Email Header Analyzer
Paste raw email headers to analyze SPF, DKIM, and DMARC authentication, detect spoofing risk, and trace the mail delivery path.
Paste email headers to analyze:
- SPF authentication
- DKIM signatures
- DMARC results
- Mail routing path
- Spoofing indicators
- Spam likelihood
What are email headers?
Every email message has two parts: the body (what you read) and the headers (metadata about how the message was created, authenticated, and delivered). Headers are invisible in most email clients by default, but they contain the full forensic trail of a message — from the sending server to the receiving inbox.
Headers are written as key-value pairs separated by colons, one per line. Long values can be wrapped across multiple lines (called "folding"). The most important headers for security are added by mail servers during delivery, not by the sender's email client, which makes them significantly harder to forge.
Header ordering: Received headers are added from the bottom up — the first hop is at the bottom and the final delivery is at the top. Reading the Received chain from bottom to top traces the message's journey from origin to inbox.
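The unfolding and bottom-to-top reading described above, as an added example (not this tool's own code). The sample message is constructed, and the names `parseHeaders`, `traceRoute` and `SAMPLE_ROUTE` are illustrative:

```javascript
// Added example: unfold raw headers and order the Received chain oldest-first.
const SAMPLE_ROUTE = [ // constructed sample using documentation address ranges
  'Received: from mx.example.net (mx.example.net [203.0.113.7])',
  '\tby inbound.example.org with ESMTPS id abc123;',
  '\tTue, 02 Jan 2024 10:00:05 +0000',
  'Received: from client.example.net ([198.51.100.23])',
  ' by mx.example.net with ESMTPSA id xyz789;',
  ' Tue, 02 Jan 2024 10:00:01 +0000',
  'From: Alice <alice@example.net>',
  'Subject: Quarterly',
  ' report',
  '',
  'Body text: not a header',
].join('\r\n');

// The header block ends at the first blank line. A line break followed by a
// space or tab is folding, so it continues the previous header.
function parseHeaders(raw) {
  const block = raw.replace(/\r\n/g, '\n').split(/\n\n/)[0];
  const unfolded = block.replace(/\n[ \t]+/g, ' ');
  const headers = [];
  for (const line of unfolded.split('\n')) {
    const i = line.indexOf(':');
    if (i <= 0) continue; // skip malformed lines rather than guessing
    headers.push({ name: line.slice(0, i).trim().toLowerCase(), value: line.slice(i + 1).trim() });
  }
  return headers;
}

// Received headers are prepended, so reverse them to read origin -> inbox.
function traceRoute(raw) {
  return parseHeaders(raw)
    .filter((h) => h.name === 'received')
    .reverse()
    .map((h, hop) => {
      const from = (h.value.match(/\bfrom\s+(\S+)/i) || [])[1] || null;
      const by = (h.value.match(/\bby\s+(\S+)/i) || [])[1] || null;
      const semi = h.value.lastIndexOf(';');
      const time = semi >= 0 ? new Date(h.value.slice(semi + 1).trim()) : null;
      return { hop: hop + 1, from, by, time };
    });
}
```

The `from` and `by` names in each hop are whatever that server wrote, so hops recorded before your own receiving server should be treated as claims rather than facts.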
How SPF, DKIM, and DMARC appear in headers
Authentication-Results
The Authentication-Results header is added by the receiving mail server and contains the results of all authentication checks. A typical value looks like:
spf=pass [email protected];
dkim=pass [email protected];
dmarc=pass header.from=example.com
Received-SPF
Some servers also add a Received-SPF header that records the SPF result independently. Example:
DKIM-Signature
The DKIM-Signature header contains the cryptographic signature added by the sending server. The d= tag is the signing domain, s= is the selector, and b= is the signature value itself.
How to detect spoofing from email headers
High-risk indicators
- DMARC fail — the From: domain does not align with SPF or DKIM; the domain's policy was violated
- SPF fail — the sending server is explicitly rejected by the domain's SPF record
- DKIM fail — the signature is invalid, suggesting message tampering or forgery
- Reply-To domain mismatch — replies go to a different domain than the visible sender
Warning indicators
- No DMARC result — the receiving server did not check DMARC, or the domain has no DMARC record
- Return-Path domain mismatch — bounce replies go to a different domain than the visible sender
- SPF softfail — sender is not explicitly authorised but not explicitly denied
- DKIM signing domain mismatch — the message was signed by a different domain than the From: address
- Missing Message-ID — legitimate servers always generate a Message-ID header
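The high-risk and warning indicators above, written as one check over raw headers. This is an added example, not this tool's own code. The sample headers are constructed, the function names are illustrative, and the subdomain comparison is a simplification of DMARC alignment:

```javascript
// Added example. SAMPLE_AUTH is constructed; all domains are placeholders.
const SAMPLE_AUTH = [
  'Authentication-Results: mx.example.org;',
  ' spf=softfail smtp.mailfrom=bounce.example.net;',
  ' dkim=pass header.d=example.net;',
  ' dmarc=fail header.from=example.com',
  'Return-Path: <noreply@bounce.example.net>',
  'DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel1; b=AAAA',
  'From: "Example Billing" <billing@example.com>',
  'Reply-To: helpdesk@example.net',
].join('\r\n');

// Topmost value of a header (unfolded), or null. The topmost
// Authentication-Results is assumed to be the receiving server's own.
function header(raw, name) {
  const text = raw.replace(/\r\n/g, '\n').split('\n\n')[0].replace(/\n[ \t]+/g, ' ');
  const m = text.match(new RegExp('^' + name + ':\\s*(.*)$', 'im'));
  return m ? m[1].trim() : null;
}

// Domain of the address; prefers <addr> so an '@' in a display name is ignored.
function domainOf(value) {
  if (!value) return null;
  const m = value.match(/<[^<>]*@([^<>\s]+)>\s*$/) || value.match(/@([\w.-]+)\s*$/);
  return m ? m[1].toLowerCase() : null;
}

// Simplification: same domain or a subdomain counts as a match. Real DMARC
// relaxed alignment compares organizational domains via the Public Suffix List.
const related = (a, b) => a === b || a.endsWith('.' + b) || b.endsWith('.' + a);

function analyze(raw) {
  const ar = header(raw, 'Authentication-Results') || '';
  const result = (m) => (ar.match(new RegExp('\\b' + m + '=(\\w+)', 'i')) || ['', 'none'])[1].toLowerCase();
  const from = domainOf(header(raw, 'From'));
  const differs = (d) => Boolean(d && from && !related(d.toLowerCase(), from));
  const dkimD = ((header(raw, 'DKIM-Signature') || '').match(/(?:^|;)\s*d=([^;\s]+)/) || [])[1];
  const high = [], warn = [];
  for (const m of ['dmarc', 'spf', 'dkim']) if (result(m) === 'fail') high.push(m + ' fail');
  if (differs(domainOf(header(raw, 'Reply-To')))) high.push('reply-to domain mismatch');
  if (result('dmarc') === 'none') warn.push('no dmarc result');
  if (differs(domainOf(header(raw, 'Return-Path')))) warn.push('return-path domain mismatch');
  if (result('spf') === 'softfail') warn.push('spf softfail');
  if (differs(dkimD)) warn.push('dkim signing domain mismatch');
  if (!header(raw, 'Message-ID')) warn.push('missing message-id');
  return { high, warn };
}
```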
How to get the full email headers
Gmail
- Open the email in Gmail on desktop (not mobile).
- Click the three-dot menu ⋮ in the top-right of the message.
- Select Show original.
- A new tab opens showing the full raw source.
- Copy all the lines from the top down to the blank line before the message body.
Alternatively, click Copy to clipboard in the Show original tab and paste everything — this tool will extract only the header section automatically.
Outlook
- Open the email in its own window by double-clicking it.
- Go to File → Properties (Windows desktop app).
- The Internet Headers field at the bottom shows the raw headers.
- Select all the text in that field and copy it.
In Outlook on the web (OWA): open the email, click the three-dot menu, and select View message source.
Limitations of email header analysis
Header analysis is a powerful first step, but it has important limitations:
- Headers before the first trusted server (those added by the sending client) can be forged. The Received headers added by your receiving server are trustworthy; those added by earlier hops are only as trustworthy as those servers.
- A sophisticated attacker who controls a domain with valid SPF, DKIM, and DMARC can pass all authentication checks. The email would appear legitimate from a header perspective even if the content is malicious.
- This tool cannot analyze the message body. Phishing links, malicious attachments, and social engineering are only visible in the body, not the headers.
- IP geolocation is not performed in V1. The sending IP address is identified but not looked up against reputation databases.
- Some mail servers strip or modify headers before delivery. If you are analyzing headers from a forwarded message, authentication results may reflect the forwarder's servers rather than the original sender.
Frequently asked questions
What are email headers?
Email headers are lines of metadata at the top of every email message. They record how the message was created, authenticated, and routed from sender to recipient. Headers include the From, To, Subject, and Date fields you see in your inbox, plus technical fields added by mail servers: authentication results (SPF, DKIM, DMARC), Received routing records, and spam scores. Most email clients hide them, but they are always present.
How do I get the full headers from Gmail?
Open the email on desktop Gmail. Click the three-dot menu (⋮) at the top-right of the message body. Select Show original. A new tab opens with the full raw source. Copy the content from the top of the page down to the blank line before the message body starts, then paste it into this tool.
How do I get the full headers from Outlook?
In Outlook desktop: open the email in its own window, then go to File → Properties. The Internet Headers box at the bottom contains the raw headers. In Outlook on the web: open the email, click the three-dot menu, and select View message source or View email source.
What does SPF pass mean?
SPF pass means the server that sent the email is listed in the SPF DNS record for the envelope sender's domain. The receiving server checked the sending IP against the domain's authorised list and found a match. SPF fail means the opposite — the server is not authorised, which is a strong spoofing indicator.
What is a Reply-To mismatch?
A Reply-To mismatch means the Reply-To header contains a different domain than the From header. When you click Reply, your response goes to the Reply-To address instead of the visible sender. Phishing emails frequently use this to make messages appear to come from a trusted source while routing replies to an attacker-controlled inbox.
Does this tool store or transmit my email headers?
No. All analysis is performed locally in your browser using JavaScript. Your headers are never sent to any server, never logged, and never stored. You can verify this by watching your browser's Network tab in developer tools while using the tool — no requests are made after the page initially loads.
Can spoofing always be detected from headers alone?
No. A sophisticated attacker who controls a domain with properly configured SPF, DKIM, and DMARC can pass all authentication checks while still sending a phishing email. Header analysis is a strong first filter, but body content, sender reputation databases, and machine learning are also required for comprehensive protection. This tool identifies authentication failures and mismatches — but a clean header report does not guarantee the email is safe.
What is the Received header chain?
Every time an email passes through a mail server, that server prepends a Received header recording where it came from and where it is going. The chain is built from the bottom up — the oldest Received header (from the sending server) is at the bottom and the newest (added by your mail server) is at the top. Reading them bottom-to-top traces the full delivery path.