Email Header Analyzer

What Are Email Headers?

Every email you receive contains hidden metadata called headers. These headers record the full journey of the message, from the moment it leaves the sender's mail server to the moment it arrives in your inbox. Email headers include routing information, timestamps, sender and recipient addresses, the subject line, and authentication results. Understanding headers is essential for IT administrators, security analysts, and anyone who wants to verify whether an email is genuine or forged. Headers are not visible in the normal email view, but every email client provides a way to access them.

How to Find Email Headers

Gmail: Open the email, click the three-dot menu in the top right, and select "Show original." The full headers appear in a new tab. You can copy and paste them directly into the analyzer above.

Microsoft Outlook (Web): Open the message, click the three-dot menu, and choose "View message source" or go to Message Details and select "View message source." In the desktop app, open the message, go to File > Properties, and the headers appear in the "Internet headers" box at the bottom.

Apple Mail: Open the email, then go to View > Message > All Headers (or press Shift+Command+H). You can also select View > Message > Raw Source to see the complete raw message including headers.

Once you have the raw headers, paste them into the text area above and click Analyze. The tool will parse every header and display the results in a structured format.

Understanding SPF, DKIM, and DMARC

SPF (Sender Policy Framework) checks whether the sending mail server's IP address is authorized by the domain's DNS records. When SPF passes, it means the email was sent from an approved server. A fail result suggests the email may be spoofed or sent from an unauthorized source.

DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that the email body and headers have not been altered in transit. The sending server signs the message with a private key, and the receiving server verifies it against the public key published in DNS. A DKIM pass confirms message integrity.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy published by the domain owner. DMARC tells receiving servers what to do when SPF or DKIM fails: accept, quarantine, or reject the message. A DMARC pass means both alignment and authentication succeeded.

How to Detect Phishing Emails Using Headers

Phishing emails often fail authentication checks. Look for SPF fail, DKIM fail, or DMARC fail in the Authentication-Results header. Check the Return-Path and compare it with the From address. If they use different domains, this is a red flag. Examine the Received headers from bottom to top. The bottom-most Received header shows the original sending server. If the IP address or hostname does not match the claimed sender domain, the email may be forged. Also check for unusual X-Mailer values and unexpected relay servers in the routing path.

Email Deliverability and Authentication

If you manage email for your organization, authentication directly affects whether your messages reach the inbox or land in spam. Properly configured SPF, DKIM, and DMARC records improve deliverability and protect your domain from being used in phishing attacks. Many large providers like Google and Microsoft now require DMARC alignment for bulk senders. Use this analyzer to verify that outbound email from your domain passes all three checks. Compare the results with your DNS records to identify misconfigurations. Regular header analysis is a practical step in maintaining strong email security and ensuring your messages are trusted by recipients.