Free Email Header Analyzer
Paste the raw source of an email and see exactly how it was delivered. The tool reconstructs the Received chain into a chronological timeline with per-hop delays, parses Authentication-Results for SPF, DKIM, and DMARC verdicts, and flags common spoofing or misconfiguration patterns (mismatched From / Return-Path, suspicious Reply-To, long delivery delays, large hop counts). Headers are processed entirely in your browser.
- Gmail: open the email, click the three-dot menu, choose "Show original".
- Outlook (web): open the email, three-dot menu, "View message source".
- Apple Mail: menu View, "Message", "Raw Source".
- Thunderbird: Ctrl+U to open Source.
How to use
- 01Open the email in your mail client and find the "Show original" or "View source" option (instructions for Gmail, Outlook, Apple Mail, and Thunderbird are inside the tool).
- 02Copy the entire raw source and paste it into the textarea. The body is ignored; only headers are needed.
- 03Read the summary card for sender, recipient, subject, return path, and reply-to.
- 04Scan the findings panel: red items are hard fails, amber are warnings, green confirm pass.
- 05Inspect the delivery chain table to see each MTA the message passed through, the IP it came from, and the time delay vs the previous hop. Long delays often point to greylisting, queue backups, or a slow relay.
FAQ
Where do I find the raw email source?▼
In Gmail, open the message, click the three-dot menu, then "Show original". In Outlook for web: three dots, "View message source". Apple Mail: View > Message > Raw Source. Thunderbird: Ctrl+U.
Is anything sent over the network?▼
No. The textarea contents are parsed entirely in the browser using regular expressions. You can verify by opening DevTools Network tab while pasting and analyzing.
What does an SPF "softfail" mean?▼
The sending IP is not on the published list of authorized senders, but the domain owner asked receivers to accept the message anyway with a tag. Most modern receivers still deliver it but mark it. Softfail is weaker than hardfail (-all) and stronger than neutral (?all).
What is DKIM alignment?▼
DMARC requires the domain in the From header to align with either the SPF Return-Path domain or the DKIM signing domain. If neither aligns, DMARC fails even when SPF and DKIM individually pass. The Authentication-Results header records this verdict.
Why do legitimate mailing lists fail DMARC sometimes?▼
Mailing lists rewrite the From header to make replies go to the list, which breaks DMARC alignment. ARC (Authenticated Received Chain) was designed to fix this by letting an intermediate server vouch for the original auth state.
What does a high "delay" between hops mean?▼
The receiving MTA waited that long between accepting the message from the previous hop and stamping the next Received line. Short delays (under 5 seconds) are normal queue processing. Multi-minute delays usually indicate greylisting (deliberate temporary rejection then retry), queue backup under load, or a slow downstream filter.