What email headers are
Every email carries a block of technical metadata above the message body. These headers record where the message came from, every server that handled it on the way to the inbox, the timestamps for each step, and the authentication checks the receiving server ran. The format is defined by RFC 5322, and most mail software hides the headers by default because they are meant for diagnostics rather than reading.
When a message lands in spam, bounces, or looks suspicious, the headers are the first place to look. They are far harder to forge than the visible From line, so they tell a more honest story about how a message actually reached you.
How to read the Received chain
Each server that touches a message stamps its own Received header at the very top, so the list reads newest first and oldest last. To follow the real journey, start at the bottom, where the originating server sits, and work upward to the final hop that delivered the message. The analyzer above reverses the order for you and numbers the hops from origin to inbox.
- From and by: each hop names the server it received the message
fromand the server that handled it next asby. Thebyof one hop should match thefromof the hop above it. - Timestamps: every hop is time stamped, so the gap between two hops shows how long that relay took. A healthy path is usually one to five hops completed in seconds.
- Delays: a gap measured in minutes or hours usually means the message sat in a queue, which points to a delivery problem rather than a routing one.
- Long paths: more than ten hops can signal a forwarding loop or relays added to obscure the true origin of a message.
What the Authentication-Results header means
The receiving server adds an Authentication-Results header, defined by RFC 8601, recording how the message scored against SPF, DKIM, and DMARC. Because this header is written by the receiver and not the sender, its verdicts cannot be edited by whoever sent the message. A typical line reads spf=pass dkim=pass dmarc=pass, and the analyzer pulls each result out into a clear pass, fail, or neutral status.
- SPF: confirms the connecting server was authorized to send for the envelope domain. A pass means the source IP is listed in the sending domain's policy.
- DKIM: verifies a cryptographic signature, proving the message was not altered in transit and was signed by the claimed domain.
- DMARC: combines the SPF and DKIM outcomes with domain alignment to decide whether the visible From domain can be trusted.
Spotting spoofing and delays
A spoofed message often fails one or more authentication checks, so a fail on SPF or DKIM is the clearest red flag. Beyond that, compare the visible From domain with the Return-Path domain that bounces are sent to. A mismatch is common for legitimate bulk senders, but combined with a failed check it is a strong sign of impersonation. Unexpected relays in the Received chain and large gaps between timestamps round out the picture.
Headers show the verdict, but fixing a failure means correcting the records behind it. Check your setup with the SPF record checker, the DKIM record checker, and the DMARC record checker to close the gap that headers reveal.