Wednesday, February 10, 2010

About Email Spam Analysis

Notes on a simple analysis of a .eml file:

1. By checking the sequence of Received: headers we can tell whether the email is forged.

2. In some spam, the Date: header and the timestamps in the Received: headers are completely different.

3. "Received:" headers should be read from the bottom upwards, since each MTA that the message passed through adds its own header at the top of the message. They should be analysed from the top down, in case there are any fakes in there: the topmost header was added by the last MTA (usually your own) and is the most trustworthy, while a forged header will sit further down, where the sender put it.

4. Some intermediate email gateways add X-Spam-Status, X-Spam-Level and X-Spam-Flag headers to the email. SpamAssassin is an example of such an intermediate gateway.

5. A normal email header compared with a spam email header.
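As an added example that is not part of the original post, the Python script below applies points 1, 2 and 4 to the headers of a .eml file: it walks the Received: chain from the top down, checks that each "from" host matches the "by" host of the line beneath it, flags timestamps that run backwards, compares the Date: header with the stamp added by the topmost MTA, and collects any X-Spam-* headers. The message in SAMPLE_EML is constructed for the example (hosts, IPs, queue IDs and scores are invented); the bottom Received: line is a forged one of the kind a sender prepends. The script assumes the top Received: header was added by your own MTA, and the two tolerance values are assumptions you would tune to your environment.

```python
"""Header-only triage of a .eml file: Received: chain, Date: skew and X-Spam-* markers."""
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample (not from the original post). Read bottom-up it claims:
# trustedbank -> bulkmail -> relay.example.org -> mx.example.net -> mail.example.com.
# The bottom line is forged, the third hop's clock runs ahead of the relay that
# followed it, and the Date: header is eleven days older than every Received:.
SAMPLE_EML = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTP id ABC123
\tfor <victim@example.com>; Wed, 10 Feb 2010 09:15:02 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id DEF456;
\tWed, 10 Feb 2010 09:14:40 +0000
Received: from unknown (HELO bulkmail.invalid) (203.0.113.55)
\tby relay.example.org with SMTP; Wed, 10 Feb 2010 09:25:00 +0000
Received: from webmail.trustedbank.invalid ([10.0.0.5])
\tby bulkmail.invalid with ESMTP; Wed, 10 Feb 2010 09:00:00 +0000
X-Spam-Flag: YES
X-Spam-Status: Yes, score=12.3 required=5.0
X-Spam-Level: ************
Date: Sat, 30 Jan 2010 03:00:00 +0000
From: "Promo" <promo@bulkmail.invalid>
To: victim@example.com
Subject: constructed sample

body text
"""

_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
CLOCK_TOLERANCE = timedelta(minutes=2)  # assumed: honest MTAs disagree by less than this
DATE_TOLERANCE = timedelta(days=1)      # assumed: Date: vs. our own MTA's stamp


def parse_received(value):
    """Split one Received: header into from-host, by-host and timestamp."""
    value = " ".join(value.split())            # unfold continuation lines
    clause, sep, stamp = value.rpartition(";")  # the timestamp follows the last ';'
    if not sep:
        clause, stamp = value, ""
    from_m, by_m = _FROM_RE.search(clause), _BY_RE.search(clause)
    try:
        ts = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        ts = None                              # an unparseable stamp is itself a finding
    return {"from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "timestamp": ts, "raw": value}


def analyse_eml(raw):
    """Return the parsed hop chain (top-down) plus the anomalies found."""
    msg = email.message_from_string(raw)
    # get_all() keeps file order: index 0 is the header our own MTA added last.
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    findings, chain_breaks, time_anomalies = [], [], []
    for i in range(len(hops) - 1):
        # Point 1: hop i was received FROM the host that hop i+1 says stamped it (BY).
        upper, lower = hops[i]["from"], hops[i + 1]["by"]
        if upper != lower:
            chain_breaks.append((i, upper, lower))
            findings.append(f"hop {i} received from {upper!r} but hop {i + 1} claims 'by {lower}'")
        # Going down the list is going back in time; a later hop must not be older.
        up_ts, low_ts = hops[i]["timestamp"], hops[i + 1]["timestamp"]
        if up_ts and low_ts and low_ts - up_ts > CLOCK_TOLERANCE:
            time_anomalies.append((i, low_ts - up_ts))
            findings.append(f"hop {i + 1} is stamped {low_ts - up_ts} later than hop {i}")
    # Point 2: Date: is written by the sender; compare it with our own MTA's stamp.
    date_skew = None
    try:
        if hops and hops[0]["timestamp"] and msg.get("Date"):
            date_skew = hops[0]["timestamp"] - parsedate_to_datetime(msg["Date"])
            if abs(date_skew) > DATE_TOLERANCE:
                findings.append(f"Date: differs from top Received: by {date_skew}")
    except (TypeError, ValueError):
        findings.append("Date: header is unparseable")
    # Point 4: verdict headers added by an intermediate gateway such as SpamAssassin.
    spam_headers = {k: " ".join(v.split()) for k, v in msg.items()
                    if k.lower().startswith("x-spam-")}
    if spam_headers.get("X-Spam-Flag", "").upper() == "YES":
        findings.append("gateway flagged the message as spam: " + spam_headers.get("X-Spam-Status", ""))
    return {"hops": hops, "chain_breaks": chain_breaks, "time_anomalies": time_anomalies,
            "date_skew": date_skew, "spam_headers": spam_headers, "findings": findings}


if __name__ == "__main__":
    for line in analyse_eml(SAMPLE_EML)["findings"]:
        print("-", line)
```

The chain check is deliberately strict: the third hop reports "from unknown" because the relay could not resolve the name the sender offered in HELO, so the link to the bottom line cannot be confirmed and is reported for the analyst to look at. Replace SAMPLE_EML with the contents of a real .eml file (for example via open(path).read()) to run the same checks on a captured message.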

