Free tool
Email Header Analyzer
Paste raw email headers to decode the real delivery path: every server hop and delay, the originating IP, and the SPF / DKIM / DMARC results, then surface the From vs Return-Path mismatches that signal spoofing.
Parsing runs entirely in your browser. Headers are never uploaded or stored.
Reading a header trace
Each mail server that handles a message adds its own Received: header at the top, so the most recent server appears first. The analyzer reverses the Received: chain into chronological order and computes the delay between hops. Unusually long gaps can indicate a message that was queued, relayed through suspicious infrastructure, or back-dated.
The three badges summarize the Authentication-Results header:
- SPF — did the sending IP have permission to send for the envelope domain?
- DKIM — was the message cryptographically signed and unmodified in transit?
- DMARC — does the authenticated identity align with the visible From: domain, under the domain owner's policy?
What this catches
The highest-value signal for phishing triage is a From / Return-Path mismatch paired with an SPF or DMARC failure — a message wearing a trusted brand's From: address that the brand never authorized. To fix this on your own domain so attackers can't spoof it, use the DMARC, SPF, and DKIM checkers, then publish records with the DMARC generator.
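The same triage, sketched offline with Python's standard library. This is an added example, not the analyzer's own code; the sample headers, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers (not a real message); the newest Received: is first.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.recipient.example with ESMTP; Tue, 05 Mar 2024 10:47:30 +0000
Received: from origin.example.net (origin.example.net [203.0.113.9])
 by relay.example.net with ESMTP; Tue, 05 Mar 2024 10:02:10 +0000
From: "Example Bank" <alerts@bank.example>
Subject: Account notice

"""

def domain(value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def hops(msg):
    """Received: chain in chronological order with per-hop delay in seconds."""
    out, prev = [], None
    for raw in reversed(msg.get_all("Received", [])):
        # Unfold the header, then split off the timestamp after the last ';'.
        info, _, stamp = " ".join(raw.split()).rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # hop without a parseable timestamp
        # A negative delay means clock skew or a forged/back-dated hop.
        delay = int((when - prev).total_seconds()) if prev else 0
        out.append({"hop": info, "time": when, "delay_s": delay})
        prev = when
    return out

def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header(s)."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)
    return {method.lower(): result.lower() for method, result in found}

def triage(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    # Exact-domain comparison; DMARC relaxed alignment uses organizational domains.
    mismatch = domain(msg["From"]) != domain(msg["Return-Path"])
    failed = "fail" in (auth.get("spf"), auth.get("dmarc"))
    return {"hops": hops(msg), "auth": auth, "mismatch": mismatch,
            "spoof_signal": mismatch and failed}
```

Only trust an Authentication-Results header stamped by your own receiving server; a sender can include a forged one further down the header block.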
Frequently asked questions
What do email headers tell you?
Headers record a message's full journey: every mail server that handled it (the Received chain), the time at each hop, the originating IP, and the results of SPF, DKIM, and DMARC authentication. Together they reveal whether a message really came from where it claims, the core question in any phishing investigation.
How do I get the raw headers of an email?
In Gmail, open the message → ⋮ menu → 'Show original'. In Outlook, open the message → File → Properties → 'Internet headers'. In Apple Mail, View → Message → 'All Headers' (or Raw Source). Copy everything and paste it into the analyzer.
What does it mean if SPF or DMARC says FAIL?
An SPF fail means the server that sent the message isn't authorized to send for the envelope domain. A DMARC fail means the message isn't aligned and authorized to use the From: domain a recipient sees, a strong spoofing signal. Legitimate mail from a well-configured domain should pass both.
Why does the From domain differ from the Return-Path?
The Return-Path (envelope sender) can legitimately differ from the visible From — for example when a marketing platform sends on a brand's behalf with proper alignment. But a mismatch combined with an SPF or DMARC failure is a classic sign of a spoofed or forged message.
Is it safe to paste headers here?
Yes. The analyzer parses everything locally in your browser. Headers are never uploaded, logged, or stored. That said, raw headers can contain your own email address and internal hostnames, so treat the output as you would any sensitive log.
