Free tools

Email Header Analyzer

Trace any email's route hop by hop, read its authentication results, and spot spoofing red flags - without the headers ever leaving your browser.

Analyzed entirely in your browser - headers never leave this page.

What email headers tell you

Headers are the envelope metadata of a message: who really sent it, which servers relayed it, how long each hop took, and whether it passed SPF, DKIM, and DMARC checks. The body of an email can claim anything; the headers are where forgery shows.

Common things to look for

  • Authentication failures - spf/dkim/dmarc=fail in Authentication-Results on mail from a domain that should pass.
  • Mismatched domains - From says one company, Return-Path or Reply-To points somewhere unrelated.
  • Suspicious first hop - the bottom Received header shows the true origin server, no matter what the From claims.
  • Delivery delays - large gaps between hop timestamps show exactly which relay slowed a late message.

Parsing email programmatically?

If you're doing this in code - agents triaging inbound mail, QA verifying auth results - you don't need to parse MIME yourself. AgenticEmail delivers every inbound message as clean JSON (headers, body, attachments already parsed) to your webhook or WebSocket, with raw MIME still available when you want it. See how email webhooks work or the docs.

Frequently asked questions

How do I get the raw headers of an email?
Gmail: open the message → three-dot menu → 'Show original'. Outlook: File → Properties → 'Internet headers'. Apple Mail: View → Message → All Headers. Copy everything from the top through the first blank line and paste it into the analyzer.
Is it safe to paste headers here?
Yes - this analyzer runs entirely in your browser. The headers are parsed with JavaScript on this page and are never uploaded, stored, or sent to any server.
How can I tell if an email is spoofed from its headers?
Check the Authentication-Results header first: spf=fail, dkim=fail, or dmarc=fail on mail claiming to be from a major brand is a strong signal. Then compare the From domain with the Return-Path and Reply-To domains, and look at the earliest Received hop - the server that first handled the message.
What does each Received header mean?
Every server that handles a message prepends a Received header, so reading them bottom-up gives the delivery path from origin to your inbox. Each carries the sending host (from), the receiving host (by), and a timestamp - the gaps between timestamps show where a slow delivery got stuck.
Talk to a real person