Email Header Analyzer
Paste raw email headers to inspect delivery path, SPF/DKIM/DMARC alignment, and threat indicators.
Use Email Header Analyzer in 4 Steps
What is an Email Header Analyzer?
Every email carries a set of invisible metadata fields called headers. These headers record the full routing path the message took from the sender's mail server to your inbox, the authentication results for SPF, DKIM, and DMARC, the sending client and IP address, and timestamps at each hop.
An email header analyzer parses this raw text and presents it in a human-readable format so you can quickly identify delivery delays, authentication failures, spam signals, and routing anomalies — without manually parsing dozens of cryptic lines.
This tool is commonly used during deliverability incidents (why did this message land in spam?), security investigations (is this a phishing email?), and infrastructure migrations (are outgoing messages authenticating correctly after switching providers?).
How to Copy Email Headers
The steps differ by client. Below are instructions for the three most common mail clients:
- 1. Open the message
- 2. Click ⋮ (three-dot menu)
- 3. Select Show original
- 4. Click Copy to clipboard
- 1. Open the message
- 2. Go to File → Properties
- 3. Find Internet headers box
- 4. Select all text and copy
- 1. Open the message
- 2. Go to View → Message
- 3. Select Raw Source
- 4. Copy all text above the blank line
Key Email Header Fields Reference
The table below covers the headers you should inspect first when diagnosing a delivery or authentication issue:
| Header | What it shows | Why it matters |
|---|---|---|
| Authentication-Results | SPF, DKIM, DMARC pass/fail per hop | First place to check for auth failures |
| Received-SPF | SPF result from the receiving server | Indicates whether the sending IP is authorised |
| DKIM-Signature | Cryptographic signature added by sender's server | Shows which domain signed and which selector was used |
| Received | Each server that relayed the message + timestamp | Read bottom-up to trace delivery path and delays |
| Return-Path | Envelope sender address (where bounces go) | Should match sending domain for SPF alignment |
| X-Spam-Status | Spam score assigned by the receiving MTA | Explains why a message was flagged or blocked |
| Message-ID | Unique identifier assigned by the sending server | Use to correlate with provider logs |
| X-Originating-IP | Client IP address that submitted the message | Helps identify webmail vs desktop submission |
How to Read Authentication-Results
The Authentication-Results header is the most important header for deliverability diagnostics. It is added by the receiving mail server and summarises all authentication checks in one place.
If any of the three checks shows fail or softfail, that is your starting point for debugging. Use the SPF Checker, DKIM Checker, or DMARC Checker tools to diagnose the root cause.
How to Trace Delivery Hops
Received headers are stacked in reverse chronological order — each server prepends its own line at the top. To read the delivery path in forward order, start from the bottom Received header (the originating submission server) and work upward.
- Each hop adds one Received line with the sending and receiving server names and a timestamp.
- Time difference between hops shows queue or processing delay at that server.
- Large gaps (30+ minutes) usually indicate greylisting, rate limiting, or a delivery retry after a temporary failure.
- Unexpected hops (unfamiliar hostnames) may indicate a relay you did not intend or a compromised outbound path.
Common Authentication Issues Found in Headers
| Symptom in headers | Likely cause | Fix |
|---|---|---|
spf=fail | Sending IP not in SPF record | Add the IP or include: entry to the SPF record |
dkim=fail | Signature mismatch or missing DKIM key in DNS | Re-publish DKIM record or re-configure signing key |
dmarc=fail | Neither SPF nor DKIM align to From: domain | Fix SPF/DKIM alignment; check DMARC policy |
spf=softfail | ~all qualifier — IP not listed but not hard-failing | Add missing senders, then change to -all when ready |
dkim=permerror | Malformed DKIM signature or missing p= key | Check DKIM record syntax with DKIM Checker |
Frequently Asked Questions
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.