How to find the full email headers in every client
| Client | How |
|---|---|
| Gmail (web) | Open email → three-dot menu (top right) → Show original → copy text |
| Gmail (mobile) | Not supported natively; open email on web client |
| Outlook desktop | File → Properties → "Internet headers" box |
| Outlook Web / Microsoft 365 | Three-dot menu on the email → View → View message source |
| Apple Mail | View → Message → Raw Source (⌥⌘U) |
| Thunderbird | View → Headers → All, then right-click email → View Source (Ctrl+U) |
| iPhone / iPad Mail | Not supported; forward as attachment to another client |
SPF, DKIM, DMARC — what these three acronyms actually mean
Email's original design has zero authentication — anyone can write any From: address. Three layers bolted on top patch this:
- SPF (Sender Policy Framework) — a TXT record on the sending domain lists which IPs are allowed to send email for that domain. Receiver checks the connecting IP against the list. Example record: `v=spf1 include:_spf.google.com ~all`.
- DKIM (DomainKeys Identified Mail) — sending server cryptographically signs each message. Receiver fetches the public key from the sender's DNS TXT record (`selector._domainkey.example.com`) and verifies the signature. Prevents tampering.
- DMARC — a TXT record at `_dmarc.example.com` that tells receivers what to do if SPF or DKIM fail: `none` (report only), `quarantine` (spam folder), or `reject` (bounce). Requires "alignment" — the SPF/DKIM-verified domain must match the visible `From:` address.
All three together = strong sender authentication. Missing all three = easy to spoof. Our analyzer highlights each verdict (pass, softfail, fail) so you can see at a glance whether the email is properly authenticated.
Frequently Asked Questions
How do I analyze email headers to find a sender's IP or path?
Copy the full raw headers from your email client (Gmail: Show original. Outlook: View source). Paste into the analyzer. It traces every hop in `Received:` headers, extracts sending IPs, hop latencies, and shows SPF, DKIM, DMARC check results — the authentication trail.
How do I check if an email is phishing or spoofed?
Look at SPF (`pass` means the sending IP is authorised for that domain), DKIM (`pass` means the body signature verifies), DMARC (`pass` means both aligned with the From address). Any `fail`, `softfail` or missing signatures are red flags the analyzer highlights in red.
Where do I find the full email headers in Gmail or Outlook?
Gmail: open email → three-dot menu → Show original → copy. Outlook desktop: File → Properties → Internet headers. Outlook web: three-dot menu → View → View message source. Apple Mail: View → Message → Raw Source.
What does SPF, DKIM and DMARC mean in email headers?
SPF verifies the sending server is allowed for that domain (via DNS TXT). DKIM verifies the message body signature (via DNS TXT with public key). DMARC tells receivers what to do if SPF or DKIM fail (quarantine / reject). All three together = trusted sender.
Can I trace the path an email took through the internet?
Yes. Each `Received:` header logs a hop (with IP, timestamp, server name). The analyzer renders them in order (oldest to newest), showing ISP path, latency per hop, and any suspicious detours — useful for diagnosing deliverability or spoofing.
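The two checks described on this page, reading the SPF/DKIM/DMARC verdicts and walking the `Received:` hops oldest to newest, can be reproduced offline with Python's standard library. This is an added example, not the analyzer's own code; the function names, the `trusted_authserv` parameter and the sample headers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation domains and IP ranges); newest hop is on top.
RAW = """\
Received: from mx.receiver.example (mx.receiver.example [198.51.100.7])
\tby inbox.receiver.example with ESMTPS id abc123; Tue, 03 Feb 2026 10:00:09 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
\tby mx.receiver.example with ESMTPS id def456; Tue, 03 Feb 2026 10:00:04 +0000
Authentication-Results: mx.receiver.example; spf=softfail smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
From: Alice <alice@sender.example>
Subject: Quarterly report
"""

def auth_verdicts(msg, trusted_authserv):
    """SPF/DKIM/DMARC results stamped by our own receiver; 'missing' if absent."""
    verdicts = dict.fromkeys(("spf", "dkim", "dmarc"), "missing")
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(value.split()).partition(";")
        if authserv.lower().split()[:1] != [trusted_authserv.lower()]:
            continue  # stamped by another host: the sender could have forged it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            if verdicts[method.lower()] == "missing":
                verdicts[method.lower()] = result.lower()
    return verdicts

def red_flags(verdicts):
    """Methods whose verdict is anything other than pass (fail, softfail, missing...)."""
    return sorted(m for m, r in verdicts.items() if r != "pass")

def hops(msg):
    """Received hops oldest first: (from_host, ip, seconds since the previous hop)."""
    out, prev = [], None
    for value in reversed(msg.get_all("Received", [])):
        clause, _, date = " ".join(value.split()).rpartition(";")
        when = parsedate_to_datetime(date.strip())
        host = re.search(r"\bfrom\s+(\S+)", clause)
        ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", clause)
        delay = (when - prev).total_seconds() if prev else None
        out.append((host and host.group(1), ip and ip.group(1), delay))
        prev = when
    return out

if __name__ == "__main__":
    msg = message_from_string(RAW)
    print(auth_verdicts(msg, "mx.receiver.example"), hops(msg))
```

Only `Received:` and `Authentication-Results:` lines added by servers you control are reliable; anything below the first trusted hop was supplied by the sending side.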