How to verify an email's sender identity?
Not definitively. It's too easy to forge the information in the headers.
Use traditional methods to verify the company. Get the number of the company from 411 information and call them. Ask about the job title in question. If the job title checks out, ask to speak to the person responsible for the job opening.
Note: If money was mentioned in any way in the email, it's probably a fake. You can check it out by Googling a unique phrase in the email. Often such emails turn up on Snopes.com and similar sites.
Most reputable companies do not solicit employees this way, so unless you were referred by a colleague, it's probably fake.
Not all of the email headers can be faked. Once the email message is received by a trusted server which provides your email service, the Received: headers are reliable.
Consider this string of Received: headers:
Received: by 10.142.214.19 with SMTP id m19cs274738wfg;
Thu, 17 Dec 2009 03:20:12 -0800 (PST)
Received: by 10.115.67.30 with SMTP id u30mr1589591wak.119.1261048811650;
Thu, 17 Dec 2009 03:20:11 -0800 (PST)
Received: from mail1.stackoverflow.com (mail1.stackoverflow.com [69.59.196.214])
by mx.google.com with ESMTP id 31si4514829pzk.62.2009.12.17.03.20.11;
Thu, 17 Dec 2009 03:20:11 -0800 (PST)
Received: from superuser.com (unknown [10.0.0.4])
by mail1.stackoverflow.com (Postfix) with ESMTP id 67A7F1E08A;
Thu, 17 Dec 2009 03:20:11 -0800 (PST)
The bottom-most Received: header is followed by the body of the message, which includes To: and From: headers, which can be forged. But let's follow the Received: headers:
The first header indicates that a server on IP address 10.0.0.4 named superuser.com sent a message to the server mail1.stackoverflow.com. Knowing that both of these names are to be expected in this case, the Received: header indicates an internal forward within the superuser complex of mail servers.
The next Received: header indicates that mail1.stackoverflow.com at address 69.59.196.214 forwarded the message to mx.google.com. We can confirm that the public IP address of mail1.stackoverflow.com is 69.59.196.214 and since google is my email provider, I would expect the mail-exchanger (mx) at google.com to be receiving my message. This is the first contact with my mail domain (google) and cannot be faked. Of course, there could be a load of faked Received: headers below this header, so finding the first reliable Received: header can be tricky.
The last two Received: headers show net 10 addresses, so these are forwards within the google domain. This is also not unexpected.
An evil mail server could insert many fake Received: headers into the stream, but there is always one that comes from a trusted source, in this case mx.google.com. This first trusted Received: header indicates the public IP address that actually forwarded the email. If this IP address is suspect, or does not match the reported domain name, then you must suspect the entire contents of the message.
You can read Received: headers in most email clients using a "view source" command. It takes a bit of skill to read bottom-up and find the first reliable Received: header, but once you find it, verifying it is quick and helpful.
One thing that no one has mentioned is that you can fake all of the headers BUT if you look at the reply-to address that should be a good way to tell if it is a scam. Ie if it is like this:
To:
youremail@blabla
From:
reply to:
It is unlikely to be a scam. Even if your responded with your credit card number, home address and the name of your fav book, there is nothing the spammer could do because your reply would be sent to stevejobs.
If the message looks like this:
To:
youremail@blabla
From:
reply to:
stevejobs@ otherapple.com
This should set off red flags. This email will not go to the sender. It will go to someoen else. Remember in order for the spam to work it has to get back to the spammer.
Note: under certain circumstances this could still be spam but this is an extremely easy check.
Call them up and ask to speak to him/her. If the response is "we have no-one of that name here", it's probably fake.
It's hard sometimes to work out even whether an email was sent by a human or by an automated script, and it's even harder to verify the identity of a sender.
One day, maybe, we'll all have personal certificates that we can routinely use in emails and other communiciations to verify each other's identity, but until then it'll require scepticism and lateral thinking.