
Find sending mail server's IP address from e-mail header

I want to perform an SPF authorization check. In order to do that, I need to get the IP address of the sending mail server. Although the rule is (in the case of multiple Received fields) that you should look at the last Received, after testing with some online tools, I concluded that they don't always look at the last one. Then I came across a post where it was explained that "to find the real sender of your email, you must find the earliest trusted gateway — last when reading the headers from top", so I queried MX records, but this is where I got confused.

For example, in the email header, I have 3 Received records.

    Received: by 2002:a05:6358:5292:b0:b2:cdb1:e2f7 with SMTP id g18csp109750rwa;
            Wed, 7 Sep 2022 23:51:25 -0700 (PDT)
    Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
            by mx.google.com with SMTPS id g29-20020a50d0dd000000b0044e7ab672f9sor5845875edf.52.2022.09.07.23.51.24
            for <pericapero1@gmail.com>
            (Google Transport Security);
            Wed, 07 Sep 2022 23:51:25 -0700 (PDT)
    Received: from v6928srv01.domain ([213.208.147.53])
            by smtp.gmail.com with ESMTPSA id d3-20020a17090694c300b0073dc4385d3bsm825021ejy.105.2022.09.07.23.51.23
            for <pericapero1@gmail.com>
            (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
            Wed, 07 Sep 2022 23:51:23 -0700 (PDT)

And the return path is:

    Return-Path: <info@jadranmoon.com>

When I query MX records for jadranmoon.com, I get this:

    nslookup -type=MX jadranmoon.com
    Server:  UnKnown
    Address:  192.168.100.1

    Non-authoritative answer:
    jadranmoon.com  MX preference = 1, mail exchanger = aspmx.l.google.com
    jadranmoon.com  MX preference = 10, mail exchanger = alt4.aspmx.l.google.com
    jadranmoon.com  MX preference = 5, mail exchanger = alt2.aspmx.l.google.com
    jadranmoon.com  MX preference = 5, mail exchanger = alt1.aspmx.l.google.com
    jadranmoon.com  MX preference = 10, mail exchanger = alt3.aspmx.l.google.com

    jadranmoon.com  nameserver = ns4.domaintechnik.at
    jadranmoon.com  nameserver = ns1.domaintechnik.at
    jadranmoon.com  nameserver = ns2.domaintechnik.at
    jadranmoon.com  nameserver = ns3.domaintechnik.at

I do not understand what those records mean to me. I expected to find something like mx.google.com, so I'd say the last trusted gateway is the second from the bottom (because it contains "by mx.google.com"), and I'd run an SPF check for domain jadranmoon.com and IP address 209.85.220.41. But what should I do when I get MX records like those?

If you have control over the gateway server that receives emails from the Internet, you can analyze the Received header added by it (the topmost one in the email headers). Since it is a server under your control, you can be pretty sure that the format of the header won't change in a way that will break your code.

Better yet, for easier parsing you could configure the mail transport agent (MTA) on the server to explicitly add a custom header with the connecting server address. Something like X-Connection-IP: 10.9.11.8.

(Those are valid solutions, but I wonder why you would use them to do SPF checks yourself, since you could configure the MTA to do that in the first place.)

Other than that, there's no reliable way to get the initial sender IP from the headers. A malicious attacker could have injected a fake Received header after the last hop under your control, and you would never know which one to trust.
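As an added example (not code from the question or the answer), the approach the answer describes in Python: walk the Received headers top-down, stop at the first hop stamped "by" a gateway you control, and take the peer IP that hop recorded; everything below it came from the peer and is never consulted. The sample headers are the ones quoted in the question (trailing "for"/TLS clauses trimmed); the set of trusted gateway hostnames is an assumption you supply for your own environment.

```python
import re
from email import message_from_string

# Constructed sample: the Return-Path and the three Received headers quoted in the
# question (trailing "for"/TLS clauses trimmed), in message order, newest hop first.
SAMPLE = """\
Return-Path: <info@jadranmoon.com>
Received: by 2002:a05:6358:5292:b0:b2:cdb1:e2f7 with SMTP id g18csp109750rwa;
        Wed, 7 Sep 2022 23:51:25 -0700 (PDT)
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id g29-20020a50d0dd000000b0044e7ab672f9sor5845875edf.52.2022.09.07.23.51.24;
        Wed, 07 Sep 2022 23:51:25 -0700 (PDT)
Received: from v6928srv01.domain ([213.208.147.53])
        by smtp.gmail.com with ESMTPSA id d3-20020a17090694c300b0073dc4385d3bsm825021ejy.105.2022.09.07.23.51.23;
        Wed, 07 Sep 2022 23:51:23 -0700 (PDT)
"""

# "from <host> (<comment>) by <host> ..."; the "from" clause is absent on internal hops.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+)?by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")   # bracketed peer address

def parse_received(value):
    """Return (from_host, from_ip, by_host) for one Received value, or None."""
    flat = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    ip = IP_RE.search(m.group("comment") or "")
    return m.group("from"), (ip.group("ip") if ip else None), m.group("by").rstrip(";")

def connecting_ip(raw_message, trusted_gateways):
    """Walk Received headers top-down and return the peer IP recorded by the first
    hop stamped 'by' a host we control (trusted_gateways: assumed, lowercase names).
    Headers below that hop were supplied by the peer and may be forged."""
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value)
        if hop and hop[2].lower() in trusted_gateways and hop[1]:
            return hop[1]
    return None                               # no trusted hop: do not guess

def spf_inputs(raw_message, trusted_gateways):
    """The two SPF inputs: connecting IP and the Return-Path (MAIL FROM) domain."""
    rp = message_from_string(raw_message).get("Return-Path", "")
    m = re.search(r"@([^>\s]+)", rp)
    return connecting_ip(raw_message, trusted_gateways), (m.group(1) if m else None)
```

With mx.google.com as the trusted gateway this yields 209.85.220.41 and jadranmoon.com, the pair the question arrived at by hand; with no trusted hop present it returns None rather than falling back to an untrusted header.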
