Analyze email headers, trace route, check authentication, and verify email security
Email headers contain crucial metadata about an email message, including its origin, route, authentication results, and security information. They're like a detailed travel log showing everywhere the email has been.
Email headers are fields at the top of an email message that contain technical information invisible to most users. Key components:
Analyzing email headers helps you:
SPF (Sender Policy Framework): Verifies the sending mail server is authorized to send email for the domain. Helps prevent email spoofing.
DKIM (DomainKeys Identified Mail): Adds a digital signature to verify the email hasn't been modified in transit and comes from the claimed domain.
DMARC (Domain-based Message Authentication): Builds on SPF and DKIM to provide a policy for handling emails that fail authentication checks.
Received: Shows each mail server that handled the email. Read from bottom to top for chronological order. Each hop includes server name, IP address, protocol, and timestamp.
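Return-Path: Where bounce messages are sent. Usually matches the From address for legitimate emails, though mailing lists, forwarding services, and marketing platforms can legitimately set a different one.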
Authentication-Results: Summary of SPF, DKIM, and DMARC checks performed by receiving server.
X-Spam-Status: Spam filtering results and score from spam filters.
Content-Type: Email format (text/plain, text/html, multipart).
Gmail: Open email → Click three dots (⋮) → "Show original" → Copy headers
Outlook Desktop: Open email → File → Properties → Copy "Internet headers"
Outlook Web: Open email → ⋯ → View → View message source
Yahoo Mail: Open email → More → View raw message
Apple Mail: Open email → View → Message → Raw Source
The "Received" headers show the email's journey. Read from bottom to top:
Each hop includes a timestamp; delays between hops may indicate issues.
Email headers reveal technical information but typically don't expose sensitive content. Our analyzer:
Verify SPF, DKIM, and DMARC authentication results
Track the complete route your email traveled
Identify spam indicators and suspicious patterns
Email headers are metadata fields in an email that contain technical information about the message, including sender, recipient, mail servers used, timestamps, and authentication results. They're like an envelope that shows the email's journey from sender to recipient. Headers are normally hidden from view but contain crucial information for verifying email authenticity and troubleshooting delivery issues.
To view headers in Gmail: (1) Open the email, (2) Click the three dots (⋮) in the top right, (3) Select "Show original" from the dropdown, (4) A new window opens with full headers. You can copy the entire content or click "Copy to clipboard" button. The headers show all technical details including the complete route the email traveled.
SPF (Sender Policy Framework): Verifies the sending mail server is authorized to send email for the domain. DKIM (DomainKeys Identified Mail): Adds a digital signature that verifies the email content hasn't been tampered with. DMARC: Combines SPF and DKIM to create a policy for handling emails that fail authentication. Together, these prevent email spoofing and phishing. When all three pass, it's strong evidence the email is legitimate, in the sense that it really was sent by the domain it claims to come from.
Yes! Email headers contain several indicators: (1) SPF/DKIM/DMARC failures suggest spoofed email, (2) Mismatched Return-Path and From addresses indicate possible forgery, (3) Suspicious originating IPs or unusual routing patterns, (4) X-Spam-Status scores from spam filters, (5) Missing or malformed headers in legitimate-looking emails. However, headers are just one tool - always be cautious with unexpected emails, especially those requesting sensitive information or urgent action.
The "Received" headers show each mail server that handled your email. Important: Read from bottom to top for chronological order. The bottom-most "Received" header is where the email originated. Each subsequent header shows the next server in the chain. The top-most "Received" is your email server. Each hop includes: server name, IP address, protocol used, and timestamp. Large time gaps between hops may indicate delays or issues.
SPF or DKIM failures may indicate: (1) Email spoofing: Someone forged the sender address, (2) Forwarding issues: Legitimate forwarded emails often fail SPF, (3) Configuration errors: The sending domain's DNS records are misconfigured, (4) Mailing list: Some lists modify messages, breaking DKIM. A single failure doesn't always mean spam, but multiple authentication failures (SPF + DKIM + DMARC all failing) are a strong warning sign. Be cautious with such emails.
Email headers contain technical routing information but generally don't include sensitive content from the email body. Headers may reveal: sender/recipient addresses, IP addresses of mail servers, timestamps, and authentication results. Our analyzer only processes what you paste and doesn't store your data. However, be cautious when sharing headers publicly as they may contain: your IP address (if sent from personal mail client), email addresses, and server infrastructure details.
Return-Path (envelope sender) and From address (header sender) may legitimately differ in cases like: (1) Mailing lists that set their own Return-Path, (2) Email forwarding services, (3) Marketing platforms sending on behalf of companies, (4) Transactional emails from services. However, if they differ on a suspicious email with failed authentication, it's a strong phishing indicator. Legitimate services usually pass authentication even with different Return-Paths.
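The triage rule described above (authentication failures weighed together with a Return-Path/From mismatch), as an added Python example that is not the analyzer's own code. The sample messages, the `triage` and `domain_of` names, and the `trusted_authserv` parameter (the identifier your own receiving server writes at the start of Authentication-Results) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples; "mx.recipient.example" stands in for your own receiving server.
PHISH = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Authentication-Results: mx.recipient.example;\n"
    "\tspf=fail smtp.mailfrom=mailer.example.net;\n"
    "\tdkim=fail header.d=bank.example;\n"
    "\tdmarc=fail header.from=bank.example\n"
    "Authentication-Results: forged.example; spf=pass; dkim=pass; dmarc=pass\n"
    'From: "Bank Support" <support@bank.example>\n\nbody\n'
)
NEWSLETTER = (
    "Return-Path: <bounce@esp.example.net>\n"
    "Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass\n"
    "From: News <news@shop.example>\n\nbody\n"
)

def domain_of(address):
    """Lower-cased domain part of an address header value."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()

def triage(raw, trusted_authserv):
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # Only believe results stamped by our own server; others may be sender-injected.
        if authserv.split()[:1] != [trusted_authserv]:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), verdict.lower())
    failed = sorted(m for m, v in results.items() if v in ("fail", "softfail"))
    mismatch = domain_of(msg["Return-Path"]) != domain_of(msg["From"])
    if len(failed) == 3 or (failed and mismatch):
        level = "high"      # all three failing, or a failure plus mismatched Return-Path
    elif failed:
        level = "review"    # a single failure can be forwarding or a mailing list
    else:
        level = "ok"        # mismatch alone is normal for lists and marketing platforms
    return {"results": results, "failed": failed, "mismatch": mismatch, "level": level}
```

Passing the wrong `trusted_authserv` makes the function accept the injected all-pass header in `PHISH`, which is why the check is tied to your own server's identifier.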
Check timestamps in the "Received" headers from bottom to top. Calculate time difference between consecutive hops. Normal delivery: Under 1 minute per hop. Moderate delay: Several minutes per hop. Significant delay: Hours or days between hops. Delays can occur due to: server issues, spam filtering queues, greylisting (intentional delay to catch spam), or network problems. The "Date" header shows when the sender created the email, which you can compare to delivery time.
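The hop-by-hop delay calculation described above, as an added Python example that is not the analyzer's own code. The sample headers are constructed, and the function names and the 60-second threshold (taken from the "under 1 minute per hop" guideline) are assumptions.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (reserved example domains, documentation IP ranges).
SAMPLE = (
    "Received: from mx.recipient.example ([203.0.113.10])\n"
    "\tby mailstore.recipient.example with ESMTPS id abc123;\n"
    "\tTue, 05 Mar 2024 10:17:42 +0000\n"
    "Received: from relay.sender.example ([198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTPS id def456;\n"
    "\tTue, 05 Mar 2024 10:17:40 +0000\n"
    "Received: from [192.0.2.55] (client.sender.example [192.0.2.55])\n"
    "\tby relay.sender.example with ESMTPSA id ghi789;\n"
    "\tTue, 05 Mar 2024 11:02:31 +0100\n"
    "Date: Tue, 05 Mar 2024 11:02:30 +0100\n"
    "From: Alice <alice@sender.example>\n\nbody\n"
)

def trace_hops(raw):
    """Return Received hops oldest-first with the delay (seconds) since the previous hop."""
    msg = message_from_string(raw)
    hops, prev = [], None
    for value in reversed(msg.get_all("Received", [])):  # headers are stored newest-first
        info, sep, stamp = value.rpartition(";")
        if not sep:                      # malformed hop without a timestamp part
            info, stamp = value, ""
        try:
            when = parsedate_to_datetime(stamp.strip())
            if when.tzinfo is None:      # "-0000" parses as naive; treat it as UTC
                when = when.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            when = None
        by = re.search(r"\bby\s+(\S+)", " ".join(info.split()))
        delay = (when - prev).total_seconds() if when and prev else None
        hops.append({"by": by.group(1) if by else None, "time": when, "delay": delay})
        prev = when or prev
    return hops

def slow_hops(hops, threshold=60):
    """Hops slower than the threshold; negative delays (clock skew or forged stamps) too."""
    return [h for h in hops if h["delay"] is not None
            and (h["delay"] > threshold or h["delay"] < 0)]
```

Timestamps are normalized across time zones before subtraction, so the `+0100` hop compares correctly with the `+0000` hops. Only the hops recorded by servers you trust are reliable; Received lines below them are supplied by the sending side.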