Free Email Header Analyser
Paste raw message headers below to instantly trace the delivery route, verify SPF, DKIM and DMARC authentication, measure hop-by-hop delays, and surface security warnings. Everything runs in your browser - no data is sent to any server.
What are email headers?
Every email carries a set of headers that act like a postmark on a letter. They record the full journey the message took from the sender's outbox to your inbox, including every server it passed through, the timestamps at each hop, and the results of authentication checks performed along the way.
Most email clients hide these headers behind a "Show Original" or "View Source" option. Once you copy them, this tool will parse and display them in a structured, easy-to-read format.
What does this analyser check?
- Message route (Received headers) - every server hop the email passed through, displayed in chronological order with delay calculations between each hop.
- SPF authentication - whether the sending server was authorised by the domain's SPF record.
- DKIM authentication - whether the message carried a valid cryptographic signature from the sending domain.
- DMARC evaluation - whether the message passed DMARC, which requires either SPF or DKIM to pass with alignment to the From domain.
- TLS encryption - which hops used encrypted transport (ESMTPS/STARTTLS) and which transmitted in the clear.
- Security warnings - authentication failures, From/Return-Path mismatches, unencrypted hops, excessive delays, and internal IP leaks.
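The route, delay, TLS and internal-IP checks listed above can be sketched in a few lines of JavaScript. This is an added example, not the analyser's own code; the sample headers are constructed, and the function names (`receivedValues`, `traceRoute`, `routeWarnings`) are hypothetical.

```javascript
// Constructed sample (not a real message). Newest hop is first: servers prepend.
const SAMPLE = [
  'Received: from mx.example.net (mx.example.net [203.0.113.7])',
  '\tby inbound.example.org with ESMTPS id abc123;',
  '\tTue, 02 Jan 2024 10:00:42 +0000',
  'Received: from relay.example.com (relay.example.com [198.51.100.25])',
  '\tby mx.example.net with ESMTP id def456;',
  '\tTue, 02 Jan 2024 11:00:05 +0100',
  'Received: from laptop (unknown [192.168.1.20])',
  '\tby relay.example.com with ESMTPSA id ghi789;',
  '\tTue, 02 Jan 2024 05:00:01 -0500',
].join('\r\n');

// Unfold continuation lines, then return the value of every Received header.
function receivedValues(raw) {
  return raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)
    .filter(line => /^received:/i.test(line))
    .map(line => line.slice(line.indexOf(':') + 1).trim());
}

const first = (re, s) => (re.exec(s) || [])[1] || null;
const PRIVATE_IP = /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
// "with" keywords ending in S or SA (ESMTPS, ESMTPSA, LMTPS, ...) mean TLS was used.
const TLS_PROTO = /^(UTF8)?(ESMTP|LMTP|SMTP)SA?$/i;

function traceRoute(raw) {
  const hops = receivedValues(raw).map(v => {
    const ip = first(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/, v);
    return {
      from: first(/\bfrom\s+(\S+)/i, v),
      by: first(/\bby\s+(\S+)/i, v),
      tls: TLS_PROTO.test(first(/\bwith\s+(\S+)/i, v) || ''),
      internalIp: ip !== null && PRIVATE_IP.test(ip),
      time: Date.parse(v.slice(v.lastIndexOf(';') + 1).trim()), // date follows last ';'
    };
  }).reverse(); // oldest hop first
  // Delay = this hop's timestamp minus the previous hop's (offsets normalised to UTC).
  hops.forEach((h, i) => { h.delaySec = i ? Math.round((h.time - hops[i - 1].time) / 1000) : 0; });
  return hops;
}

// Two of the warnings the page lists: cleartext hops and internal IP leaks.
function routeWarnings(hops) {
  return hops.flatMap(h => [
    ...(h.tls ? [] : [`unencrypted hop: ${h.from} -> ${h.by}`]),
    ...(h.internalIp ? [`internal IP exposed by ${h.from}`] : []),
  ]);
}
```

Each timestamp comes from a different server's clock, so small or even negative delays usually reflect clock skew rather than a routing problem.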
How to find email headers
- Gmail - Open the message, click the three-dot menu, select "Show original".
- Outlook (web) - Open the message, click the three-dot menu, select "View > View message source".
- Apple Mail - Open the message, go to View > Message > All Headers.
- Thunderbird - Open the message, go to View > Message Source (Ctrl+U).
Privacy and security
Email headers can contain internal hostnames, IP addresses, and infrastructure details. This tool parses everything directly in your browser using JavaScript. No headers are uploaded, stored, or transmitted. You can verify this by inspecting network traffic in your browser's developer tools while using the analyser.
Frequently Asked Questions
What does SPF fail mean in my headers?
An SPF fail (spf=fail or spf=softfail) means the sending server's IP address was not listed in your domain's SPF record. A softfail (~all) means the message was allowed through but flagged. A hard fail (-all) means the server was explicitly not authorised. If this is legitimate mail, your SPF record may be missing an include for that sending service. Use our DMARC & SPF Checker to audit your SPF record.
What does DMARC fail mean?
DMARC fail (dmarc=fail) means the message failed both SPF alignment and DKIM alignment checks. DMARC requires at least one of them to pass with the From domain aligned. If you are investigating a legitimate email that failed, check whether the sending service has DKIM signing configured and whether the SPF Return-Path aligns with your From domain.
Why does my email show so many hops?
Each hop is a server that received and forwarded the message. A typical email passes through 2-4 servers: the sender's outgoing mail server, possibly a relay or filtering service, and the recipient's incoming mail server. More hops are normal when using third-party email security gateways (Proofpoint, Mimecast, Barracuda). Excessive hops (6+) can indicate misconfiguration or mail routing issues.
What is a normal hop delay?
Most hops should take under 5 seconds. The total delivery time for a normal email is under 30 seconds. Delays of several minutes at a single hop usually indicate a receiving server under load, greylisting (a spam mitigation technique that temporarily rejects new senders), or a DNS resolution problem. Delays of hours suggest a mail queue backup or misconfigured relay.
Why does the From address not match the Return-Path?
The From address is what you see in your email client. The Return-Path (envelope sender) is where bounce messages are sent and is what SPF checks against. It is normal for these to differ when using a third-party sending service — for example, a marketing platform may send from your branded From address while using their own Return-Path domain. DMARC alignment determines whether this is acceptable.
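The alignment rule from the DMARC answer above and from this one, worked through on the third-party sender case. This is an added example, not the analyser's own code: the header values are constructed, the function names are hypothetical, and it goes slightly beyond the page by showing both relaxed and strict alignment. The organisational domain is approximated as the last two labels, which is an assumption; real evaluators use the Public Suffix List.

```javascript
// Constructed sample: a marketing platform uses its own Return-Path domain
// but DKIM-signs with the customer's domain.
const SAMPLE_HEADERS = {
  from: 'Shop News <news@shop.example.com>',
  authResults: 'mx.example.org; spf=pass smtp.mailfrom=bounce@esp-mail.example.net;' +
    ' dkim=pass header.d=example.com header.s=s1; dkim=fail header.d=esp-mail.example.net',
};

const domainOf = addr => addr.replace(/^.*@/, '').replace(/[>\s].*$/, '').toLowerCase();
// Assumption: last two labels stand in for the organisational domain (wrong for e.g. co.uk).
const orgDomain = d => d.split('.').slice(-2).join('.');

// Split an Authentication-Results value into { method, result, props } entries.
function parseAuthResults(value) {
  return value.split(';').slice(1).map(part => {
    const m = /^\s*(\w+)=(\w+)/.exec(part);
    if (!m) return null;
    const props = {};
    for (const [, k, v] of part.matchAll(/\b([\w.]+)=(\S+)/g)) props[k] = v;
    return { method: m[1].toLowerCase(), result: m[2].toLowerCase(), props };
  }).filter(Boolean);
}

// DMARC passes if SPF or DKIM passes AND that identifier aligns with the From domain.
function dmarcAlignment(h, mode = 'relaxed') {
  const fromDomain = domainOf(h.from);
  const aligned = d =>
    mode === 'strict' ? d === fromDomain : orgDomain(d) === orgDomain(fromDomain);
  const results = parseAuthResults(h.authResults);
  const spfAligned = results.some(r => r.method === 'spf' && r.result === 'pass' &&
    Boolean(r.props['smtp.mailfrom']) && aligned(domainOf(r.props['smtp.mailfrom'])));
  const dkimAligned = results.some(r => r.method === 'dkim' && r.result === 'pass' &&
    Boolean(r.props['header.d']) && aligned(r.props['header.d'].toLowerCase()));
  return { fromDomain, spfAligned, dkimAligned, dmarc: spfAligned || dkimAligned ? 'pass' : 'fail' };
}
```

With the sample, SPF passes but is not aligned, and the aligned DKIM signature is what carries DMARC under relaxed alignment; under strict alignment the same message fails.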
Can I use this to investigate phishing emails?
Yes. Paste the headers from a suspicious email to see the actual sending server IP, the true origin of the message, and whether authentication passed or failed. A legitimate email from your bank should show DKIM pass with the bank's domain and a clean delivery route. SPF fail, DMARC fail, or an unusual originating IP are strong indicators of spoofing.
Related Tools
- DMARC & SPF Checker - check any domain's DMARC and SPF records
- DKIM Record Generator - generate DKIM DNS records
- DMARC Record Generator - build a DMARC policy for your domain
- Security Grade - comprehensive domain security audit