🔬 SPF · DKIM · DMARC · Routing Trace · Origin IP · Spam Score

Email Header Analyser

Free online email header analyser. Paste raw email headers to inspect SPF, DKIM, and DMARC authentication, trace the full routing path, identify the origin IP, and detect spam signals.

✓ SPF / DKIM / DMARC✓ Routing hop trace✓ Origin IP✓ Spam score✓ Full field viewer✓ 100% client-side

Paste Raw Email Headers

All analysis runs in your browser. Headers are never sent to any server.

What this tool does

Free email header analyser. Decode SPF, DKIM, DMARC results, trace routing, and detect spoofing

Every email message carries a block of metadata called headers, added by each mail server that handles it. Defined in RFC 5322 and extended by RFC 2822, these headers record who sent the message, who received it, when, via which route, and the authentication verdicts from each server along the way. This tool parses that raw header block and presents all of it in a structured, tab-organised format. Authentication results, routing path, spam scores, and every individual header field.

The Authentication tab shows SPF, DKIM, and DMARC results extracted from the Authentication-Results header. The most authoritative authentication signal in any email, because it is written by the receiving server (which you control or trust) rather than by the sender. A message with all three passing is authenticated end-to-end. Any failure is worth investigating: it may indicate a spoofed sender, a domain with weak authentication, a phishing attempt, a misconfigured mail server, or a legitimate message forwarded through a relay that broke SPF alignment.

The Routing tab reconstructs the delivery path chronologically from the originating server to your inbox, with per-hop timestamps and delay calculations. The originating IP, extracted from the oldest Received header, is the actual IP address of the server that first injected the message into the internet's mail infrastructure. Unlike the From: header (which any attacker can forge), the originating IP cannot be spoofed because it is written by your receiving server, not the sender. Discrepancies between the claimed sending domain and the originating IP's registered owner are among the strongest indicators of a spoofed or phishing message.

Key header fields explained

Received

Added by each mail server that handled the message. Multiple Received headers trace the full delivery path in reverse chronological order.

Authentication-Results

Added by the receiving server. Cannot be forged by the sender. Contains SPF, DKIM, and DMARC verdicts with domain and alignment details.

Received-SPF

The receiving server's SPF verdict. Includes the client IP checked, the envelope-from domain, and the final pass/fail result.

DKIM-Signature

The cryptographic signature header. Contains the signing domain (d=), selector (s=), algorithm (a=), and the signature itself (b=).

Return-Path

The bounce address. Where delivery failure notifications are sent. Often differs from From: for ESP-sent mail. SPF validates this domain.

Message-ID

A globally unique identifier assigned by the originating mail server. Useful for tracking a message across logs and systems.

X-Spam-Score

Numerical spam score from SpamAssassin or similar. Negative scores are clean. Above 5 is typically flagged. X-Spam-Flag shows the final YES/NO verdict.

X-Mailer

The software or service used to compose or send the email. Can help identify bulk senders, ESPs, or unusual sending clients.

Why it matters

Why reading email headers is essential for security, deliverability, and phishing investigation

Email headers are the ground truth of email delivery. While the visible interface of an email client shows you only From:, Subject:, and Date:, all three of which can be trivially forged, the headers show the actual servers that handled the message, the cryptographic authentication results that cannot be faked, and the routing timeline that reveals whether the message travelled a normal or suspicious path. For anyone investigating a suspicious email, the headers are always the first stop.

For email deliverability troubleshooting, headers reveal what actually happened to a message. Not what was supposed to happen. A transactional email that is landing in spam will show an elevated X-Spam-Score and often a DMARC p=none policy (monitoring mode, no enforcement), a missing DKIM signature, or an SPF softfail. The headers tell you exactly which of these is the problem. Checking the same information at the DNS level using the Email Health Checker or the Email Privacy Auditor confirms whether the issue is a configuration gap or a per-message authentication failure.

For security investigations, headers expose Business Email Compromise (BEC) attempts and phishing emails that visual inspection alone cannot catch. The most sophisticated phishing emails are visually identical to legitimate messages. Same logo, same formatting, same domain in the visible From: field. The headers reveal the reality: a DMARC fail, an SPF fail from an unrecognised IP, a missing DKIM signature, and a Return-Path pointing to an attacker-controlled domain. This combination is unmistakable in the headers even when the email looks completely authentic to a non-technical recipient.

For email marketing and cold outreach, headers provide confirmation that your authentication stack is working correctly for delivered messages. DKIM is signing, SPF is passing, and DMARC is aligned. A single real sent message analysed here gives you more certainty than any DNS checker, because you are seeing the authentication result that the actual receiving server reported for that specific message.

Troubleshooting

Common email header analysis findings: what they mean and what to do

Most authentication failures and suspicious patterns in email headers fall into a small number of recognisable patterns. Here is what each one means and how to respond.

dmarc=fail with p=reject. Message was or should be blocked

What it means: The message failed DMARC alignment. Neither SPF nor DKIM passed with a domain matching the From: header. With p=reject, the receiving server's policy is to block the message. This is the strongest authentication failure signal.

What to do: If this is your own mail: check that DKIM signing is configured for your sending domain via your ESP, and that your SPF record covers the sending server. If this is a suspicious incoming message: this is strong evidence of spoofing or phishing. The From: domain has strict enforcement in place and the message failed it. It should not have been delivered.

spf=fail but dmarc=pass. Forwarded mail or DKIM-only alignment

What it means: SPF failed because the forwarding server's IP is not in the original domain's SPF record. But DKIM passed with the correct d= domain, providing DMARC alignment. DMARC passes when either mechanism passes with alignment. So DKIM alone is sufficient.

What to do: This is normal behaviour for forwarded email (alumni addresses, server redirects, mailing lists). No action needed. The DMARC pass on DKIM alignment confirms the message is legitimate despite the SPF failure.

dkim=unknown or no DKIM-Signature header

What it means: The message was sent without DKIM signing, or the DKIM-Signature header was stripped by a forwarding or processing server. Many older mail servers and some bulk senders still send unsigned mail.

What to do: If this is your own outgoing mail: enable DKIM signing in your email provider's admin settings. For Google Workspace, go to Admin Console → Gmail → Authenticate email. For Microsoft 365, configure DKIM in the Defender portal. For SendGrid, Mailchimp and other ESPs, enable custom DKIM via CNAME records. Check your <Link href='/tools/dkim-analyzer' style={{color:'#7c3aed',textDecoration:'none',fontWeight:600}}>DKIM record</Link> after setup to confirm the key is published.

spf=softfail with dmarc=pass. Weak SPF but DKIM saves alignment

What it means: The sending IP is not explicitly authorised in the SPF record (producing a softfail with ~all), but DKIM alignment passes, so DMARC passes overall. The message is legitimate but the SPF configuration is suboptimal.

What to do: If this is your own mail: add the sending server's IP or include: mechanism to your SPF record, then harden from ~all to -all. Use the <Link href='/tools/spf-record-checker' style={{color:'#7c3aed',textDecoration:'none',fontWeight:600}}>SPF Record Checker</Link> to verify the update.

Unusually high hop count (8+) or very long delivery delay

What it means: Normal email delivery completes in 2-4 hops within 30 seconds. Many more hops or multi-hour delays can indicate the message passed through multiple relay servers, was held in a spam queue, experienced greylisting, or has a manipulated timestamp.

What to do: Look at the originating IP and the intermediate server hostnames. If any hop is from an unrecognised or suspicious host, look it up in WHOIS and check it against an IP blacklist. Very long delays with clean authentication may indicate greylisting at one of the intermediate servers. This is common for first-contact mail from new sending IPs.

From: domain differs completely from Return-Path domain and no DKIM for From: domain

What it means: The visible From: header claims one domain, but the actual envelope sender (Return-Path) is a completely different domain, and there is no DKIM signature from the From: domain to provide alignment. This is the pattern used in both BEC attacks and poorly configured marketing emails.

What to do: If this is a suspicious incoming message: this is the classic BEC or CEO fraud pattern. Do not act on the email's instructions. Report it to your security team. If this is your own marketing email: configure your ESP to sign with a CNAME-delegated DKIM key for your own domain in the d= field, so the signature provides alignment to the From: domain.

Examples

Authentication results explained: what each outcome means and how to respond

Five real-world header patterns covering the most common authentication outcomes from fully authenticated to spoofed.

Pass. AuthenticAll three checks pass. Fully authenticated legitimate email

Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=sender.com; dkim=pass header.d=sender.com; dmarc=pass p=reject header.from=sender.com Hops: 2 | Total delay: 0.8 seconds

SPF pass confirms the sending server is authorised by the domain's DNS. DKIM pass confirms message content was not modified in transit. DMARC pass with p=reject means the domain enforces its policy. Two hops and under one second total delivery time indicates clean, direct delivery with no suspicious relay involvement.

Fail. SpoofedDMARC fail with p=reject. CEO impersonation attempt blocked

Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.com; dkim=none; dmarc=fail p=reject header.from=victim.com Return-Path: bounce@attacker.com From: ceo@victim.com

The From: header claims the email is from victim.com but the actual infrastructure belongs to attacker.com. SPF fails because attacker.com's servers are not authorised for victim.com. DKIM is absent entirely. This is a classic Business Email Compromise (BEC) attempt. The p=reject DMARC policy caused receiving servers to block delivery.

Warning. SoftfailSPF softfail. Sender not explicitly authorised but not blocked

Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass p=none header.from=example.com

SPF softfail (~all) means the sending server is not in the authorised list but the domain has not explicitly blocked it. DKIM still passes and DMARC passes on DKIM alignment. The p=none policy means no enforcement action is taken. This is typical of domains in DMARC monitoring mode before upgrading to quarantine or reject.

Info. ForwardedSPF fail due to forwarding. Not a spoofing attempt

Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=originalhost.com; dkim=pass header.d=sender.com; dmarc=pass p=quarantine X-Forwarded-To: user@example.com Received: from forwarder.university.edu

Email forwarding breaks SPF because the forwarding server's IP is not in the original sender's SPF record. DKIM passes because the signature travels with the message intact. DMARC passes on DKIM alignment so the message is delivered despite the SPF failure. This is normal behaviour for alumni forwarding, mailing lists, and server-side redirect rules.

Fail. Suspicious12 hops and 4-hour delay. Unusual routing pattern

Received hops: 12 (expected: 2-4 for direct delivery) Total delay: 4 hours 17 minutes DKIM: none SPF: neutral

Legitimate email from major providers typically delivers in 1-30 seconds via 2-4 hops. Twelve hops and a four-hour delay strongly suggest the message was held in a spam queue or passed through multiple untrusted relay servers. The absence of DKIM and a neutral SPF result add to the suspicion.

FAQ

Email header analysis questions and answers

Answers to the most common questions about reading email headers, interpreting SPF/DKIM/DMARC results, tracing email origin, and identifying phishing and spoofing.

What is an email header?

An email header is a block of metadata prepended to every email message by each mail server that handles it. Headers record the sender's address, recipient, subject, timestamps, routing path through mail servers, and authentication results for SPF, DKIM, and DMARC. They are hidden by default in most email clients but can be viewed via a 'Show original' or 'View source' option. The header section ends at the first blank line. Everything after that is the message body. RFC 5322 defines the standard format for email header fields.

How do I copy email headers from Gmail, Outlook, and Apple Mail?

In Gmail: open the message, click the three-dot menu (⋮) → 'Show original' → copy all the text from the top of the page down to the blank line. In Outlook (web): open the message, click the three-dot menu → 'View' → 'View message source'. In Outlook (desktop): open the message, go to File → Properties and copy the 'Internet headers' field. In Apple Mail: open the message, hold Option and click View → Message → All Headers, then select all and copy. In Yahoo Mail: open the message, click the three-dot menu → 'View raw message'.

What do SPF, DKIM, and DMARC results mean?

SPF (Sender Policy Framework) verifies that the sending server's IP address is authorised to send email for the envelope domain. DKIM (DomainKeys Identified Mail) verifies a cryptographic signature proving the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with alignment requirements, the authenticated domain must match the visible From: header, and specifies what to do with failures: none (no action), quarantine (spam folder), or reject (block). All three passing means the message is authenticated end-to-end. A DMARC pass with p=reject is the strongest authentication signal a message can carry.

What does SPF fail or DKIM fail mean?

An SPF fail means the sending IP is not listed in the domain's SPF record. The message may be spoofed, sent from an unauthorised server, or sent via a forwarding service that broke SPF alignment. A DKIM fail means the cryptographic signature did not verify. This can indicate the message was altered in transit, the signing key has been rotated, or the DKIM configuration is incorrect. A DKIM fail combined with an SPF fail and a DMARC fail is a strong indicator of a spoofed or phishing message. If only SPF fails but DKIM passes and DMARC passes, the message may have been forwarded. Forwarding breaks SPF but preserves DKIM signatures.

How do I trace where an email came from?

The Routing tab shows each mail server hop in chronological order from the originating server to your inbox. The originating IP, extracted from the oldest Received header, is the IP address of the first server to handle the message. Unlike the From header, which can be trivially forged, the originating IP reflects the actual network infrastructure used to send the message. You can look up this IP in a WHOIS database or blacklist checker to identify the sending organisation. Discrepancies between the claimed From: domain and the originating IP's ownership are a strong spoofing indicator.

What is the originating IP and why does it matter?

The originating IP is the IP address of the first server that injected the message into the mail system. Found in the oldest (last chronologically) Received header. It is one of the few header values that genuinely cannot be forged, because it is written by the receiving server (your mail server), not by the sender. For phishing investigation, comparing the originating IP's registered organisation against the claimed sending domain is often the fastest way to confirm spoofing. An email claiming to be from your bank's domain but originating from an IP registered to a hosting provider in a different country is a classic indicator.

What is a routing hop and what delays are normal?

Each hop represents one mail server receiving and forwarding the message, adding a Received header with a timestamp. Normal delivery from major providers (Gmail, Outlook, SendGrid) completes in under 30 seconds via 2-4 hops. A single hop with a delay of several minutes may indicate greylisting, a slow relay, or a congested mail queue. Large delays (hours or days) can indicate delivery problems, spam filter holds, or deliberate timestamp manipulation to obscure the true sending time. More than 8-10 hops is unusual for legitimate email and worth investigating.

What does the X-Spam-Score header mean?

The X-Spam-Score header is added by spam filtering software, most commonly SpamAssassin, and reflects a numerical score based on characteristics of the message content, headers, sending IP reputation, and structural patterns. Negative scores (e.g. -2.6) indicate clean mail. Scores between 0 and 5 are borderline. Scores above 5 are typically classified as spam. The X-Spam-Flag header shows YES or NO as the final filter verdict. The X-Spam-Status header often lists the individual rule matches that contributed to the score.

Can email headers be faked?

Some headers can be forged and some cannot. The From:, Reply-To:, and Subject: headers are trivially spoofable. Anyone can put any value there. Return-Path and some Received headers from upstream servers can also be manipulated. However, headers added by the receiving mail server, particularly Authentication-Results and Received-SPF, are written by your own mail server and cannot be forged by the sender. DKIM signatures are cryptographically verifiable and cannot be forged without access to the private key. When analysing a suspicious message, always focus on the authentication results added by the destination mail server, not on visible fields like From: which any attacker can fake.

Is my email content processed by this tool?

No. This analyser only processes the header section of the email. The metadata block that precedes the message body. The email body, any text or HTML content, and any attachments are not read, processed, or used in any way. Additionally, all parsing runs entirely in your browser using JavaScript. Nothing is transmitted to any server. Your email headers are processed client-side on your device and are never uploaded, stored, or logged anywhere.

What is a Return-Path and why does it differ from the From address?

The Return-Path (also called the envelope sender or MAIL FROM address) is the address that delivery failure notifications (bounces) are sent to when a message cannot be delivered. It is set during the SMTP transaction and is separate from the visible From: header displayed in email clients. Legitimate email service providers (Mailchimp, SendGrid, HubSpot) always use their own Return-Path domains for bounce handling, which is why the Return-Path and From addresses almost always differ for ESP-sent email. Critically, SPF validates the Return-Path domain, not the From: domain. Which is why SPF alone cannot prevent From: header spoofing, and why DMARC alignment is needed on top.

How do I identify a phishing email from its headers?

The most reliable phishing indicators in email headers are: (1) DMARC fail combined with a p=reject or p=quarantine policy. The message was explicitly rejected by authentication checks. (2) SPF fail with no DKIM signature and a DMARC fail. The classic spoofed From: header pattern. (3) Originating IP belonging to an unrelated organisation or hosting provider. (4) Return-Path domain completely different from the From: domain with no DKIM signing of the From: domain. (5) Unusual routing with many hops or long delays. (6) X-Spam-Flag: YES or a high spam score. Authentication failures on their own can occur for forwarded legitimate mail, but multiple indicators together, especially DMARC fail with p=reject, strongly indicate a spoofing attempt.

What is Business Email Compromise (BEC) and how do headers expose it?

Business Email Compromise is a type of fraud where attackers impersonate executives, vendors, or trusted contacts to trick recipients into transferring money or sensitive information. BEC emails typically forge the From: header to show a trusted name while using a completely different Return-Path and sending infrastructure. Email headers expose BEC attempts by showing the Authentication-Results (which will show SPF and DKIM failures for the claimed domain), the originating IP (which will be unrelated to the legitimate organisation's mail infrastructure), and the discrepancy between the From: domain and the actual sending domain. A well-configured DMARC p=reject policy on the impersonated domain would cause the BEC email to be blocked before delivery.

What is DMARC alignment and why do headers show it?

DMARC alignment means the domain authenticated by SPF (the Return-Path domain) or DKIM (the d= signing domain) must match the domain in the From: header. 'Relaxed alignment' (the default) allows subdomain matches. 'Strict alignment' requires an exact match. The Authentication-Results header shows the alignment result. Dmarc=pass means at least one mechanism passed with alignment, dmarc=fail means neither did. This is why you may see spf=pass and dkim=pass but dmarc=fail. Both mechanisms passed for their own domains, but neither of those domains matched the From: header. DMARC alignment is the critical concept that distinguishes real authentication from spoofed authentication.

What are the most important headers to check when investigating a suspicious email?

In order of importance: (1) Authentication-Results. Shows the receiving server's SPF, DKIM, and DMARC verdicts; this is the most authoritative signal. (2) Received-SPF. Shows which IP was checked and whether it was authorised. (3) DKIM-Signature. Confirms whether a signature was present and for which domain. (4) From: vs Return-Path discrepancy. The most visible spoofing indicator. (5) The oldest Received header. Shows the true originating IP. (6) X-Spam-Score / X-Spam-Flag. The spam filter's verdict. For phishing investigation, focus on items 1-3 first: a DMARC fail from the receiving server is the strongest single indicator that something is wrong.

Technical background

Understanding email authentication results in headers: SPF, DKIM, and DMARC decoded

The three authentication standards that appear in email headers work together as a layered system. Understanding what each one validates, and crucially what it does not validate, is essential for correctly interpreting header analysis results.

SPF (Sender Policy Framework, RFC 7208) answers: is this IP address authorised to send email for the envelope domain? It checks the Received-SPF header, which contains the sending IP, the envelope MAIL FROM domain, and the result (pass, fail, softfail, neutral, none, permerror, temperror). Critically, SPF validates the Return-Path domain, the hidden envelope address used for bounces, not the visible From: header. This is why SPF pass does not mean the From: address is genuine, and why spf=pass alongside dmarc=fail can still indicate a spoofed message. You can verify a domain's SPF configuration independently using the SPF Record Checker.

DKIM (DomainKeys Identified Mail, RFC 6376) answers: was this message cryptographically signed by the domain in the d= tag, and has it been altered since signing? The DKIM-Signature header contains the signing domain (d=), selector (s=), algorithm (a=, typically rsa-sha256), the headers included in the signature (h=), and the signature itself (b=). A dkim=pass result means the signature verified correctly against the public key in DNS. DKIM survives forwarding, making it the more reliable alignment mechanism for third-party ESPs. Use the DKIM Analyzer to inspect a domain's published key strength and status.

DMARC (RFC 7489) answers: does the authenticated domain match the visible From: header? It enforces alignment. The SPF Return-Path domain or the DKIM d= domain must match (or be a subdomain of, in relaxed mode) the From: domain. The Authentication-Results header shows the DMARC verdict (pass/fail) and the policy applied (none/quarantine/reject). A dmarc=pass means at least one mechanism passed with alignment. A dmarc=fail means neither did. And the message's claimed From: domain is not what actually sent it. The DMARC Checker shows a domain's current policy and whether rua= reporting is configured.

The interaction between these three standards produces the most important rule in email security: a message can have spf=pass and dkim=pass and still be a spoofed phishing email. If SPF passes for the Return-Path domain (not the From: domain) and DKIM passes for the signing domain (not the From: domain), and neither aligns with the From: header, DMARC will fail. This is exactly why phishing emails from sophisticated actors often show individual SPF and DKIM passes alongside a DMARC fail. The DMARC result is the authoritative verdict. When combined with a domain-level policy of p=reject, that verdict should have blocked the message before delivery.

Related Email Security & DNS Tools

Email Privacy Auditor Email Health Checker DMARC Checker DMARC Analyzer DKIM Analyzer SPF Record Checker SPF Flattening Tool MX Record Lookup DNS Lookup Tool BIMI Record Checker All Tools

Need a disposable email address?Generate a free, instant throwaway. Zero signup, zero trace.

Get Free Temp Mail ->