What does 'SPF pass' mean?

SPF stands for Sender Policy Framework. The domain owner specifies which servers are allowed to send email for that domain. An SPF pass means the sending IP is authorized; an SPF fail means the IP is not authorized, which could indicate spoofing or just a misconfiguration. SPF is one of three authentication standards.

DKIM (DomainKeys Identified Mail) places a cryptographic signature on the email that proves it came from the claimed domain and that the content was not changed in transit. A DKIM pass means the signature is valid; a fail means the message was tampered with or signed with the wrong key. It complements SPF for full sender verification.

DMARC builds on SPF and DKIM by adding a domain policy for handling failures — none (monitor only), quarantine (spam folder), or reject (block outright). A DMARC pass means SPF or DKIM authenticated and that the result aligned with the From domain. It is the strongest authentication standard.

How do I trace email's path?

Read the 'Received:' headers bottom-up. The bottom line is the origin server, and the top line is your inbox. Each line includes the server name, IP, and timestamp. The trace reveals where the email started, what servers handled it, the transit time, and any delays or issues along the way.

A Message-ID is a unique identifier for each email, formatted as . Email clients use it to track conversations, servers use it for de-duplication, and support investigations rely on it. Forensically it is important because it can prove an email's existence and origin.

Are headers reliable evidence?

Some headers like From and content can be forged. Others, like Received headers from intermediate servers and the IP addresses they record, are harder to fake. Forensic analysis cross-references multiple headers and server logs. Never rely on headers alone without corroboration.

Is the data sent to a server?

Most analyzer tools parse headers client-side in the browser, so the headers stay local. Your email's metadata, which can be sensitive, never leaves the device. You can verify by checking the network tab during analysis.

Email Header Analyzer

Parse and analyze email headers online to trace delivery paths and check SPF, DKIM, and DMARC authentication. Free header analyzer.

Email Tools Web & SEO

Instant results

Paste Raw Email Headers

What are Email Headers?

Email headers are metadata attached to every email message that contain detailed information about the message's origin, routing, and delivery. They are typically hidden from view in email clients but contain valuable technical information.

Headers include information such as the sender and recipient addresses, the subject line, timestamps, the servers the message passed through, and authentication results. Each time an email passes through a mail server, a new "Received" header is prepended, creating a trail of the message's journey from sender to recipient.

Analyzing email headers is essential for troubleshooting delivery issues, verifying the authenticity of a message, identifying spam or phishing attempts, and understanding network delays in email delivery.

Understanding Authentication Results

SPF (Sender Policy Framework)

SPF verifies that the sending mail server is authorized by the domain's DNS records to send email on behalf of that domain. A "pass" result means the sending IP is listed in the domain's SPF record. A "fail" indicates the IP is explicitly not authorized, while "softfail" means it is probably not authorized but the domain owner is not fully enforcing SPF.

DKIM (DomainKeys Identified Mail)

DKIM uses cryptographic signatures to verify that an email was sent by the domain it claims to be from and that its content has not been altered in transit. The sending server signs the message with a private key, and the receiving server verifies the signature using the public key published in the domain's DNS.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC builds on SPF and DKIM by allowing domain owners to specify a policy for handling emails that fail authentication checks. It also provides a reporting mechanism so domain owners can monitor who is sending email on their behalf. A DMARC "pass" requires that at least one of SPF or DKIM passes and aligns with the "From" domain.

How to Read Email Headers

Email headers are read from bottom to top. The bottom-most "Received" header represents the first server that handled the email (closest to the sender), and the top-most "Received" header represents the last server (closest to the recipient).

Each "Received" header follows the general format: Received: from [sending-server] by [receiving-server] with [protocol]; [timestamp]

By comparing timestamps between consecutive hops, you can identify where delays occur in the delivery chain. Large gaps may indicate server congestion, greylisting, content scanning, or network issues.

Key headers to look for include From, To, Subject, Date, Message-ID, Return-Path, Authentication-Results, and X-Spam-Status.

How to Use Email Header Analyzer

Get email headers

In your email client, find the option labeled 'View source', 'Show original', or 'Raw message', then copy the entire headers section.

Paste into analyzer

Paste the headers — usually a large block of Key value lines — into the tool, which parses them automatically.

Review analysis

The output covers sender info, authentication results from SPF, DKIM, and DMARC, the routing path, server timestamps, and an overall security verdict.

Use insights

Apply what you learn to verify email legitimacy, debug deliverability problems, support forensic investigation, or just understand email infrastructure better.

When to Use Email Header Analyzer

Spam and phishing investigation

When an email looks suspicious, the headers reveal the actual sending server, the routing path it took, and the authentication results from SPF, DKIM, and DMARC. Security teams and individuals trying to identify phishing both rely on this kind of inspection.

Deliverability troubleshooting

When your email keeps landing in the spam folder, the headers usually tell you why — DKIM signing problems, SPF failures, or sender reputation issues. Marketers, IT teams, and email administrators all dig into headers when deliverability drops.

Forensic analysis

Email shows up as evidence in legal and security investigations more often than you would expect. Headers carry timestamps, server paths, IP addresses, and authentication results, which is what forensic analysis, court cases, and breach investigations actually need.

Educational and learning

Headers are an excellent way to learn how email infrastructure actually works — SMTP, mail servers, authentication protocols. The tool teaches the subject through real examples, which is why IT students and sysadmins learning email tend to use it.

Email Header Analyzer Examples

Check authentication

Input

Email headers

Output

SPF: pass. DKIM: pass. DMARC: pass. Authentication: legitimate.

When SPF, DKIM, and DMARC all pass, the email validates as coming from the claimed sender domain, with content unchanged in transit, and compliant with the domain's policy.

Detect spoofing

Input

Apparent banking email headers

Output

From: bank.com. SPF: fail (sender IP not authorized). DKIM: fail. DMARC: quarantine recommended. Likely phishing.

An SPF failure means the sending IP is not authorized for the claimed domain — a classic phishing indicator. Combined with DMARC quarantine, this is almost certainly a suspicious email pretending to be legitimate.

Trace routing

Input

Email with Received headers

Output

Originated: Server A → Server B → Server C → Recipient. Total transit: 2 minutes. All servers identified by IP and reverse DNS.

Tracing the path through servers helps identify delays, find compromised hops, and audit security. Each Received header is a single server hop along the way.

Tips & Best Practices for Email Header Analyzer

1.Read Received headers bottom-up. The email travels from the bottom line (the origin) to the top line (your inbox), and each line shows the next server in the chain.
2.Authentication lines are critical. Look for the 'Authentication-Results' header, which shows the SPF, DKIM, and DMARC verdicts at a glance.
3.Watch for a Sender versus From discrepancy. The 'From:' field is what the user sees, while 'Return-Path:' or 'Sender:' is the actual sender. A mismatch is a potential phishing signal.
4.Long time delays between Received headers can mean server problems, spam filtering pauses, or general transit issues.
5.IP addresses can be faked, but Received headers from intermediate servers usually show the real server IP even when the From line is forged. That makes them critical evidence in security investigations.
6.Use a tool that interprets SPF, DKIM, and DMARC results in plain language. Reading raw header verdicts is less convenient than skimming a translated summary.

Frequently Asked Questions

The exact path differs by client. In Gmail it is 'Show original' from the message menu, Outlook calls it 'View Message Source', Apple Mail uses 'View → Message → Raw Source', and Proton Mail offers 'View Headers'. The header text is then pasted into the analyzer tool.

Email Header Analyzer

What are Email Headers?

Understanding Authentication Results

SPF (Sender Policy Framework)

DKIM (DomainKeys Identified Mail)

DMARC (Domain-based Message Authentication, Reporting and Conformance)

How to Read Email Headers

How to Use Email Header Analyzer

Get email headers

Paste into analyzer

Review analysis

Use insights

When to Use Email Header Analyzer

Spam and phishing investigation

Deliverability troubleshooting

Forensic analysis

Educational and learning

Email Header Analyzer Examples

Check authentication

Detect spoofing

Trace routing

Tips & Best Practices for Email Header Analyzer

Frequently Asked Questions

Related Tools

SPF Record Generator

DKIM Record Generator

DMARC Record Generator

MX Record Lookup

Email Spam Checker

Email Subject Line Tester