Email Header Analyzer

Paste raw email headers and trace the full delivery path. The tool unfolds folded headers, reverses the Received: chain to show hops in chronological order with per-hop delays, parses Authentication-Results for SPF, DKIM, and DMARC verdicts, and surfaces the most useful headers — From, Subject, Return-Path, and Message-ID — in a summary block. Nothing leaves your browser.

How to use the Email Header Analyzer

To get the raw headers:

  • Gmail — open the email, click the three-dot menu, choose "Show original" — copy everything above the blank line.
  • Outlook — open the email, go to File → Properties — copy the "Internet headers" box.
  • Apple Mail — View → Message → All Headers, then copy.

Paste into the textarea and click Analyze. The output shows:

  1. Summary — From, To, Subject, Date, Return-Path, Message-ID in a quick-reference block.
  2. Delivery path — Received headers reversed into chronological order (oldest hop first). Each row shows the sending host (from), receiving host (by), protocol (with), the timestamp, and the delay from the previous hop. Large delays pinpoint slow relays.
  3. Authentication results — SPF, DKIM, and DMARC verdicts colour-coded pass/fail, with the domain and selector where available.

About Email Headers

Every email carries a set of headers describing its origin, route, and authentication status. When you send a message, your mail client adds headers like From:, To:, and Date:. Each mail transfer agent (MTA) that handles the message prepends a Received: header recording its own identity, the host it received the message from, the protocol used, and a timestamp. Because each hop prepends its header, the chain is stored newest-first — the first Received: you see was added by the final delivery server; the last one was added by the sender's outbound relay.

The three email authentication headers tell you whether the message was legitimately sent:

  • SPF (Sender Policy Framework) — the receiving server checked whether the sending IP is listed in the v=spf1 DNS record of the envelope sender domain. A pass means the IP is authorized; a fail means it is not, which is a strong indicator of spoofing.
  • DKIM (DomainKeys Identified Mail) — the message body and selected headers were signed with a private key. The receiver retrieved the public key via DNS and verified the signature. A pass means the message wasn't tampered with in transit.
  • DMARC — checks that the domain in the From header aligns with whichever of SPF or DKIM passed. A DMARC pass means the visible sender is authenticated, closing the loophole where SPF/DKIM can pass on an unrelated domain while the From: header shows a spoofed address.

Analyzing headers is essential for diagnosing spam classification, understanding routing delays, detecting forged sender addresses, and verifying that your domain's email authentication is working end-to-end.

Common use cases

  • Spam investigation — determine whether a suspicious message actually came from the domain it claims, by checking SPF, DKIM, and DMARC results and tracing the originating IP.
  • Delivery delay diagnosis — identify which hop in the relay chain added unexpected latency by comparing per-hop timestamps.
  • Email authentication audit — confirm that your outbound mail passes SPF and DKIM at the recipient's server, closing any authentication gaps before they cause deliverability issues.
  • Phishing analysis — compare the From: display name against the Return-Path and the DKIM d= domain to spot header spoofing techniques used in phishing campaigns.
  • Support escalation — when a user reports a missing or delayed email, analyzing headers quickly shows whether the message was rejected, queued, or delivered, and where the breakdown occurred.

Frequently asked questions

Why are the Received headers in reverse order?
Each mail relay prepends its own Received: header, so the newest relay appears first in the raw headers. This analyzer reverses them to show the delivery path in chronological order — the first hop is the sender's outbound server, and the last is the final delivery server.

What does "SPF pass" mean if I still got spam?
SPF only checks whether the sending IP is authorized by the envelope sender's domain — not the From: header domain you see. A spammer can pass SPF using their own domain in the envelope while spoofing your domain in the From: header. DMARC alignment closes this gap by requiring the From: domain to match the SPF/DKIM authenticated domain.

Why does DKIM sometimes fail on forwarded email?
DKIM signs specific headers and the message body. When a mailing list or forwarding service modifies the body (adding footers) or changes headers (like Subject or From), the signature breaks. Some lists use ARC (Authenticated Received Chain) to preserve the original authentication result through forwarding.

What is the Return-Path and how does it differ from From:?
Return-Path (also called the envelope sender or MAIL FROM) is the address used by mail servers for bounce messages. It can differ from the visible From: header. SPF checks Return-Path's domain; DMARC requires alignment between From: and the SPF/DKIM domain. A mismatch between From: and Return-Path is common in marketing email.

Is the content of the email sent to your server for analysis?
No. This tool runs entirely in your browser using JavaScript. The headers you paste never leave your machine — there is no server-side processing.