Email Header Analyser
Paste the raw headers from any email to parse the delivery path, authentication results and message metadata.
| Header | Value |
|---|
About the Email Header Analyser
Email headers contain the full delivery path a message took to reach your inbox, including every server it passed through, the authentication checks it underwent, and timestamps for each hop. Reading raw headers by eye is tedious and easy to misread, especially the authentication results buried in the middle. This tool parses pasted email headers and presents the SPF, DKIM, and DMARC authentication results, the delivery path, and timing in a readable format, useful for diagnosing why a message was flagged as spam or delayed.
How it works
Paste the full raw headers from an email, most mail clients have a "view source" or "show original" option that reveals them, and DNSbyte parses the content directly in your browser. The tool extracts the Received chain to show each server hop in order, reads the Authentication-Results header to report SPF, DKIM, and DMARC pass or fail status, and surfaces key fields like the sending server, originating IP, and any delay between hops.
Nothing is sent to DNSbyte's servers for processing beyond what any standard form submission requires, the header text you paste is used only to generate the result shown to you.
Frequently asked questions
Where do I find the raw headers for an email?
Most webmail and desktop clients have an option for this, often labelled "show original", "view source", or found in a message's right-click or three-dot menu. The exact wording varies by provider but it is usually within a couple of clicks of the message itself.
What does it mean if SPF passes but DKIM fails?
This usually means the sending server was authorised to send on behalf of the domain, but the message's cryptographic signature did not validate, possibly because the message was modified in transit, such as by a mailing list or forwarding service that altered the content.
Why are there multiple Received headers and which one matters most?
Each Received header represents one hop the message took between mail servers, added by each server in the order it passed through, with the most recent hop at the top. The bottom-most Received header is typically closest to the original sending server, which is useful when tracing where a message actually originated.
The headers show a different sending IP than I expected, is that suspicious?
Not necessarily, many legitimate services send email through dedicated outbound mail providers rather than directly from their own infrastructure, so the IP belonging to a third-party mail service is common and expected for businesses using providers like that.
Can I use this to prove an email was spoofed?
It can show you whether SPF, DKIM, and DMARC passed or failed, which is strong supporting evidence, but a complete forensic determination of spoofing usually also involves looking at the full header set together with context only the recipient has.