Mail Header Analyzer — Parse Email Headers, Trace Route & Authentication Online

Paste raw email headers to instantly extract sender/recipient info, trace the delivery route with hop-by-hop timing, check SPF/DKIM/DMARC authentication results, parse anti-spam scores, and identify all IP addresses. Includes plain-English explanations for every header. 100% client-side — headers never leave your browser.

Mail Header Analyzer

Paste headers to begin analysis

How to Use the Mail Header Analyzer

  1. Open your email and find the option to view full headers. In Gmail, click the three dots → "Show original". In Outlook, open the message → File → Properties → "Internet headers". In Apple Mail, View → Message → All Headers.
  2. Copy all header text — it typically starts with "Received:" and ends before the blank line that separates headers from the body.
  3. Paste into the textarea above — parsing happens automatically as you paste.
  4. Review the Overview tab for key info (From, To, Subject, Date, Message-ID).
  5. Check the Route tab to see the hop-by-hop delivery path with timing between each server.
  6. Inspect the Authentication tab for SPF, DKIM, and DMARC results to verify the sender's legitimacy.
  7. Review anti-spam headers for SpamAssassin scores and verdicts.
  8. Copy a summary with one click for sharing in support tickets or documentation.

Understanding Email Headers

Email headers are metadata attached to every message as it travels from sender to recipient. Each server the message passes through adds a Received header, creating a chronological audit trail. Headers also carry authentication results (SPF, DKIM, DMARC), spam scores, content type information, and unique message identifiers used for threading and delivery tracking.

Received headers are read bottom-up: the bottommost Received header is the first hop (sender's server), and the topmost is the last hop (recipient's server). Each header records the sending server's identity, the connecting IP, the timestamp, and optionally the protocol and message size.

SPF (Sender Policy Framework) verifies the sending IP is authorized to send for the domain. DKIM (DomainKeys Identified Mail) validates a cryptographic signature proving the message wasn't tampered with. DMARC combines SPF and DKIM alignment to enforce a policy (none, quarantine, or reject) for messages that fail authentication.

Frequently Asked Questions

Gmail: Open the email, click the three-dot menu (⋮) next to Reply, select "Show original". Outlook: Open the email, go to File → Properties, look under "Internet headers". Apple Mail: View → Message → All Headers. Thunderbird: Open the email, click "More" → "View Source". Yahoo Mail: Open the email, click the three dots, select "View raw message".

SPF results range from "pass" to "fail" with intermediate states. A softfail (~all) means the sending IP is not authorized but the message shouldn't be outright rejected — it's a hint that the message may be suspicious. A neutral (?) result means the domain makes no claim. A hardfail (-all) means the IP is definitively unauthorized and the message should be rejected.

Email servers prepend new Received headers at the top of the header block. So the first server to handle the message adds its header at the very top, then each subsequent server pushes it down. When you read the headers top-to-bottom, you're reading from the most recent hop (recipient's server) to the oldest hop (sender's server). This analyzer displays them in chronological order (oldest first) for clarity.

SpamAssassin scores vary by configuration, but generally: 0-1.9 is not spam, 2.0-2.9 is borderline (often held for review), 3.0-6.9 is likely spam, and 7.0+ is definitely spam. The default threshold for flagging spam is usually 5.0. Some servers use stricter thresholds (3.0 or 4.0). Check your server's configuration for the exact thresholds.

Yes. Paste whatever portion of the headers you have. The tool will parse all recognizable headers from whatever you provide. Even partial headers (e.g., just the Received chain) will yield useful route and timing information.

A DKIM failure means the cryptographic signature in the message doesn't match the sender's public key. This could indicate the message was modified in transit, the signing domain doesn't match the From domain, or the DNS record for the signing key has changed. A none result means no DKIM signature was found at all — not necessarily malicious, but worth investigating.

Use Cases

Tracing Email Delivery Path

Follow the complete delivery route of an email to identify where delays or failures occur.

Identifying Spam Sources

Track spam emails back to their source IP addresses and analyze anti-spam scores.

Debugging Delivery Failures

Diagnose why emails aren't being delivered by examining server responses and error codes.

Verifying SPF/DKIM/DMARC

Check email authentication results to verify sender legitimacy and prevent spoofing.

Analyzing Routing Delays

Measure time between email hops to identify slow servers and optimize delivery performance.

Related Tools

Email Records

Build SPF, DKIM, DMARC DNS records

Hash Calculator

MD5, SHA-1, SHA-256, SHA-512 hashes

Encoder / Decoder

Base64, URL, HTML encode & decode