EmailAudit.io

Email Header Analyzer

Paste raw email headers to decode authentication results, trace the message route, and flag suspicious patterns.

How to find your email headers

Gmail

Open the email → click the ⋮ (three-dot) menu → Show original → copy all the text at the top before the message body.

Outlook

Open the email → click File → Properties → copy the text from the Internet headers box.

Apple Mail

Open the email → View menu → Message → All Headers → select all and copy.

Frequently Asked Questions

What are email headers and why should I analyse them?

Email headers are metadata attached to every email that record how the message was sent, routed, and authenticated. They contain SPF, DKIM, and DMARC authentication results, the IP addresses of every server that handled the message, timestamps for each routing hop, and fields like From, Reply-To, and Return-Path. Analysing headers lets you verify whether an email is legitimate, detect spoofing or phishing attempts, and diagnose delivery problems.

How do I find email headers in Gmail, Outlook, or Apple Mail?

In Gmail: open the email, click the three-dot menu, choose Show original, and copy the text at the top. In Outlook: open the email, go to File → Properties, and copy from the Internet headers field. In Apple Mail: open the email, go to View → Message → All Headers, then select all and copy. Paste the copied text into this tool.

What does it mean if SPF or DKIM failed in the headers?

SPF fail means the sending server was not authorised to send email for the domain listed in the message. DKIM fail means the cryptographic signature on the message could not be verified — either the message was modified in transit or the signing key is misconfigured. Either failure is a significant red flag, especially combined with a DMARC fail result. Legitimate senders should consistently pass SPF and DKIM.

What is a suspicious Reply-To or Return-Path mismatch?

The From header shows who sent the email. Reply-To controls where replies go. Return-Path controls where bounces go. When the domain in Reply-To or Return-Path differs from the From domain, it means replies or bounces go to a completely different organisation — a technique commonly used in phishing and business email compromise (BEC) attacks. This tool flags these mismatches automatically.

What is a routing hop in email headers?

Every server that handles an email adds a Received header recording when it received the message, from where, and to where it forwarded it. Each Received header is one routing hop. A typical legitimate email has 2–5 hops. More than 10 hops can indicate a forwarding loop or an unusual delivery path. This tool traces each hop in chronological order and shows the delay between hops.