Free email tool

Email Header Analyzer

Paste raw email headers to trace the delivery path, read SPF, DKIM, and DMARC results, measure relay delays, and spot the signals that point to spoofing or misconfiguration.

Paste the full raw headers. Parsing happens entirely in your browser and nothing is sent to a server.

See it in action

Paste your own headers above, or load a sample message to see a full delivery trace.

Email headers, explained

What email headers are

Every email carries a block of technical metadata above the message body. These headers record where the message came from, every server that handled it on the way to the inbox, the timestamps for each step, and the authentication checks the receiving server ran. The format is defined by RFC 5322, and most mail software hides the headers by default because they are meant for diagnostics rather than reading.

When a message lands in spam, bounces, or looks suspicious, the headers are the first place to look. They are far harder to forge than the visible From line, so they tell a more honest story about how a message actually reached you.

How to read the Received chain

Each server that touches a message stamps its own Received header at the very top, so the list reads newest first and oldest last. To follow the real journey, start at the bottom, where the originating server sits, and work upward to the final hop that delivered the message. The analyzer above reverses the order for you and numbers the hops from origin to inbox.

  • From and by: each hop names the server it received the message from and the server that handled it next as by. The by of one hop should match the from of the hop above it.
  • Timestamps: every hop is time stamped, so the gap between two hops shows how long that relay took. A healthy path is usually one to five hops completed in seconds.
  • Delays: a gap measured in minutes or hours usually means the message sat in a queue, which points to a delivery problem rather than a routing one.
  • Long paths: more than ten hops can signal a forwarding loop or relays added to obscure the true origin of a message.

What the Authentication-Results header means

The receiving server adds an Authentication-Results header, defined by RFC 8601, recording how the message scored against SPF, DKIM, and DMARC. Because this header is written by the receiver and not the sender, its verdicts cannot be edited by whoever sent the message. A typical line reads spf=pass dkim=pass dmarc=pass, and the analyzer pulls each result out into a clear pass, fail, or neutral status.

  • SPF: confirms the connecting server was authorized to send for the envelope domain. A pass means the source IP is listed in the sending domain's policy.
  • DKIM: verifies a cryptographic signature, proving the message was not altered in transit and was signed by the claimed domain.
  • DMARC: combines the SPF and DKIM outcomes with domain alignment to decide whether the visible From domain can be trusted.

Spotting spoofing and delays

A spoofed message often fails one or more authentication checks, so a fail on SPF or DKIM is the clearest red flag. Beyond that, compare the visible From domain with the Return-Path domain that bounces are sent to. A mismatch is common for legitimate bulk senders, but combined with a failed check it is a strong sign of impersonation. Unexpected relays in the Received chain and large gaps between timestamps round out the picture.

Headers show the verdict, but fixing a failure means correcting the records behind it. Check your setup with the SPF record checker, the DKIM record checker, and the DMARC record checker to close the gap that headers reveal.

Frequently asked

Email header questions

What is an email header?
An email header is the block of technical metadata attached to every message, defined by RFC 5322. It records the sender, the recipient, the subject, the chain of mail servers the message passed through, the timestamps for each step, and the results of authentication checks such as SPF, DKIM, and DMARC. Headers are normally hidden because they are meant for diagnostics, not everyday reading, but they are essential for tracing delivery problems and verifying that a message is genuine.
How do I view email headers in Gmail, Outlook, or Apple Mail?
In Gmail, open the message, use the menu icon, and choose Show original to see the full raw source. In Outlook on the desktop, open the message and go to File then Properties, where the headers appear in the Internet headers box. In Outlook on the web, open the message menu and choose View message source. In Apple Mail, open the message, go to the View menu, then Message, then All Headers. Copy the full block and paste it into the analyzer above.
How do I read the Received chain?
The Received headers are added in reverse order, so the newest sits at the top and the oldest at the bottom. Read from the bottom up to follow the message from its origin to the inbox. Each hop names the server it came from and the server that handled it next, and the server names should link together down the chain. The analyzer reverses this for you and numbers the hops from one upward so the path reads in plain order.
What does the Authentication-Results header mean?
The Authentication-Results header, defined by RFC 8601, is written by the receiving server to record how the message scored against SPF, DKIM, and DMARC. A value of pass means the check verified successfully, while fail means it did not. Because the receiver adds this header rather than the sender, the verdicts cannot be edited by whoever sent the message, which makes it the most reliable single line for judging authenticity.
How can I tell if an email is spoofed?
Start with the authentication results: a fail on SPF or DKIM is the clearest warning sign. Next, compare the visible From domain with the Return-Path domain and any Reply-To address, since a mismatch can indicate impersonation. Finally, check the Received chain for unfamiliar relays or a sending server that does not belong to the claimed domain. Several of these signals together strongly suggest a spoofed or phishing message.
What is the Return-Path header?
The Return-Path, also called the bounce address or envelope sender, is where delivery failure notices are sent if the message cannot be delivered. SPF is evaluated against the domain in the Return-Path, not the visible From address. For DMARC to pass through SPF, the Return-Path domain must align with the From domain, so a comparison of the two is a useful authenticity check.
Can email headers be faked?
The visible From line and Reply-To can be forged by whoever sends a message, which is exactly why spoofing works. The Received headers added by each intermediate server are far harder to fake, and the authentication results are written by the receiving server, so they cannot be edited by the sender. Reading the full header chain together is what lets you separate a genuine message from a forged one.
Why is my email going to spam, and can header analysis help?
Header analysis shows the exact authentication verdicts the receiving server applied, so you can see which protocol is failing and why a message was filtered. The headers also reveal queueing delays, missing fields, and any spam scoring lines the receiver added. Once you know which check is failing, you can correct the SPF, DKIM, or DMARC record behind it and improve placement.
Can I find the real IP address of the sender from email headers?
Sometimes. Headers from corporate mail servers and some providers include the originating IP, which you can trace to an approximate network and location. But major webmail providers like Gmail, Outlook, and Yahoo strip the personal IP of the sender for privacy, so you usually see only their sending infrastructure rather than the individual. You can still trace the full server-to-server delivery path in every case.
What is the difference between the From, Return-Path, and Reply-To headers?
The From header is the address recipients see, and it is cosmetic and easy to forge. The Return-Path, also called the envelope sender, is where bounces go and is what SPF actually checks, so it reveals the real sending infrastructure. Reply-To sets where replies are directed, which phishing sometimes abuses to route answers to an attacker even when the From line looks legitimate. A mismatch between From and Return-Path is common for bulk mail, but combined with a failed authentication check it is a strong spoofing signal.
What does ESMTPS mean in a Received header?
In the Received chain, the protocol field tells you how each hop was carried. ESMTPS means the connection was encrypted with TLS, while plain ESMTP or SMTP means it was not. Seeing encryption across the path is a good sign, and a legitimate modern sender almost always uses TLS. It is one more detail the analyzer surfaces so you can judge how a message actually traveled.