Email Header Analyzer - Decode & Understand Headers
Paste email headers to trace the complete delivery path, verify SPF/DKIM/DMARC authentication, identify the originating IP, and detect potential spoofing.
How to Find Email Headers in Different Email Clients
Email headers contain important information about the path an email took to reach you and can help identify potential issues. Here's how to access them in popular email clients:
Gmail
- Open the email you want to analyze
- Click on the three dots (⋮) in the top-right corner of the email
- Select "Show original"
- A new tab will open with the complete email headers and content
- Click the "Copy to clipboard" button to copy all the headers
- Paste into the analyzer text area
Outlook.com / Microsoft 365
- Open the email message
- Click on the three dots (⋯) in the top-right corner
- Select "View message details" or "View > Message details"
- A popup window will appear with the headers
- Select all the text (Ctrl+A) and copy (Ctrl+C)
- Paste into the analyzer text area
Outlook Desktop App
- Open the email message
- From the Message tab, click "File" (or sometimes Actions > Other Actions)
- Select "Properties" or "Message Options"
- Look for the "Internet headers" section at the bottom of the dialog
- Select all the text and copy it
- Paste into the analyzer text area
Apple Mail
- Open the email message
- Select "View" from the menu bar
- Click "Message" and then "All Headers"
- The headers will appear at the top of the message
- Select all headers (they appear above the message body) and copy
- Paste into the analyzer text area
Yahoo Mail
- Open the email message
- Click on the three dots (⋯) in the top-right corner
- Select "View Raw Message"
- A new window will open with the full headers and message
- Select all (Ctrl+A) and copy (Ctrl+C)
- Paste into the analyzer text area
Mozilla Thunderbird
- Open the email message
- Click "View" from the menu bar
- Select "Headers" and then "All"
- Right-click in the header section and choose "Select All"
- Copy the selected text
- Paste into the analyzer text area
Example Headers
Here's what email headers typically look like:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53])
by mx.example.com (Postfix) with ESMTPS id 8DBCF21478
for <[email protected]>; Wed, 21 Jul 2021 14:22:01 -0700 (PDT)
Authentication-Results: example.com;
dkim=pass [email protected];
spf=pass (example.com: domain of [email protected] designates 209.85.221.53 as permitted sender) [email protected];
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=20210112;
h=from:to:subject:date:message-id:mime-version;
bh=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=;
b=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X-Received: by 2002:adf:f6d3:: with SMTP id b12mr112233pfl.240.1626901321009;
Wed, 21 Jul 2021 14:22:01 -0700 (PDT)
From: "Sender Name" <[email protected]>
To: "Recipient Name" <[email protected]>
Subject: Example Email with Headers
Date: Wed, 21 Jul 2021 14:22:00 -0700
Message-ID: <[email protected]>
Understanding Email Headers
Email headers are like the digital envelope of an email, containing crucial metadata about its journey from sender to recipient. They are not usually visible in standard email clients but can be accessed via "Show Original" or "View Source" options.
Key Information in Headers:
- From/To/Cc/Bcc: Sender and recipient addresses.
- Subject: The email's subject line.
- Date: When the email was sent.
- Message-ID: A unique identifier for the email message.
- Received: A series of entries tracing the path the email took through various mail servers. Each "Received" header is added by a server that handled the email. Analyzing these can help identify the origin and route.
- Return-Path: The address where bounce messages are sent.
- Authentication-Results: Contains results of security checks like SPF, DKIM, and DMARC, which help verify the sender's authenticity and prevent spoofing.
- MIME-Version & Content-Type: Define the email's format (e.g., HTML, plain text) and character encoding.
Email Authentication Explained
SPF (Sender Policy Framework)
SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. When an email is received, the receiving server checks if the sending server's IP address is listed in the domain's SPF record.
- Pass: The email came from an authorized server
- SoftFail: The domain suggests the host is not authorized but isn't asserting it strongly
- Fail: The email came from an unauthorized server - likely spoofed
- Neutral/None: No policy or no assertion made
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature linked to a domain name to each outgoing email message. Receiving servers can verify this signature to ensure the email was not altered in transit.
- Pass: The DKIM signature is valid - content wasn't modified in transit
- Fail: The signature couldn't be verified - message may have been tampered with
- None: No DKIM signature present
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds on SPF and DKIM to help email senders and receivers work together to combat email spoofing and phishing.
- Pass: The message passed either SPF or DKIM and the identifiers are aligned
- Fail: The message failed both SPF and DKIM or the identifiers aren't aligned
- None: No DMARC policy published or applicable
Why Analyze Email Headers?
- Troubleshooting Delivery Issues: Identify where an email got delayed or rejected.
- Detecting Phishing & Spoofing: Uncover forged sender information or suspicious routing by scrutinizing authentication results and the received path.
- Spam Investigation: Determine the true origin of spam emails.
- Learning Email Flow: Understand the technical journey of an email.
Common Issues Identified Through Header Analysis
- Sender Spoofing: Mismatch between the "From" address and actual sending server
- Missing or Failed Authentication: Emails without SPF, DKIM or with failed validation
- Suspicious Routing: Email taking unusual paths through unexpected or known-problematic servers
- Time Anomalies: Unusual delays between server hops that may indicate issues
- X-Headers Anomalies: Custom headers sometimes reveal information about spam filtering or other processing
Related Tools
Frequently Asked Questions
What information is in email headers?
Email headers contain: sender/recipient addresses, routing path (servers that handled the email), timestamps, SPF/DKIM/DMARC authentication results, message ID, and client software details.
How can I tell if an email is spoofed?
Check: SPF/DKIM/DMARC authentication (should pass), 'Received' headers for suspicious servers, Return-Path vs From address, and whether routing makes geographic sense.
What do the 'Received' headers mean?
Each 'Received' header represents a mail server that processed the email. Read bottom-to-top to see the path from sender to recipient. Unexpected servers may indicate relay abuse.
What are SPF, DKIM, and DMARC?
SPF verifies sender IP is authorized. DKIM cryptographically signs messages proving they weren't altered. DMARC builds on both, specifying what to do with authentication failures.
Can I trust the From address?
No, From addresses can be easily spoofed. Check authentication results (SPF/DKIM/DMARC pass), Return-Path, and Received headers. Don't trust display names - check actual email addresses.
Why does email show a different time than it was sent?
Timestamps in headers use the sending server's timezone. Your email client converts to your local time. Time discrepancies can also indicate spoofing or compromised servers.
Last reviewed:
How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.