Free Email Header Analyzer
Analyze raw message headers to inspect SPF, DKIM, DMARC, sender identity mismatches, routing hops, and common trust or deliverability clues in one clean report.
Paste raw message headers
Analyze SPF, DKIM, DMARC, routing hops, and identity mismatches
Copy the original message source or full email headers from Gmail, Outlook, Apple Mail, or another mailbox. The analyzer unfolds header lines, reads authentication results, inspects Received chains, and highlights common trust signals.
| Summary | Value |
|---|---|
| Headers | 15 |
| Received hops | 2 |
| Auth summary | Strong alignment |
| From domain | openai.com |
| Originating IP | 209.85.166.50 |
| Findings | 0 |
Authentication
SPF, DKIM, and DMARC verdicts
Composite verdict: Strong alignment
| Check | Verdict | Detail |
|---|---|---|
| SPF | pass | SPF reported pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) smtp.mailfrom=noreply@openai.com |
| DKIM | pass | DKIM reported pass header.i=@openai.com header.s=google |
| DMARC | pass | DMARC reported pass (p=reject sp=reject dis=none) header.from=openai.com |
Identity and envelope
Who the message says it is from
| Field | Value |
|---|---|
| From | OpenAI Updates <noreply@openai.com> |
| To | you@example.com |
| Subject | Product update |
| Date | Tue, 1 Apr 2026 15:42:08 +0000 |
| Reply-To | OpenAI Team <hello@openai.com> |
| Return-Path | <noreply@openai.com> |
| Message-ID | <CAL1234567890@mail.gmail.com> |
| List-Unsubscribe | <https://openai.com/unsubscribe>, <mailto:unsubscribe@openai.com> |
| From domain | openai.com |
| Reply-To domain | openai.com |
| Return-Path domain | openai.com |
| Signed-by domain | 1e100.net |
Routing chain
Received headers in delivery order
| From | By | With | For | ID | Date |
|---|---|---|---|---|---|
| Not parsed | 2002:a05:620a:1234:b0:789:abcd:1234 | SMTP | Not present | r20csp104500qkj | Tue, 01 Apr 2026 08:42:10 -0700 (PDT) |
| mail-io1-f50.google.com (mail-io1-f50.google.com. [209.85.166.50]) | mx.google.com | ESMTPS | <you@example.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256) | f12si1234567qko.444.2026.04.01.08.42.09 | Tue, 01 Apr 2026 08:42:10 -0700 (PDT) |
Findings
- No obvious red flags were detected from the pasted headers.
Recommendations
- The headers look structurally healthy. If you are still debugging mail flow, compare these results with the sending platform’s logs.
Parsed headers
Unfolded header list
| Header | Value |
|---|---|
| Delivered-To | you@example.com |
| Received | by 2002:a05:620a:1234:b0:789:abcd:1234 with SMTP id r20csp104500qkj; Tue, 01 Apr 2026 08:42:10 -0700 (PDT) |
| Received | from mail-io1-f50.google.com (mail-io1-f50.google.com. [209.85.166.50]) by mx.google.com with ESMTPS id f12si1234567qko.444.2026.04.01.08.42.09 for <you@example.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 01 Apr 2026 08:42:10 -0700 (PDT) |
| Authentication-Results | mx.google.com; dkim=pass header.i=@openai.com header.s=google; spf=pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) smtp.mailfrom=noreply@openai.com; dmarc=pass (p=reject sp=reject dis=none) header.from=openai.com |
| Return-Path | <noreply@openai.com> |
| Received-SPF | pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) client-ip=209.85.166.50; |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=openai.com; s=google; |
| From | OpenAI Updates <noreply@openai.com> |
| To | you@example.com |
| Subject | Product update |
| Date | Tue, 1 Apr 2026 15:42:08 +0000 |
| Message-ID | <CAL1234567890@mail.gmail.com> |
| Reply-To | OpenAI Team <hello@openai.com> |
| List-Unsubscribe | <https://openai.com/unsubscribe>, <mailto:unsubscribe@openai.com> |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; d=1e100.net; s=20230601; |
What an email header analyzer does
An email header analyzer turns raw message headers into something a human can actually read. Instead of staring at long blocks of Received, Authentication-Results, Return-Path, and DKIM-Signature lines, you can quickly see who sent the message, which domains were involved, how the message moved between servers, and whether SPF, DKIM, and DMARC passed or failed. That makes the tool useful for security reviews, phishing checks, deliverability debugging, support investigations, and general mailbox admin work.
Why raw headers matter
The visible sender name in an email client does not tell the whole story. A message can say it is from one domain while replying to another, bouncing through a third, and failing authentication in the background. Raw headers expose those relationships. Looking at the From domain, Reply-To, Return-Path, and Authentication-Results together is often the fastest way to tell whether a message is routine marketing infrastructure, a messy forwarding chain, or something that deserves more skepticism.
How to use this analyzer well
Export the full original headers from your mail client instead of copying a partial snippet. Gmail, Outlook, Apple Mail, and most hosted inboxes let you view the original source. Paste that into the analyzer and start with the summary cards. They give you the big picture quickly: number of headers, routing hops, authentication status, visible sender domain, originating IP, and number of findings. Then review the authentication section for SPF, DKIM, and DMARC, because those checks are some of the strongest trust signals in modern email.
Next, inspect the identity section. If the Reply-To domain differs from the visible sender, that is not automatically malicious, but it is worth understanding. The same goes for Return-Path. Many legitimate senders use separate bounce or sending infrastructure, especially marketing and transactional platforms, but those differences should still make sense. Finally, look at the routing chain to understand how many servers the message passed through and whether the path looks expected for the sender and your mailbox provider.
What makes the tool robust
A basic email header viewer might only show you the raw lines. A robust analyzer helps interpret them. This one unfolds wrapped header lines, groups repeated headers like Received, surfaces authentication verdicts, extracts important sender and envelope domains, flags mismatch patterns, and preserves a full parsed header table for deeper inspection. That balance matters because sometimes you want a quick trust decision, and other times you need the full evidence trail for a support or security conversation.
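The unfold, verdict and mismatch steps described above, sketched in Python as an added example (this is not the analyzer's own code). The function names, the `authserv_id` parameter and the sample headers are constructed for illustration; the sketch also goes one step beyond the text by reading verdicts only from the Authentication-Results header whose authserv-id names your own receiving server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the report above; continuation lines are folded.
RAW = """\
Received: from mail-io1-f50.google.com (mail-io1-f50.google.com. [209.85.166.50])
        by mx.google.com with ESMTPS id f12si1234567qko;
        Tue, 01 Apr 2026 08:42:10 -0700 (PDT)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@openai.com header.s=google;
       spf=pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) smtp.mailfrom=noreply@openai.com;
       dmarc=pass (p=reject sp=reject dis=none) header.from=openai.com
Return-Path: <noreply@openai.com>
From: OpenAI Updates <noreply@openai.com>
Reply-To: OpenAI Team <hello@openai.com>
Subject: Product update

"""

def domain(value):
    """Lower-cased domain of the address in a header value, or None."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def auth_verdicts(msg, authserv_id):
    """Verdicts from the Authentication-Results header our own receiver stamped."""
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", "", " ".join(value.split()))  # unfold, drop comments
        server, _, results = value.partition(";")
        if server.strip().lower() == authserv_id:  # other ids may be sender-supplied
            return {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results)}
    return {}

def analyze(raw, authserv_id="mx.google.com"):
    msg = message_from_string(raw)
    verdicts = auth_verdicts(msg, authserv_id)
    from_dom = domain(msg.get("From"))
    findings = [f"{m} verdict is {verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    for header in ("Reply-To", "Return-Path"):  # exact match, not organizational domain
        other = domain(msg.get(header))
        if other and other != from_dom:
            findings.append(f"{header} domain {other} differs from From domain {from_dom}")
    return {"from_domain": from_dom, "hops": len(msg.get_all("Received", [])),
            "verdicts": verdicts, "findings": findings}

if __name__ == "__main__":
    print(analyze(RAW))
```

Because the domain comparison is an exact match, a legitimate bounce subdomain in Return-Path shows up as a finding to review rather than as a verdict.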
When to use it
Use an email header analyzer when a message looks suspicious, when someone reports that an email was delayed or bounced, when you are testing a new sending platform, or when you need to validate whether authentication was aligned properly. It is also useful for internal operations teams that need a fast explanation of why a message landed in spam, why replies are going to a different address, or why a customer says an email came from one domain but the infrastructure tells a different story.