Email Header Analyzer
Detect phishing, spoofing, SPF/DKIM failures, and trace delivery hops
Paste the raw headers from any suspicious email below. The analyzer will check for sender spoofing, authentication failures (SPF, DKIM, DMARC), mismatched reply-to addresses, and map the full delivery route — revealing where the email actually came from.
In Gmail: Open email → ⋮ menu → "Show original". In Outlook: File → Properties → Internet headers. Copy all header text and paste below.
Security Flags
Key Fields
Authentication Results
Email Delivery Path
What Is an Email Header?
Every email contains hidden metadata called headers — a log of every server the message passed through, who sent it, when, and how it was authenticated. While email clients hide this information by default, security professionals use raw headers to investigate phishing attacks, track spam, and verify sender authenticity.
What Does This Tool Check?
SPF (Sender Policy Framework) — Verifies that the sending server is authorised to send email on behalf of the domain in the From address. A fail means the email may be spoofed.
DKIM (DomainKeys Identified Mail) — A cryptographic signature that proves the email content was not altered in transit and the sender domain is legitimate.
DMARC — A policy layer on top of SPF and DKIM that tells receiving servers what to do when authentication fails. A DMARC fail is a strong phishing indicator.
Reply-To Mismatch — Phishing emails often use a legitimate-looking From address but redirect replies to a different attacker-controlled address.
Delivery Hops — Legitimate emails typically travel through 1–3 servers. Excessive hops or unusual geographies in the Received chain can indicate spam or phishing infrastructure.