The Mudcat Café TM
Thread #153748 Message #3603045
Posted By: Rapparee
19-Feb-14 - 10:30 PM
Thread Name: BS: Is someone trying to send a virus?
Subject: RE: BS: Is someone trying to send a virus?
I'm probably more savvy about reading HTML and headers and stuff than most, so caveat emptor.
I open (off-line) the entire message, headers and all. If it's in HTML or XML or similar I live with it. Going through everything I especially look at the links -- in HTML or XML they can be "covered" just as the links can be with the blickifier in Mudcat ("Make a link ("blue clicky")" at the bottom of the response box).
Once I have the address (e.g., max@mudcat.org) I go to Internic's whois service and look up the domain (e.g., mudcat.org). That will give me the registrar and/or the IP addresses (e.g., 255.255.255.1 in what's called IPv4). Once I have that I can possibly find out to whom the IP address is registered (if necessary) at ARIN by putting the IP address in the whois box in the upper right corner.
It might refer me to Europe, Asia, the Pacific, or somewhere else on the globe. Note that it will tell you which "look-up" database to use.
I once traced a fake message purporting to come from Boise, Idaho to an ISP outside of Cairo, Egypt this way. I continued the search after I knew the message was fake just to see where it would take me.
If you're suspicious, don't open it. If you delete it and it's legit they'll email it again.