Email Header Analyzer

Paste raw email headers below to trace the complete delivery path, identify routing delays, and verify authentication results including SPF, DKIM, and DMARC. All analysis runs locally in your browser — no data is sent to any server.

Figure 1 — Email Header Analyzer

What Are Email Headers?

Email headers are metadata lines prepended to every email message as it travels from sender to recipient. They contain critical information about the message's origin, routing path, and authentication status. Understanding headers is essential for troubleshooting delivery problems, identifying spam, and verifying that security mechanisms like SPF and DKIM are working correctly.

Every time an email passes through a mail server, a new Received header is added. By reading these headers in order, you can trace the exact path your email took across the internet — similar to how you'd use a DNS lookup to trace domain resolution or a ping test to measure network latency.

How to Find Email Headers

Each email client exposes raw headers differently. Here's how to access them in the most popular clients:

| Email Client | How to View Headers |
| --- | --- |
| Gmail | Open message → three dots menu → "Show original" |
| Outlook (Web) | Open message → three dots → "View message details" |
| Outlook (Desktop) | Open message → File → Properties → "Internet headers" |
| Apple Mail | View → Message → All Headers |
| Thunderbird | View → Headers → All |
| Yahoo Mail | Open message → three dots → "View raw message" |

Pro Tip: Always copy the complete headers, not just the visible ones. Partial headers will miss important routing hops and authentication data. The headers start from the very first line (usually Received:) and end just before the email body. If you're investigating a suspicious email, also check the sender's IP with our IP Lookup tool.

Understanding Email Authentication

Modern email relies on three primary authentication mechanisms to prevent spoofing and phishing. These are checked by the receiving mail server and recorded in the Authentication-Results header:

| Mechanism | What It Checks | DNS Record | Pass Means |
| --- | --- | --- | --- |
| SPF | Sending server IP authorized by domain | TXT record | The sending IP is in the domain's allowed list |
| DKIM | Email cryptographic signature is valid | TXT record (selector._domainkey) | Message wasn't altered in transit |
| DMARC | SPF or DKIM align with From domain | TXT record (_dmarc) | Domain owner's policy is satisfied |

You can verify these DNS records directly using our DNS Lookup tool. For SPF specifically, see our SPF Record Checker, and for DKIM, use the DKIM Record Checker.
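The following added example (not the analyzer's own code) reads the Authentication-Results header and recomputes DMARC alignment against the From domain, using only the header stamped by a receiver you trust. The sample headers, the `mx.example.org` receiver name and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; only the line stamped by our own receiver (mx.example.org) is trusted.
SAMPLE = (
    "Authentication-Results: mx.example.org;\n"
    "\tspf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces@mailer.example.net;\n"
    "\tdkim=pass header.d=mailer.example.net header.s=s1;\n"
    "\tdmarc=fail (p=reject) header.from=example.com\n"
    "Authentication-Results: mx.unknown.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Return-Path: <bounces@mailer.example.net>\n"
    "From: John Doe <john@example.com>\n\nbody\n"
)

def parse_authres(value):
    """Return (authserv_id, {method: [{'result': ..., prop: value, ...}]})."""
    value = re.sub(r"\([^()]*\)", " ", value)           # drop (comments)
    authserv, *parts = [p.strip() for p in value.split(";")]
    methods = {}
    for part in parts:
        m = re.match(r"(\w+)\s*=\s*(\w+)", part)
        if m:                                           # e.g. "dkim=pass header.d=..."
            props = dict(re.findall(r"([\w.]+)\s*=\s*(\S+)", part[m.end():]))
            methods.setdefault(m.group(1).lower(), []).append(
                {"result": m.group(2).lower(), **props})
    return (authserv.split() or [""])[0].lower(), methods

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_view(raw, trusted_id):
    """Recompute DMARC alignment from the trusted receiver's recorded results."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    parsed = [parse_authres(v) for v in msg.get_all("Authentication-Results", [])]
    methods = next((m for a, m in parsed if a == trusted_id.lower()), None)
    if methods is None or not from_dom:
        return None                                     # nothing trustworthy to report

    def aligned(method, prop):
        return any(e["result"] == "pass" and org_domain(
            e.get(prop, "").rpartition("@")[2]) == org_domain(from_dom)
            for e in methods.get(method, []))
    spf_ok, dkim_ok = aligned("spf", "smtp.mailfrom"), aligned("dkim", "header.d")
    return {"from_domain": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_expected": "pass" if spf_ok or dkim_ok else "fail",
            "dmarc_recorded": [e["result"] for e in methods.get("dmarc", [])]}
```

In the sample, SPF and DKIM both pass for mailer.example.net, yet neither aligns with the From domain example.com, so DMARC fails.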

Reading the Received Chain

The Received headers form a chain showing each server that handled the email. They are read bottom-to-top — the bottom-most Received header is the first server (closest to the sender), and the top-most is the last server (closest to the recipient).

Each hop typically includes:

  • from — the server that sent the message (hostname or IP)
  • by — the server that received it
  • with — the protocol used (SMTP, ESMTP, ESMTPS for TLS)
  • timestamp — when the handoff occurred

Large delays between hops can indicate server-side processing issues, greylisting, or spam filtering queues. If you see an unfamiliar IP in the chain, look it up with our IP Lookup or What Is My IP tool to identify the server's location and owner.

Note: Some email providers (like Gmail) may rewrite or consolidate Received headers for internal routing. This means you might see fewer hops than expected for messages sent between accounts on the same platform. This is normal and doesn't indicate a problem.
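As an added example (not the analyzer's own code), this sketch reads a Received chain bottom-to-top, extracts the from, by and with clauses, and flags hops that took longer than the 30-second threshold used on this page or that did not record TLS. The sample headers are constructed, and the function names are illustrative.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (documentation hostnames and IPs, not a real message).
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n"
    "\tby inbox.example.org with ESMTPS id c3; Tue, 04 Mar 2025 10:00:47 +0000 (UTC)\n"
    "Received: from relay.example.com (relay.example.com [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP id b2; Tue, 04 Mar 2025 10:00:05 +0000\n"
    "Received: from laptop.local ([203.0.113.50])\n"
    "\tby relay.example.com with ESMTPSA id a1; Tue, 04 Mar 2025 05:00:02 -0500\n"
    "From: John Doe <john@example.com>\n\nbody\n"
)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" keywords

def strip_comments(text):
    """Drop (possibly nested) comments such as '(using TLSv1.3 with cipher ...)'."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def clause(name, text):
    """Return the token following a Received clause keyword (from/by/with)."""
    m = re.search(rf"\b{name}\s+(\S+)", text, re.I)
    return m.group(1) if m else None

def trace(raw, slow_after=30):
    """Return hops in delivery order (sender first) with delay and TLS flags."""
    hops, prev = [], None
    # Each server prepends its own Received line, so reverse to read bottom-to-top.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, date = strip_comments(value).rpartition(";")
        try:
            when = parsedate_to_datetime(date.strip())
        except (TypeError, ValueError):
            continue                      # malformed hop: no usable timestamp
        if when.tzinfo is None:           # "-0000" parses as naive; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        proto = (clause("with", info) or "").upper()
        delay = (when - prev).total_seconds() if prev is not None else 0.0
        hops.append({"from": clause("from", info), "by": clause("by", info),
                     "with": proto, "delay_s": delay, "slow": delay > slow_after,
                     "tls": proto in TLS_PROTOCOLS})
        prev = when
    return hops
```

Comments are stripped before matching because a phrase like "with cipher" inside a TLS comment would otherwise be mistaken for the with clause, and timestamps are compared as timezone-aware values so hops stamped in different offsets subtract correctly.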

Common Email Header Fields

| Header | Description | Example |
| --- | --- | --- |
| From | Display sender address | John Doe <john@example.com> |
| Return-Path | Envelope sender (bounce address) | <bounces@example.com> |
| Reply-To | Address for replies | <support@example.com> |
| Message-ID | Unique message identifier | <abc123@mail.example.com> |
| X-Mailer | Software used to send | Thunderbird 115.0 |
| X-Originating-IP | Sender's original IP | [203.0.113.50] |
| Content-Type | Message format | multipart/alternative; boundary="..." |
| MIME-Version | MIME standard version | 1.0 |

Troubleshooting Email Delivery Issues

When emails aren't being delivered, headers are your first diagnostic tool. Here are common problems and what to look for:

  • SPF failure — The sending server's IP isn't in the domain's SPF record. Check the Authentication-Results header and verify the SPF record with a DNS lookup.
  • DKIM failure — The signature doesn't match, possibly because the message was modified by a forwarding server or mailing list.
  • Long delays — Compare timestamps between Received headers. Delays over 30 seconds may indicate greylisting or overloaded servers.
  • Blacklisted IP — If the sending IP appears on a DNS blacklist, the message may be rejected. Check the IP using our IP Blacklist Checker.
  • Missing TLS — Look for with ESMTPS in the Received headers. If it says ESMTP (no S), the connection was unencrypted. Ensure your network is secured.

If you're managing your own mail server, make sure your DNS is properly configured. Use our Port Checker to verify that port 25 (SMTP), 587 (submission), and 993 (IMAPS) are open. Also verify your MX records are pointing to the correct server.

Email Security Best Practices

Protecting your email infrastructure requires multiple layers of defense, much like securing your home WiFi network:

  1. Publish SPF, DKIM, and DMARC records for all domains that send email.
  2. Use TLS encryption (STARTTLS or implicit TLS) for all mail server connections.
  3. Set up a PTR record (reverse DNS) that matches your mail server's hostname.
  4. Monitor blacklists regularly to ensure your sending IPs aren't listed.
  5. Keep your router firmware updated to prevent your network from being compromised and used for spam.
  6. Use a strong password for all email accounts and enable two-factor authentication.

Key Takeaways

  • Email headers are read bottom-to-top — the first Received header at the bottom is closest to the sender.
  • SPF, DKIM, and DMARC results are recorded in the Authentication-Results header.
  • Large delays between hops indicate greylisting, spam filtering, or server overload.
  • The X-Originating-IP header (when present) reveals the sender's actual IP address.
  • Always verify suspicious sender IPs with an IP Lookup tool.
  • Proper DNS configuration (SPF, DKIM, DMARC, PTR) is essential for email deliverability.

Frequently Asked Questions

What do email headers tell you?

Email headers reveal the complete delivery path of a message, including every server it passed through, timestamps for each hop, authentication results (SPF, DKIM, DMARC), the sender's IP address, and the software used to send the message. This information is invaluable for troubleshooting delivery issues and identifying spam or phishing attempts.

How do I trace the origin of an email?

Look at the bottom-most Received header — this is the first server in the chain and is closest to the sender. The X-Originating-IP header, if present, shows the sender's actual IP. You can then use an IP lookup tool to find the geographic location and ISP associated with that IP address.

What does SPF failure mean in email headers?

An SPF failure means the IP address of the sending mail server is not authorized in the domain's SPF DNS record. This often happens when emails are forwarded, sent through a third-party service not listed in SPF, or when someone is spoofing the sender address. Check the domain's SPF record using a DNS lookup to see which IPs are authorized.

Why are there delays between email hops?

Delays between hops can be caused by greylisting (a spam prevention technique that temporarily rejects unknown senders), spam filtering and virus scanning, overloaded mail servers, DNS resolution delays, or rate limiting. Delays under 5 seconds are normal; anything over 30 seconds warrants investigation.

Can email headers be faked?

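Some headers like From, Reply-To, and X-Mailer can be easily spoofed by the sender. However, Received headers added by receiving servers are generally trustworthy. A sender can still insert fabricated Received lines beneath the genuine ones, so trust the chain only from the first server you recognize upward. This is why SPF, DKIM, and DMARC exist: to verify that the email actually came from the claimed sender domain.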

What is the difference between From and Return-Path?

The From header is the display address shown to recipients and can be set to anything by the sender. The Return-Path (also called the envelope sender) is the address where bounce notifications are sent and is set during the SMTP transaction. SPF checks are performed against the Return-Path domain, not the From domain.

How do I improve my email deliverability?

Ensure your domain has valid SPF, DKIM, and DMARC DNS records. Set up a PTR record for your mail server IP. Monitor your IP reputation and check if you're on any blacklists. Use TLS encryption for all connections. Keep your sending volume consistent and avoid sudden spikes that trigger spam filters.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.
