Email Header Analyzer
Paste raw email headers to trace every hop, check SPF, DKIM, and DMARC results, and spot spoofed senders — free, right in your browser.
100% private: parsing happens locally in your browser. Headers are never uploaded, logged, or stored.
What is an email header analyzer?
An email header analyzer decodes the hidden metadata attached to every email: the chain of servers it passed through, the timestamps and delays at each hop, and the SPF, DKIM, and DMARC verdicts recorded by the receiving server. Raw headers are hard to read — folded lines, reversed order, and cryptic tags — so the analyzer turns them into a hop-by-hop delivery table, an authentication summary, and a sender alignment check. Use it to trace where a slow email got stuck, verify whether a message really came from the domain it claims, and gather evidence when you suspect phishing or spoofing.
Email authentication knowledge base
The header fields you’ll meet in every raw email, explained.
- Received
- The delivery trail. Every mail server that handles the message prepends its own Received line, so reading them bottom-up traces the path from the origin server to your inbox — including hostnames, IPs, and timestamps for each hop.
- Authentication-Results
- Added by the receiving mail server to record its SPF, DKIM, and DMARC verdicts (RFC 8601). This is the header an analyzer reads to tell you whether the message passed authentication and for which domains.
- From
- The visible sender shown in your mail client. It’s trivial to forge, which is exactly why DMARC exists: DMARC checks that the domains SPF and DKIM validated align with this From domain.
- Return-Path
- The envelope sender (RFC5321.MailFrom) where bounces are sent, stamped by the receiving server. SPF is evaluated against this domain — if it doesn’t align with the From domain, an SPF pass won’t help the message pass DMARC.
- Reply-To
- Where replies go when it differs from the From address. Legitimate for shared inboxes and newsletters, but a Reply-To pointing at an unrelated domain is a classic phishing tell.
- Message-ID
- A globally unique identifier assigned when the message is created, usually ending in the sending domain. Missing, duplicate, or mismatched Message-IDs are a spam and spoofing signal.
- DKIM-Signature
- The cryptographic signature the sending domain attaches to the message. It names the signing domain (d=) and selector (s=) used to fetch the public key from DNS, letting receivers verify the message wasn’t altered in transit.
- Received-SPF
- An older per-hop record of the SPF check result, including the client IP that was evaluated. Useful as a fallback when there’s no Authentication-Results header.
- ARC-Seal
- Part of ARC (Authenticated Received Chain). Forwarders and mailing lists use ARC headers to preserve the original authentication results, so a receiver can still trust a message whose SPF/DKIM broke in forwarding.
- X-Mailer
- The software that composed the message (e.g. Outlook, a CRM, a bulk sender). Optional and easily faked, but handy for spotting mail that claims to be personal yet was sent by automation.
- List-Unsubscribe
- The machine-readable unsubscribe method (mailto: and/or URL) that powers the one-click unsubscribe button. Gmail and Yahoo require it for bulk senders.