Skip to content

Email Header Analyzer

Parse and analyze raw email headers to trace delivery path, authentication results, and metadata

That Suspicious Email Isn’t What It Looks Like

You got an email from your “CEO” asking you to wire $50,000 to a new vendor. The display name says “John Smith” and the From address looks legit. But is it?

The email headers tell the whole story. They’re hidden behind “Show original” in Gmail or “View message source” in Outlook, and they contain every server that touched the message, SPF/DKIM/DMARC authentication results, and the real originating IP address. A spoofed email almost always fails authentication checks — the headers just make it obvious.

This tool parses that wall of raw header text into organized sections you can actually read. Everything runs in your browser.

What the Headers Reveal

Received headers trace the delivery path backwards. The bottom Received header is where the email started. Each hop adds its own header on top. By reading them in order, you can follow the email from the sender’s server through every relay to your inbox. If the email claims to be from company.com but the originating server is sketchy-server.ru, that’s your answer.

SPF results tell you whether the sending server’s IP is authorized to send mail for that domain. A “fail” means the server isn’t on the domain’s published list. Legitimate email from major providers almost never fails SPF.

DKIM results verify a cryptographic signature embedded in the email. If the message was altered in transit — even a single character changed — DKIM fails. A pass means the content is exactly what the sending server signed.

DMARC ties SPF and DKIM together and tells receiving servers what to do when checks fail (quarantine, reject, or do nothing). If DMARC fails, the email is almost certainly spoofed or misconfigured.

Getting the Headers

Gmail: Open the email, click the three-dot menu in the top right, select “Show original.” The headers are at the top of that page.

Outlook desktop: Open the email, go to File > Properties, and the “Internet headers” box has everything.

Outlook web: Three-dot menu > “View message source.”

Apple Mail: View > Message > All Headers.

Paste the whole block into the tool and hit Analyze.

Debugging Delivery Issues

Your marketing emails are landing in spam. You’ve checked your content, removed spammy phrases, but they’re still getting filtered. The headers tell you why.

Check the SPF result first. If it’s failing, your mail server’s IP isn’t listed in your domain’s SPF TXT record. Then check DKIM — if you recently migrated email providers, your DKIM keys might not be set up on the new platform yet. A failing DMARC policy with p=quarantine or p=reject will actively push your emails to spam.

Timestamp analysis helps with delay issues too. Each Received header has a timestamp. If there’s a 45-minute gap between two hops, that relay is the bottleneck.

X-Headers and Spam Scores

Email servers often add custom headers that start with X-. These aren’t standardized, but they’re incredibly useful:

  • X-Spam-Score shows how the spam filter rated the message
  • X-Originating-IP reveals the sender’s actual IP address
  • X-Mailer identifies the software that sent the email
  • X-Google-DKIM-Signature is Google’s additional signature layer

All parsing stays client-side. Headers can contain internal server names and IP addresses, so keeping that data in your browser matters. For decoding Base64-encoded content that sometimes shows up in headers, the Base64 Encode / Decode tool handles that.

email headers spf dkim dmarc security analysis

Related Tools

More in Security Tools