Email Header Analyzer
Analyze email headers to trace sender location, detect spam, verify authenticity, and check email security. Identify spoofed emails, trace routing path, and understand email authentication.
Uncover the Hidden Truth Behind Every Email
Every email you receive contains hidden technical information that reveals its true origin, authenticity, and journey through the internet. While scammers can easily fake the "From" address you see, they cannot fake the email headers—the detailed routing information that shows exactly where an email really came from and whether it passed security checks. This hidden information is your key to spotting fake emails, phishing attempts, and spam.
Our Email Header Analyzer decodes this technical information into easy-to-understand results. Paste any email header and instantly see the sender's real IP address and location, the complete path the email took through mail servers, whether the email passed authentication checks (SPF, DKIM, DMARC), spam indicators and red flags, and whether someone is trying to impersonate a trusted sender. Protect yourself from scams by verifying every suspicious email in seconds.
How to Analyze Email Headers
Get the Email Headers
Open the suspicious email in your email service. Look for the "Show Original," "View Source," or "Message Details" option (usually in a menu or under More options). Copy all the technical text that appears—this is the email header.
Paste Headers into Analyzer
Paste the complete email header text into our analyzer. Don't worry if it looks confusing—the tool will organize and explain everything. Make sure to paste the entire header for complete analysis.
Review the Analysis Results
See organized information including sender IP location, routing path showing each server the email passed through, authentication results (whether security checks passed), spam indicators and warnings, and a verdict on whether the email appears legitimate or suspicious.
Make an Informed Decision
Use the analysis to decide if the email is safe. Red flags like failed authentication, mismatched locations, or spam indicators mean you should delete the email or report it as spam. Verified emails with passing checks are likely legitimate.
Powerful Email Security Analysis
Trace Sender Location
Extract IP addresses from headers and identify the approximate geographic location of the sending server. See city and country instantly.
Authentication Verification
Check SPF, DKIM, and DMARC authentication results. Passed checks mean legitimate email; failed checks indicate potential fraud.
Spam Detection
Identify spam indicators including suspicious headers, forged information, unusual routing, and known spam patterns in the email path.
Routing Path Visualization
See the complete journey of the email through all mail servers from sender to your inbox. Identify unusual or suspicious routes.
Spoofing Detection
Identify when someone is pretending to be another sender. Compare displayed sender with actual sending server information.
Timestamp Analysis
Review when the email was sent and received at each server. Detect timing anomalies that may indicate tampering or delays.
How to Find Email Headers in Popular Email Services
| Email Service | How to View Headers | Menu Location |
|---|---|---|
| Gmail (Web) | Open email → Click three dots (⋮) → Show original | Top right of email |
| Outlook (Web) | Open email → Click three dots (···) → View → View message details | Top of email |
| Outlook (Desktop) | Open email → File → Properties → Copy from "Internet headers" box | File menu |
| Yahoo Mail | Open email → More (···) → View raw message | Right side of email |
| Apple Mail | Select email → View → Message → Raw Source | Menu bar at top |
| Thunderbird | Open email → View → Message Source (or Ctrl+U) | View menu or keyboard shortcut |
| ProtonMail | Open email → Three dots → View headers | Top right of email |
| iCloud Mail | Open email → View (flag icon) → Show All Headers | Bottom of email |
Tip: Look for options labeled "Show Original," "View Source," "Message Details," "Raw Message," or "View Headers." Copy ALL the text that appears—partial headers give incomplete analysis.
When to Analyze Email Headers
Detecting Phishing Emails
- Verify emails claiming to be from your bank
- Check government agency emails for authenticity
- Identify fake PayPal or payment notifications
- Spot fraudulent package delivery emails
- Verify password reset requests are legitimate
Identifying Email Spoofing
- Check if boss/CEO email is actually from them
- Verify emails from company executives
- Detect impersonation of colleagues or vendors
- Identify fake customer support emails
- Spot forged sender addresses
Spam Investigation
- Determine why emails go to spam folder
- Check if marketing emails are legitimate
- Identify sources of unwanted emails
- Report spam with evidence to authorities
- Block specific servers sending spam
Email Troubleshooting
- Track delivery delays and routing problems
- Identify why emails bounce back
- Debug email delivery issues
- Verify emails reached the right server
- Check email client and server information
Understanding Email Authentication (SPF, DKIM, DMARC)
Email authentication methods prove that an email genuinely comes from who it claims to be. These security measures prevent scammers from pretending to be banks, companies, or trusted senders. Understanding these checks helps you identify legitimate vs. fraudulent emails.
SPF (Sender Policy Framework)
SPF lets domain owners list which mail servers are authorized to send email on their behalf. When an email arrives, receiving servers check if it came from an authorized server.
- SPF Pass: Email came from an authorized server for that domain—good sign of legitimacy
- SPF Fail: Email came from unauthorized server—major red flag, likely spoofed or spam
- SPF Neutral/Softfail: Domain doesn't use SPF or has permissive settings—cannot confirm authenticity
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to emails, proving they weren't altered during transit and came from the claimed sender's server.
- DKIM Pass: Email has valid signature, content unchanged—strong authenticity indicator
- DKIM Fail: Signature invalid or missing—email may be forged or tampered with
- DKIM Neutral: Domain doesn't use DKIM signatures—common but provides no verification
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC combines SPF and DKIM, and tells receiving servers what to do when checks fail (reject, quarantine, or allow).
- DMARC Pass: Email passed SPF or DKIM and domain alignment—highly trustworthy
- DMARC Fail: Neither SPF nor DKIM passed with domain alignment—very suspicious, likely fake email
- DMARC None: Domain doesn't use DMARC policy—provides no protection guidance
What Results Mean for You
All Checks Pass: Email is very likely legitimate. The sender is who they claim to be.
One or More Checks Fail: Be cautious. Email may be spoofed. Verify through another channel before taking action.
No Authentication: Neutral—some legitimate senders don't use these, but scammers exploit this. Check other indicators.
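How these three results can be read out of a raw header, as an added example (not this tool's own code): receiving servers record their SPF, DKIM and DMARC verdicts in an Authentication-Results header, and the sketch below parses one and compares the authenticated domains with the visible From domain. The function names, the sample header and the `trustedId` parameter are assumptions made for illustration; only a header stamped by your own receiving server counts, since a sender can insert a forged copy.

```javascript
// Constructed sample: the Authentication-Results value added by the receiving server
// (folded across lines as it appears in raw headers). All domains are placeholders.
const SAMPLE_AR = [
  'mx.receiver.example;',
  ' spf=pass smtp.mailfrom=bounce@mailer.example;',
  ' dkim=pass header.d=mailer.example header.s=s1;',
  ' dmarc=fail (p=REJECT) header.from=bank.example',
].join('\r\n');

// Split the value into the authserv-id and one entry per "method=result" clause.
function parseAuthResults(value) {
  const flat = value
    .replace(/\r?\n[ \t]+/g, ' ')   // unfold continuation lines
    .replace(/\([^)]*\)/g, ' ');    // drop (comments); nested comments are not handled
  const [authservId = '', ...clauses] = flat.split(';').map(s => s.trim()).filter(Boolean);
  const results = [];
  for (const clause of clauses) {
    const head = clause.match(/^([\w-]+)\s*=\s*(\w+)/);
    if (!head) continue;            // e.g. a bare "none" clause
    const props = {};
    for (const [, key, val] of clause.slice(head[0].length).matchAll(/([\w.-]+)=(\S+)/g)) {
      props[key.toLowerCase()] = val.toLowerCase();
    }
    results.push({ method: head[1].toLowerCase(), result: head[2].toLowerCase(), props });
  }
  return { authservId: authservId.toLowerCase(), results };
}

// Judge the visible From domain against what the trusted receiver verified.
// Alignment is approximated as "same domain or parent/child"; real DMARC relaxed
// alignment compares organizational domains and needs the Public Suffix List.
function assess(fromDomain, parsed, trustedId) {
  const from = fromDomain.toLowerCase();
  const aligned = d => d === from || d.endsWith('.' + from) || from.endsWith('.' + d);
  const passedFor = (method, prop) => parsed.results
    .filter(r => r.method === method && r.result === 'pass')
    .map(r => (r.props[prop] || '').split('@').pop());
  const spfAligned = passedFor('spf', 'smtp.mailfrom').some(aligned);
  const dkimAligned = passedFor('dkim', 'header.d').some(aligned);
  const dmarc = (parsed.results.find(r => r.method === 'dmarc') || { result: 'none' }).result;
  const trusted = parsed.authservId === trustedId;
  // A result header written by anyone other than your own receiver proves nothing.
  const suspicious = !trusted || dmarc === 'fail' || !(spfAligned || dkimAligned);
  return { trusted, spfAligned, dkimAligned, dmarc, suspicious };
}

console.log(assess('bank.example', parseAuthResults(SAMPLE_AR), 'mx.receiver.example'));
```

In the sample, SPF and DKIM both pass, but for mailer.example rather than the bank.example domain shown in From, which is why DMARC fails and the message is flagged.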
Email Security Best Practices
Verify Before Clicking Links
Never click links in suspicious emails, even if they look official. Analyze headers first. If you're unsure, go directly to the company's website by typing the URL yourself, not clicking the email link.
Check Mismatched Information
Compare the "From" address with the sending server location. An email claiming to be from your local bank but sent from another country is a huge red flag indicating fraud.
Look for Multiple Red Flags
One failed check might be a technical issue. Multiple failures (failed SPF + failed DKIM + suspicious IP location) almost certainly means a scam. Trust your analysis results.
Verify Urgent Requests Separately
Scammers create urgency ("Your account will be closed!" "Act now!"). If an email claims urgency, analyze the headers, then contact the company through official channels to verify.
Report Confirmed Phishing
After confirming an email is fraudulent through header analysis, report it to your email provider, the impersonated company, and relevant authorities. Help protect others from the same scam.
Educate Family and Colleagues
Share this tool with others who receive suspicious emails. Elderly family members and non-technical colleagues are often targeted. Show them how to verify emails before responding.
Red Flags in Email Headers
Our analyzer automatically checks for these warning signs, but understanding them helps you spot suspicious emails faster:
Major Warning Signs
- Failed Authentication: SPF, DKIM, or DMARC failures indicate the email may be forged
- Mismatched Sender Info: "From" address doesn't match actual sending server domain
- Suspicious IP Location: Email claims to be from local business but sent from foreign country
- Multiple Server Hops: Excessive routing through many countries suggests spam infrastructure
- Generic Greetings: Real companies use your name; scammers use "Dear Customer" or "Dear Sir/Madam"
- Urgent Language: Threats of account closure, suspicious activity, or immediate action required
Technical Red Flags
- Missing or Invalid Message-ID: Legitimate servers include unique message identifiers
- Unusual Time Stamps: Send/receive times that don't make sense or show wrong time zones
- Suspicious Return-Path: Reply address completely different from displayed sender
- No Reverse DNS: Legitimate mail servers have proper reverse DNS records
- Spam Score Present: Some headers include spam scores—high scores indicate known spam
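The routing and timestamp checks above, as an added example (not this tool's own code): it reads the Received lines, orders them oldest first, computes the delay at each hop, and reports the connecting IP recorded at the point where your own provider took over. The `traceHops` name, the `trustedSuffix` parameter and the sample headers are assumptions; Received lines older than that handoff were written by servers outside your provider and are counted as unverified.

```javascript
// Constructed sample headers (newest Received line first, as in a real message).
// Hosts use .example names and documentation IP ranges.
const SAMPLE = [
  'Received: from mx1.inbox.example (mx1.inbox.example [192.0.2.10])',
  '\tby store.inbox.example with ESMTPS id a1; Tue, 05 Mar 2024 10:00:07 +0000',
  'Received: from relay.sender.example (unknown [203.0.113.45])',
  '\tby mx1.inbox.example with ESMTPS id b2; Tue, 05 Mar 2024 10:00:05 +0000',
  'Received: from mail.bank.example ([198.51.100.7])',
  '\tby relay.sender.example with SMTP id c3; Tue, 05 Mar 2024 11:30:00 +0000',
].join('\r\n');

// trustedSuffix: domain suffix of your own provider's mail hosts, with leading dot.
function traceHops(raw, trustedSuffix) {
  const lines = raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/);  // unfold, one header per line
  const hops = lines
    .filter(l => /^received:/i.test(l))
    .map(l => {
      const semi = l.lastIndexOf(';');                            // date follows the last ';'
      const by = ((l.match(/\sby\s+([^\s;]+)/i) || [])[1] || '').toLowerCase();
      return {
        from: (l.match(/^received:\s*from\s+([^\s;]+)/i) || [])[1] || '',
        by,
        ip: (l.match(/\[(?:IPv6:)?([0-9a-f:.]+)\]/i) || [])[1] || null,
        time: semi < 0 ? NaN : Date.parse(l.slice(semi + 1).trim()),
        trusted: by.endsWith(trustedSuffix),
      };
    })
    .reverse();                                                   // oldest hop first

  const anomalies = [];
  hops.forEach((hop, i) => {
    hop.delaySec = i === 0 ? 0 : (hop.time - hops[i - 1].time) / 1000;
    if (Number.isNaN(hop.delaySec)) anomalies.push(`hop ${i}: unparseable date`);
    else if (hop.delaySec < 0) anomalies.push(`hop ${i}: received ${-hop.delaySec}s before previous hop`);
  });

  // Walk back from the newest hop while the recording server is ours; the oldest
  // hop in that run is the handoff, and its IP is the address that connected to us.
  let i = hops.length - 1, handoff = null;
  while (i >= 0 && hops[i].trusted) handoff = hops[i--];
  return { hops, handoffIp: handoff && handoff.ip, unverifiedHops: i + 1, anomalies };
}

console.log(traceHops(SAMPLE, '.inbox.example'));
```

For the sample, the handoff IP is 203.0.113.45, one older hop is unverified, and that hop's timestamp is later than the one after it, which is the kind of timing anomaly the list describes.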
Content Red Flags (Not in Headers)
While not in headers, watch for these in email content:
- Requests for passwords, credit card numbers, or personal information
- Links that look official but have misspellings or odd domains
- Attachments you didn't expect, especially .exe, .zip, or .scr files
- Poor grammar, spelling errors, or awkward phrasing
- Offers that are too good to be true
Real-World Email Scam Examples
Understanding common scam scenarios helps you recognize them before they cause harm. Here are frequent phishing and spoofing attempts that header analysis can detect:
Example 1: Fake Bank Email
What You See: Email appears to be from your bank with their logo. Subject: "Unusual Activity Detected - Verify Now!" Claims someone accessed your account from China.
Header Analysis Reveals: SPF and DKIM both failed. Sending IP is from Russia, not your bank's servers. Return-path shows completely different domain. This is a phishing attempt to steal your login credentials.
Example 2: CEO Impersonation (Business Email Compromise)
What You See: Email from your CEO asking you to urgently wire money or send gift cards. Seems to come from CEO's email address.
Header Analysis Reveals: Email sent from free webmail service (Gmail, Yahoo) not company mail server. Authentication checks failed. IP location shows another country. Scammer spoofed the display name but couldn't fake the technical details.
Example 3: Fake Package Delivery
What You See: Email from "FedEx" or "DHL" saying package can't be delivered. Asks you to click link to reschedule or pay customs fees.
Header Analysis Reveals: Not sent from official delivery company servers. Domain looks similar but isn't exact (fedex-delivery.com instead of fedex.com). Failed authentication. Clicking link would install malware or steal payment information.
Example 4: Tax/Government Scam
What You See: Email claiming to be from IRS, tax authority, or government agency. Says you owe money or are getting a refund—click link to claim/pay.
Header Analysis Reveals: Government agencies rarely email citizens directly. Email shows completely unrelated server location. No proper authentication. Real government communications come by mail, and legitimate email communications pass authentication checks.
Privacy and Security of Email Header Analysis
We understand that email headers can contain sensitive information. Here's how we protect your privacy:
Complete Browser-Based Processing
All email header analysis happens entirely in your web browser. When you paste headers into our tool:
- Headers are never uploaded to our servers
- No data is stored, saved, or transmitted anywhere
- Analysis completes on your device using your computer's processing power
- Close the browser tab and all data is immediately erased
- No login required means no tracking of which emails you analyze
What Information Headers Contain
Email headers include technical routing information but not the email message content. Headers show:
- Email addresses (sender and recipient)
- IP addresses of mail servers
- Server names and routing path
- Timestamps and technical identifiers
- Subject line (but not email body content)
Safe to Use for Sensitive Emails
Because processing is local and nothing is stored, you can safely analyze headers from:
- Work emails and business correspondence
- Banking and financial institution emails
- Medical and healthcare communications
- Legal and attorney-client emails
- Any confidential or private email
How to Report Phishing and Scam Emails
After confirming an email is fraudulent through header analysis, reporting it helps protect others and can lead to the shutdown of scam operations.
Report to Your Email Provider
- Gmail: Click Report spam or Report phishing in the email menu
- Outlook/Hotmail: Click Report → Phishing or Report junk
- Yahoo Mail: Click More → Report spam or Phishing
- Apple Mail: Message → Report Junk or Move to Junk
Report to Authorities
- United States: Forward to reportphishing@apwg.org (Anti-Phishing Working Group) and spam@uce.gov (FTC)
- United Kingdom: Forward to report@phishing.gov.uk (National Cyber Security Centre)
- European Union: Report to your country's national cybercrime reporting center
- Australia: Report to ReportCyber (www.cyber.gov.au/report)
- Canada: Report to Canadian Anti-Fraud Centre (antifraudcentre-centreantifraude.ca)
Report to Impersonated Company
If scammers impersonated a real company (bank, retailer, delivery service):
- Forward the email to the company's official security or phishing email address
- Most companies have addresses like phishing@company.com or abuse@company.com
- Include the full email with headers so they can investigate
- Companies want to know about impersonation to protect their brand and customers