HomeEmail ToolsEmail Header Analyzer
Email Tool

Email Header Analyzer

Paste raw email headers to inspect delivery path, SPF/DKIM/DMARC alignment, and threat indicators.

What it parses
SPF · DKIM · DMARC · Routing
Auth results and delivery hops from raw header text.
Input
Paste raw headers
From Gmail "Show original", Outlook Properties, or Apple Mail Raw Source.
Email Header Analyzer — Start Here
Waiting for input
Enter input and press Check
How to Use

Use Email Header Analyzer in 4 Steps

01
Open the raw message
In Gmail: three-dot menu → Show original. In Outlook: File → Properties → Internet headers. In Apple Mail: View → Message → Raw Source.
02
Copy the headers
Copy all lines above the first blank line (before the email body). Include every line from the top through the last header field.
03
Paste and analyse
Paste the raw headers into the tool. It parses authentication results, routing hops, and timestamps instantly.
04
Trace and fix
Read Received headers bottom-up to trace the delivery path. Check Authentication-Results for SPF/DKIM/DMARC pass or fail.

What is an Email Header Analyzer?

Every email carries a set of invisible metadata fields called headers. These headers record the full routing path the message took from the sender's mail server to your inbox, the authentication results for SPF, DKIM, and DMARC, the sending client and IP address, and timestamps at each hop.

An email header analyzer parses this raw text and presents it in a human-readable format so you can quickly identify delivery delays, authentication failures, spam signals, and routing anomalies — without manually parsing dozens of cryptic lines.

This tool is commonly used during deliverability incidents (why did this message land in spam?), security investigations (is this a phishing email?), and infrastructure migrations (are outgoing messages authenticating correctly after switching providers?).

How to Copy Email Headers

The steps differ by client. Below are instructions for the three most common mail clients:

Gmail
  1. 1. Open the message
  2. 2. Click ⋮ (three-dot menu)
  3. 3. Select Show original
  4. 4. Click Copy to clipboard
Outlook
  1. 1. Open the message
  2. 2. Go to File → Properties
  3. 3. Find Internet headers box
  4. 4. Select all text and copy
Apple Mail
  1. 1. Open the message
  2. 2. Go to View → Message
  3. 3. Select Raw Source
  4. 4. Copy all text above the blank line

Key Email Header Fields Reference

The table below covers the headers you should inspect first when diagnosing a delivery or authentication issue:

HeaderWhat it showsWhy it matters
Authentication-ResultsSPF, DKIM, DMARC pass/fail per hopFirst place to check for auth failures
Received-SPFSPF result from the receiving serverIndicates whether the sending IP is authorised
DKIM-SignatureCryptographic signature added by sender's serverShows which domain signed and which selector was used
ReceivedEach server that relayed the message + timestampRead bottom-up to trace delivery path and delays
Return-PathEnvelope sender address (where bounces go)Should match sending domain for SPF alignment
X-Spam-StatusSpam score assigned by the receiving MTAExplains why a message was flagged or blocked
Message-IDUnique identifier assigned by the sending serverUse to correlate with provider logs
X-Originating-IPClient IP address that submitted the messageHelps identify webmail vs desktop submission

How to Read Authentication-Results

The Authentication-Results header is the most important header for deliverability diagnostics. It is added by the receiving mail server and summarises all authentication checks in one place.

# Example Authentication-Results header (fully passing)
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of sender@example.com
designates 198.51.100.10 as permitted sender)
smtp.mailfrom=sender@example.com;
dkim=pass header.i=@example.com header.s=google;
dmarc=pass (p=QUARANTINE sp=NONE dis=NONE)
header.from=example.com

If any of the three checks shows fail or softfail, that is your starting point for debugging. Use the SPF Checker, DKIM Checker, or DMARC Checker tools to diagnose the root cause.

How to Trace Delivery Hops

Received headers are stacked in reverse chronological order — each server prepends its own line at the top. To read the delivery path in forward order, start from the bottom Received header (the originating submission server) and work upward.

  • Each hop adds one Received line with the sending and receiving server names and a timestamp.
  • Time difference between hops shows queue or processing delay at that server.
  • Large gaps (30+ minutes) usually indicate greylisting, rate limiting, or a delivery retry after a temporary failure.
  • Unexpected hops (unfamiliar hostnames) may indicate a relay you did not intend or a compromised outbound path.

Common Authentication Issues Found in Headers

Symptom in headersLikely causeFix
spf=failSending IP not in SPF recordAdd the IP or include: entry to the SPF record
dkim=failSignature mismatch or missing DKIM key in DNSRe-publish DKIM record or re-configure signing key
dmarc=failNeither SPF nor DKIM align to From: domainFix SPF/DKIM alignment; check DMARC policy
spf=softfail~all qualifier — IP not listed but not hard-failingAdd missing senders, then change to -all when ready
dkim=permerrorMalformed DKIM signature or missing p= keyCheck DKIM record syntax with DKIM Checker

Frequently Asked Questions

What are email headers and what do they contain?
Email headers are lines of metadata prepended to every message before the body. They record the routing path (each mail server that handled the message), timestamps, the sending client, authentication results (SPF, DKIM, DMARC), and message identifiers. Headers are written by each server as the message passes through and are never visible to end users by default.
How do I copy email headers in Gmail?
Open the message in Gmail, click the three-dot menu in the top-right of the email, and select "Show original". A new tab opens with the full raw message including all headers. Copy everything above the first blank line (before the message body). You can also click "Copy to clipboard" on that page.
How do I copy email headers in Outlook?
Open the message in Outlook, go to File → Properties. The "Internet headers" box at the bottom shows all raw headers. Select all text in that box and copy it. In Outlook on the web, open the message, click the three-dot menu, select "View → View message source" or "Message source" depending on version.
How do I copy email headers in Apple Mail?
Open the message in Apple Mail, then go to View → Message → All Headers (or press Shift+Command+H). All header fields become visible. To copy the raw headers, use View → Message → Raw Source, which opens the complete unrendered message source.
What does the Authentication-Results header tell me?
The Authentication-Results header is added by the receiving mail server and summarises the outcome of SPF, DKIM, and DMARC checks. Look for spf=pass, dkim=pass, and dmarc=pass for a fully authenticated message. A dkim=fail or spf=softfail indicates a potential misconfiguration or a forwarded message that broke authentication.
What does "Received-SPF: fail" in headers mean?
Received-SPF: fail means the sending IP address is not authorised by the domain's SPF record. This can indicate a spoofed message, a sending service that has not been added to the SPF record, or a misconfigured mail relay. Use the SPF Checker to inspect the sender's SPF record and confirm whether the IP should be authorised.
Why do some headers show different timestamps?
Each Received header is stamped by a different mail server as the message travels from sender to recipient. Time differences between hops are normal and represent queueing and processing time. A large gap (hours) at a specific hop usually points to a slow or overloaded relay, greylisting, or a delivery retry.
How can I trace the routing path of an email?
Read the Received headers from the bottom up — the earliest hop is at the bottom, the most recent is at the top. Each Received line shows the server that handed off the message and the one that received it, along with a timestamp. This path lets you identify exactly which server in the chain introduced a delay or authentication failure.
Auth Results Quick Read
spf=passSending IP authorised
dkim=passSignature verified
dmarc=passAlignment confirmed
Any failInvestigate immediately
Reading Order
• Check Authentication-Results first
• Read Received headers bottom-up
• Note timestamps between hops
• Verify Return-Path matches From
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.