Email Header Analyzer

Paste the raw headers from a suspicious message. See the path it took, where it really came from, whether SPF, DKIM, and DMARC passed, and whether the From, Reply-To, and Return-Path agree. Everything is parsed in your browser.

How to read email headers, and what actually signals a fake

What the headers are

Every email carries a block of headers describing how it was built and routed. Mail servers stamp their own lines as the message passes through, so the headers are a rough audit log of the journey from sender to your inbox. The body can lie freely; the headers are harder to fully fake because each relay stamps its own line on top, and a sender cannot rewrite the lines added by servers it does not control.

The Received chain

Each server that handles the message prepends a Received: line, so the list reads newest first. The bottom entry is usually the origin, and the top is the server that delivered to you. Reading from the bottom up shows the path. A large gap between two hops can mean the message sat in a queue, and a hop claiming a private or mismatched address is worth a closer look.

SPF, DKIM, and DMARC

These three checks tell you whether the sending domain authorized this message. SPF checks whether the sending server's IP is allowed to send for the envelope domain. DKIM verifies a cryptographic signature tied to the domain. DMARC ties the visible From domain to SPF or DKIM passing and tells receivers what to do on failure. A real failure on a domain that should pass is a strong phishing signal, though forwarding and mailing lists can break SPF and DKIM legitimately.

The mismatch tells

Look at the relationship between the addresses. A display name that reads like a known brand while the actual From domain is unrelated, a Reply-To pointing somewhere different from the From, or a Return-Path on a throwaway domain are classic business-email-compromise patterns. None of these is proof on its own, but together they raise the odds.

Trust, honestly

Authentication results stamped inside the headers were written by whichever server claims to have done the check. On mail you received through your own provider, the top Authentication-Results line is trustworthy because your provider added it. Lines deeper in the chain were added by upstream servers you do not control, so weigh them accordingly. This tool reports what the headers say; it does not re-run the cryptographic checks.
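
A sketch of the address-mismatch check and the trust rule described above, as an added example (not this tool's own code). The sample headers, every domain in them, and the function names are constructed for illustration, and the "related domain" test is a simplification that does not use the Public Suffix List.

```javascript
// Constructed sample headers (newest first); every domain here is a placeholder.
const SAMPLE = [
  'Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.example.org;',
  ' dkim=fail header.d=example.org; dmarc=fail header.from=example.com',
  'Received: from relay.example.org by mx.example.net; Tue, 02 Jan 2024 10:00:05 +0000',
  'Authentication-Results: relay.example.org; spf=pass; dkim=pass; dmarc=pass',
  'Return-Path: <bounce@bounce.example.org>',
  'From: "Example Bank Support" <support@example.com>',
  'Reply-To: helpdesk@example.info',
].join('\r\n');

// Unfold continuation lines and return [lowercased name, value] pairs in order.
function parseHeaders(raw) {
  const block = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, ' ');
  return block.split(/\r?\n/).filter((l) => l.includes(':')).map((l) => {
    const i = l.indexOf(':');
    return [l.slice(0, i).trim().toLowerCase(), l.slice(i + 1).trim()];
  });
}

// Prefer the angle-bracket address so an "@" inside a display name is ignored.
function domainOf(value) {
  const v = value || '';
  const m = /<[^<>@\s]*@([^<>\s]+)>/.exec(v) || /@([A-Za-z0-9.-]+)/.exec(v);
  return m ? m[1].toLowerCase() : null;
}
// Simplification: "related" means equal or parent/subdomain of each other.
const related = (a, b) => a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
function analyze(raw, trustedAuthservId) {
  const headers = parseHeaders(raw);
  const first = (name) => (headers.find(([n]) => n === name) || [])[1];
  const from = domainOf(first('from'));
  const flags = [];
  for (const name of ['reply-to', 'return-path']) {
    const d = domainOf(first(name));
    if (from && d && !related(from, d)) flags.push(`${name} domain ${d} differs from From domain ${from}`);
  }
  // Read only the topmost Authentication-Results, and only if our own provider stamped it.
  const [authserv, ...parts] = (first('authentication-results') || '').split(';').map((s) => s.trim());
  const trusted = authserv.split(/\s+/)[0].toLowerCase() === trustedAuthservId.toLowerCase();
  const auth = {};
  for (const p of trusted ? parts : []) {
    const m = /^(spf|dkim|dmarc)=(\w+)/i.exec(p);
    if (m && !(m[1].toLowerCase() in auth)) auth[m[1].toLowerCase()] = m[2].toLowerCase();
  }
  if (!trusted) flags.push('no Authentication-Results from the trusted server at the top');
  for (const [k, v] of Object.entries(auth)) if (v !== 'pass') flags.push(`${k}=${v}`);
  return { from, trusted, auth, flags };
}
```

The second Authentication-Results line in the sample claims a clean pass, but it was written by an upstream relay, so `analyze` never reads it.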