain names.

4. Unusual Routing Information

Looking at the email headers, we can see some suspicious routing patterns:

Received: from realestateintouktr.co.uk (realestateintouktr.co.uk [93.113.206.153]) by smtp-mx-ubuntu-1.canonical.com (Postfix) with SMTP id D5CAA13CE27 for <faizul@ubuntu.com>;

The email appears to have been routed through multiple servers, including one at Canonical (Ubuntu), which is unusual for a legitimate investment company.

5. Misleading Subject Lines and Content

The subject line “Earn 10% NET Returns with Fully-Managed Student Studios – From Just £79,999!” uses classic spam tactics:

• Promises unrealistically high returns (10% NET)
• Creates false urgency
• Mentions specific amounts to appear legitimate

6. Tracking Pixels and Hidden Elements

At the bottom of the HTML content, we find:

<img src="http://www.realestateintouktr.co.uk/email/open.php?M=1301046&L=138&N=3396&F=H&image=.jpg" height="1" width="10">

This is a tracking pixel that reports back to the sender when you open the email. While tracking pixels are used in legitimate marketing too, in combination with other red flags, they support the spam classification.

Other Technical Indicators

Weak Encryption Keys

dkim=policy (weak key) header.i=@realestateintouktr.co.uk

The email uses weak encryption keys, which legitimate businesses typically avoid.

Delivery Delays

Created at: Mon, Mar 17, 2025 at 3:00 PM (Delivered after 3726 seconds)

The email was delayed by over an hour (3726 seconds) before delivery, which can indicate it was held for additional spam checking.

Conclusion

By using Gmail’s “Show Original” feature, you can look beyond the surface-level content of suspicious emails and examine the technical details that reveal their true nature. The next time you receive a message that seems too good to be true or slightly off, take a moment to check these technical indicators.

Remember these key warning signs:

• Failed authentication checks (SPF, DKIM)
• Mismatched sender information
• Suspicious domain names
• Unusual routing information
• Unrealistic promises or urgency in content
• Hidden tracking elements

Stay vigilant and use these tools to protect yourself from phishing attempts and scams. Your digital security is worth the extra few seconds it takes to verify suspicious messages.

The post How to Recognize Spam Emails Using Gmail’s Show Original Feature appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.