Email Header Analyzer - Decode & Understand Email Headers
Paste your email headers below to analyze the path, authentication, and potential security issues.
How to Find Email Headers in Different Email Clients
Email headers contain important information about the path an email took to reach you and can help identify potential issues. Here's how to access them in popular email clients:
Gmail
- Open the email you want to analyze
- Click on the three dots (⋮) in the top-right corner of the email
- Select "Show original"
- A new tab will open with the complete email headers and content
- Click the "Copy to clipboard" button to copy all the headers
- Paste into the analyzer text area
Outlook.com / Microsoft 365
- Open the email message
- Click on the three dots (⋯) in the top-right corner
- Select "View message details" or "View > Message details"
- A popup window will appear with the headers
- Select all the text (Ctrl+A) and copy (Ctrl+C)
- Paste into the analyzer text area
Outlook Desktop App
- Open the email message
- From the Message tab, click "File" (or sometimes Actions > Other Actions)
- Select "Properties" or "Message Options"
- Look for the "Internet headers" section at the bottom of the dialog
- Select all the text and copy it
- Paste into the analyzer text area
Apple Mail
- Open the email message
- Select "View" from the menu bar
- Click "Message" and then "All Headers"
- The headers will appear at the top of the message
- Select all headers (they appear above the message body) and copy
- Paste into the analyzer text area
Yahoo Mail
- Open the email message
- Click on the three dots (⋯) in the top-right corner
- Select "View Raw Message"
- A new window will open with the full headers and message
- Select all (Ctrl+A) and copy (Ctrl+C)
- Paste into the analyzer text area
Mozilla Thunderbird
- Open the email message
- Click "View" from the menu bar
- Select "Headers" and then "All"
- Right-click in the header section and choose "Select All"
- Copy the selected text
- Paste into the analyzer text area
Example Headers
Here's what email headers typically look like:
Return-Path: <sender@example.com>
Delivered-To: recipient@example.com
Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53])
by mx.example.com (Postfix) with ESMTPS id 8DBCF21478
for <recipient@example.com>; Wed, 21 Jul 2021 14:22:01 -0700 (PDT)
Authentication-Results: example.com;
dkim=pass header.i=@example.com;
spf=pass (example.com: domain of sender@example.com designates 209.85.221.53 as permitted sender) smtp.mailfrom=sender@example.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=20210112;
h=from:to:subject:date:message-id:mime-version;
bh=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=;
b=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X-Received: by 2002:adf:f6d3:: with SMTP id b12mr112233pfl.240.1626901321009;
Wed, 21 Jul 2021 14:22:01 -0700 (PDT)
From: "Sender Name" <sender@example.com>
To: "Recipient Name" <recipient@example.com>
Subject: Example Email with Headers
Date: Wed, 21 Jul 2021 14:22:00 -0700
Message-ID: <CAXXXXX_XXXXXXX-XXXXXXXXXXacWgQGcF@mail.gmail.com>
Understanding Email Headers
Email headers are like the digital envelope of an email, containing crucial metadata about its journey from sender to recipient. They are not usually visible in standard email clients but can be accessed via "Show Original" or "View Source" options.
Key Information in Headers:
- From/To/Cc/Bcc: Sender and recipient addresses.
- Subject: The email's subject line.
- Date: When the email was sent.
- Message-ID: A unique identifier for the email message.
- Received: A series of entries tracing the path the email took through various mail servers. Each "Received" header is added by a server that handled the email. Analyzing these can help identify the origin and route.
- Return-Path: The address where bounce messages are sent.
- Authentication-Results: Contains results of security checks like SPF, DKIM, and DMARC, which help verify the sender's authenticity and prevent spoofing.
- MIME-Version & Content-Type: Define the email's format (e.g., HTML, plain text) and character encoding.
Email Authentication Explained
SPF (Sender Policy Framework)
SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. When an email is received, the receiving server checks if the sending server's IP address is listed in the domain's SPF record.
- Pass: The email came from an authorized server
- SoftFail: The domain suggests the host is not authorized but isn't asserting it strongly
- Fail: The email came from an unauthorized server - likely spoofed
- Neutral/None: No policy or no assertion made
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature linked to a domain name to each outgoing email message. Receiving servers can verify this signature to ensure the email was not altered in transit.
- Pass: The DKIM signature is valid - content wasn't modified in transit
- Fail: The signature couldn't be verified - message may have been tampered with
- None: No DKIM signature present
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds on SPF and DKIM to help email senders and receivers work together to combat email spoofing and phishing.
- Pass: The message passed either SPF or DKIM and the identifiers are aligned
- Fail: The message failed both SPF and DKIM or the identifiers aren't aligned
- None: No DMARC policy published or applicable
Why Analyze Email Headers?
- Troubleshooting Delivery Issues: Identify where an email got delayed or rejected.
- Detecting Phishing & Spoofing: Uncover forged sender information or suspicious routing by scrutinizing authentication results and the received path.
- Spam Investigation: Determine the true origin of spam emails.
- Learning Email Flow: Understand the technical journey of an email.
Common Issues Identified Through Header Analysis
- Sender Spoofing: Mismatch between the "From" address and actual sending server
- Missing or Failed Authentication: Emails without SPF, DKIM or with failed validation
- Suspicious Routing: Email taking unusual paths through unexpected or known-problematic servers
- Time Anomalies: Unusual delays between server hops that may indicate issues
- X-Headers Anomalies: Custom headers sometimes reveal information about spam filtering or other processing