Email Header Analyzer
Paste raw email headers to trace the delivery route and authentication results.
Paste the full raw headers from your email client. Headers are analyzed in your browser session and not stored.
About this tool
Every email carries a hidden trail of headers added by each server it passed through. Paste the full raw headers here and the analyzer reconstructs the delivery route from the Received chain, extracts the originating sender IP, and reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header, along with From, Return-Path and Message-ID.
To get raw headers: in Gmail open a message and choose "Show original"; in Outlook use File > Properties > Internet headers; in Apple Mail use View > Message > All Headers. Copy everything from the top of the message.
Frequently asked questions
Which Received header shows the real sender?
Received headers stack newest-first, so the bottom one is closest to the origin. Note that any server can forge headers below its own, so only the entries added by servers you trust are reliable.
Why do From and Return-Path differ?
From is the address shown to the reader; Return-Path (the envelope sender) is where bounces go. Mailing lists and sending services legitimately use their own Return-Path, but a mismatch combined with failed authentication is a phishing signal.
What does dkim=fail mean in Authentication-Results?
The message's DKIM signature did not verify — either the content was modified in transit (common with mailing lists that rewrite messages) or the message is forged. Check the SPF and DMARC results alongside it before concluding.