Email Header Analyzer
Trace email origin instantly! Analyze email headers to verify authentication (SPF, DKIM, DMARC), trace delivery path, and detect spoofing attempts.
Analyze Email Headers
How to find email headers:
- Gmail: Open email → 3 dots → Show original
- Outlook: Open email → File → Properties → Internet headers
- Apple Mail: View → Message → All Headers
- Yahoo: Actions → View Full Header
Understanding Email Headers
Email headers contain metadata about the message, including where it came from, which servers processed it, and authentication results. This information is normally hidden but essential for troubleshooting.
Headers are added by each server that handles the email, with newer headers at the top. Reading from bottom to top shows the email's journey.
Email Authentication
SPF (Sender Policy Framework)
Verifies the sending server is authorized to send for the domain
DKIM (DomainKeys Identified Mail)
Cryptographically verifies the email wasn't modified in transit
DMARC (Domain-based Message Authentication)
Combines SPF and DKIM with policy for handling failures
Email Header Examples & Analysis
✅ Good Authentication Example
Authentication-Results: mx.example.com;
spf=pass smtp.mailfrom=sender.com;
dkim=pass header.d=sender.com;
dmarc=pass header.from=sender.com
Received-SPF: pass
DKIM-Signature: v=1; a=rsa-sha256;
d=sender.com; s=default;This email passes all authentication checks (SPF, DKIM, DMARC), indicating it's likely legitimate and sent from an authorized server.
❌ Suspicious Email Example
Authentication-Results: mx.example.com;
spf=fail smtp.mailfrom=phisher.com;
dkim=fail header.d=legitimate.com;
dmarc=fail header.from=legitimate.com
X-Originating-IP: [192.0.2.1]
Received: from unknown-server.suspicious.netThis email fails authentication checks and shows mismatched domains, suggesting it may be a phishing attempt or unauthorized email.
🔍 Reading Email Path (Received Headers)
Received: by mail.recipient.com (Postfix)
for [email protected]; Mon, 01 Jan 2024 12:00:00 +0000
Received: from relay.isp.com (relay.isp.com [198.51.100.2])
by mail.recipient.com; Mon, 01 Jan 2024 11:59:58 +0000
Received: from mail.sender.com (mail.sender.com [203.0.113.1])
by relay.isp.com; Mon, 01 Jan 2024 11:59:55 +0000Reading bottom to top: Email originated from mail.sender.com (203.0.113.1), went through relay.isp.com (198.51.100.2), and arrived at mail.recipient.com. Each hop added a timestamp showing the email's journey.
🔗 Complete Email Analysis Workflow
For comprehensive email investigation, combine our header analyzer with other network tools:
Frequently Asked Questions
How do I find email headers?
In Gmail: Open the email, click the three dots (⋮), select "Show original". In Outlook: Open the email, go to File → Properties. In Apple Mail: View → Message → All Headers.
What do SPF, DKIM, and DMARC mean?
SPF verifies the sending server is authorized. DKIM verifies the email wasn't altered in transit using digital signatures. DMARC combines both and tells receivers how to handle failures. "Pass" means the check succeeded.
What are email hops?
Each "hop" represents a server that processed the email on its journey from sender to recipient. The Received headers document this path, with the most recent hop at the top.
Can I trace where an email really came from?
Yes, the Received headers show the servers that handled the email. The originating IP can help identify the true source, though sophisticated spammers may forge headers.