[ak267]

Where do I find that?

[thoughtomator]

Look up the SMTP headers (should be a menu item while you’re reading the email).

If the original sending server is one of Twitter’s, then it’s real.

[proxy_user]

Here is a sample set of headers from a typical spam email:

From - Fri Jan 19 07:51:05 2018
X-Account-Key: account2
X-UIDL: 11e7-fd16-2c6e89ca-b115-002128110b90
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Status: U
Return-Path:
Received: from mx-pinchot.atl.sa.earthlink.net ([207.69.195.25]) by mdl-journey.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1ECvZP5R13Nl3700; Fri, 19 Jan 2018 07:42:13 -0500 (EST)
Received: from cloudwebx8.newtekwebhosting.com ([75.103.66.10]) by mx-pinchot.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1ECvZO3zT3Nl34d0 for ; Fri, 19 Jan 2018 07:42:12 -0500 (EST)
Content-Transfer-Encoding: 7bit
Subject: You have delayed emails on eBay
From: eBay Support
MIME-Version: 1.0
Vines-Improvisation: pools
X-Priority: 1
Content-Type: text/html; charset=UTF-8
To: "xxxxxx@earthlink.net"
Date: Fri, 19 Jan 2018 05:42:14 -0700
Aerators-Circumspectly-Gorges: 3CCB4D485FCB25
Message-ID: <617f98.a8b67c2c.12e4e@avalonbay.com>
Ameliorating-Accomplishments: 12813
X-Authentication-Results: dkim="none"; (2:DKIM_STAT_NOSIG: no signature available); dmarc="none"; (1); dwl="miss"; den="not exempt"
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=0b; sbw=000;

Look at the Received headers. The first header, the one at the bottom, is written by the sending server and cannot be faked. The sending IP in this one is 75.103.66.10, a rented server on the cloud that anyone with a credit card can buy.