Email Header Analyzer
Paste the full raw headers from any email to instantly trace its exact delivery route — every server hop, timestamp, and delay — and verify SPF, DKIM, and DMARC authentication status. Everything runs in your browser; no header data is ever sent to EpicTools servers.
How to Use the Email Header Analyzer
What is an Email Header Analyzer?
An email header analyzer is a tool that reads the invisible technical metadata embedded in every email message and translates it into a human-readable format. Raw email headers look like a wall of cryptic text, but they contain a complete forensic trail of everywhere your email traveled — from the sender's mail server all the way to your inbox. Our email header analyzer decodes that trail instantly, right in your browser.
How to copy your raw email headers
Every major email client lets you view raw headers. Here's where to find them:
- Gmail: Open the email → click the three-dot menu (⋮) → Show original. Copy everything from the top down to the blank line before the message body.
- Outlook (Web): Open the email → three-dot menu → View → View message source. Copy the header block at the top.
- Outlook (Desktop): Open the email → File → Properties. The "Internet headers" text box has your raw headers.
- Apple Mail: Open the email → View → Message → All Headers (keyboard shortcut ⌥⌘H).
- Thunderbird: Open the email → View → Headers → All, or press Ctrl+U for the full source.
Paste the copied text into the input box above and click Analyze Headers. The email header analyzer will instantly parse everything and display the results.
Understanding the Email Delivery Route
The delivery route is the most valuable output of any email header analyzer. It shows every server that handled your email in chronological order — from the original sender to your mailbox. Each stop is called a hop. The analyzer reads all Received: headers and assembles them into a timeline. For each hop you can see:
- From: The server that claimed to be sending at this hop, including its hostname and IP address.
- By: The server that received the message and added this Received: header.
- Via: The mail transfer protocol used at this hop (e.g. ESMTPS, ESMTP, HTTP).
- When: The exact timestamp the receiving server accepted the message.
- Delay: The time elapsed since the previous hop — color-coded green (fast), amber (slow), or red (very slow).
Normal email delivery completes in under a minute for well-configured servers. A large delay (shown in amber or red) usually indicates a spam filtering queue, a greylisting policy on the receiving server, or a misconfigured relay. Hops routing through unexpected countries or cloud regions can indicate a compromised relay or mail forwarding rule.
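The hop timeline described above can be rebuilt with a few lines of JavaScript. This is an added example, not the EpicTools implementation; the function name parseHops and the sample headers are assumptions made for illustration.

```javascript
// Added example. SAMPLE_ROUTE is constructed (documentation hostnames and IPs).
const SAMPLE_ROUTE = [
  'Received: from mx.example.net (mx.example.net [203.0.113.7])',
  '\tby inbound.example.org with ESMTPS id abc123;',
  '\tMon, 03 Mar 2025 10:00:42 +0000',
  'Received: from relay.example.com (relay.example.com [198.51.100.20])',
  '\tby mx.example.net with ESMTP id def456;',
  '\tMon, 03 Mar 2025 10:00:05 +0000',
  'Received: from [192.0.2.10] (client.example.com [192.0.2.10])',
  '\tby relay.example.com with ESMTPSA id ghi789;',
  '\tMon, 03 Mar 2025 05:00:02 -0500',
  'Subject: Quarterly report',
].join('\r\n');

function parseHops(rawHeaders) {
  // Unfold continuation lines (a line break followed by a space or tab).
  const lines = rawHeaders.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/);
  const hops = lines
    .filter((line) => /^Received:/i.test(line))
    .map((line) => {
      const value = line.slice(line.indexOf(':') + 1).trim();
      // The timestamp is whatever follows the last semicolon.
      const semi = value.lastIndexOf(';');
      const info = semi < 0 ? value : value.slice(0, semi);
      const when = semi < 0 ? null : new Date(value.slice(semi + 1).trim());
      const pick = (re) => (info.match(re) || [])[1] || null;
      return {
        from: pick(/\bfrom\s+(\S+)/i),
        ip: pick(/\[(?:IPv6:)?([0-9a-fA-F.:]+)\]/),
        by: pick(/\bby\s+(\S+)/i),
        via: pick(/\bwith\s+(\S+)/i),
        when: when && !Number.isNaN(when.getTime()) ? when : null,
      };
    })
    .reverse(); // each server prepends its header, so the oldest hop is last in the raw text
  // Delay = time since the previous hop; null when a timestamp is missing.
  hops.forEach((hop, i) => {
    const prev = i > 0 ? hops[i - 1].when : null;
    hop.delaySec = prev && hop.when ? Math.round((hop.when - prev) / 1000) : null;
  });
  return hops;
}

console.log(parseHops(SAMPLE_ROUTE).map((h) => `${h.from} -> ${h.by} via ${h.via} +${h.delaySec}s`));
```

Only Received: lines added by servers you trust are reliable, since a sender can insert forged ones below them. Clock skew between servers can also produce a negative delay.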
SPF, DKIM, and DMARC Authentication Explained
The email header analyzer extracts authentication results from the Authentication-Results: header that receiving mail servers add to every incoming message. Three standards together form the backbone of modern email security:
- SPF (Sender Policy Framework) — Verifies that the IP address of the sending server is authorized to send email on behalf of the envelope-from domain. The domain owner publishes a list of permitted IPs in a DNS TXT record. Pass means the sending IP was on that list. Fail or SoftFail means it was not, which can cause the email to be flagged as spam or rejected.
- DKIM (DomainKeys Identified Mail) — Uses a cryptographic signature added to the email by the originating server. The receiving server retrieves the public key from DNS and validates the signature. Pass proves the message was not altered in transit and came from a server authorized by the signing domain.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — Ties SPF and DKIM together by checking that at least one passes and that the authenticated domain aligns with the domain in the visible From: header. Pass is the strongest indicator of a legitimate sender. Fail means both SPF and DKIM failed alignment — a strong signal of a forged or spoofed email.
Phishing & Spoofing Red Flags
A good email header analyzer does more than show routing — it also surfaces signs of potential phishing. Watch for these warnings in the Key Headers section:
- ⚠ From / Reply-To mismatch: If the From: domain and the Reply-To: domain differ, replies will go to a different address than the displayed sender — a classic phishing trick.
- ⚠ From / Return-Path mismatch: The Return-Path: is the actual envelope sender. If it differs from the From: domain, the sender may be spoofing a trusted domain.
- DMARC fail with a plausible From address: An email that appears to be from a major brand but fails DMARC is almost certainly a phishing attempt.
- Unusual hop count: Legitimate emails rarely need more than 4–5 hops. A long chain of unknown relays is suspicious.
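The authentication summary and the red-flag checks listed above can be combined in one pass over the headers. This is an added example, not the EpicTools code; analyze, addrDomain, related and the sample message are assumptions, and the domain comparison is a simplification of real DMARC alignment.

```javascript
// Added example. SAMPLE_AUTH is constructed (reserved .example domains).
const SAMPLE_AUTH = [
  'Authentication-Results: mx.example.org;',
  ' spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce.mailer.example;',
  ' dkim=pass header.d=mailer.example;',
  ' dmarc=fail header.from=bank.example',
  'Return-Path: <bounce@bounce.mailer.example>',
  'From: "Bank Support" <support@bank.example>',
  'Reply-To: helpdesk@other.example',
].join('\r\n');

function headerMap(raw) {
  const map = {};
  // Unfold continuation lines, then group values by lowercased header name.
  for (const line of raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) {
      const name = line.slice(0, i).toLowerCase();
      (map[name] = map[name] || []).push(line.slice(i + 1).trim());
    }
  }
  return map;
}

// Domain of the address; prefer <addr> so an "@" inside a display name is ignored.
function addrDomain(value) {
  const v = value || '';
  const m = v.match(/<[^<>]*@([^<>\s]+)>\s*$/) || v.match(/@([A-Za-z0-9.-]+)/);
  return m ? m[1].toLowerCase() : null;
}

// Simplification: parent/subdomain count as related; real DMARC uses the Public Suffix List.
const related = (a, b) => a === b || a.endsWith('.' + b) || b.endsWith('.' + a);

function analyze(raw) {
  const h = headerMap(raw);
  const first = (name) => (h[name] || [])[0] || '';
  const auth = {};
  // Topmost Authentication-Results only; drop (comments) and skip the authserv-id.
  const parts = first('authentication-results').replace(/\([^()]*\)/g, '').split(';');
  for (const p of parts.slice(1)) {
    const m = p.trim().match(/^(spf|dkim|dmarc)\s*=\s*(\w+)/i);
    if (m && !(m[1].toLowerCase() in auth)) auth[m[1].toLowerCase()] = m[2].toLowerCase();
  }
  const from = addrDomain(first('from'));
  const flags = [];
  for (const name of ['reply-to', 'return-path']) {
    const d = addrDomain(first(name));
    if (from && d && !related(from, d)) flags.push('from/' + name + ' mismatch');
  }
  if (auth.dmarc === 'fail') flags.push('dmarc fail');
  if ((h.received || []).length > 5) flags.push('unusual hop count');
  return { auth, from, flags };
}
```

In the sample, SPF and DKIM both pass for mailer.example, yet DMARC fails because neither domain aligns with the visible From: domain. A Return-Path mismatch on its own is common with legitimate bulk-mail services that use their own bounce domain, so weigh it together with the DMARC result.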
Privacy & Security
The email header analyzer runs entirely in your browser using JavaScript. Your raw headers are never transmitted to EpicTools servers or any third party. You can safely analyze headers from sensitive, confidential, or corporate emails.