Free Email Header Analyzer

Paste the raw headers of an email to reconstruct the route it took, read its SPF, DKIM, and DMARC authentication results, and flag mismatches between the From, Return-Path, and Reply-To addresses. It's free and instant — useful for checking a suspicious message you received. The analysis runs on the server during your request and the headers are never stored.

What this email-header analyzer shows

  • Received hop chain — every mail server the message passed through, in order from origin to your inbox, with the originating IP, timestamp, and per-hop transit time.
  • SPF / DKIM / DMARC — the authentication results the receiving server recorded, each as pass, fail, or none.
  • Identity mismatches — when the visible From domain differs from the envelope (Return-Path) or Reply-To domain, a common phishing signal.
  • Plain-language verdict — a short, advisory read of how consistent the headers are.

How to get an email's raw headers

In Gmail, open the message, click the three-dot menu and choose Show original. In Outlook, open the message and choose File → Properties (or View → Message details). Copy everything from the top of that view and paste it below.


Frequently asked questions

Are my email headers stored?
No. The headers you paste are parsed in memory to produce the report and then discarded — nothing is written to disk or a database, matching the privacy posture of our other tools.
What is the Received chain?
Each mail server that handles a message stamps its own Received: header on top. Read from the bottom up, those headers trace the message from its origin to your mailbox. This tool orders them origin-first and shows the originating IP, the timestamp, and how long each hop took.
What do SPF, DKIM, and DMARC mean?
They are the three checks that tell a receiving server whether a message is authentic. SPF verifies the sending server is allowed to send for the domain, DKIM verifies a cryptographic signature, and DMARC ties those results back to the visible From domain. A pass on all three is a good sign; a fail is worth a closer look.
Why does the From domain differ from the Return-Path?
Forwarded mail and mailing lists legitimately rewrite the envelope, so a mismatch is not proof of anything on its own. But spoofed phishing mail also shows this pattern, so the tool flags it as one signal to weigh alongside the authentication results.
Does this contact the sender's servers?
No. The analysis is entirely local: it reads only the text you paste and makes no outbound connections of any kind.