What can an email header analyzer tell you?

It helps you inspect email authentication, trace delivery hops, compare visible sender fields with routing fields, and spot clues related to phishing, forwarding, or deliverability problems.

Why do Reply-To and Return-Path matter?

Reply-To controls where responses go, while Return-Path is usually the bounce address. If those differ from the visible From domain, it can be legitimate infrastructure or a signal worth checking more carefully.

Do I need the full original headers?

Yes. Partial snippets often omit Authentication-Results or Received lines, which makes trust and routing analysis much weaker.

Free Email Header Analyzer

Analyze raw message headers to inspect SPF, DKIM, DMARC, sender identity mismatches, routing hops, and common trust or deliverability clues in one clean report.

Paste raw message headers

Analyze SPF, DKIM, DMARC, routing hops, and identity mismatches

Copy the original message source or full email headers from Gmail, Outlook, Apple Mail, or another mailbox. The analyzer unfolds header lines, reads authentication results, inspects Received chains, and highlights common trust signals.

Email headers

Delivered-To: you@example.com
Received: by 2002:a05:620a:1234:b0:789:abcd:1234 with SMTP id r20csp104500qkj;
        Tue, 01 Apr 2026 08:42:10 -0700 (PDT)
Received: from mail-io1-f50.google.com (mail-io1-f50.google.com. [209.85.166.50])
        by mx.google.com with ESMTPS id f12si1234567qko.444.2026.04.01.08.42.09
        for <you@example.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 01 Apr 2026 08:42:10 -0700 (PDT)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@openai.com header.s=google;
       spf=pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) smtp.mailfrom=noreply@openai.com;
       dmarc=pass (p=reject sp=reject dis=none) header.from=openai.com
Return-Path: <noreply@openai.com>
Received-SPF: pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) client-ip=209.85.166.50;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openai.com; s=google;
From: OpenAI Updates <noreply@openai.com>
To: you@example.com
Subject: Product update
Date: Tue, 1 Apr 2026 15:42:08 +0000
Message-ID: <CAL1234567890@mail.gmail.com>
Reply-To: OpenAI Team <hello@openai.com>
List-Unsubscribe: <https://openai.com/unsubscribe>, <mailto:unsubscribe@openai.com>
X-Google-DKIM-Signature: v=1; a=rsa-sha256; d=1e100.net; s=20230601;

Headers

Received hops

Auth summary

Strong alignment

From domain

openai.com

Originating IP

209.85.166.50

Findings

Authentication

SPF, DKIM, and DMARC verdicts

Composite verdict: Strong alignment

SPF

pass

SPF reported pass(google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) smtp.mailfrom=noreply@openai.com

DKIM

pass

DKIM reported passheader.i=@openai.com header.s=google

DMARC

pass

DMARC reported pass(p=reject sp=reject dis=none) header.from=openai.com

Identity and envelope

Who the message says it is from

From

OpenAI Updates <noreply@openai.com>

you@example.com

Subject

Product update

Date

Tue, 1 Apr 2026 15:42:08 +0000

Reply-To

OpenAI Team <hello@openai.com>

Return-Path

<noreply@openai.com>

Message-ID

<CAL1234567890@mail.gmail.com>

List-Unsubscribe

<https://openai.com/unsubscribe>, <mailto:unsubscribe@openai.com>

From domain

openai.com

Reply-To domain

openai.com

Return-Path domain

openai.com

Signed-by domain

1e100.net

Routing chain

Received headers in delivery order

Hop 1

From

Not parsed

2002:a05:620a:1234:b0:789:abcd:1234

With

SMTP

For

Not present

r20csp104500qkj

Date

Tue, 01 Apr 2026 08:42:10 -0700 (PDT)

Hop 2209.85.166.5004.01.08.42

From

mail-io1-f50.google.com (mail-io1-f50.google.com. [209.85.166.50])

mx.google.com

With

ESMTPS

For

<you@example.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256)

f12si1234567qko.444.2026.04.01.08.42.09

Date

Tue, 01 Apr 2026 08:42:10 -0700 (PDT)

Findings

No obvious red flags were detected from the pasted headers.

Recommendations

The headers look structurally healthy. If you are still debugging mail flow, compare these results with the sending platform’s logs.

Parsed headers

Unfolded header list

Header	Value
Delivered-To	you@example.com
Received	by 2002:a05:620a:1234:b0:789:abcd:1234 with SMTP id r20csp104500qkj; Tue, 01 Apr 2026 08:42:10 -0700 (PDT)
Received	from mail-io1-f50.google.com (mail-io1-f50.google.com. [209.85.166.50]) by mx.google.com with ESMTPS id f12si1234567qko.444.2026.04.01.08.42.09 for <you@example.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 01 Apr 2026 08:42:10 -0700 (PDT)
Authentication-Results	mx.google.com; dkim=pass header.i=@openai.com header.s=google; spf=pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) smtp.mailfrom=noreply@openai.com; dmarc=pass (p=reject sp=reject dis=none) header.from=openai.com
Return-Path	<noreply@openai.com>
Received-SPF	pass (google.com: domain of noreply@openai.com designates 209.85.166.50 as permitted sender) client-ip=209.85.166.50;
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=openai.com; s=google;
From	OpenAI Updates <noreply@openai.com>
To	you@example.com
Subject	Product update
Date	Tue, 1 Apr 2026 15:42:08 +0000
Message-ID	<CAL1234567890@mail.gmail.com>
Reply-To	OpenAI Team <hello@openai.com>
List-Unsubscribe	<https://openai.com/unsubscribe>, <mailto:unsubscribe@openai.com>
X-Google-DKIM-Signature	v=1; a=rsa-sha256; d=1e100.net; s=20230601;

More Intel & Email Infrastructure Tools

MX Lookup Tool

Inspect inbound mail routing and provider hints

HTTP Header Analyzer

Inspect live response headers

Proxy Checker

Check proxy reachability and latency

Tech Stack Analysis

Detect what a site is built with

Third-Party Script Auditor

Audit external vendors on live pages

AI Skills Directory

Browse GitHub-discovered agent workflows

AI Token Counter

Measure prompt size before model calls

cURL Command Generator

Build copy-ready API requests

What is an Email Header Analyzer?

An email header analyzer is a message header analyzer tool that makes email headers human readable by parsing them according to RFC 822 and related standards. Every email you receive carries hidden technical details — the message source — packed with information about the sender, routing path, authentication results, and delivery time.

Our email header analyzer tool extracts that metadata and presents it in an easy to read, structured report so you can instantly understand what happened between the sending server and your inbox — without touching raw header data manually.

SPF · PASS

DKIM · FAIL

DMARC · QUARANTINE

Origin: 203.0.113.45 · 4 server hops

Why Use Our Email Header Analyzer?

Use our email header analyzer to go from raw headers to actionable insight in seconds

Instant Decoding

Parse raw email headers and get a clear, human-readable breakdown of every field — no manual lookup required.

Threat Detection

Spot forged senders, mismatched authentication, and suspicious relay behavior that signals phishing or spoof attempts.

Deliverability Insights

See SPF, DKIM, and DMARC passed or failed details that directly affect whether an email lands in the inbox or spam folder.

Forensic Detail

Trace sending IPs, timestamps, and hop-by-hop routing for incident response and email analysis workflows.

Privacy-First

Email headers are analyzed in-memory and not stored unless you choose to save results. Your header data stays yours.

Key Features

Everything you need to analyze email headers and protect your domain

Automatic Header Parsing

The tool automatically extracts and groups message headers — From, Return-Path, Received, Message-ID, Content-Type, ARC-Seal, ARC-Authentication-Results, and MIME fields — unfolding wrapped lines and surfacing what matters most in every email message.

Authentication Checks

Check SPF record lookup and evaluation, DKIM signature verification with selector and identity checks, and DMARC authentication policy alignment — all in one pass.

IP & Geo Lookup

Map the email's originating IP address, reveal sending networks and ASNs, surface geolocation data, and check whether an IP appears on a known blacklist.

Relay Path Visualization

A clear timeline and hop list shows server hops, delays, loops, and any suspicious relay behavior between mail servers — with date and time stamps per hop.

Threat Scoring

Combined heuristics score each message to highlight phishing, spam, or spoof risk — helping you quickly decide whether the email was sent legitimately.

Exportable Reports

Download JSON or PDF reports for incident logs, compliance records, or to forward findings to your security or IT team. Every piece of IP information and email authentication detail is included.

How to Use an Email Header Analyzer

Analyze email headers in four straightforward steps

Copy the Full Header

Export the full header from your email client — Gmail, Outlook, Apple Mail, or your mail server. Use the "Show original" or "View message source" option to get the complete, untruncated full header.

Paste the Header in the Tool

Copy and paste the raw message headers directly into the input area and click "Analyze." You can also upload an email file (.eml) if your client supports export.

The Tool Analyzes Email Headers

The header analyzer tool decodes and parse every field, runs SPF, DKIM, and DMARC checks, performs an IP address lookup, and scores the message for risk — all within the email system automatically.

Review and Export

Review the structured report, follow recommended remediation steps, or export the full email analysis for your records, compliance requirements, or DNS configuration review.

Benefits for Teams

A message header analyzer tool built for every role that touches email security

Security Teams

Rapid incident triage for phishing attacks, BEC attempts, and malicious emails. Use the sender's IP, authentication results, and threat score to detect phishing fast and protect your domain.

IT Admins

Troubleshoot email delivery issues, anti-spam misconfiguration, and problematic mail servers. Understand the sender's routing path and whether the email was sent through expected infrastructure.

Developers & DevOps

Validate email authentication during deployments and CI checks. Confirm that sending IPs, DKIM selectors, and DMARC policies are correctly configured before you ship.

Help Desks

Provide clear evidence and guidance to end users about suspicious emails. Translate technical message headers into plain language explanations that anyone can act on.

Sample Report Highlights

When the tool analyzes email headers, you get a structured report with actionable analytics across four key areas:

Authentication Summary

SPF PASS, DKIM FAIL, DMARC QUARANTINE — with exact DNS records, signature details, and guidance on what each result means for email security and deliverability.

Origin Details

Sending IP 203.0.113.45 (AS12345), hosted in Frankfurt, DE — with full geolocation, network, and IP information including blacklist status.

Relay Timeline

4 hops, 2-minute total transit, unusual delay at hop 3. The routing section makes message content flow and server handoffs visible at a glance.

Risk Assessment

High likelihood of spoofing due to domain mismatch and missing DKIM. The checker surfaces information sent to the recipient that differs from the information about the email's true origin.

Frequently Asked Questions

Common asked questions about our email header analyzer

Is it safe to paste email headers?

Yes. Message headers do not contain full email message content, but may include sender addresses and IP address data. We analyze in-memory and do not store header data by default. For sensitive investigations, use our Enterprise on-premises option.

What authentication checks are performed?

The tool runs SPF record lookup and evaluation, DKIM signature verification with selector and identity checks, and DMARC policy alignment and reporting guidance — covering the full stack of email authentication standards.

Can I automate header analysis?

Yes. Pro and Enterprise plans include an API for automated header analysis and integration into ticketing, SIEM, or anti-spam systems — so you can authenticate and analyze every email you receive at scale without manual effort.

How do I trace an email back to its origin?

To trace an email, copy the full message headers from your email client and paste them into the analyzer. The tool maps the email's originating IP address, shows each server hop with timestamps, and surfaces the sender's IP and network information for a complete origin trail.

Can I use this tool to troubleshoot email delivery issues?

Absolutely. The relay timeline shows exactly where delays occur within the email path between mail servers. Combined with the authentication summary and IP lookup, you can quickly identify whether the email was sent through misconfigured infrastructure or whether the email's deliverability problem is a DNS, DKIM, or SPF configuration issue.