> EMAIL HEADER ANALYZER_

[ Trace delivery path | SPF/DKIM/DMARC | Detect spoofing | Runs in browser ]

// All processing happens locally in your browser. Headers are never sent to our servers.

// How to Get Email Headers

Gmail: Open email → click ⋮ (three dots) → "Show original" → "Copy to clipboard"

Outlook Web: Open email → click ⋯ → "View message source" → copy all text

Apple Mail: View menu → Message → All Headers — then select all text

Thunderbird: View → Headers → All — or press Ctrl+U for full source

Frequently Asked Questions

What is the "originating IP" in email headers?

The originating IP is the address of the mail server or device that first submitted the email into the delivery chain. In legitimate email, this is typically the outgoing mail server of the sender's email provider. In spoofed or phishing email, you may instead see an IP that has no relationship to the sender's claimed domain. Cross-reference the originating IP against the claimed domain's SPF record: if the IP is not listed, the email was sent from a server that domain has not authorised (forwarding can also produce this, so read the result together with DKIM).

What does "SPF softfail" mean?

SPF softfail (~all) means the sending IP is not listed in the domain's SPF record, but the domain owner used a lenient policy that says "accept but mark it." This is weaker than hardfail (-all) which tells receivers to reject the message outright. A softfail may indicate: a legitimate but misconfigured mail server (e.g., a forgotten mail relay), a forwarded email, or a spoofed message. Email receivers typically accept softfails but may apply a spam score penalty.

Can email headers be forged?

Yes. The From: and Reply-To: headers are set by the sender, and a sender can also insert fake Received: headers below the genuine ones. The most reliable headers are those added by your receiving mail server (your inbox provider), which appear at the top of the Received chain; the sender cannot forge them because they are written by a server you trust after the message has left the sender's control. DKIM signatures add cryptographic verification of the sending domain: if DKIM passes, the signed headers (including From) and the body are unchanged since the signing domain (the d= value) signed them.

What is DKIM and why does it matter?

DKIM (DomainKeys Identified Mail) is a cryptographic authentication method. The sending mail server signs the email with a private key, and the receiving server verifies the signature using a public key published in the sender's DNS records. A DKIM pass means the email content and the From domain have not been tampered with in transit. A DKIM fail or missing signature doesn't always mean phishing, but combined with SPF failures and suspicious originating IPs, it strongly suggests spoofing.

What do the delays in the delivery chain mean?

Each Received: header includes a timestamp. The difference between consecutive timestamps is the delay at that hop. A 1–5 second delay is normal server processing. Delays of minutes or hours at a specific hop usually indicate: a greylisting policy (deliberate delay for unknown senders), a congested or overloaded mail server, DNS lookup failures, or deliberate throttling by a spam filter. Unusually high delays early in the chain (at the sender's server) can indicate a misconfigured or low-reputation sending server.

How do I get my email headers in Gmail, Outlook, and Apple Mail?

Gmail: Open the email, click the three-dot menu (⋮), select "Show original" — copy the full source. Outlook (web): Open the email, click the three-dot menu, select "View > View message source". Outlook (desktop): Open the email, go to File > Properties — the headers appear in the "Internet headers" box. Apple Mail: Open the email, go to View > Message > All Headers. Thunderbird: View > Headers > All, or press Ctrl+U for full source.

Understanding Email Headers

Every email you receive contains a set of metadata lines called headers. While the email body is what you see in your inbox, headers record the complete technical story of how the message traveled from the sender's device to your inbox — including every mail server it passed through, timestamps, authentication checks, and information about the sender's mail software.

Headers are written in reverse chronological order: the most recent hop (your inbox server) is at the top, and the oldest hop (the sender's mail server) is at the bottom. This can be confusing at first, but it's the standard format across all email systems.

Key Email Header Fields

Received Headers (The Delivery Chain)

Each mail server that handles your email adds a "Received" header. By reading them from bottom to top, you can trace the exact path the email took. Each Received header contains:

The time difference between consecutive Received headers tells you how long each server took to process the email. Delays over 5 minutes may indicate spam filtering, greylisting, or a congested server.
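The following is an added JavaScript example, not the analyzer's own code, showing how the delivery chain and per-hop delays described above can be reconstructed: it unfolds the raw headers, walks the Received: headers from the bottom (oldest) up, and flags any hop whose delay exceeds the five-minute rule of thumb. The hostnames, IPs and timestamps in SAMPLE_HEADERS are constructed for the demonstration.

```javascript
// Added example, not the analyzer's own code: rebuild the delivery chain from
// the Received: headers and compute the delay introduced at each hop.
// Hostnames, IPs and timestamps in SAMPLE_HEADERS are constructed.

// Split a raw header block into {name, value} pairs, joining folded
// continuation lines (lines that start with whitespace) onto the previous field.
function parseHeaders(raw) {
  const fields = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === "") break;                      // blank line ends the header block
    if (/^[ \t]/.test(line) && fields.length) {
      fields[fields.length - 1].value += " " + line.trim();
      continue;
    }
    const sep = line.indexOf(":");
    if (sep > 0) {
      fields.push({ name: line.slice(0, sep).trim().toLowerCase(), value: line.slice(sep + 1).trim() });
    }
  }
  return fields;
}

const MONTHS = { jan: 0, feb: 1, mar: 2, apr: 3, may: 4, jun: 5, jul: 6, aug: 7, sep: 8, oct: 9, nov: 10, dec: 11 };

// Parse an RFC 5322 date ("Mon, 03 Jun 2024 10:22:10 +0000") into a UTC epoch
// in milliseconds. Numeric zones are applied; "GMT"/"UT" mean UTC; any other
// zone name is ignored and read as UTC. Returns NaN if no date is found.
function parseRfc5322Date(text) {
  const m = text.match(/(\d{1,2})\s+([A-Za-z]{3})\s+(\d{4})\s+(\d{2}):(\d{2})(?::(\d{2}))?\s*([+-]\d{4}|GMT|UT)?/);
  if (!m || MONTHS[m[2].toLowerCase()] === undefined) return NaN;
  let ms = Date.UTC(+m[3], MONTHS[m[2].toLowerCase()], +m[1], +m[4], +m[5], +(m[6] || 0));
  const zone = m[7] || "+0000";
  if (/^[+-]\d{4}$/.test(zone)) {
    // "+0200" means the local clock is two hours ahead of UTC, so subtract it
    const sign = zone[0] === "-" ? -1 : 1;
    const offsetMs = (Number(zone.slice(1, 3)) * 60 + Number(zone.slice(3, 5))) * 60000;
    ms -= sign * offsetMs;
  }
  return ms;
}

// A Received: value ends with ";" and the date the server stamped the header.
// "from X" names the peer the server accepted the message from, "by Y" the
// server that wrote the header.
function parseReceived(value) {
  const semi = value.lastIndexOf(";");
  const stamp = semi >= 0 ? parseRfc5322Date(value.slice(semi + 1)) : NaN;
  const from = (value.match(/\bfrom\s+(\S+)/i) || [])[1] || "?";
  const by = (value.match(/\bby\s+(\S+)/i) || [])[1] || "?";
  return { from, by, stamp };
}

// Received: headers are stacked newest-first, so reverse them to walk the path
// from the sender's server to the inbox. The delay at a hop is its timestamp
// minus the previous (older) hop's timestamp; anything over the threshold is
// flagged, matching the "over 5 minutes" rule of thumb.
function traceDeliveryPath(raw, slowThresholdSec = 300) {
  const hops = parseHeaders(raw)
    .filter((f) => f.name === "received")
    .map((f) => parseReceived(f.value))
    .reverse();
  return hops.map((hop, i) => {
    const prev = hops[i - 1];
    const delaySec = prev && !isNaN(hop.stamp) && !isNaN(prev.stamp)
      ? Math.round((hop.stamp - prev.stamp) / 1000)
      : 0;
    return { hop: i + 1, from: hop.from, by: hop.by, delaySec, slow: delaySec > slowThresholdSec };
  });
}

// Constructed sample: three hops, with a 12-minute stall at the inbox
// provider's edge server (the kind of delay greylisting or spam filtering causes).
const SAMPLE_HEADERS = [
  "Received: from mx-edge.inbox.example (mx-edge.inbox.example [203.0.113.7])",
  "\tby mail.inbox.example with ESMTPS id abc123;",
  "\tMon, 03 Jun 2024 10:22:10 +0000",
  "Received: from smtp-out.sender.example ([198.51.100.42])",
  "\tby mx-edge.inbox.example with ESMTP;",
  "\tMon, 03 Jun 2024 10:10:07 +0000",
  "Received: from laptop.local (unknown [192.0.2.55])",
  "\tby smtp-out.sender.example with ESMTPSA;",
  "\tMon, 03 Jun 2024 10:10:05 +0000",
  "From: Support <support@sender.example>",
  "Subject: Hello",
  "",
  "body text",
].join("\r\n");

for (const h of traceDeliveryPath(SAMPLE_HEADERS)) {
  console.log(`hop ${h.hop}: ${h.from} -> ${h.by}  +${h.delaySec}s${h.slow ? "  SLOW" : ""}`);
}
```

The date parser is hand-written rather than relying on `new Date(string)` because engines differ in how loosely they parse header dates; a NaN timestamp (a hop with no usable date) simply yields a delay of 0 rather than a bogus number.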

From vs. Return-Path vs. Reply-To

These three fields often confuse users — they serve distinct purposes:

Message-ID

A globally unique identifier assigned by the sending mail server. Format: <random-string@sending-domain.com>. The domain in the Message-ID should match the sending domain. A mismatch is a minor red flag, though not definitive proof of spoofing.

Email Authentication: SPF, DKIM, and DMARC

SPF (Sender Policy Framework)

SPF lets a domain specify which IP addresses are authorised to send email on its behalf. The receiving server looks up the sender domain's SPF DNS record and checks whether the sending server IP is listed.

Received-SPF: pass (google.com: domain of support@example.com
  designates 198.51.100.42 as permitted sender)
  client-ip=198.51.100.42;

// "pass" = authorized | "fail" = not authorized | "softfail" = ~all used

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to the email. The sending server signs the email with a private key; the receiving server retrieves the public key from the sender's DNS and verifies the signature. A valid DKIM signature proves the email body and headers haven't been tampered with in transit.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=google; h=from:to:subject:date...
  bh=base64hash=; b=signature...

// d= is the signing domain | s= is the selector for DNS lookup

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC builds on top of SPF and DKIM. The domain's DMARC policy tells receiving servers what to do with a message that fails DMARC (none/quarantine/reject) and gives the domain owner a way to receive authentication reports. DMARC also enforces "alignment": the From domain must match the domain that SPF validated (the Return-Path domain) or the DKIM signing domain (d=), and a message passes DMARC when at least one of the two passes in alignment.

Authentication-Results: mx.google.com;
  dkim=pass header.i=@example.com;
  spf=pass smtp.mailfrom=example.com;
  dmarc=pass (p=REJECT) header.from=example.com

// All three pass = legitimate email from example.com

Spotting Phishing & Spoofed Emails

Email header analysis is one of the most reliable ways to detect phishing. Look for these red flags:

  1. From domain doesn't match Reply-To domain — Common phishing technique to get replies to an attacker-controlled address
  2. SPF fail + legitimate-looking From address — Sending server IP not in SPF, but display name looks trusted
  3. No DKIM signature from a major sender — Gmail, Outlook and large companies sign all their mail with DKIM, so a missing signature from one of them is suspicious
  4. Unusual routing path — Email from "amazon.com" passing through Russian or Eastern European mail servers
  5. Message-ID domain doesn't match From domain — e.g., From: support@amazon.com but Message-ID: @mailout123.info
  6. X-Originating-IP in unexpected geography — Sender claims to be a US company but originating IP geolocates to another country
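As an added JavaScript example (not the analyzer's own code), the block below ties together the Authentication-Results and DKIM-Signature sections above with the red-flag list: it reads the SPF/DKIM/DMARC results a receiving server recorded, checks DMARC alignment of the From: domain, derives the DNS name of the DKIM public key from the d= and s= tags, and runs the header-level checks (Reply-To mismatch, SPF failure, missing DKIM, Message-ID domain mismatch) over two constructed header sets. The domains, addresses and signature values in LEGIT_HEADERS and PHISHING_HEADERS are constructed, and the organisational-domain logic is a deliberate simplification that is stated in the code.

```javascript
// Added example, not the analyzer's own code: read Authentication-Results and
// DKIM-Signature, check DMARC alignment of the From: domain, and run the
// header-level red-flag checks from the list above. All sample values are constructed.

// Fetch one header by name, joining folded continuation lines onto one line.
function getHeader(raw, name) {
  const re = new RegExp("^" + name + ":[ \\t]*(.*(?:\\r?\\n[ \\t].*)*)", "im");
  const m = raw.match(re);
  return m ? m[1].replace(/\r?\n[ \t]+/g, " ").trim() : "";
}

// Domain part of an address ("Name <user@host>", "user@host" or "@host").
function domainOf(addr) {
  const m = String(addr || "").match(/@([A-Za-z0-9.-]+)/);
  return m ? m[1].toLowerCase() : "";
}

// Organisational domain, simplified to the last two labels. Real DMARC
// implementations consult the Public Suffix List (co.uk etc.); this is an assumption.
function orgDomain(domain) {
  return domain.split(".").slice(-2).join(".");
}

// DMARC alignment: strict needs an exact match, relaxed (the default) only the
// same organisational domain.
function aligned(a, b, mode = "relaxed") {
  if (!a || !b) return false;
  return mode === "strict" ? a === b : orgDomain(a) === orgDomain(b);
}

// Authentication-Results: "<authserv-id>; method=result prop=value ...; ..."
function parseAuthResults(value) {
  const parts = value.split(";").map((s) => s.trim()).filter(Boolean);
  const out = { authserv: parts.shift() || "", spf: null, dkim: null, dmarc: null };
  for (const part of parts) {
    const m = part.match(/^(spf|dkim|dmarc)=([a-z]+)/i);
    if (!m) continue;                         // other methods (arc, iprev, ...) not needed here
    const props = {};
    for (const kv of part.matchAll(/([\w.]+)=([^\s()]+)/g)) {
      if (kv[1].toLowerCase() !== m[1].toLowerCase()) props[kv[1].toLowerCase()] = kv[2];
    }
    out[m[1].toLowerCase()] = { result: m[2].toLowerCase(), props };
  }
  return out;
}

// DKIM-Signature tags: d= is the signing domain and s= the selector; the
// public key is published at the TXT record "<s>._domainkey.<d>".
function parseDkimSignature(value) {
  const tags = {};
  for (const tag of value.split(";")) {
    const eq = tag.indexOf("=");
    if (eq > 0) tags[tag.slice(0, eq).trim()] = tag.slice(eq + 1).trim();
  }
  if (!tags.d) return null;
  const d = tags.d.toLowerCase();
  return { d, s: tags.s || "", dnsName: `${tags.s || ""}._domainkey.${d}` };
}

function analyzeHeaders(raw) {
  const fromDom = domainOf(getHeader(raw, "From"));
  const replyDom = domainOf(getHeader(raw, "Reply-To"));
  const msgidDom = domainOf(getHeader(raw, "Message-ID"));
  const ar = parseAuthResults(getHeader(raw, "Authentication-Results"));
  const sig = parseDkimSignature(getHeader(raw, "DKIM-Signature"));
  const mailfrom = ar.spf ? ar.spf.props["smtp.mailfrom"] || "" : "";
  const spfDom = mailfrom.includes("@") ? domainOf(mailfrom) : mailfrom.toLowerCase();
  // DKIM domain: prefer header.d recorded by the verifier, else header.i, else the signature's d=
  const dkimDom = ar.dkim
    ? (ar.dkim.props["header.d"] || domainOf(ar.dkim.props["header.i"]) || (sig && sig.d) || "").toLowerCase()
    : "";
  const spfAligned = !!ar.spf && ar.spf.result === "pass" && aligned(spfDom, fromDom);
  const dkimAligned = !!ar.dkim && ar.dkim.result === "pass" && aligned(dkimDom, fromDom);
  const flags = [];
  if (replyDom && replyDom !== fromDom) flags.push(`Reply-To domain ${replyDom} differs from From domain ${fromDom}`);
  if (ar.spf && ar.spf.result !== "pass") flags.push(`SPF ${ar.spf.result} for ${spfDom || fromDom}`);
  if (!ar.dkim) flags.push("no DKIM result recorded by the receiving server");
  if (msgidDom && !aligned(msgidDom, fromDom)) flags.push(`Message-ID domain ${msgidDom} does not match From domain ${fromDom}`);
  return { fromDom, replyDom, msgidDom, dkimDnsName: sig ? sig.dnsName : "", spfAligned, dkimAligned, dmarcPass: spfAligned || dkimAligned, flags };
}

// Constructed sample 1: all three checks pass and every domain aligns.
const LEGIT_HEADERS = [
  "Authentication-Results: mx.inbox.example;",
  "  dkim=pass header.i=@example.com;",
  "  spf=pass smtp.mailfrom=example.com;",
  "  dmarc=pass (p=REJECT) header.from=example.com",
  "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;",
  "  d=example.com; s=google; h=from:to:subject:date;",
  "  bh=c29tZWJvZHloYXNo=; b=c29tZXNpZ25hdHVyZQ==",
  "From: Support <support@example.com>",
  "Message-ID: <abc123@mail.example.com>",
].join("\n");

// Constructed sample 2: trusted-looking From, but Reply-To, Message-ID and the
// sending server all point elsewhere and no DKIM signature was verified.
const PHISHING_HEADERS = [
  "Authentication-Results: mx.inbox.example;",
  "  spf=fail (sender IP not authorised) smtp.mailfrom=bank.example;",
  "  dmarc=fail (p=NONE) header.from=bank.example",
  'From: "Bank Support" <support@bank.example>',
  "Reply-To: <helpdesk@webmail-free.example>",
  "Message-ID: <8f2a1c@mailout123.example.net>",
].join("\n");

for (const [label, raw] of [["legitimate", LEGIT_HEADERS], ["suspicious", PHISHING_HEADERS]]) {
  const r = analyzeHeaders(raw);
  console.log(`${label}: DMARC ${r.dmarcPass ? "pass" : "fail"}; flags: ${r.flags.length ? r.flags.join(" | ") : "none"}`);
}
```

The Authentication-Results header is trusted only because the authserv-id (mx.inbox.example here) is your own provider; the same header lower in the chain could have been planted by the sender, which is why the routine reads it with `getHeader`, taking the topmost occurrence.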