Overview

Paste a raw email header to read SPF, DKIM and DMARC results, the originating IP and every Received hop with relay delays. For spoofing and spam checks.

📘 How to Use

  1. Open "Show Original" or "View Source" in your mail client
  2. Select the full raw header and paste it into the input box
  3. Read the authentication, sender and delivery-path results

Email Header Analyzer | Decode SPF, DKIM, DMARC and Routing

Paste a raw email header and read the SPF, DKIM and DMARC verdicts, the originating IP, the full chain of Received hops and the delay between each relay. Built for spoofing investigations and delivery troubleshooting.

💡 About this tool

"Did this really come from who it claims?" and "Why did it take so long to arrive?" are questions the message body can't answer. The visible From line is trivial to forge, so the trustworthy evidence lives in the headers: the authentication verdicts and the routing log.

This analyzer pulls three authentication results out of whatever you paste. SPF checks whether the sending IP is authorized for the domain, DKIM checks whether a cryptographic signature still matches the message, and DMARC is the policy-level verdict that ties those two back to the visible From domain. It then reorders every Received header into chronological order, numbers each hop, and shows which server handed off to which, plus how many seconds each leg took. It also extracts the originating IP so you have a starting point when tracing a spam source.

Everything runs locally in your browser. The header you paste is never uploaded to a server.

🧐 Frequently Asked Questions

Where do I find the raw header?
In Gmail, open "Show original"; in Outlook, open Properties and copy the Internet headers; in Apple Mail, choose "Show All Headers". Paste the raw text exactly as shown.

SPF passed but the mail was still spam. How?
SPF only confirms that the sending server is authorized to send for its own domain. An attacker sending from their own legitimately configured domain will pass SPF. Whether that domain itself is trustworthy is a separate judgment.

Why does DMARC show "Not found"?
Not every message carries a DMARC result. If the receiving server didn't run DMARC validation, or the sending domain never published a DMARC record, no verdict appears in the header.

How do I read the order of Received hops?
In a raw header the most recent relay is listed first. This tool reverses them into chronological order (sender to recipient) and numbers them, so you can follow the path top to bottom.

One hop shows a large delay. Is that a problem?
Each delay is the time between two servers accepting the message. Greylisting or a busy queue can add minutes. An unusually long leg points to where a delivery slowdown happened.
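The parsing steps described above (authentication verdicts, "Not found" for a missing result, Received hops reversed into chronological order with per-leg delays) can be reproduced offline with Python's standard library. This is an added example, not the tool's own code; the `analyze` function, the sample header and the rule used for the originating IP are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: example domains and documentation-range addresses.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with ESMTP id 3; Mon, 01 Jan 2024 10:05:12 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id 2;
\tMon, 01 Jan 2024 10:00:07 +0000
Received: from laptop.sender.example ([192.0.2.44])
\tby out.sender.example with ESMTPSA id 1; Mon, 01 Jan 2024 05:00:05 -0500
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example
From: Alice <alice@sender.example>

"""

def analyze(raw):
    msg = message_from_string(raw)
    # A method with no result in the header is reported as "Not found".
    auth = dict.fromkeys(("spf", "dkim", "dmarc"), "Not found")
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            if auth[method.lower()] == "Not found":  # keep the topmost result
                auth[method.lower()] = verdict.lower()
    hops = []
    # Raw order is newest first; reverse it to read sender to recipient.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        route, _, stamp = flat.rpartition(";")  # timestamp follows the last ';'
        by = re.search(r"\bby\s+(\S+)", route)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", route)
        when = delay = None
        try:
            when = parsedate_to_datetime(stamp.strip())
            if hops:  # seconds since the previous server accepted the message
                delay = (when - hops[-1]["time"]).total_seconds()
        except (TypeError, ValueError):
            pass  # missing or unparseable timestamp: no delay for this leg
        hops.append({"n": len(hops) + 1, "by": by and by.group(1),
                     "ip": ip and ip.group(1), "time": when, "delay": delay})
    # Assumption: originating IP = bracketed address on the earliest hop.
    return {"auth": auth, "origin_ip": hops[0]["ip"] if hops else None, "hops": hops}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Hops recorded before the message reached your own receiving server are written by the sending side, so treat their addresses and timestamps as claims rather than facts. The same applies to any Authentication-Results header that your own receiver did not add.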

📚 Why three authentication standards instead of one

SPF, DKIM and DMARC arrived in stages because each closes a gap the previous one left open. SPF publishes, in DNS, which servers may send for a domain. DKIM adds a signature so the recipient can confirm the body wasn't altered in transit.

Both had blind spots. SPF breaks easily when mail is forwarded, and DKIM alone says nothing about whether the visible From domain is legitimate. DMARC layers on top: it requires that an SPF or DKIM pass also "aligns" with the From domain, and it lets the domain owner declare what to do on failure (quarantine or reject). Reading all three verdicts together is what makes a confident trust decision possible.