Email headers contain critical information about the origin, routing, authentication, and delivery of every email message. Our free email header analyzer parses complex header data into a clear, visual format, showing hop-by-hop routing, authentication results (SPF, DKIM, DMARC), delivery delays, and potential security issues.
Comprehensive analysis powered by Vysiro's scanning engines
Complete header parsing and visualization
Hop-by-hop routing trace with timestamps
SPF, DKIM, and DMARC authentication results
Delivery delay identification between hops
Sender IP geolocation and reputation check
Header forgery detection
Received chain analysis
Message-ID and threading analysis
Get results in seconds with our automated scanning process
Copy the full email headers from your email client
Paste the headers into the analyzer text area
Our engine parses each header field and value
The routing path is reconstructed with timing data
Authentication results are extracted and validated
You get a visual trace with delay analysis and security checks
Everything you need to know about email header analyzer
In Gmail: Open the email, click the three dots menu, select 'Show original'. In Outlook: Open the email, click File > Properties, look at 'Internet headers'. In Apple Mail: View > Message > All Headers. Copy the entire header text and paste it into our analyzer.
Email headers contain the sender and recipient addresses, subject, date, message ID, routing path (Received headers), authentication results (SPF, DKIM, DMARC), the originating IP address, mail server information, and various processing flags.
Headers reveal the true origin of an email. Check the Received headers from bottom to top to trace the actual sending server. If the originating IP does not match the claimed sender's known mail servers, or if authentication (SPF/DKIM/DMARC) fails, the email may be spoofed.
Our analyzer shows the time spent at each hop in the delivery chain. Common causes of delay include greylisting, content filtering, DNS resolution issues, server overload, and network congestion. The hop with the longest delay is highlighted in the analysis.
These are authentication checks. SPF=pass means the sending server is authorized. DKIM=pass means the email signature is valid. DMARC=pass means the email passes domain policy. Any 'fail' result indicates a potential spoofing attempt or misconfiguration.
Some headers (like From, Subject) can be forged. However, Received headers added by intermediate servers are difficult to forge convincingly. Our analyzer identifies potentially forged headers by checking for inconsistencies in timestamps, IP addresses, and server names.
Continue your domain security analysis
Analyze DMARC records and email authentication policies instantly.
Use toolValidate SPF records, check DNS lookup limits, and resolve include chains.
Use toolCheck DKIM key existence, configuration, and selector validation.
Use toolCheck domain and IP reputation against DNS-based blacklists.
Use toolGet continuous monitoring, automated fixes, proof packs, and API access. Protect your domains with Vysiro's agentless attack-surface monitor.