I've explained this in my answer here.
Basically, you look at the headers (there should be some option "view original" in your email provider. For GMail it's "show original message" below the reply arrow). Specifically, the `Received:` headers of the type `Received: from abc.com (IP address) by def.com (IP)`. These headers are written by the `by` server, when they get your email from the `from` server.
Let's assume you use GMail¹. The bottommost `Received:` headers are of the form `from something.google.com (IP) by somethingelse.google.com (IP)`. These will be correct. If you want to be certain, do a reverse DNS lookup on the IPs and ensure that they match with the given domain.
Alright. Now, at one point, while going up the header list, you will find a header of the form `from abc.com (IP) by something.google.com`. You can trust this header as well. Now, check if the `from` of this header matches the `by` of the one above it (verify the reverse DNSs as well). Also, check if you really trust the server in the `from` of this header. If the server is something like `nigerianprince.x123.cscabgvj.ng` (basically the second-level domain name isn't trusted), it's probably untrustworthy and the rest of the headers above it may have been spoofed by it. If not, then move up one header and repeat till you reach the last one. If you manage to reach the last one without trust issues, the email comes from where it claims to.
¹ Note that for most major email providers, GMail can tell if the email is spoofed, and will show a "From billgates@microsoft.com via apple.com" or something when the email doesn't come from where it claims to do so. Note that this has legitimate uses in mailing lists, so don't automatically distrust all emails with a via in them. (Distrust them if you distrust the "via" domain.)
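The hop-by-hop walk described in the answer, written out as a small Python script. This is an added example, not code from the answer above. It starts at the hop your own provider wrote (each relay prepends its `Received:` header, so that is the first one in the raw message) and moves toward the sender, applying the three checks from the answer at every hop: the hop's `by` must equal the previous hop's `from`, the reverse DNS of the connecting IP must match the `from` name, and the `from` server's second-level domain must be one you trust; the walk stops at the first failure, since everything past it could have been written by an untrusted relay. The sample messages, hostnames, IP addresses, the reverse-DNS table and the `audit_chain`/`parse_hops`/`registrable_domain` names are all constructed for this example; the reverse-DNS lookup is injected so the script runs offline (a `socket.gethostbyaddr` wrapper is included for live use).

```python
"""Walk a message's Received: chain hop by hop (added example; all data below is constructed)."""
import email
import re
import socket
from email import policy
from typing import Callable, Dict, List, Optional, Tuple

# "from <host> (<comment>) by <host>"; the comment normally carries the client's rDNS name and [IP].
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: a clean three-hop delivery from sender.test into example-mail.test.
CLEAN_MESSAGE = """\
Received: from mx2.example-mail.test (mx2.example-mail.test [192.0.2.11])
        by inbox7.example-mail.test with ESMTPS id c1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp.sender.test (smtp.sender.test [198.51.100.7])
        by mx2.example-mail.test with ESMTPS id c2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from client.sender.test (client.sender.test [203.0.113.9])
        by smtp.sender.test with ESMTPA id c3; Mon, 1 Jan 2024 10:00:01 +0000
From: Bob <bob@sender.test>
To: alice@example-mail.test
Subject: hello

body text
"""

# Constructed sample: same first two hops, but the bottom header claims a bank relay that
# smtp.sender.test never actually spoke to, so the chain does not link up.
FORGED_MESSAGE = CLEAN_MESSAGE.replace(
    "Received: from client.sender.test (client.sender.test [203.0.113.9])\n"
    "        by smtp.sender.test with ESMTPA id c3;",
    "Received: from mail.bank.test (mail.bank.test [203.0.113.40])\n"
    "        by relay.bank.test with ESMTPS id c3;",
)

# Constructed reverse-DNS answers standing in for real PTR lookups.
RDNS_TABLE: Dict[str, str] = {
    "192.0.2.11": "mx2.example-mail.test",
    "198.51.100.7": "smtp.sender.test",
    "203.0.113.9": "client.sender.test",
    "203.0.113.40": "mail.bank.test",
}


def live_reverse_dns(ip: str) -> Optional[str]:
    """Real PTR lookup for use outside this offline example."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror, OSError):
        return None


def parse_hops(raw_message: str) -> List[dict]:
    """Received hops in header order: index 0 is the newest (your provider's), last is nearest the sender."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines, squeeze whitespace
        m = HOP_RE.search(text)
        if not m:
            hops.append({"frm": None, "by": None, "ip": None, "raw": text})
            continue
        ip = IPV4_RE.search(m.group("comment") or "")
        hops.append({"frm": m.group("frm").strip("[]").lower(), "by": m.group("by").lower(),
                     "ip": ip.group(1) if ip else None, "raw": text})
    return hops


def registrable_domain(host: str) -> Optional[str]:
    """Last two labels (mx2.example-mail.test -> example-mail.test); None for IP literals.
    Simplification: no public-suffix list, so names under e.g. co.uk come out wrong."""
    if IPV4_RE.fullmatch(host):
        return None
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def audit_chain(raw_message: str, trusted_domains: set,
                reverse_dns: Callable[[str], Optional[str]]) -> Tuple[int, List[str]]:
    """Return (number of hops that passed, findings). The walk stops at the first failed check."""
    hops, findings = parse_hops(raw_message), []
    for i, hop in enumerate(hops):
        label = f"hop {i}"
        if hop["frm"] is None:
            findings.append(f"{label}: unparseable Received header; stop")
            return i, findings
        if i > 0 and hop["by"] != hops[i - 1]["frm"]:  # continuity with the hop above it
            findings.append(f"{label}: 'by' {hop['by']} != previous 'from' {hops[i - 1]['frm']}; chain broken, stop")
            return i, findings
        if hop["ip"] is not None:  # the name the relay claims must match the IP's PTR record
            ptr = reverse_dns(hop["ip"])
            if ptr != hop["frm"]:
                findings.append(f"{label}: rDNS of {hop['ip']} is {ptr!r}, not {hop['frm']}; stop")
                return i, findings
        dom = registrable_domain(hop["frm"])
        if dom not in trusted_domains:  # beyond an untrusted relay, every header may be its invention
            findings.append(f"{label}: {hop['frm']} (domain {dom}) not trusted; headers beyond it may be forged; stop")
            return i, findings
        findings.append(f"{label}: {hop['frm']} -> {hop['by']} ok")
    findings.append("reached the last hop: chain verified end to end")
    return len(hops), findings


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_MESSAGE), ("forged", FORGED_MESSAGE)):
        passed, notes = audit_chain(raw, {"example-mail.test", "sender.test", "bank.test"}, RDNS_TABLE.get)
        print(name, passed, *notes, sep="\n  ")
```

The trusted-domain set is the judgement call the answer leaves to you: with `sender.test` excluded, the walk stops one hop earlier with a "not trusted" finding rather than a forgery, which is the distinction between "this relay lied" and "I simply have no reason to believe this relay".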