Email Header Analyzer

Analyze raw email headers to verify SPF, DKIM, and DMARC authenticity and trace sender origins.

What Is Email Header Analysis?

Every email contains hidden metadata in its headers — a chronological record of every server the message passed through, timestamps at each hop, and authentication results. Email header analysis is the process of reading and interpreting this data to verify authenticity, trace origin, diagnose delivery problems, and detect spoofed or phishing emails.

The three pillars of email authentication — SPF, DKIM, and DMARC — work together to prevent domain spoofing. Our analyzer parses raw email headers and presents authentication results in a clear, actionable format, highlighting any failures that indicate suspicious or forged messages.

Email Authentication Framework

SPF (Sender Policy Framework)

DNS TXT record listing authorized sending mail servers for a domain. Prevents unauthorized servers from sending as your domain.

DKIM (DomainKeys Identified Mail)

Cryptographic signature in email headers verified against a public key in DNS. Ensures message integrity and sender authenticity.

DMARC (Domain-based Message Authentication)

Policy layer on top of SPF/DKIM that defines enforcement actions (none/quarantine/reject) and enables failure reporting.

Frequently Asked Questions

What are email headers and what do they contain?

Email headers are metadata fields attached to every email message, recording the routing path from sender to recipient. They contain: sending server IP addresses, timestamps at each hop, authentication results (SPF, DKIM, DMARC), message IDs, subject and sender/recipient addresses, and custom X- header fields. Each mail server the message passes through prepends its own headers, so the most recent hop appears at the top.

What is SPF and why does it matter?

SPF (Sender Policy Framework) is a DNS-based email authentication mechanism that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email, it checks the SPF TXT record for the sending domain. If the sending server isn't listed, the email fails SPF — helping prevent email spoofing and phishing.

What is DKIM email authentication?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to email headers, allowing receiving servers to verify the email genuinely originated from the claimed domain and wasn't modified in transit. The public key is published as a DNS TXT record. DKIM is a critical component of modern email authentication alongside SPF and DMARC.

What is DMARC and how does it work?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to define what happens when email authentication fails. A DMARC policy can instruct receiving servers to: accept the email (none), quarantine it (spam folder), or reject it. DMARC also enables reporting so domain owners can see authentication failures.

How do I get the raw email headers in Gmail, Outlook, or Apple Mail?

Gmail: Open the email → Three dots menu → 'Show original'. Outlook: Open email → File → Properties → Internet headers. Apple Mail: Open email → View menu → Message → Raw Source. Copy the entire header block and paste it into our analyzer. The headers appear before the email body, starting with 'Received:' lines.

How can I tell if an email is spoofed?

Signs of a spoofed email: SPF or DKIM authentication failures in headers, mismatch between 'From' address and 'Return-Path', suspicious sending IP (use our IP lookup to investigate), multiple 'Received from' hops through unexpected servers, and DMARC failures. Our analyzer highlights these red flags automatically.
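The checks listed above can be scripted with Python's standard library. The following is an added example, not the analyzer's own code: the sample headers are constructed, and `analyze`, `domain_of` and the `trusted_authserv` parameter are hypothetical names. It reads verdicts only from the Authentication-Results header stamped by your own receiving server, since a sender can insert a forged one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: example.* names and 192.0.2.x / 198.51.100.x addresses
# are documentation placeholders, not real traffic.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=fail header.d=example.com;
\tdmarc=fail header.from=example.com
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTPS id abc123;
\tTue, 02 Jan 2024 10:00:05 +0000
Received: from localhost (unknown [192.0.2.44])
\tby mx.example.net with ESMTP id def456;
\tTue, 02 Jan 2024 10:00:01 +0000
From: "Billing" <billing@example.com>

body
"""

def domain_of(value):
    """Lower-cased domain of the address in a From or Return-Path value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw, trusted_authserv):
    msg = message_from_string(raw)
    verdicts = {}
    for ar in msg.get_all("Authentication-Results", []):
        # trusted_authserv (hypothetical parameter): authserv-id of our own
        # receiving server; results stamped by anyone else are ignored.
        if ar.split(";", 1)[0].strip().lower() != trusted_authserv:
            continue
        for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar, re.I):
            verdicts.setdefault(mech.lower(), res.lower())
    # Received headers are prepended, so reverse them to read origin first.
    hops = [m.group(1) if (m := re.search(r"\[([0-9a-fA-F.:]+)\]", r)) else None
            for r in reversed(msg.get_all("Received", []))]
    flags = [f"{k} {v}" for k, v in verdicts.items() if v != "pass"]
    flags += [f"{k} missing" for k in ("spf", "dkim", "dmarc") if k not in verdicts]
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom != rp_dom:
        flags.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    return {"auth": verdicts, "hops": hops, "flags": flags}

if __name__ == "__main__":
    print(analyze(SAMPLE, "mx.recipient.example"))
```

A From/Return-Path mismatch also occurs in legitimate bulk mail sent through a third-party service, so weigh it together with the SPF, DKIM and DMARC verdicts.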