Email Header Analyzer
Paste raw email headers to trace the delivery path, measure hop delays, and read the authentication results.
What are email headers?
Every email carries a block of headers — metadata that records who sent it, how it traveled, and what authentication checks it passed. Your mail client only shows a few (From, Subject, Date), but the full header block contains the complete delivery history.
Analyzing headers is the fastest way to answer questions like "why did this land in spam?", "where did this phishing email really come from?", and "why did delivery take 20 minutes?"
How to get the raw headers
- Gmail: open the message → ⋮ menu → Show original. Copy everything in the box.
- Outlook (desktop): open the message → File → Properties → copy the Internet headers box.
- Outlook.com / Microsoft 365 web: open the message → ⋮ → View → View message source.
- Apple Mail: select the message → View → Message → All Headers (or Raw Source).
- Yahoo Mail: open the message → ⋮ More → View raw message.
What this analyzer shows
- Delivery path — the Received: chain reconstructed in order, oldest hop first, so you can see every server the message passed through.
- Per-hop delay — the time gap between consecutive hops, which pinpoints where a slow delivery stalled.
- Originating IP — the first public IP in the chain, i.e. the server that actually injected the message.
- Authentication results — SPF, DKIM, and DMARC outcomes parsed from the Authentication-Results header added by the receiving server.
- Key headers — From, To, Return-Path, Message-ID, and other identifying fields.
Reading the Received chain
Mail servers prepend a Received: header each time they handle a message, so in the raw text the newest hop is at the top. This tool reverses that — hop 1 is where the message originated, and the last hop is final delivery. Each hop records the from host (who handed off the message), the by host (who received it), the protocol used, and a timestamp.
Be aware that Received headers before your own infrastructure can be forged by a spammer — only the headers added by servers you trust are reliable. The originating IP shown here is the first public IP in the chain, but in a forged chain that may itself be fabricated.
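The hop reconstruction described above, as an added example that is not this analyzer's own code: it reverses the Received chain, clamps negative gaps to zero, picks the first public IP, and flags which hops were stamped by hosts you trust. The sample headers, the `analyze` function, its `trusted_hosts` parameter, and the IPv4-only definition of "public" are assumptions made for illustration.

```python
import email, ipaddress, re
from email.utils import parsedate_to_datetime

# Constructed sample, newest hop on top (RFC 5737 documentation addresses).
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby inbound.example.org with ESMTPS; Tue, 04 Mar 2025 10:00:45 +0000\n"
    "Received: from relay.example.com (relay.example.com [203.0.113.25])\n"
    "\tby mx.example.net with ESMTP; Tue, 04 Mar 2025 10:00:40 +0000\n"
    "Received: from laptop.local (unknown [192.168.1.20])\n"
    "\tby relay.example.com with ESMTPSA; Tue, 04 Mar 2025 10:00:42 +0000\n"
    "From: alice@example.com\nSubject: constructed sample\n\nbody\n"
)
# Assumption: "public" means an IPv4 address outside these ranges.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. [999.1.1.1] in a malformed header
        return False
    return not any(addr in net for net in NON_PUBLIC)

def field(pattern, value):
    m = re.search(pattern, value)
    return m.group(1) if m else None

def analyze(raw, trusted_hosts):
    """Return (hops oldest-first, first public IP or None)."""
    hops, trusted = [], True
    for v in email.message_from_string(raw).get_all("Received") or []:
        by = field(r"\bby\s+(\S+)", v)
        # Only the unbroken run of newest headers stamped by our own servers
        # is reliable; below the first untrusted stamp anything may be forged.
        trusted = trusted and by in trusted_hosts
        hops.append({
            "from": field(r"\bfrom\s+(\S+)", v), "by": by,
            "ip": field(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v),
            "time": parsedate_to_datetime(v.rsplit(";", 1)[-1].strip()),
            "trusted": trusted})
    hops.reverse()              # raw order is newest first; hop 1 = origin
    prev = None
    for h in hops:
        gap = (h["time"] - prev).total_seconds() if prev else 0
        h["delay"] = max(0, int(gap))   # negative gap = clock skew, clamp
        prev = h["time"]
    origin = next((h["ip"] for h in hops if h["ip"] and is_public(h["ip"])), None)
    return hops, origin
```

In the sample, hop 1 carries a private address and is skipped, so the originating IP comes from hop 2, whose header was stamped by a trusted host.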
Frequently Asked Questions
Are my pasted headers stored anywhere?
No. The headers are sent to the server, parsed in memory to produce this page, and discarded when the response is returned. They are not written to disk, logged, or associated with you.
Why is the delivery time negative or zero between some hops?
Each server stamps its own clock into the Received header, and server clocks aren't perfectly synchronized. A small negative gap is just clock skew — this tool clamps those to zero. Large gaps are real queueing delays.
Can I trust the originating IP?
You can trust the Received headers added by servers you control or trust (your mail provider's). Anything before that point can be forged by a malicious sender. For a genuine message from a reputable provider, the originating IP is reliable; for suspected phishing, treat the lower hops with suspicion.
What does "dkim=signed" mean versus "dkim=pass"?
dkim=pass comes from the receiving server's Authentication-Results header — it actually verified the signature. dkim=signed is what this tool reports when it only sees a DKIM-Signature header but no verification result — the message was signed, but we can't confirm the signature checked out.
The analyzer found no Received headers — what went wrong?
You probably pasted only the headers your mail client displays (From, To, Subject) rather than the full raw headers. Use the "Show original" / "View source" option described above to get the complete block, including every Received: line.
Why does SPF pass but DMARC fail?
DMARC requires SPF or DKIM to pass and to be aligned — the authenticated domain must match the visible From domain. A message can pass plain SPF (the envelope sender's domain is authorized) yet fail DMARC because that domain differs from the From header domain. This is common with mailing lists and forwarders.