Email Header Analyzer

Summarize Received chains and auth hints from pasted headers.

About Email Header Analyzer

Email Header Analyzer on UtilityKit parses the raw headers of any email message and presents the delivery path, authentication results, and timing information in a clear, structured layout — without sending your headers to any external service. Paste the full header block copied from Gmail, Outlook, Apple Mail, or any webmail client, and the tool extracts and displays the complete Received chain with each hop's timestamp, total delivery time, originating sender IP, and the SPF, DKIM, and DMARC authentication-results lines that mailbox providers use to make spam and phishing decisions. Originating IPs are flagged with their RDNS hostname so you can spot unexpected relay servers at a glance.

Why use Email Header Analyzer

Delivery Diagnosis

Pinpoint which hop in the Received chain introduced a delay or rejected the message, cutting troubleshooting time from hours to minutes.

Phishing Investigation

The From: address in phishing emails is spoofed. Header analysis reveals the real originating IP, sending infrastructure, and whether SPF/DKIM authentication failed.

SPF & DKIM Verification

Confirm your SPF record covers all sending servers and that DKIM signatures are present and aligned before tightening your DMARC policy to p=reject.

DMARC Troubleshooting

Understand exactly why DMARC is passing or failing — whether due to SPF or DKIM alignment — and which policy (none, quarantine, reject) was applied.

Privacy-Safe Parsing

Headers often contain internal hostnames, IP addresses, and message IDs. All parsing runs in your browser — nothing is sent to external servers or logged.

Client-Agnostic

Works with headers copied from Gmail, Outlook, Apple Mail, Yahoo Mail, ProtonMail, or any email client that exposes raw headers in a selectable text block.

How to use Email Header Analyzer

  1. Open the message in your email client. In Gmail: three-dot menu → Show original. In Outlook: File → Properties → Internet headers. In Apple Mail: View → Message → All Headers.
  2. Select all text in the raw headers view and copy it to your clipboard — this includes everything from the first Received line down to the blank line before the message body.
  3. Paste the header block into the analyzer input field and click Analyze (or the tool processes automatically on paste).
  4. Read the Delivery Path section: each Received hop is listed chronologically with server name, timestamp, and delay from the previous hop — long gaps indicate slow relays.
  5. Check the Authentication Results section for SPF (pass/fail/softfail/neutral), DKIM (pass/fail and the signing domain), and DMARC (pass/fail and policy applied).
  6. Review the originating IP and its reverse-DNS hostname to identify the true sending server, which is often different from the From: address and relevant for phishing investigation.

When to use Email Header Analyzer

  • When a transactional email (order confirmation, password reset) is reported as not delivered and you need to trace which server rejected or delayed it.
  • When investigating a phishing email and you need to identify the real sending IP, mail server infrastructure, and whether the sender authenticated with SPF/DKIM.
  • When configuring a new email sending service (SendGrid, SES, Postmark) and you want to verify the DKIM signature and SPF alignment appear correctly in delivered mail.
  • When tightening a DMARC policy from p=none to p=quarantine or p=reject and you need to confirm all legitimate senders pass SPF or DKIM alignment checks.
  • When a contact reports your email landed in their spam folder and you need to diagnose authentication failures or relay reputation issues.
  • When auditing a corporate mail environment for unexpected relay hops or external forwarding services that might break SPF alignment.

Examples

Legitimate transactional email (SPF + DKIM pass)

Input: Received chain from SendGrid relay, Authentication-Results: spf=pass smtp.mailfrom=sendgrid.net; dkim=pass header.d=example.com

Output: Delivery path: sender → SendGrid relay → recipient MX. SPF: pass. DKIM: pass (d=example.com, aligned). DMARC: pass. Total delivery time: 3.2 s.

Phishing email with SPF fail

Input: From: support@paypal.com, Received: from 185.220.101.x (unknown), Authentication-Results: spf=fail smtp.mailfrom=paypal.com

Output: Originating IP: 185.220.101.x — not in PayPal's SPF record. DKIM: none. DMARC: fail (policy=quarantine). Likely spoofed sender.

Delayed delivery with greylisting hop

Input: Three Received headers: hop 1 at 14:00:01, hop 2 at 14:04:33 (4-minute gap), hop 3 at 14:04:35

Output: Total delivery time: 4 min 34 s. Delay introduced at hop 2 (recipient MX applied greylisting — first-time sender temporarily rejected then retried by sending server).
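The Delivery Path calculation from the greylisting example above, written out as an added JavaScript example (not UtilityKit's own code). The header block, hostnames and IP addresses are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample: three hops, newest first, as they appear in a raw message.
const SAMPLE_HEADERS = [
  "Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])",
  "\tby inbox.recipient.example with ESMTP id c3;",
  "\tMon, 06 Jan 2025 14:04:35 +0000",
  "Received: from relay.sender.example (relay.sender.example [198.51.100.7])",
  "\tby mx.recipient.example with ESMTPS id b2;",
  "\tMon, 06 Jan 2025 09:04:33 -0500",
  "Received: from app.sender.example ([192.0.2.10])",
  "\tby relay.sender.example with ESMTP id a1; Mon, 06 Jan 2025 14:00:01 +0000",
  "From: orders@sender.example",
  "",
  "Received: this line is body text and must be ignored",
].join("\r\n");

function receivedHops(rawHeaders) {
  // Unfold continuation lines: a line break followed by space/tab continues the header.
  const unfolded = rawHeaders.replace(/\r?\n[ \t]+/g, " ");
  const hops = [];
  for (const line of unfolded.split(/\r?\n/)) {
    if (line === "") break; // the first blank line ends the header block
    const m = /^Received:\s*(.*)$/i.exec(line);
    if (!m) continue;
    const semi = m[1].lastIndexOf(";"); // the timestamp follows the last semicolon
    const time = semi === -1 ? NaN : Date.parse(m[1].slice(semi + 1).trim());
    const from = /\bfrom\s+(\S+)/i.exec(m[1]);
    const by = /\bby\s+(\S+)/i.exec(m[1]);
    hops.push({ from: from ? from[1] : null, by: by ? by[1] : null, time });
  }
  hops.reverse(); // servers prepend, so reversing gives sender-to-recipient order
  return hops.map((h, i) => {
    const prev = i > 0 ? hops[i - 1].time : NaN;
    // Delay is null for the first hop or an unparseable date; clock skew can make it negative.
    const known = !Number.isNaN(prev) && !Number.isNaN(h.time);
    return { ...h, delaySeconds: known ? (h.time - prev) / 1000 : null };
  });
}

// The hop that added the most time, or null if no delay could be computed.
function slowestHop(hops) {
  return hops.reduce((worst, h) =>
    h.delaySeconds !== null && (!worst || h.delaySeconds > worst.delaySeconds) ? h : worst, null);
}
```

Timestamps are converted to UTC before subtraction, so hops that report different time zones still compare correctly.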

Tips

  • When diagnosing DMARC failures, check both SPF and DKIM alignment separately — a message can pass SPF but fail DMARC if the SPF domain does not align with the From: header domain.
  • The 'X-Originating-IP' or 'X-Forwarded-To' headers, when present, can reveal the true client IP even when the main Received chain is obscured by a privacy-preserving gateway.
  • If DKIM shows 'body hash did not verify', the message body was modified in transit — possibly by a mailing list, forwarding rule, or anti-virus gateway that appended a footer.
  • Compare the 'envelope-from' (Return-Path) domain with the 'From:' header domain. DMARC requires alignment between these two domains (for SPF) or between DKIM d= and From: domain.
  • Save the analyzed header output as a text file when filing abuse reports with hosting providers or ISPs — include the originating IP and authentication results to make the report actionable.
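The alignment check described in the tips above, as an added JavaScript example (not UtilityKit's own code). All domains, the authserv-id and the function names are constructed or hypothetical; the parser assumes no semicolons inside parenthesised comments, and relaxed alignment is approximated without the Public Suffix List.

```javascript
// Constructed sample; every domain and the authserv-id are placeholders.
const SAMPLE = [
  "Authentication-Results: mx.recipient.example;",
  " spf=pass smtp.mailfrom=bounce.esp.example;",
  " dkim=pass header.d=mail.shop.example;",
  " dmarc=pass header.from=shop.example",
  'From: "Shop" <orders@shop.example>',
].join("\r\n");

function headerValue(raw, name) {
  const lines = raw.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/); // unfold first
  const hit = lines.find((l) => l.toLowerCase().startsWith(name.toLowerCase() + ":"));
  return hit ? hit.slice(name.length + 1).trim() : null;
}

function parseAuthResults(value) {
  const [authservId, ...rest] = value.split(";").map((s) => s.trim());
  const clauses = [];
  for (const clause of rest) {
    const m = /^([a-z0-9-]+)=([a-z]+)/i.exec(clause); // e.g. "spf=pass"
    if (!m) continue;
    const props = {};
    for (const p of clause.matchAll(/\b([a-z]+\.[a-z0-9-]+)=(\S+)/gi)) {
      props[p[1].toLowerCase()] = p[2].toLowerCase().split("@").pop(); // keep the domain part
    }
    clauses.push({ method: m[1].toLowerCase(), result: m[2].toLowerCase(), props });
  }
  return { authservId, clauses };
}

// Relaxed alignment approximated as "equal or parent/child"; real DMARC compares
// organizational domains using the Public Suffix List (simplification).
function aligned(a, b) {
  return Boolean(a && b) && (a === b || a.endsWith("." + b) || b.endsWith("." + a));
}

function dmarcView(raw, trustedAuthservId) {
  const m = /@([^>\s]+)>?\s*$/.exec(headerValue(raw, "From") || "");
  const fromDomain = m ? m[1].toLowerCase() : null;
  const ar = parseAuthResults(headerValue(raw, "Authentication-Results") || "");
  const ok = (method, prop) => ar.clauses.some((c) =>
    c.method === method && c.result === "pass" && aligned(c.props[prop], fromDomain));
  const spfAligned = ok("spf", "smtp.mailfrom");
  const dkimAligned = ok("dkim", "header.d");
  // Only a header stamped by your own receiver is evidence; senders can add their own.
  const trusted = ar.authservId === trustedAuthservId;
  return { fromDomain, spfAligned, dkimAligned, trusted, dmarcPass: trusted && (spfAligned || dkimAligned) };
}
```

In the sample, SPF passes for the sending service's bounce domain but is not aligned with the From: domain, so the DMARC pass rests on the aligned DKIM signature alone.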

Frequently Asked Questions

Where do I find raw email headers in Gmail?
Open the message, click the three-dot menu in the top-right corner of the email, and select 'Show original'. A new tab opens with the full raw message including headers. Select all and copy the text above the blank line that separates headers from the body.

What does SPF pass or fail mean?
Sender Policy Framework (SPF) checks whether the sending mail server's IP address is listed in the DNS SPF record of the domain in the envelope-from address. A pass means the IP is authorised; a fail or softfail means it is not, which typically indicates a spoofed or misconfigured sender.

What is DKIM alignment?
DKIM alignment (used by DMARC) means the domain in the DKIM d= tag matches the domain in the message's From: header. A valid DKIM signature that signs a different domain does not satisfy DMARC alignment even if the signature itself is cryptographically valid.

Why does the Received chain appear in reverse order?
Each mail server prepends its own Received header as the message passes through, so the most recent hop is at the top of the raw headers. The analyzer reverses this to show the delivery path chronologically from sender to recipient.

Is it safe to paste headers containing internal server names?
Yes. The analyzer runs entirely in your browser using JavaScript — no header data is transmitted to any server or third-party service. Internal hostnames, IP addresses, and message IDs stay on your device.

What does DMARC p=quarantine or p=reject mean in the headers?
The DMARC policy is published in the sender domain's DNS. 'quarantine' means the receiving server should treat failing messages as spam. 'reject' means they should be discarded outright. The Authentication-Results header records which policy was applied to the message you received.

Can I trace the original sender's IP from the headers?
Usually yes. The bottom-most (first) Received header typically contains the IP address of the original sending client or server. However, some providers (e.g. Gmail) redact this for privacy when the sender uses their webmail interface.

Why does the total delivery time matter?
Most legitimate email is delivered in under 30 seconds. Delivery times of several minutes often indicate a greylisting policy, a slow external relay, or a DNS lookup timeout on one of the hops. The per-hop timestamps in the Received chain show exactly where time was spent.

Glossary

SPF (Sender Policy Framework)
A DNS-based email authentication mechanism where the sending domain publishes a TXT record listing authorised mail server IP addresses. Receiving servers check the sending IP against this list and record the result in Authentication-Results headers.

DKIM (DomainKeys Identified Mail)
An authentication method that attaches a cryptographic signature to outgoing messages. The receiving server retrieves the public key from DNS and verifies the signature, confirming the message was not altered and was sent by an authorised server for the signing domain.

DMARC
Domain-based Message Authentication, Reporting, and Conformance — a policy layer built on top of SPF and DKIM. The sending domain publishes a DNS record specifying what receiving servers should do (none, quarantine, reject) when messages fail SPF or DKIM alignment.

Received Chain
The sequence of Received: headers added by each mail server that handled the message in transit. Reading the chain from bottom to top traces the delivery path from the original sender to the final recipient's inbox.

Envelope-From
The Return-Path address used by the SMTP protocol during message transmission — distinct from the visible From: header. SPF is checked against the envelope-from domain, not the From: header domain.

Authentication-Results
A header added by receiving mail servers recording the outcome of SPF, DKIM, and DMARC checks. Contains pass/fail verdicts and the relevant domains, making it the primary source for diagnosing email authentication issues.