Tool
Email Header Analyzer
Paste raw email headers to trace the origin IP, check SPF/DKIM/DMARC, and identify spoofed or malicious senders.
How to get email headers
Gmail: Open email → three-dot menu (⋮) → Show original → Copy to clipboard
Outlook: Open email → File → Properties → copy from "Internet headers"
Apple Mail: Open email → View → Message → All Headers
About
What Are Email Headers?
Email headers are metadata prepended to every message as it travels from sender to recipient. They record the path the email took through mail servers, authentication check results, timestamps, message IDs, and routing decisions — a complete audit trail invisible in the email body.
This tool parses over 20 header fields and surfaces the most security-relevant information: the originating IP address, SPF/DKIM/DMARC authentication results, server hop chain, and delivery timestamps. It's used by security analysts investigating phishing emails, mail administrators debugging delivery issues, and compliance teams auditing email flows.
All analysis runs server-side. The parsed header data is not stored or logged.
Authentication
Email Authentication Checks
SPF — Sender Policy Framework
Verifies the sending server is authorized by the From domain's SPF record. A fail means the server IP isn't listed — a strong spoofing indicator. Softfail (~all) flags but doesn't reject.
DKIM — DomainKeys Identified Mail
Verifies a cryptographic signature applied to the message by the sending server. A pass confirms the message was not modified in transit and originated from an authorized server.
DMARC — Domain-based Message Authentication
Enforces alignment between SPF/DKIM results and the visible From domain. A DMARC fail with a reject policy means the message should be blocked — many email providers honor this.
Originating IP
The IP address of the first external server in the Received chain — the closest indicator of where the email actually came from, before any internal relay hops.
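The following Python example is added here and is not this tool's own code: it reads the Received chain bottom-to-top to find the first external IP and pulls the SPF/DKIM/DMARC verdicts from the Authentication-Results header. The sample headers, the INTERNAL range list and all function names are assumptions constructed for the example.

```python
import email
import ipaddress
import re

# Constructed sample headers (not a real message); the newest hop is on top.
SAMPLE = """\
Received: from relay.corp.example (10.0.0.5) by mbox.corp.example; Tue, 02 Jan 2024 10:00:05 +0000
Received: from mail.sender.example ([203.0.113.45]) by relay.corp.example; Tue, 02 Jan 2024 10:00:03 +0000
Received: from laptop.local ([192.168.1.20]) by mail.sender.example; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: relay.corp.example; spf=fail smtp.mailfrom=bank.example; dkim=none; dmarc=fail
From: "Bank Support" <support@bank.example>
"""

# Ranges treated as internal relay hops (assumption: RFC 1918 plus loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def received_ips(msg):
    """Sending IP of each Received header, oldest hop first (bottom-to-top)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(" ".join(value.split()).split(" by ", 1)[0])
        hops.append(match.group(1) if match else None)
    return hops

def originating_ip(msg):
    """First hop, reading bottom-to-top, whose IP is valid and not internal."""
    for ip in received_ips(msg):
        try:
            addr = ipaddress.ip_address(ip or "")
        except ValueError:
            continue  # no IP recorded for this hop, or malformed (e.g. 999.1.1.1)
        if not any(addr in net for net in INTERNAL):
            return ip
    return None

def auth_results(msg):
    """spf/dkim/dmarc verdicts; the topmost Authentication-Results header wins."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def analyze(raw):
    msg = email.message_from_string(raw)
    auth = auth_results(msg)
    not_passing = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    return {"origin_ip": originating_ip(msg), "auth": auth, "not_passing": not_passing}
```

Received lines below your own mail servers are written by systems the sender controls, so treat the extracted IP as an indicator rather than proof of origin.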
FAQ
Frequently Asked Questions
How do I get email headers from my email client?
Gmail: three-dot menu → Show original. Outlook: File → Properties → Internet headers. Apple Mail: View → Message → All Headers. Copy the full header block and paste it into the tool above.
What does the Received chain tell me?
The chain of servers the email passed through. Reading bottom-to-top, the lowest Received header is the originating server — the most reliable indicator of the true sender IP before any internal relay hops.
What is email spoofing?
Forging the From address to appear as a trusted sender — a bank, IT department, or colleague. Header analysis reveals the true originating IP and whether SPF/DKIM/DMARC passed. Spoofed emails typically fail at least one of these checks.
What does SPF pass vs fail mean?
SPF pass means the sending server IP is listed in the domain's SPF policy as authorized. Fail means it isn't — a strong spoofing indicator. Softfail (~all) is a weaker policy that flags but doesn't reject the message.