What Is an Email Header?
An email header is a block of structured text that precedes the message body. Per RFC 5322 §2.1, every Internet mail message consists of a header section and an optional body, separated by a blank line. The header contains fields — name-colon-value pairs — that record the message's origin, routing path, recipient addresses, authentication results, and delivery timestamps.
Email clients hide this block by default because it is not intended for human reading in its raw form. A typical header runs 30–80 lines for a simple transactional message and over 100 lines for a message that passed through multiple security gateways. The information is machine-written as the message transits each mail server; by the time it arrives in an inbox, the header is a complete audit trail of exactly what happened to that message.
Two rules apply before you read any header:
- Headers accumulate from bottom to top. The sending server writes the first
Received:line. Every subsequent server prepends its ownReceived:entry. To follow the message path from origin to destination, read theReceived:lines starting from the bottom of the header and working upward. - The
From:address users see is not the same as the envelope sender. The displayFrom:field (defined in RFC 5322 §3.6.2) can contain any text — it is what your email client displays as the sender name. The actual SMTP envelope sender used during mail delivery is recorded in theReturn-Path:field, and that is what SPF validates against. These two values can be completely different domains.
ℹ️ Note: Phishing emails exploit the gap between the display
From:and the actualReturn-Path:. An email header analyzer surfaces this mismatch immediately, which is why it is the first tool security teams reach for when investigating a suspicious message.
Email Header Fields: Every Field Explained
The table below covers every significant field you will encounter in a standard header. Authentication-related fields are defined by their governing RFCs.
| Field | RFC / Source | What It Contains |
|---|---|---|
From: | RFC 5322 §3.6.2 | Display sender address — what the user sees. Can be forged. |
To: | RFC 5322 §3.6.3 | Primary recipient address(es). |
Subject: | RFC 5322 §3.6.5 | Message subject line. |
Date: | RFC 5322 §3.6.1 | Timestamp set by the sending client. Not verified by receivers. |
Message-ID: | RFC 5322 §3.6.4 | Globally unique identifier for this message, in the form <id@domain>. |
Received: | RFC 5321 §4.4 | One entry per server hop, prepended by each MTA. Read bottom-to-top. |
Return-Path: | RFC 5321 §4.4 | Envelope sender (MAIL FROM address). Used by SPF for domain verification. |
DKIM-Signature: | RFC 6376 | Cryptographic signature added by the sending server. Verified against the public key published in the sender's DNS. |
Authentication-Results: | RFC 8601 | SPF, DKIM, and DMARC verdicts stamped by the receiving server. |
Received-SPF: | RFC 7208 §9.1 | SPF check result with the evaluated IP address and domain. |
X-Spam-Status: | MTA-specific | Spam filter verdict (Yes/No) and score. Format varies by mail server software. |
X-Originating-IP: | Non-standard | The client IP that connected to the sending MTA, when the server includes it. |
The single most diagnostic field is Authentication-Results:. It is added by the receiving mail server — not by the sender — so it cannot be forged. It records the definitive SPF, DKIM, and DMARC verdicts for the message as the receiving infrastructure evaluated them.
How to Copy Email Headers from Gmail, Outlook, and Apple Mail
This is the step where most users get stuck. Email clients bury the raw header behind non-obvious menus. The exact steps below are current as of 2026.
Gmail
-
Open the message you want to inspect.
-
Click the three-dot menu (⋮) at the top-right corner of the message pane — to the right of the reply arrow, not the top-of-page toolbar.
-
Select "Show original." Gmail opens a new browser tab showing the full, unprocessed message source including all headers and the body.
-
Click "Copy to clipboard" at the top of that tab. Gmail copies the complete raw text.
💡 Tip: The "Show original" tab in Gmail shows a summary row at the top that lists SPF, DKIM, and DMARC results directly. If all three show "PASS," the message is authenticated. You can then narrow your investigation to spam scoring or content issues rather than authentication.
Outlook — Desktop Application (Windows)
-
Double-click the message to open it in its own window. The reading pane does not expose the header option — the separate window is required.
-
Click File in the ribbon, then click Properties.
-
The "Internet headers" box at the bottom of the Properties dialog contains the complete raw header text.
-
Click inside the box, press Ctrl+A to select all, then Ctrl+C to copy.
Outlook — Web (OWA / Microsoft 365)
-
Open the message. Click the three-dot menu (⋯) at the top-right of the reading pane.
-
Select "View message details." A dialog opens with the full header block.
-
Copy the entire contents of the text area.
Apple Mail (macOS)
-
Click to select the message in your inbox (do not open it in a separate window).
-
From the menu bar, choose View → Message → All Headers.
-
The raw header block appears above the message body in the reading pane. Select all and copy.
ℹ️ Note: Mobile email clients — iOS Mail, Gmail for Android — do not expose raw headers through their standard UI. To inspect a message received on mobile, forward it to yourself and view it via a desktop client, or open Gmail in a full desktop browser session.
How to Use the Email Header Analyzer
With the raw header copied, the analysis itself takes under 30 seconds.
-
Open the Email Header Analyzer. No account or login is required.
-
Paste the complete header text into the input field. Include everything from the first
Received:line through theSubject:andMessage-ID:fields. Do not paste the message body — only the header block. -
Click Analyze. The tool parses the header according to RFC 5322 and RFC 8601 and returns structured results in under a second.
-
Review the results panel. The analyzer surfaces:
- Authentication results — SPF, DKIM, and DMARC pass/fail for this specific message, extracted from the
Authentication-Results:field. - Originating IP address — pulled from the bottom-most
Received:line, which is stamped by the first receiving server and cannot be forged. - Hop trace — every mail server the message passed through, listed in chronological order with timestamps.
- Total delivery time — calculated from the earliest to latest timestamp in the
Received:chain. - Spam verdict — extracted from
X-Spam-Status:or equivalent if present in the header.
- Authentication results — SPF, DKIM, and DMARC pass/fail for this specific message, extracted from the
The tool flags anomalies inline: authentication failures display in red, large hop delays are highlighted, and missing mandatory fields are called out explicitly.
What Your Results Mean: Diagnosing Common Problems
Authentication Failures (SPF, DKIM, DMARC)
The Authentication-Results: field records a result keyword for each check. Per RFC 7208 §2.6 for SPF and RFC 6376 §3.5 for DKIM, the result values and their meanings are:
| Result | SPF meaning | DKIM meaning |
|---|---|---|
pass | Sending IP is authorized by the domain's SPF record | Signature is valid; message content is unchanged |
fail | Sending IP is explicitly not authorized | Signature is invalid or the public key was not found in DNS |
softfail | IP is not authorized but the domain has not declared hard enforcement | Not applicable — DKIM has no softfail result |
neutral | Domain makes no assertion about the sending IP | Not applicable |
none | No SPF record found for the claimed domain | No DKIM-Signature header present |
permerror | SPF record has a syntax error or exceeded the 10 DNS-lookup limit | Configuration error in the DKIM record or signature |
temperror | Transient DNS lookup failure during the check | Transient DNS failure |
A DMARC result of fail means the message did not pass either an aligned SPF check or an aligned DKIM check, as required by RFC 7489 §4.2. Receiving servers enforcing p=reject will silently discard these messages. Use the SPF Checker to verify your domain's SPF record syntax, and the DMARC Checker to confirm policy configuration.
⚠️ Warning:
spf=passin theAuthentication-Results:header does not mean the displayFrom:address is legitimate. SPF only validates theReturn-Path:domain. A spoofed message can pass SPF while displaying a completely differentFrom:address. DMARC alignment is the check that ties these two identities together — do not rely on SPF alone to determine sender legitimacy.
Delivery Delays
Each Received: hop includes a timestamp. To identify where a message was delayed, compare the timestamp of each hop against the one immediately below it. The gap between two consecutive entries is the time the message spent at the first server in that pair before the next hop accepted it.
Received: from smtp.sender.com by mx1.receiver.com; Mon, 30 Jun 2026 10:00:05 +0000
Received: from mx1.receiver.com by mx2.receiver.com; Mon, 30 Jun 2026 10:07:42 +0000
In this example, the 7-minute gap between smtp.sender.com → mx1.receiver.com and mx1.receiver.com → mx2.receiver.com points to mx1.receiver.com as the bottleneck. The most common causes of multi-minute gaps between hops:
- Greylisting — the receiving server temporarily rejected the first delivery attempt (code 451), expecting legitimate senders to retry. Standard retry happens in 5–15 minutes.
- Content scanning — antivirus or data-loss-prevention (DLP) scanning introduces latency at a specific gateway before the message is passed to the next hop.
- DNS resolution failure — the receiving server could not resolve the sending domain's reverse DNS or encountered a timeout, triggering a retry cycle.
- Sending queue backlog — the originating MTA had a delivery backlog and did not attempt the next hop immediately after composition.
Spoofing Indicators
A spoofed or phishing message typically shows one or more of the following patterns in the raw header:
From:domain ≠Return-Path:domain — the displayed sender address and the envelope sender are on different domains, which is the most reliable single indicator of a forged sender.dmarc=failinAuthentication-Results:— the message cleared neither SPF+alignment nor DKIM+alignment, meaning the receiving server already determined it does not originate from the claimed domain.- Originating IP not in the sending domain's MX infrastructure — the bottom-most
Received:line shows an IP that does not belong to the mail servers the claimedFrom:domain is known to use. Cross-reference the IP against the sender's MX records using the MX Lookup tool. DKIM-Signature:d=tag domain ≠From:domain — the DKIM signature was applied by a different domain than the display sender, indicating the message was relayed through infrastructure theFrom:domain does not control.
# Spoofed header pattern (anonymized example):
From: billing@legitimate-bank.com
Return-Path: <noreply@unrelated-domain.ru>
Authentication-Results: mx.google.com;
spf=pass (sender IP authorized for unrelated-domain.ru);
dkim=fail (key not found in DNS);
dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=legitimate-bank.com
In this pattern, SPF passes because unrelated-domain.ru has a valid SPF record authorizing its sending IP. DMARC fails because unrelated-domain.ru does not align with legitimate-bank.com. The receiving server enforcing p=REJECT would discard this message.
Reading Headers Manually with the Command Line
When you want to inspect headers without a browser tool, parse a downloaded .eml file directly from the command line:
# Print only the header section of a saved .eml file
# The blank line between header and body acts as the delimiter
sed '/^$/q' message.eml
# Count the total number of server hops
grep -c "^Received:" message.eml
# Extract all timestamps from Received: headers for manual delay analysis
grep "^Received:" message.eml | grep -oE '[A-Z][a-z]{2}, [0-9]+ [A-Z][a-z]{2} [0-9]{4} [0-9:]{8} [+-][0-9]{4}'
# Check SPF/DKIM/DMARC results from the Authentication-Results: header
grep -A5 "^Authentication-Results:" message.eml
For real-time testing of your own outbound mail, send a test message to a Gmail address, then use Gmail's "Show original" → header summary table to verify the three authentication results. For platform-independent analysis, paste the raw header into the Email Header Analyzer.
Frequently Asked Questions
Q: What is an email header analyzer?
An email header analyzer is a tool that parses the raw metadata block attached to every email message and presents it in structured, human-readable form. It extracts the originating IP address, SPF/DKIM/DMARC authentication results, the hop-by-hop routing trace, and delivery timestamps from the Authentication-Results:, Received:, and DKIM-Signature: fields defined in RFC 5322, RFC 6376, and RFC 8601.
Q: How do I get the full email headers in Gmail?
Open the message, click the three-dot menu (⋮) next to the Reply button, and select "Show original." In the new tab that opens, click "Copy to clipboard." This copies the complete raw header text, which you paste directly into the Email Header Analyzer. Gmail also displays a quick summary of SPF, DKIM, and DMARC results at the top of that page.
Q: Why does my email fail DMARC even though SPF passes?
SPF validates the Return-Path: domain (the envelope sender), not the From: domain that users see. DMARC requires that the domain used in the passing SPF or DKIM check aligns with the From: domain, as defined in RFC 7489 §3.1. If your ESP sends mail with a Return-Path: from their own domain rather than yours, SPF passes for their domain but DMARC fails against your From: domain. The fix is to enable DKIM signing with d=yourdomain.com, which gives DMARC a second alignment path that passes.
Q: What does a large time gap between Received: hops mean?
It means the message was held in a queue or delayed at the server identified in that hop. Common causes include greylisting (a 5–15 minute deliberate temporary rejection that legitimate senders retry automatically), antivirus scanning latency at a gateway, or DNS lookup failures causing the sending MTA to retry. To find the bottleneck, read the Received: timestamps from bottom to top and identify the pair with the largest time difference.
Q: Can I use an email header analyzer to trace a phishing email?
Yes. The bottom-most Received: line contains the originating IP address added by the first receiving server — the sender cannot forge this entry because it is written by the receiver. That IP identifies the actual sending infrastructure regardless of what the display From: says. Combine this with a From:/Return-Path: mismatch and a dmarc=fail result and you have a near-certain phishing identification. Use the MX Lookup tool to verify whether the originating IP belongs to the sending domain's declared mail servers.
Q: Is it safe to paste email headers into an online analyzer?
Email headers do not contain the message body, attachments, or credentials — only routing metadata. The information exposed includes your email address, the sender's IP address, and internal mail server hostnames used by your organization. For most troubleshooting scenarios this is acceptable. If you are analyzing internal mail or a message from a sensitive source, consider stripping the To: field and internal Received: hostnames before pasting headers into a public tool.
Next Steps
To verify that your own outbound messages pass authentication before checking headers, run your sending domain through the SPF Checker and confirm your DMARC policy with the DMARC Checker.
If your headers show SPF failures on mail you send, see the SPF Record Explained guide for record syntax and mechanism reference. For deploying a DMARC policy from p=none through to p=reject, see the DMARC Policy Enforcement guide.
For a complete pre-send checklist covering SPF, DKIM, DMARC, MX records, and blacklist status in one pass, see the Email Deliverability Triage Checklist.
Browse all email guides on DNSnexus.