Email Header Analyzer
Paste raw email headers and trace the Received chain, SPF, DKIM, and DMARC results in your browser. Spot phishing patterns. Nothing is uploaded.
Paste the headers exactly as your mail client shows them. In Gmail, open the message and choose Show original. In Apple Mail, choose View, Message, All Headers. In Outlook on the web, open the message and choose View, Message Source. The body below the blank line is ignored.
Message identity
From
ACME Notifications <notify@acme.example>
To
alex@example.com
Reply-To
ACME Support <support@acme.example>
Return-Path
<bounce+abc123@notifications.acme.example>
Subject
Your invoice – April 2026
Date
Mon, 04 May 2026 09:00:55 +0000
Message-ID
<0123456789abcdef@app-12.acme.example>
Findings
From and Return-Path domains differ
Warning: From is at acme.example but Return-Path is at notifications.acme.example. Mismatched envelope and header sender domains are common in phishing and forwarding.
Authentication
Authentication-Results
spf
pass, identity bounce+abc123@notifications.acme.example
dkim
pass, identity acme.example
dmarc
pass, identity acme.example
Received-SPF
pass (mx.example.com: domain of bounce+abc123@notifications.acme.example designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
DKIM-Signature (1 signature)
domain acme.example, selector mail202604, algorithm rsa-sha256
Delivery path (3 hops)
Hops are ordered chronologically (oldest first). Each shows the from host, the receiving host, the protocol, and the delay since the previous hop.
Hop 1
from
app-server-12.acme.example [10.20.30.12]
by
mail-relay.acme.example
with
ESMTPSA
when
Mon, 04 May 2026 09:00:58 +0000 (UTC)
for
alex@example.com
Raw Received line
from app-server-12.acme.example (app-server-12.acme.example [10.20.30.12] HELO app-12) by mail-relay.acme.example (Postfix) with ESMTPSA id 1A2B3C4D5E for <alex@example.com>; Mon, 04 May 2026 09:00:58 +0000 (UTC)
Hop 2
Delay since previous hop: +13s
from
mail-relay.acme.example [198.51.100.7]
by
mx-in-3.example.com
with
ESMTPS
when
Mon, 04 May 2026 09:01:11 +0000 (UTC)
for
alex@example.com
Raw Received line
from mail-relay.acme.example (mail-relay.acme.example [198.51.100.7]) by mx-in-3.example.com (Postfix) with ESMTPS id 6Y7Z8A9B0C for <alex@example.com>; Mon, 04 May 2026 09:01:11 +0000 (UTC)
Hop 3
Delay since previous hop: +3s
from
mx-in-3.example.com [203.0.113.42]
by
mx.example.com
with
ESMTPS
when
Mon, 04 May 2026 09:01:14 +0000 (UTC)
for
alex@example.com
Raw Received line
from mx-in-3.example.com (mx-in-3.example.com [203.0.113.42]) by mx.example.com (Postfix) with ESMTPS id 4F1G2H3J4K for <alex@example.com>; Mon, 04 May 2026 09:01:14 +0000 (UTC)
6 headers
Return-Path
<bounce+abc123@notifications.acme.example>
Date
Mon, 04 May 2026 09:00:55 +0000
From
ACME Notifications <notify@acme.example>
Reply-To
ACME Support <support@acme.example>
To
alex@example.com
Subject
Your invoice – April 2026
Decoded from RFC 2047 encoded-words.
5 headers
Delivered-To
alex@example.com
Received
from mx-in-3.example.com (mx-in-3.example.com [203.0.113.42]) by mx.example.com (Postfix) with ESMTPS id 4F1G2H3J4K for <alex@example.com>; Mon, 04 May 2026 09:01:14 +0000 (UTC)
Received
from mail-relay.acme.example (mail-relay.acme.example [198.51.100.7]) by mx-in-3.example.com (Postfix) with ESMTPS id 6Y7Z8A9B0C for <alex@example.com>; Mon, 04 May 2026 09:01:11 +0000 (UTC)
Received
from app-server-12.acme.example (app-server-12.acme.example [10.20.30.12] HELO app-12) by mail-relay.acme.example (Postfix) with ESMTPSA id 1A2B3C4D5E for <alex@example.com>; Mon, 04 May 2026 09:00:58 +0000 (UTC)
X-Mailer
ACME Mailer 4.2
2 headers
Authentication-Results
mx.example.com; spf=pass (mx.example.com: domain of bounce+abc123@notifications.acme.example designates 198.51.100.7 as permitted sender) smtp.mailfrom=bounce+abc123@notifications.acme.example; dkim=pass (signature was verified) header.d=acme.example header.i=@acme.example; dmarc=pass action=none header.from=acme.example
Received-Spf
(sent as Received-SPF) pass (mx.example.com: domain of bounce+abc123@notifications.acme.example designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
1 header
Message-Id
(sent as Message-ID) <0123456789abcdef@app-12.acme.example>
3 headers
List-Unsubscribe
<https://acme.example/u/abc123>, <mailto:unsubscribe+abc123@acme.example>
List-Unsubscribe-Post
List-Unsubscribe=One-Click
Feedback-Id
(sent as Feedback-ID) 12345:notifications:acme
2 headers
Mime-Version
(sent as MIME-Version) 1.0
Content-Type
multipart/alternative; boundary="===bnd_85a3f==="
1 header
Dkim-Signature
(sent as DKIM-Signature) v=1; a=rsa-sha256; d=acme.example; s=mail202604; c=relaxed/relaxed; h=from:to:subject:date:message-id; bh=Q5l7yK0J2vCp1m4qH7tQp8aJk0Qe9YzCq3NfQwS6+yA=; b=Lr/QJa9dJpYV3vRj+Tk2qZl4z6m8c1pDkVx8LzSKj0eAa1bXyP4Y2g==
Normalized block
Header names rewritten in canonical Hyphen-Capital case.
Return-Path: <bounce+abc123@notifications.acme.example>
Delivered-To: alex@example.com
Received: from mx-in-3.example.com (mx-in-3.example.com [203.0.113.42]) by mx.example.com (Postfix) with ESMTPS id 4F1G2H3J4K for <alex@example.com>; Mon, 04 May 2026 09:01:14 +0000 (UTC)
Received: from mail-relay.acme.example (mail-relay.acme.example [198.51.100.7]) by mx-in-3.example.com (Postfix) with ESMTPS id 6Y7Z8A9B0C for <alex@example.com>; Mon, 04 May 2026 09:01:11 +0000 (UTC)
Received: from app-server-12.acme.example (app-server-12.acme.example [10.20.30.12] HELO app-12) by mail-relay.acme.example (Postfix) with ESMTPSA id 1A2B3C4D5E for <alex@example.com>; Mon, 04 May 2026 09:00:58 +0000 (UTC)
Authentication-Results: mx.example.com; spf=pass (mx.example.com: domain of bounce+abc123@notifications.acme.example designates 198.51.100.7 as permitted sender) smtp.mailfrom=bounce+abc123@notifications.acme.example; dkim=pass (signature was verified) header.d=acme.example header.i=@acme.example; dmarc=pass action=none header.from=acme.example
Received-Spf: pass (mx.example.com: domain of bounce+abc123@notifications.acme.example designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
Dkim-Signature: v=1; a=rsa-sha256; d=acme.example; s=mail202604; c=relaxed/relaxed; h=from:to:subject:date:message-id; bh=Q5l7yK0J2vCp1m4qH7tQp8aJk0Qe9YzCq3NfQwS6+yA=; b=Lr/QJa9dJpYV3vRj+Tk2qZl4z6m8c1pDkVx8LzSKj0eAa1bXyP4Y2g==
Date: Mon, 04 May 2026 09:00:55 +0000
From: ACME Notifications <notify@acme.example>
Reply-To: ACME Support <support@acme.example>
To: alex@example.com
Subject: =?UTF-8?Q?Your_invoice_=E2=80=93_April_2026?=
Message-Id: <0123456789abcdef@app-12.acme.example>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="===bnd_85a3f==="
List-Unsubscribe: <https://acme.example/u/abc123>, <mailto:unsubscribe+abc123@acme.example>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Feedback-Id: 12345:notifications:acme
X-Mailer: ACME Mailer 4.2
How to use
- Open the message in your mail client and copy the raw source. In Gmail, choose Show original. In Apple Mail, choose View, Message, All Headers. In Outlook on the web, choose View, Message Source. In Outlook desktop, double-click the message and choose File, Properties.
- Paste the headers into the input area above. The body below the first blank line is ignored, so you can paste the full source without trimming.
- Read the Identity panel for From, Reply-To, Return-Path, Subject, and Date, then scan the Findings panel for any phishing or deliverability warnings.
- Open the Authentication panel for SPF, DKIM, DMARC, and ARC results, then walk the Received chain to see each hop, its IP, and the delay since the previous hop.
- Use Copy block to grab the canonical header set for an abuse report, a ticket, or a postmortem. Click Load sample to see how a clean transactional message renders.
About this tool
Email Header Analyzer is a browser-only parser for raw email source. Paste the headers your mail client exposes through Show original, View Source, or All Headers, and the tool walks the message in line with RFC 5322, RFC 7601, and the practical fields shipped by Microsoft 365, Google Workspace, Proofpoint, and Mimecast. Folded continuation lines are unfolded so each header is one logical record. RFC 2047 encoded-words in From, To, Cc, Reply-To, and Subject (the =?UTF-8?B?...?= and =?UTF-8?Q?...?= forms) are decoded so display names and subjects render as the recipient actually saw them.
The Identity panel surfaces From, To, Cc, Bcc, Reply-To, Return-Path, Subject, Date, Message-ID, In-Reply-To, and References at a glance. The Received chain is reordered chronologically (oldest hop first) and each entry is broken out into its from host, by host, with-protocol, recipient, and timestamp, with per-hop delay and total delivery time.
The Authentication panel pulls Authentication-Results apart into per-method badges (spf, dkim, dmarc, arc, dkim-atps) with pass / fail / softfail / permerror tones, surfaces Received-SPF and every DKIM-Signature with its selector and signing domain, and notes when an ARC chain is present (ARC carries SPF and DKIM results across forwarders that would otherwise break alignment).
The Findings panel flags the patterns that real phishing relies on: From and Return-Path domains that disagree, Reply-To that redirects to a different domain, display-name brands that do not match the sender domain, missing Date or Message-ID, X-Spam-Flag set to YES, anonymous Received hops where reverse DNS failed, and unusually long delays in the delivery path. Every header is also listed with category badges (identity, routing, authentication, threading, list / automation, tracking, spam scoring, transport, custom) so the long X-* tail from your mail filter or sending platform stays organized.
A normalized header block is ready to copy back out for ticket attachments, abuse reports, and bug reproductions. Everything runs locally on your device, which matters because email headers leak the recipient address, internal hostnames, originating IP, mail-server software versions, ticket IDs, and routing detail you should never paste into a third-party server.
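The parsing steps described above (unfolding, oldest-first Received ordering with per-hop delay, splitting Authentication-Results, and the From versus Return-Path check) can be reproduced in a few functions; this is an added example, not the tool's own code. The function names are hypothetical, the sample is abridged from the message shown on this page, and the subdomain test only approximates relaxed DMARC alignment because it does not consult the Public Suffix List.

```javascript
// Constructed sample: abridged from the page's sample message, with folded lines.
const SAMPLE = [
  'Return-Path: <bounce+abc123@notifications.acme.example>',
  'Received: from mx-in-3.example.com (mx-in-3.example.com [203.0.113.42])',
  '\tby mx.example.com (Postfix) with ESMTPS id 4F1G2H3J4K; Mon, 04 May 2026 09:01:14 +0000 (UTC)',
  'Received: from mail-relay.acme.example (mail-relay.acme.example [198.51.100.7])',
  '\tby mx-in-3.example.com (Postfix) with ESMTPS id 6Y7Z8A9B0C; Mon, 04 May 2026 09:01:11 +0000 (UTC)',
  'Authentication-Results: mx.example.com; spf=pass (permitted sender);',
  ' dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example',
  'From: ACME Notifications <notify@acme.example>',
  '', 'Body text after the blank line is ignored.',
].join('\r\n');

// Unfold continuation lines and keep only the block before the first blank line.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, ' ');
  return head.split(/\r?\n/).filter((l) => l.includes(':')).map((l) => {
    const i = l.indexOf(':');
    return { name: l.slice(0, i).trim().toLowerCase(), value: l.slice(i + 1).trim() };
  });
}

// Relays prepend Received lines, so reverse them to get oldest-first hops with delays.
function receivedChain(headers) {
  const hops = headers.filter((h) => h.name === 'received').reverse().map((h) => ({
    from: (h.value.match(/^from\s+(\S+)/i) || [])[1] || null,
    by: (h.value.match(/\sby\s+(\S+)/i) || [])[1] || null,
    when: Date.parse(h.value.slice(h.value.lastIndexOf(';') + 1).replace(/\(.*?\)/g, '').trim()),
  }));
  hops.forEach((hop, i) => { hop.delaySec = i ? (hop.when - hops[i - 1].when) / 1000 : null; });
  return hops;
}

// Split Authentication-Results into { method: result }, dropping comments and the authserv-id.
function authResults(headers) {
  const h = headers.find((x) => x.name === 'authentication-results');
  const parts = h ? h.value.replace(/\([^)]*\)/g, '').split(';').slice(1) : [];
  return Object.fromEntries(parts.map((p) => p.trim().split(/\s+/)[0].toLowerCase().split('='))
    .filter((kv) => kv.length === 2));
}

// Flag differing From / Return-Path domains; note when one is a subdomain of the other.
const domainOf = (v) => ((v || '').match(/@([^>\s]+)>?\s*$/) || [])[1]?.toLowerCase() || null;
function senderMismatch(headers) {
  const get = (n) => (headers.find((h) => h.name === n) || {}).value;
  const from = domainOf(get('from')), rp = domainOf(get('return-path'));
  if (!from || !rp || from === rp) return null;
  return { from, returnPath: rp, subdomain: rp.endsWith('.' + from) || from.endsWith('.' + rp) };
}
```

On the sample, `senderMismatch` reports the same From and Return-Path difference as the Findings panel, with `subdomain: true`, which is why `dmarc=pass` and the warning can appear together. Nested comments and multiple results for one method (for example several `dkim=` entries) are not handled.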
Free to use. Works in your browser. No signup, no login.