Email Header Analyzer

Trace email delivery paths and verify authentication results

How to Get Email Headers

Gmail

  1. Open the email
  2. Click the three dots (⋮) menu
  3. Select "Show original"
  4. Copy the headers section

Outlook

  1. Open the email
  2. Click File → Properties
  3. Look for "Internet headers"
  4. Copy the entire contents

100% Client-Side Analysis

Your email headers are analyzed entirely in your browser. No data is sent to any server. This tool is safe to use with sensitive or confidential email headers.

How Email Headers Work

Every email carries a block of metadata called headers that record its entire journey from sender to recipient. Headers are added by each mail server that handles the message — the sending client, outbound SMTP server, any intermediate relays, spam filters, and the final delivery server. They're read bottom-to-top, with the oldest headers at the bottom and the most recent at the top.

Example: Key headers from an email sent via NetOz

Return-Path: <hello@netoz.au>
Received: from smtp.netoz.au (138.252.126.33)
  by mx.google.com with ESMTPS id a1b2c3;
  Fri, 14 Mar 2026 09:15:22 +1030
Received: from [10.0.1.5] (auth user hello@netoz.au)
  by smtp.netoz.au with ESMTPSA id x7y8z9;
  Fri, 14 Mar 2026 09:15:20 +1030
From: NetOz Support <hello@netoz.au>
To: customer@example.com
Subject: Your hosting account is ready
Message-ID: <abc123@smtp.netoz.au>
Date: Fri, 14 Mar 2026 09:15:20 +1030

The Received headers are the most important for tracing delivery. Each one records the server that received the message, where it came from (IP address and hostname), the protocol used (SMTP, ESMTP, ESMTPS for TLS-encrypted), and a timestamp. By reading these from bottom to top, you can trace the exact path the email took and measure the delay at each hop.

Other key headers include Return-Path (the envelope sender used for bounces), Message-ID (a unique identifier for the message), X-Mailer or User-Agent (the sending software), and various X- headers added by spam filters and security gateways.
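The hop-by-hop trace described above, as an added example (not this tool's own code): it unfolds the headers, reads the Received lines oldest-first and computes the delay at each hop. The sample message, its hostnames and the function names parseHeaders and traceHops are constructed for illustration.

```javascript
// Constructed sample, modelled on a two-hop delivery; not a real message.
const SAMPLE = [
  "Received: from smtp.example.net (smtp.example.net [203.0.113.25])",
  "  by mx.example.org with ESMTPS id a1b2c3;",
  "  Sat, 14 Mar 2026 09:15:22 +1030",
  "Received: from [10.0.1.5] (auth user sender@example.net)",
  "  by smtp.example.net with ESMTPSA id x7y8z9;",
  "  Sat, 14 Mar 2026 09:15:20 +1030",
  "From: Sender <sender@example.net>",
  "Subject: Test",
].join("\r\n");

// Unfold continuation lines (RFC 5322 folding), then split into name/value pairs.
function parseHeaders(raw) {
  return raw.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/)
    .map((line) => line.match(/^([^:\s]+):\s*(.*)$/))
    .filter(Boolean)
    .map((m) => ({ name: m[1].toLowerCase(), value: m[2] }));
}

// Return hops oldest-first, each with the seconds elapsed since the previous hop.
function traceHops(raw) {
  const hops = parseHeaders(raw)
    .filter((h) => h.name === "received")
    .reverse() // servers prepend, so the bottom header is the oldest
    .map((h) => {
      const semi = h.value.lastIndexOf(";"); // the timestamp follows the last ';'
      const clauses = semi < 0 ? h.value : h.value.slice(0, semi);
      const pick = (kw) =>
        (clauses.match(new RegExp(`\\b${kw}\\s+(\\S+)`, "i")) || [])[1] || null;
      return {
        from: pick("from"), by: pick("by"), proto: pick("with"),
        ip: (clauses.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/) || [])[0] || null, // IPv4 only
        time: semi < 0 ? null : new Date(h.value.slice(semi + 1).trim()),
      };
    });
  hops.forEach((hop, i) => {
    const prev = hops[i - 1];
    hop.delaySeconds = prev && prev.time && hop.time ? (hop.time - prev.time) / 1000 : null;
  });
  return hops;
}
```

A large or negative delaySeconds usually points to queueing, greylisting or a server with a wrong clock rather than to anything about the sender.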

How to Trace Spam Using Email Headers

When you receive a suspicious email, the headers reveal its true origin — regardless of what the "From" field says. Spammers and phishers routinely forge the From address, but the Received headers and authentication results are much harder to fake because they're added by servers you trust.

1. Find the Originating IP

Look at the bottommost Received header; this is typically where the email entered the public mail system. The IP address here is the true sender. Only the Received headers added by servers you trust are reliable, so follow the chain down from the header your own mail server wrote. Check the IP against the claimed sender's domain. If an email claims to be from your bank but originates from a residential IP in a different country, it's almost certainly phishing.

2. Check Authentication Results

Look for the Authentication-Results header added by your mail server. This shows whether SPF, DKIM, and DMARC passed or failed. A legitimate email from a well-configured sender should pass all three. Failed authentication is a strong indicator of spoofing or a compromised sending server.

3. Look for Suspicious Patterns

Check if the Reply-To differs from the From address (common in phishing). Look for mismatched timezones in the Received headers. Check X-Originating-IP if present — this reveals the sender's actual IP when sending through webmail. Examine X-Spam-Score and X-Spam-Status headers for spam filter verdicts.

4. Check the IP Reputation

Once you have the originating IP, check it against email blacklists using our Mail Blacklist Checker. A listed IP confirms the sender has a history of spam. You can also do a WHOIS Lookup to identify who owns the IP range.
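An added example (not the analyzer's own code) that applies steps 1 to 3 to a constructed message: it takes the originating IP and the SPF/DKIM/DMARC verdicts only from headers written by a server you name as trusted, and flags a Reply-To domain that differs from From. The sample headers, the trustedHost parameter and the function names are assumptions made for the example.

```javascript
// Constructed sample: the lower Received and Authentication-Results lines were
// supplied by the sender; only the top two were written by mx.example.org.
const SUSPECT = [
  "Authentication-Results: mx.example.org;",
  "  spf=softfail smtp.mailfrom=bank.example;",
  "  dkim=none; dmarc=fail header.from=bank.example",
  "Received: from mail.sender.example (unknown [198.51.100.77])",
  "  by mx.example.org with ESMTP id q1; Sat, 14 Mar 2026 09:15:22 +1030",
  "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass",
  "Received: from bank.example ([192.0.2.10]) by relay.invalid; Sat, 14 Mar 2026 01:00:00 +0000",
  "From: Example Bank <alerts@bank.example>",
  "Reply-To: support@lookalike.example",
].join("\r\n");

const unfold = (raw) => raw.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/);
// Value of the topmost header called `name` that satisfies `test`, or "".
const first = (lines, name, test = () => true) => {
  const hit = lines.find((l) => l.toLowerCase().startsWith(name + ":") && test(l.toLowerCase()));
  return hit ? hit.slice(name.length + 1).trim() : "";
};
const domainOf = (v) => ((v.match(/@([A-Za-z0-9.-]+)/) || [])[1] || "").toLowerCase();

function triage(raw, trustedHost) {
  const lines = unfold(raw);
  const host = trustedHost.toLowerCase();
  const findings = [];
  // Trust only the hop our own server wrote; anything below it can be forged.
  const edge = first(lines, "received", (l) => l.includes(` by ${host} `));
  const originIp = (edge.match(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/) || [])[1] || null;
  // Same rule for verdicts: topmost Authentication-Results carrying our authserv-id.
  const auth = first(lines, "authentication-results", (l) => l.includes(`: ${host};`));
  if (!auth) findings.push("no trusted Authentication-Results");
  const verdicts = {};
  for (const [, method, result] of auth.matchAll(/\b(spf|dkim|dmarc)=(\w+)/gi)) {
    const m = method.toLowerCase(), r = result.toLowerCase();
    verdicts[m] = r;
    if (r !== "pass") findings.push(`${m}=${r}`);
  }
  const from = domainOf(first(lines, "from"));
  const replyTo = domainOf(first(lines, "reply-to"));
  if (replyTo && replyTo !== from) {
    findings.push(`Reply-To domain ${replyTo} differs from From domain ${from}`);
  }
  return { originIp, verdicts, findings };
}
```

Called as triage(SUSPECT, "mx.example.org"), it reports 198.51.100.77 as the origin and ignores both the all-pass Authentication-Results line and the 192.0.2.10 hop that the sender placed lower in the message.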

Report spam and phishing

Once you've confirmed an email is spam or phishing, report it to the originating IP's abuse contact (found via WHOIS) and to your email provider. For phishing that impersonates Australian businesses, report to the ACSC (Australian Cyber Security Centre) at ReportCyber.

SPF, DKIM, and DMARC Explained

These three protocols work together to authenticate email and prevent spoofing. When you analyse email headers, the Authentication-Results header shows the verdict for each one. Understanding what they check helps you interpret those results.

SPF (Sender Policy Framework)

SPF verifies that the sending server's IP address is authorised to send mail for the envelope sender's domain. The domain owner publishes a DNS TXT record listing approved IPs and include mechanisms. When your mail server receives a message, it checks the connecting IP against this list.

# SPF record for netoz.au
v=spf1 ip4:138.252.126.33 include:_spf.google.com ~all

# Header result when SPF passes
spf=pass (sender IP 138.252.126.33 is permitted)

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to the email that proves the message hasn't been tampered with in transit and confirms the signing domain. The sending server signs specific headers and the body using a private key, and the recipient verifies the signature using a public key published in DNS.

# DKIM-Signature header (abbreviated)
DKIM-Signature: v=1; a=rsa-sha256; d=netoz.au;
  s=mail; h=from:to:subject:date;
  b=dGhpcyBpcyBhIHNpZ25hdHVyZQ==...

# Header result when DKIM passes
dkim=pass header.d=netoz.au header.s=mail

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together by checking that at least one of them passes and aligns with the From header domain. It also tells receiving servers what to do with messages that fail (none, quarantine, or reject) and where to send aggregate reports. DMARC is the policy layer that makes SPF and DKIM actionable.

# DMARC record for netoz.au
v=DMARC1; p=reject; rua=mailto:dmarc@netoz.au; pct=100

# Header result when DMARC passes
dmarc=pass (p=reject) header.from=netoz.au

# Header result when DMARC fails
dmarc=fail (p=reject) header.from=netoz.au

Authentication-Results header example

Authentication-Results: mx.google.com;
  spf=pass (google.com: domain of hello@netoz.au designates 138.252.126.33 as permitted sender);
  dkim=pass header.d=netoz.au header.s=mail;
  dmarc=pass (p=REJECT) header.from=netoz.au
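The DMARC alignment rule described above, as an added example that is not the analyzer's own code: it parses an Authentication-Results value and reports whether a passing SPF or DKIM result aligns with the From domain. Relaxed alignment is approximated here as a parent/child domain match (real receivers compare organizational domains using the Public Suffix List), and the sample values and function names are constructed.

```javascript
// Parse an Authentication-Results value into [{method, result, props}]
// (simplified reading of RFC 8601: comments dropped, no quoted strings).
function parseAuthResults(value) {
  return value.replace(/\([^()]*\)/g, " ").split(";").slice(1) // [0] is the authserv-id
    .map((part) => part.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length && tokens[0].includes("="))
    .map(([head, ...rest]) => {
      const [method, result] = head.toLowerCase().split("=");
      const props = {};
      for (const t of rest) {
        const i = t.indexOf("=");
        if (i > 0) props[t.slice(0, i).toLowerCase()] = t.slice(i + 1).toLowerCase();
      }
      return { method, result, props };
    });
}

// Assumption: relaxed mode is approximated as "same domain or parent/child".
function aligned(a, b, strict) {
  if (!a || !b) return false;
  return a === b || (!strict && (a.endsWith("." + b) || b.endsWith("." + a)));
}

// DMARC needs SPF or DKIM to pass AND to align with the From header domain.
function dmarcAlignment(authValue, fromDomain, strict = false) {
  const from = fromDomain.toLowerCase();
  const alignedBy = [];
  for (const r of parseAuthResults(authValue)) {
    if (r.result !== "pass") continue;
    const mailfrom = (r.props["smtp.mailfrom"] || "").split("@").pop();
    if (r.method === "spf" && aligned(mailfrom, from, strict)) alignedBy.push("spf");
    if (r.method === "dkim" && aligned(r.props["header.d"], from, strict)) alignedBy.push("dkim");
  }
  return { pass: alignedBy.length > 0, alignedBy };
}

// Constructed: SPF and DKIM both pass, but for a bulk sender's own domains.
const THIRD_PARTY = "mx.example.org; spf=pass smtp.mailfrom=bounce@esp.example; " +
  "dkim=pass header.d=esp.example header.s=k1; dmarc=fail header.from=shop.example";
// Constructed: forwarding broke SPF, but a subdomain DKIM signature survives.
const FORWARDED = "mx.example.org; spf=fail smtp.mailfrom=fwd@list.example; " +
  "dkim=pass header.d=mail.shop.example header.s=mail";
```

THIRD_PARTY shows why spf=pass and dkim=pass can sit next to dmarc=fail: neither authenticated domain matches the From domain shop.example.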

For optimal email deliverability, all three should pass. Build your SPF record with our SPF Record Builder, validate it with the SPF Validator, and check your mail server's DNS records with MX Lookup.

Check if your sending IP is blacklisted with the Mail Blacklist Checker, or verify your domain's DNS configuration with DNS Lookup.