Free Email Header Analyzer

Email headers are metadata attached to every email message that record the complete delivery path from sender to recipient. They include server names, IP addresses, timestamps, and authentication results. Analyzing headers helps IT staff verify whether an email is legitimate, diagnose delivery delays, identify spoofing attempts, and troubleshoot routing issues. For businesses handling sensitive data or subject to compliance requirements, header analysis is a critical part of email security.

SPF (Sender Policy Framework) verifies that the sending server is authorized to send mail for the domain. DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy that tells receiving servers what to do when checks fail. When all three pass, you can be more confident the email is legitimate and has not been tampered with.

When email flows through a security gateway or relay (like Proofpoint, Mimecast, or Barracuda), the gateway evaluates SPF and DKIM against the original sending server. After the gateway processes and forwards the email, the destination server sees the relay IP (not the original sender IP) for SPF, and the message body may have been modified (breaking DKIM signatures). This is why checking both gateway and destination authentication results gives you the full picture. Our tool shows results from all available authentication sources so you can see exactly where and why checks passed or failed.

Yes. This tool runs entirely in your web browser using client-side JavaScript. The email headers you paste are never sent to our servers or any third party. All parsing and analysis happens locally on your device. When you close or refresh the page, the data is gone. This makes it safe to use with headers from sensitive or confidential emails.

In Gmail, open the email, click the three-dot menu in the top right, and select "Show original." In Outlook desktop, open the email, go to File, then Properties, and copy the text from the "Internet headers" box. In Outlook on the web, open the email, click the three dots, go to View, then "View message source." The full header text can then be copied and pasted into the analyzer above.

An SPF failure means the sending server's IP address is not listed in the domain's authorized senders. A DKIM failure means the cryptographic signature on the email could not be verified, suggesting the message may have been altered after it was sent. Either failure can indicate a spoofed or phishing email, though legitimate emails can sometimes fail these checks due to forwarding, mailing lists, relay gateways, or misconfigured DNS records. If you see failures on business-critical emails, it is worth investigating further or consulting your IT team.