Email Header Analyzer
Parse and analyze raw email headers to trace the delivery path, check authentication (SPF, DKIM, DMARC), detect delays, and identify potential issues.
What are Email Headers?
Email headers are metadata attached to every email message that contain detailed information about the message's origin, routing, and delivery. They are typically hidden from view in email clients but contain valuable technical information.
Headers include information such as the sender and recipient addresses, the subject line, timestamps, the servers the message passed through, and authentication results. Each time an email passes through a mail server, a new "Received" header is prepended, creating a trail of the message's journey from sender to recipient.
Analyzing email headers is essential for troubleshooting delivery issues, verifying the authenticity of a message, identifying spam or phishing attempts, and understanding network delays in email delivery.
Understanding Authentication Results
SPF (Sender Policy Framework)
SPF verifies that the sending mail server is authorized by the domain's DNS records to send email on behalf of that domain. A "pass" result means the sending IP is listed in the domain's SPF record. A "fail" indicates the IP is explicitly not authorized, while "softfail" means it is probably not authorized but the domain owner is not fully enforcing SPF.
DKIM (DomainKeys Identified Mail)
DKIM uses cryptographic signatures to verify that an email was sent by the domain it claims to be from and that its content has not been altered in transit. The sending server signs the message with a private key, and the receiving server verifies the signature using the public key published in the domain's DNS.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM by allowing domain owners to specify a policy for handling emails that fail authentication checks. It also provides a reporting mechanism so domain owners can monitor who is sending email on their behalf. A DMARC "pass" requires that at least one of SPF or DKIM passes and aligns with the "From" domain.
How to Read Email Headers
Email headers are read from bottom to top. The bottom-most "Received" header represents the first server that handled the email (closest to the sender), and the top-most "Received" header represents the last server (closest to the recipient).
Each "Received" header follows the general format: Received: from [sending-server] by [receiving-server] with [protocol]; [timestamp]
By comparing timestamps between consecutive hops, you can identify where delays occur in the delivery chain. Large gaps may indicate server congestion, greylisting, content scanning, or network issues.
Key headers to look for include From, To, Subject, Date, Message-ID, Return-Path, Authentication-Results, and X-Spam-Status.