Current Volume 9
Abstract
Email communication remains the dominant vector for advanced cyber-attacks, including phishing, spoofing, and Business Email Compromise (BEC). Conventional email security mechanisms rely predominantly on content-based analysis encompassing Natural Language Processing (NLP), keyword filtering, and signature-based detection which are increasingly inadequate against modern adversarial techniques such as clean-text phishing, image-based payloads, and AI-generated deceptive messages. This paper presents a novel forensic-aware, machine learning-driven framework that shifts the analytical focus from email body content to Simple Mail Transfer Protocol (SMTP) header metadata. Email headers encode verifiable forensic information relay paths (Received fields), originating IP addresses, timestamp sequences, and authentication outcomes (SPF, DKIM, DMARC) that collectively represent a tamper-resistant record of an email's transmission behavior. Unlike body content, header metadata is structurally constrained and considerably more difficult for attackers to consistently manipulate across multiple relay nodes. The proposed framework introduces a comprehensive feature engineering pipeline that extracts temporal, network, topological, and authentication-level attributes from SMTP headers. These features are processed through an ensemble of machine learning models Random Forest (RF), Isolation Forest, and XGBoost enabling both supervised classification of known attack patterns and unsupervised detection of novel anomalies. A critical contribution of this research is the integration of forensic traceability with automated detection: the system reconstructs email transmission paths and preserves evidentiary artifacts suitable for digital forensic investigation and legal proceedings. Experimental evaluations on datasets derived from SpamAssassin and PhishTank repositories demonstrate that the proposed ensemble model achieves an F1-score of approximately 0.969 and an AUC-ROC of 0.983, representing a 5–8% improvement over content-only baseline models. False positive rates are simultaneously reduced from 11.2% to 3.1%, ensuring operational reliability in enterprise environments. This research establishes a scalable, intelligent, and forensically defensible paradigm for combating sophisticated email-based cyber-threats.
Keywords
Anomaly Detection, Digital Forensics, Email Spoofing, Ensemble Learning, Feature Engineering, Graph-Based Topology, SMTP Header Analysis, Digital Forensics, Phishing Detection
Citations
IRE Journals:
Deepa B, Dr. Balamurugan S "Email Header Analysis for Digital Forensics Using Machine Learning" Iconic Research And Engineering Journals Volume 9 Issue 11 2026 Page 2589-2599 https://doi.org/10.64388/IREV9I11-1717944
IEEE:
Deepa B, Dr. Balamurugan S
"Email Header Analysis for Digital Forensics Using Machine Learning" Iconic Research And Engineering Journals, 9(11) https://doi.org/10.64388/IREV9I11-1717944
About IRE Journals
IRE Journals is an open access online journals established with an aim to publish high quality of research work in various diciplines. We have more than 6 years in publications. Over 2500+ papers already published.
Important Links
For Authors
Volume 8:
Issue 1, Issue 2, Issue 3, Issue 4, Issue 5, Issue 6, Issue 7, Issue 8, Issue 9, Issue 10, Issue 11, Issue 12Volume 7:
Issue 1, Issue 2, Issue 3, Issue 4, Issue 5, Issue 6, Issue 7, Issue 8, Issue 9, Issue 10, Issue 11, Issue 12Volume 6:
Issue 1, Issue 2, Issue 3, Issue 4, Issue 5, Issue 6, Issue 7, Issue 8, Issue 9, Issue 10, Issue 11, Issue 12Volume 5:
Issue 1, Issue 2, Issue 3, Issue 4, Issue 5, Issue 6, Issue 7, Issue 8, Issue 9, Issue 10, Issue 11, Issue 12Volume 4:
Issue 1, Issue 2, Issue 3, Issue 4, Issue 5, Issue 6, Issue 7, Issue 8, Issue 9, Issue 10, Issue 11, Issue 12Volume 3:
Issue 1, Issue 2, Issue 3, Issue 4, Issue 5, Issue 6, Issue 7, Issue 8, Issue 9, Issue 10, Issue 11, Issue 12