Email Header Analyzer
Paste raw email headers from "Show original" (Gmail) / "View source" (Outlook) / "All Headers" (Apple Mail). The analyzer parses the hop trail, extracts the originating IP, decodes SPF/DKIM/DMARC results, and flags suspicious patterns. Free, in-browser, nothing uploaded.
| Header | Value |
|---|
How to find raw headers
- Gmail: open the message, three-dot menu, "Show original" - the new tab shows the raw RFC-5322 message. Copy from the top down to the blank line before the body.
- Outlook (desktop / web): open the message, File menu, Properties (Outlook desktop) or three-dot menu, "View message source" (Outlook web). Headers are in the "Internet headers" textarea or as the top of the source.
- Apple Mail: View menu, Message submenu, All Headers (Cmd+Shift+H). Or "Raw Source" for the full message.
- Yahoo: open the message, More menu, "View Raw Message".
What gets parsed
- Header values: From, To, Subject, Date, Message-ID, Return-Path, Reply-To, List-Unsubscribe.
- Hop trail: every Received: header in chronological order (origin first), with timestamp and per-hop delay.
- Auth verdicts: SPF, DKIM, DMARC results from Authentication-Results: and ARC-Authentication-Results: headers.
- DKIM signature details: signing domain (d=), selector (s=), and the body-hash header (b=).
- Originating IP: the IP address from the bottom-most Received: header (the first hop in the chain).
- Suspicious flags: hop delays > 60s, hop count > 10, From/Return-Path domain mismatch, DKIM signed by an unrelated domain, missing auth headers, missing Message-ID.
FAQ
How do I find raw email headers?
Gmail: three-dot menu, "Show original". Outlook: File menu, Properties. Apple Mail: View menu, Message, All Headers (Cmd+Shift+H). Yahoo: More menu, "View Raw Message".
What does the hop trail tell me?
Each Received: header is added by a mail server as the message passes through. The bottom-most line is the origin (sender's outbound MTA); the top-most is your incoming server. The hop trail is the path the message took. Delays over 60 seconds between consecutive hops are unusual.
How are SPF, DKIM, and DMARC reported?
The receiving server adds an Authentication-Results: header summarizing each check. We parse spf=, dkim=, and dmarc= entries and render them as pass/fail/neutral/temperror badges. ARC-Authentication-Results: is also parsed - that's the chain when forwarded.
What is the originating IP?
The IP of the very first server that handled the message - the sender's outbound MTA. We extract it from the bottom-most Received: header. If it doesn't match the From: domain's published SPF record, the message likely failed SPF.
What suspicious patterns get flagged?
Hop delays over 60s, hop count over 10, missing or weak Authentication-Results, From-domain ≠ Return-Path domain (classic spoofing tell), DKIM signed by an unrelated domain, missing Message-ID. Each is a starting point for investigation, not a definitive verdict.
Does my email get sent anywhere?
No. The parser runs entirely in your browser. Zero outbound requests.
Can I look up the originating IP's reputation?
We surface the IP and link to MXToolbox / Spamhaus where you can run reputation lookups manually. We don't run those queries server-side - would require rate-limited DNS and a backend.
What if my email is being delivered to spam?
Start here to verify SPF/DKIM/DMARC pass. If any fail, fix DNS first. If all pass and you're still going to spam, try the Spam Score Checker for content signals, or use DeliverIQ for continuous DMARC monitoring.
Continuous deliverability monitoring
This tool diagnoses one message. DeliverIQ watches your domain's DMARC reports, alerts on auth-failure spikes, and tracks reputation across all your sending sources continuously.
See DeliverIQ →