How do I read email headers?

Open the raw header of your email, then paste it into the analyzer above. It parses every field for you: the Authentication-Results line (SPF, DKIM, DMARC), the Received chain, the originating IP, the From and Return-Path addresses, and anti-spam scores. You read a plain-language report instead of dense technical text.

How do I view the full email header in Gmail or Outlook?

Gmail: open the email, click the 3 dots (⋮), then 'Show original'. Outlook (desktop): open the email, File → Properties, copy the 'Internet headers' box. Outlook on the web: open the email, ⋯ → 'View' → 'View message details'. Apple Mail: menu Message → 'Show all headers'. Then paste the text into our analyzer.

What does the Authentication-Results header mean?

The Authentication-Results header records what the receiving server found when it checked your message. It lists results such as spf=pass, dkim=pass or dmarc=fail, plus the smtp.mailfrom (envelope from) and the DKIM signing domain (d= tag). It is the single most useful line for diagnosing why a message was accepted, filtered or rejected.

What does spf=pass but dmarc=fail mean?

It means SPF authenticated the envelope sender, but DMARC still failed because the domains are not aligned: the From domain does not match the smtp.mailfrom domain (SPF) and DKIM did not provide an aligned pass either. DMARC requires SPF or DKIM to both pass and align with the visible From address. Fix it by aligning your Return-Path or DKIM d= domain with your From domain.

How can I tell if an email is spoofed or phishing from its headers?

Look for spf=fail or dkim=fail combined with dmarc=fail, a From address that does not match the Return-Path or the DKIM signing domain, and an originating IP that does not belong to the claimed sender. The analyzer flags these spoofing and phishing signals automatically so you do not have to read the raw header by hand.

How do I find the originating IP address of an email?

The originating IP is in the first (bottom-most) Received header, and sometimes in an X-Originating-IP header. The analyzer extracts it for you, shows the full Received chain top to bottom, and highlights the real sending server so you can check its reputation.

Email Header Analyzer - Free Online Header Checker

Why analyze email headers?

Email headers (also called "message headers", "email source", "raw headers", or "original message") record every step of your message's journey: sending server, routing, security checks (SPF/DKIM/DMARC), anti-spam verdicts. This free email header analyzer (also a message header analyzer and RFC 822 / RFC 5322 parser) lets you read and decode the email source code for a complete deliverability diagnostic. Without analysis, you're working blind.

New to header analysis? The companion guide how to read email headers walks through every field line by line.

Three main use cases:

Emails in spam → Discover if it's SPF, DKIM, DMARC or content
Email not delivered → Find where it stopped and why
Verify email authenticity → Detect phishing and spoofing attempts

How to use the analyzer in 3 steps

Step 1: Extract raw header

Gmail / Google Workspace:

Open the email
Click the 3 dots (⋮) → "Show original"
Copy all text

Outlook / Microsoft 365:

Open the email
Click "Actions" (⋯) → "View message details"
Copy the content

Apple Mail:

Open the email
Menu "Message" → "Show all headers"
Copy the text

Step 2: Paste in analyzer

Paste the complete raw header in the form above. The tool automatically analyzes:

✅ SPF, DKIM, DMARC, BIMI authentication
✅ Anti-spam verdicts (Gmail, Microsoft, etc.)
✅ Routing and intermediate servers
✅ Anomalies and spoofing risks

Step 3: Read results

You get a clear report with:

Authentication status (pass/fail for each protocol)
Failure reason (if applicable)
Recommended actions to fix

What is an email header?

An email header (also called "message header", "email source code", "raw header", "original message") is the complete history of a message: who sent it, through which server, what checks were performed, and what verdict was issued. Knowing how to show original email in Gmail or view message source in Outlook helps you understand exactly what happened.

Unlike the email body (which you see), the header is immutable: it cannot be forged once sent. That's why security investigators and email administrators use it to verify email authenticity and identify phishing attempts.

Simplified example:

From: alice@captaindns.com
To: bob@captaindns.com
Date: 19 Jan 2026 10:30:00 +0000
Authentication-Results: pass spf=pass dkim=pass dmarc=pass
X-Spam-Score: 2.1 (LOW)
Received: from mail.captaindns.com (203.0.113.5) by mail.captaindns.com

What does the tool analyze exactly?

Email authentication (SPF, DKIM, DMARC, BIMI)

The analyzer decodes the Authentication-Results header so you can check SPF, DKIM and DMARC straight from the email header, including DMARC alignment (whether SPF or DKIM pass and align with the visible From domain) and the DKIM signing domain (the d= tag).

Protocol	Checks	Result
SPF (Sender Policy Framework)	Is the sending server authorized? (smtp.mailfrom)	✅ Pass / ❌ Fail
DKIM (DomainKeys Identified Mail)	Was the email modified in transit? (`d=` signature)	✅ Pass / ❌ Fail
DMARC (alignment policy)	Is the From domain aligned with SPF/DKIM?	✅ Pass / ❌ Fail
BIMI	Brand logo authenticated?	✅ Present / ❌ Absent

If the analyzer flags a failure, fix it at the source with our SPF record checker, DKIM checker or DMARC checker.

Anti-spam verdicts

The analyzer displays verdicts from:

Gmail (spam score, final verdict)
Microsoft 365 (Outlook, Exchange)
Other providers (detected in headers)

Routing and servers

Complete trace of the email path, read from the Received header chain (received hops):

Original sending server and the originating IP address (also exposed via X-Originating-IP)
Intermediate servers (relays)
Final receiving server
Hop delay and timestamps, so you can spot slow delivery between servers

Anomaly detection

The tool automatically flags:

⚠️ Potential spoofing (From ≠ real domain, or Return-Path ≠ From)
⚠️ Failed DMARC alignment (spf=pass but dmarc=fail)
⚠️ Invalid or broken DKIM signature
⚠️ Suspicious routing (too many relays)

Why do my emails go to spam?

This is the most common question. Header analysis usually reveals one of these causes:

Cause	What the header shows	Solution
Failed SPF	`spf=fail` or `spf=softfail`	Add the sending server to your SPF record
Invalid DKIM	`dkim=fail` or `dkim=none`	Configure or repair the DKIM signature
Failed DMARC	`dmarc=fail` with `p=reject` or `p=quarantine`	Fix SPF/DKIM to align the domain
High spam score	`X-Spam-Score: 8.5` or similar	Review content (links, images, keywords)
Blacklisted IP	RBL or blocklist mentions in headers	Check your sending IP reputation

Tip: Paste your headers in the analyzer above to identify exactly which cause is affecting your emails. For the full checklist of triggers and fixes, read why emails go to spam.

Real-world use cases

Incident 1: All your emails land in spam

Symptom: You send newsletters, but 80% land in spam.

Diagnosis: Paste a spam email in the analyzer.

SPF = ❌ Fail → Your server is not authorized
DKIM = ✅ Pass
DMARC = ❌ Fail (SPF failed)

Action: Add your server to your SPF record.

Incident 2: A specific email doesn't arrive

Symptom: You send an important email, recipient doesn't receive it.

Diagnosis: Ask recipient to check headers.

Routing = ✅ Delivered to Microsoft
Verdict = ❌ Rejected by anti-spam filter
Spam Score = 8.5 (VERY HIGH)

Action: Check links, attachments, or content triggering the filter.

Incident 3: You suspect phishing

Symptom: An email claims to come from your bank, but something seems off.

Diagnosis: Paste header in analyzer.

From = noreply@captaindns.com
SPF = ❌ Fail (unauthorized domain)
DKIM = ❌ Fail (invalid signature)
DMARC = ❌ Fail

Conclusion: It's phishing. Email doesn't really come from your bank. To check if URLs in the email are flagged as malicious, use the Phishing URL Checker.

Incident 4: Forwarding fails

Symptom: You forward emails to a colleague, but they land in spam.

Diagnosis: Analyzer shows:

Routing = 3 servers (original → your server → colleague's server)
DKIM = ❌ Fail (signature broken after forwarding)
SPF = ✅ Pass (but DMARC fails)

Action: Configure DMARC with p=none or use ARC (Authenticated Received Chain).

FAQ - Frequently asked questions

Q: What exactly is an email header?

A: It's the complete history of an email: sender, recipient, servers crossed, security checks (SPF/DKIM/DMARC), anti-spam verdicts. The header cannot be forged.

Q: How do I extract headers from my email?

A: It depends on your client:

Gmail: Open email → 3 dots (⋮) → "Show original"
Outlook: Open email → "Actions" → "View message details"
Apple Mail: Menu "Message" → "Show all headers"

Q: Why does my email land in spam?

A: Most common reasons:

Failed SPF: Your sending server is not authorized
Invalid DKIM: Email was modified or signature is broken
Failed DMARC: SPF or DKIM failed + domain not aligned
Content: Suspicious links, attachments, or "spam" keywords
Reputation: Your IP or domain has poor reputation

Q: What's the difference between SPF, DKIM and DMARC?

SPF: "Who can send from my domain?" (whitelist of IPs/servers)
DKIM: "Was this email modified?" (cryptographic signature)
DMARC: "Are SPF and DKIM aligned?" (authentication policy)

Analogy: SPF = list of authorized couriers, DKIM = seal on package, DMARC = verify seal and courier match.

Q: Is the tool free?

A: Yes, the header analyzer is 100% free with no signup. Paste your headers and get instant results.

Q: Are my headers secure?

A: Yes. Headers never contain sensitive data (no passwords, no private content). They only contain technical information (servers, domains, verdicts). We don't store your data.

Q: What should I do after analysis?

A: It depends on results:

SPF failed → Add your server to your SPF record
DKIM failed → Check your DKIM key or regenerate it
DMARC failed → Configure DMARC with appropriate policy
High spam → Check content

Complementary tools

Tool	Purpose
SPF Inspector	Verify and fix your SPF record
DKIM Inspector	Validate your DKIM signature
DMARC Inspector	Configure and test your DMARC policy
DNS Propagation Checker	Confirm your DNS records are propagated globally
IP Blacklist Checker	Check if your IP is blacklisted
Domain Blacklist Checker	Check if your domain is blacklisted
Phishing URL Checker	Verify if a URL is flagged as phishing or malicious
DMARC Monitoring	Receive and analyze your aggregate DMARC reports automatically

Guides to go further

How to read email headers: a field-by-field walkthrough of the Received chain, Authentication-Results, Return-Path and From.
Why emails go to spam: the full list of header signals that send messages to the spam folder, and how to fix each one.

Useful resources

RFC 5322 - Internet Message Format (official header specification)
Google - Authenticate emails (Gmail guide)
Microsoft - Email authentication (Outlook/Microsoft 365 guide)

Email Header Analyzer

Analyze email headers and diagnose spam issues in seconds

Read headers step by step

Check SPF, DKIM and DMARC

Detailed anti-spam verdicts

Received chain and originating IP

Spoofing and phishing detection