Last updated: March 16, 2026

Email forwarding is a legitimate feature that millions of users rely on daily. However, it can also be exploited maliciously to silently redirect your correspondence to an unauthorized third party. Whether you’re a developer managing corporate email or a privacy-conscious user, knowing how to detect unauthorized forwarding is essential for maintaining email security.

This guide provides practical methods to identify if your emails are being forwarded without your knowledge, with code examples and tools suitable for technical users.

Prerequisites

Before you begin, make sure you have the following ready:

Step 1 - Understand Email Forwarding Mechanics

When an email is forwarded, the original message traverses multiple servers before reaching its destination. Each server adds diagnostic headers to the message, creating a trail that reveals the forwarding path. These headers become your primary investigative tool.

Email forwarding occurs in several forms:

Malicious forwarding typically happens through compromised accounts, unauthorized inbox rules, or compromised credentials. Attackers configure forwarding rules to exfiltrate sensitive communications without alerting the account owner.

Step 2 - Examining Email Headers

The most reliable method to detect forwarding involves analyzing raw email headers. Every email contains metadata that documents its journey through the mail system.

Finding Email Headers

Most email clients hide headers by default. Here’s how to access them:

Gmail - Open an email, click the three dots, select “Show original”

Apple Mail - View → Message → All Headers

Thunderbird - View → Headers → All

Programmatic access (Python):

import email
from email import policy
from email.parser import BytesParser

def extract_headers(raw_email):
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)

    # Extract all received headers (these trace the email's path)
    received = msg.get_all('Received')

    # Check for forwarding indicators
    for header in ['X-Forwarded-For', 'X-Originating-IP', 'Received-SPF']:
        if header in msg:
            print(f"{header}: {msg[header]}")

    return received

Key Headers That Reveal Forwarding

Several headers indicate forwarding activity:

Compare the “From” address against “Delivered-To” and “Return-Path” to identify discrepancies that suggest forwarding.

Step 3 - Detecting Unauthorized Forwarding Rules

Email providers offer various ways to view active forwarding rules. Checking these regularly helps catch unauthorized configurations.

Gmail

Access forwarding settings at Settings → Forwarding and POP/IMAP. You’ll see all configured forwarding addresses here. For programmatic access, use the Gmail API:

from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build

def check_gmail_forwarding(credentials):
    service = build('gmail', 'v1', credentials=credentials)

    # Get forwarding settings
    settings = service.users().settings().getForwardingAddress(
        userId='me'
    ).execute()

    for forward in settings.get('forwardingEmailAddresses', []):
        print(f"Forwarding to: {forward['forwardingEmail']}")

Microsoft 365 / Outlook

Use the Exchange Online PowerShell module:

Check forwarding rules
Get-InboxRule -Mailbox "user@domain.com" |
  Where-Object { $_.ForwardTo -or $_.RedirectTo } |
  Select-Object Name, ForwardTo, RedirectTo, Enabled

Check mailbox forwarding settings
Get-Mailbox user@domain.com |
  Select-Object ForwardingSmtpAddress, DeliverToMailboxAndForward

Apple iCloud

iCloud doesn’t provide a web interface for viewing rules. Use AppleScript to check:

tell application "Mail"
    set forwardRules to forwarding rules of account "iCloud"
    repeat with r in forwardRules
        log (name of r & ": " & (forwarding address of r as string))
    end repeat
end tell

Step 4 - Server-Side Detection for Administrators

If you administer your own mail server, several methods help detect forwarding anomalies.

Postfix Logging

Check /var/log/mail.log for forwarding patterns:

Find emails forwarded to external domains
grep -E "to=<.*@gmail\.com|to=<.*@yahoo\.com" /var/log/mail.log | \
  grep -E "from=<.*@yourdomain\.com"

Monitor for new forwarding aliases
grep "forward" /var/log/mail.log | tail -100

Checking DMARC and SPF Failures

Forwarded emails often trigger authentication failures. Monitor these:

Check for SPF/DKIM failures indicating forwarding
grep -E "spf=fail|dkim=fail" /var/log/mail.log | \
  awk '{print $NF}' | sort | uniq -c | sort -rn

Step 5 - Practical Detection Workflow

Implement a systematic detection process:

  1. Baseline your headers: Save headers from emails you know weren’t forwarded
  2. Compare new emails: Look for new “Received” chain entries or unexpected “X-Forwarded-For” values
  3. Verify forwarding rules: Check your provider’s forwarding settings weekly
  4. Monitor sent folder: Attackers forwarding your emails may use your account
  5. Set up alerts: Configure notifications for new forwarding rules

Automated Monitoring Script

Here’s a Python script that checks Gmail for suspicious forwarding:

import os
from datetime import datetime, timedelta
from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build

def monitor_forwarding(credentials_path='token.json'):
    credentials = Credentials.from_authorized_user_file(credentials_path)
    service = build('gmail', 'v1', credentials=credentials)

    # Check for recent forwarding rule changes
    history = service.users().history().list(
        userId='me',
        startHistoryId=os.environ.get('LAST_HISTORY_ID', '1'),
        historyTypes=['label']
    ).execute()

    # Get current forwarding addresses
    forwarding = service.users().settings().getForwardingAddresses(
        userId='me'
    ).execute()

    known_forwarders = ['your-personal@email.com']

    for addr in forwarding.get('forwardingEmailAddresses', []):
        if addr['forwardingEmail'] not in known_forwarders:
            print(f"ALERT: Unknown forwarding address: {addr['forwardingEmail']}")

    return history.get('historyId')

if __name__ == '__main__':
    alert_history_id = monitor_forwarding()
    print(f"Monitoring from history: {alert_history_id}")

Step 6 - What To Do If You Detect Unauthorized Forwarding

If you discover unauthorized forwarding:

  1. Immediately remove the rule: Access your email settings and delete suspicious forwarding addresses
  2. Change your password: Assume your account may be compromised
  3. Enable two-factor authentication: Add an extra layer of security
  4. Check for other rules: Look for additional malicious rules like email deletion or marking as read
  5. Review recent account activity: Check login history for unfamiliar locations
  6. Notify contacts: Inform people who emailed you recently that your account may have been compromised

Prevention Best Practices

Detecting unauthorized email forwarding requires vigilance and understanding of email metadata. By regularly examining headers, monitoring forwarding rules, and implementing automated checks, you can protect your communications from silent exfiltration.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

How long does it take to check if your email is being forwarded?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Can I adapt this for a different tech stack?

Yes, the underlying concepts transfer to other stacks, though the specific implementation details will differ. Look for equivalent libraries and patterns in your target stack. The architecture and workflow design remain similar even when the syntax changes.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles