Most of the emails I received have 4 and more Received: fields in their headers. I am not sure which one contains the sender's IP address.
Each SMTP server adds a Received: field to the top of each incoming message, giving details of how it received the message, most importantly the sender's IP address:
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [220.127.116.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
In the example above the Received: field lets us know about the email transaction between alpha.bieberdorf.edu and mail.bieberdorf.edu. The sending machine called itself alpha.bieberdorf.edu, and its IP address is 18.104.22.168.
This scenario is a little bit oversimplified. We assumed that the mail servers of the two organizations involved had free access to one another. This was almost always true in the early days of the Internet, and it's still sometimes the case today, but as security has become a greater concern, and as organizations and networks have gotten bigger, sometimes requiring many separate mail servers, it becomes more and more unusual.
Here are some possible headers from a message that had a very different "life cycle":
Received: from turmeric.com ([22.214.171.124]) by unwilling.intermediary.com (8.6.5/8.5) with SMTP id LAA12741; Wed, Jul 30 1997 19:36:28 -0500 (EST)
From: Anonymous Spammer <email@example.com>
To: (recipient list suppressed)
X-Mailer: Massive Annoyance
Subject: WANT TO MAKE ALOT OF MONEY???
The history of the message can be reconstructed by reading the Received: headers from bottom to top. This message originates from turmeric.com which IP address is 126.96.36.199. It passed from there to unwilling.intermediary.com, and from there to its final destination at mail.bieberdorf.edu. But how did unwilling.intermediary.com get there, since it has nothing to do with either the sender or the recipient?
UUnderstanding the answer requires some knowledge of SMTP. In essence, turmeric.com simply connected to the SMTP port at unwilling.intermediary.com and told it "Send this message to firstname.lastname@example.org". It did this, probably, in the most direct manner imaginable, by saying RCPT TO: email@example.com. At that point, unwilling.intermediary.com took over processing the message; since it had been told to send it to a user at some other domain (bieberdorf.edu), it went out and found the mail server for that domain and handed off its mail in the usual manner. This process is known as mail relaying.