

Seeing where a message came from

Sometimes you need to check where a message really came from. The 'From:' email address is easily forged, so it cannot be relied upon.

The first thing you have to do is to get the full message headers. These may look daunting, but are very useful for problem diagnosis.

The most important headers are those beginning with Received. Each mail server that handles the message adds its own Received trace header to the start of the message. So, to follow the message's path in time order, find the lowest Received line in the headers and work upwards.

Example

This is an example of some full headers:

Return-Path: <a.user@example.com>
Received: from mail.example.com ([127.221.14.44]) by lmail.pscs.co.uk ([217.155.61.13] running VPOP3) with ESMTP for <support@pscs.co.uk>; Thu, 20 Oct 2011 09:36:35 +0100
Received: from [192.168.1.101] ([127.31.11.95]) by example.com (Postfix) with ESMTP id 891688127.17872.3016 for <support@pscs.co.uk>; Thu, 20 Oct 2011 04:36:25 -0400
Message-ID: <4E9FDD90.3080001@example.com>
Date: Thu, 20 Oct 2011 04:36:32 -0400
From: Alex User <a.user@example.com>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Paul Smith <support@pscs.co.uk>
Subject: Re: This is a message
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-VPOP3-ORIGRCPT: paul@pscs.co.uk

This passed through

If the message came from your local VPOP3 and you use SMTP authentication, you can also check the X-Authenticated-Sender header line, which shows which user logged in to send the message. (Note that if passwords are weak, someone may have guessed a user's password and be using that account without the user's knowledge.)
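The bottom-up reading of the Received lines described above can be automated. The following Python sketch is an added example, not part of VPOP3 or the original page; it runs on the example headers from this page, and the function names (trace, delays, trusted_ip) and the choice of lmail.pscs.co.uk as "your own server" are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Example headers from this page, trimmed to the lines the trace needs.
RAW = """\
Return-Path: <a.user@example.com>
Received: from mail.example.com ([127.221.14.44]) by lmail.pscs.co.uk ([217.155.61.13] running VPOP3) with ESMTP for <support@pscs.co.uk>; Thu, 20 Oct 2011 09:36:35 +0100
Received: from [192.168.1.101] ([127.31.11.95]) by example.com (Postfix) with ESMTP id 891688127.17872.3016 for <support@pscs.co.uk>; Thu, 20 Oct 2011 04:36:25 -0400
From: Alex User <a.user@example.com>
"""

# "from <name the sender gave> ([<connecting IP>]) by <receiving server>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def trace(raw):
    """Return one dict per Received line, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # get_all() lists headers top-down; the lowest Received line is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        hop = m.groupdict() if m else dict(helo=None, ip=None, by=None)
        try:  # the timestamp follows the last ';'
            hop["when"] = parsedate_to_datetime(value.rpartition(";")[2].strip())
        except (TypeError, ValueError):
            hop["when"] = None  # missing or malformed date
        hops.append(hop)
    return hops

def delays(hops):
    """Seconds between consecutive hops, None where a time is unusable."""
    out = []
    for a, b in zip(hops, hops[1:]):
        try:
            out.append((b["when"] - a["when"]).total_seconds())
        except TypeError:  # missing timestamp, or one lacks a time zone
            out.append(None)
    return out

def trusted_ip(hops, my_server):
    """Connecting IP in the newest line written by my_server (assumed to be
    yours); older lines were supplied by other systems and may be forged."""
    for hop in reversed(hops):
        if hop["by"] == my_server:
            return hop["ip"]
    return None

if __name__ == "__main__":
    hops = trace(RAW)
    for n, h in enumerate(hops, 1):
        print(n, h["helo"], h["ip"], "->", h["by"], h["when"])
    print(delays(hops), trusted_ip(hops, "lmail.pscs.co.uk"))
```

Only the Received line written by a server you control is reliable evidence of the connecting address; the name given after "from" and any older Received lines are whatever the sending side chose to supply.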

how_to/seeing_where_a_message_came_from.1319187885.txt.gz · Last modified: 2018/11/14 10:44 (external edit)