Email Header Analyzer

Paste a raw email header to trace its Received hops, read the SPF, DKIM and DMARC results, and find the originating IP. Free, and it runs entirely in your browser.

Paste the full email header

How to get the raw header: in Gmail, open the message, click the three-dot menu and choose Show original. In Outlook, open the message and go to File > Properties (or … > View > View message source on the web). In Apple Mail, select the message and choose View > Message > Raw Source. Copy everything and paste it above.

Reads Received hops and SPF, DKIM & DMARC results straight from a pasted email header — entirely in your browser. Nothing is uploaded.

How it works

1

Open the raw header

Use Show original in Gmail, message source in Outlook, or Raw Source in Apple Mail.

2

Paste it in

Copy the whole header block and paste it into the box above.

3

Analyze

The tool unfolds the header, traces every Received hop and reads the auth results.

4

Read the trace

See the origin, the SPF, DKIM and DMARC verdicts, and each hop's delay.

Trace where an email really came from

Every email carries a hidden header that records its full journey — each mail server it passed through, the time it arrived, and the authentication checks that ran along the way. Reading it by hand is awkward because the Received lines are folded across multiple lines and listed in reverse order.

This email header analyzer does the reading for you. Paste a raw header and it unfolds the lines, orders the Received hops from origin to delivery, extracts the originating IP, and lays out the From, To, Subject, Date and Message-ID so you can see at a glance who sent a message and how it reached you.

Check SPF, DKIM and DMARC at a glance

The header also tells you whether a message was authenticated. The analyzer pulls the SPF, DKIM and DMARC verdicts out of the Authentication-Results line, shows them as colour-coded pass, fail or none chips, and names the signing and aligned domains — then sums it up in a plain-English verdict so you don't have to decode the raw syntax.

That makes it easy to spot a spoofed sender (a friendly From address whose DMARC fails) or to confirm that a real message authenticated cleanly. If the failures are on your own sending domain, the fix is in your DNS records rather than the header.

Everything stays in your browser

Email headers can contain sensitive routing details, internal server names and recipient addresses, so this tool never uploads them. The parsing is 100% client-side JavaScript — the header you paste is analyzed on your device and nothing is sent to, stored on, or logged by any server.

It's free, needs no signup, and works on any raw header from Gmail, Outlook, Apple Mail, or any other mail client.

Common questions about email headers

What is an email header?


An email header is the block of technical metadata that travels with every message above the body you normally read. It records the path the email took between mail servers (the Received lines), authentication results like SPF, DKIM and DMARC, and fields such as From, To, Subject, Date and Message-ID. Mail apps hide it by default, but it is the definitive record of how — and from where — a message actually reached you.

How do I get or view the full email header in Gmail, Outlook and Apple Mail?


In Gmail, open the message, click the three-dot menu at the top right and choose Show original, then copy everything on that page. In Outlook desktop, open the message and go to File > Properties and copy the Internet headers box; in Outlook on the web, open the message, choose the three-dot menu > View > View message source. In Apple Mail, select the message and choose View > Message > Raw Source. Paste whatever you copy into the box above.

How do I read the Received hops in an email header?


Each Received line is one hop the message made between servers, and they are written in reverse order — the bottom Received line is the origin (where the email started) and the top one is the server that finally delivered it to you. Read from the bottom up to follow the journey. This tool re-orders them for you, numbers each hop from the origin, and shows the delay between hops so you can spot where a message was slowed down.

What do SPF, DKIM and DMARC pass or fail mean in a header?


These are the three authentication checks the receiving server ran. SPF pass means the sending server was authorised to send for the envelope domain. DKIM pass means the message carried a valid cryptographic signature for the signing domain, so the content wasn't tampered with in transit. DMARC pass means the visible From domain aligns with the SPF or DKIM domain, tying it all together. A pass on all three is a strong sign the sender is genuine; a fail — especially on DMARC — is a common signal of spoofing or a misconfigured sender.

How do I find who really sent an email and the originating IP?


Look at the earliest (bottom) Received line — it usually contains a from clause with the sending server's name and a bracketed IP address, which is the originating IP. This analyzer pulls that IP out for you and highlights it in the summary. Combined with the Return-Path and the DKIM and SPF domains, the originating IP tells you which network actually injected the message, which is how you tell a legitimate sender from a spoofed From address.

Is my pasted header uploaded anywhere?


No. The entire analysis runs in your browser using JavaScript — the header you paste is never sent to a server, stored, or logged. You can confirm this by disconnecting from the internet after the page loads and running the tool; it still works, because nothing leaves your device.

Ready to 10x your pipeline?

Send your first cold email campaign today, risk-free.

Try for free