You can look at the full header from the email in question and get details about the originating IP and ISP that the email came from, along with all the places they bounced it off from to get it to you.
Unfortunately you can only trust the header(s) that your systems have added, which should include the IP address of the previous system. At that point, you have to verify that this IP address corresponds to the appropriate Received: header of the previous system. If it does, you can go and ask the admin of that system if the Received: header is genuine. And so on up the chain.
You simply cannot assume that the first header is the originating system, nor that the Received headers present correspond to anything like the path that the message actually took, without verifying each one in the chain...

Although this is normally true, it is often not in the case of spam, viruses, and malicious email...
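
The trust boundary described in the replies above, as an added example that is not part of the original posts: it walks the Received: headers newest first and stops at the first peer IP that one of your own servers recorded for an outside system, treating everything below that as unverified. The host names, the internal network range and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumptions (hypothetical values): hosts and networks that belong to "us".
OUR_HOSTS = {"mx1.example.org", "mail.example.org"}
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8")]

BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample; the two lowest Received lines came with the message and may
# be forged, including the one that claims to be "by mail.example.org".
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [10.0.0.5])
\tby mail.example.org with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.invalid (unknown [203.0.113.77])
\tby mx1.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.bank.example ([198.51.100.10])
\tby mail.example.org with ESMTP; Mon, 1 Jan 2024 09:59:00 +0000
Received: from [192.0.2.1] by mail.bank.example; Mon, 1 Jan 2024 09:58:00 +0000
From: a@bank.example
Subject: constructed sample

body
"""

def is_ours(ip):
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETS)

def split_chain(raw):
    """Return (verified_peer_ip, trusted_headers, unverified_headers)."""
    hops = email.message_from_string(raw).get_all("Received", [])
    trusted = []
    for i, hop in enumerate(hops):  # headers are prepended, so newest comes first
        flat = " ".join(hop.split())  # unfold continuation lines
        by = BY_RE.search(flat)
        ip = IP_RE.search(flat.split(" by ")[0])  # peer IP sits in the "from" part
        if not by or by.group(1).lower() not in OUR_HOSTS or not ip:
            return None, trusted, hops[i:]
        trusted.append(flat)
        if not is_ours(ip.group(1)):
            # One of our servers logged an outside peer: this is the trust boundary.
            return ip.group(1), trusted, hops[i + 1:]
    return None, trusted, []
```

On the sample, `split_chain(SAMPLE)` reports 203.0.113.77 as the only verified peer and leaves the lower two headers unverified, even though one of them names a local host in its "by" clause.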