OneWebDesk
All tools
한국어|English

Email Header Analyzer

Analyze mail headers: hops, delays and SPF/DKIM/DMARC results.

When an email arrives late, lands in spam, or comes from a suspicious sender, the surest clue is the raw message header. Paste the full header copied from your mail client into this email header analyzer and it lays out a From/To/Subject/Date/Message-ID summary, the path of mail servers (Received hops) the message traveled with per-hop delays, and the SPF, DKIM and DMARC authentication results at a glance.

All analysis runs entirely in your browser and the header content is never sent to any server. Use it to trace delivery delays, check for sender-domain spoofing, and confirm that authentication policies were applied correctly.

Paste a message header above to see the analysis.

Where do I copy the header from?

Most mail services offer a view original option. In Gmail, open the message and choose Show originalfrom the more menu; in Outlook, double-click the message and open the internet headers under File → Properties; in Apple Mail use View → Message → Raw Source. Copy the entire header block and paste it into the box above.

How do I read the Received path?

The Received lines stack up from top to bottom as the message passes through servers, which means thetopmost line is the final receiving server and the bottom one is the original sender. This tool reverses them into sender→recipient (chronological) order and shows, for each hop:

  • from / by: which server handed off to which server
  • timestamp: when that hop received the message
  • delay (seconds): the gap from the previous hop — a large value points to a bottleneck at that step

What SPF, DKIM and DMARC results mean

The Authentication-Results header carries the verdicts the receiving server reached.

  • SPF: whether the sending IP is on the domain's allow list (pass is healthy)
  • DKIM: whether a signature proves the body/headers were not tampered with
  • DMARC: the final verdict combining SPF/DKIM alignment with the domain's policy

When all three are pass, the sender is highly trustworthy. A fail or softfailsuggests spoofing or a misconfigured sending setup, so review the authentication records. Look up the domain's SPF, DKIM and DMARC records individually, or diagnose them at once with Email Deliverability Check.

Frequently asked questions

Is the header content sent anywhere?
No. All parsing and analysis happen entirely in your browser, and the pasted header is never transmitted to or stored on any server.
The Received lines don't line up chronologically — why?
If the servers' clocks are skewed, a delay can show up as negative or the order can look odd. The displayed delay is simply the difference between the timestamps recorded in the header, so interpret it allowing for clock drift.
Why is SPF a pass but DMARC a fail?
Even when SPF or DKIM passes, DMARC also requires the authenticated domain to align with the From address domain. If they don't align, SPF can pass while DMARC still fails.
Does a hop with a large delay always mean a problem?
Not necessarily. Greylisting deliberately delays mail, and a queue can briefly back up under normal conditions. But a repeatedly large delay at one step is a strong hint to check that server first.
What if there is no Authentication-Results header?
Either the receiving server didn't record authentication results, or they were dropped from the copied header. In that case the authentication section shows an informational 'none' state.

Related tools

Email
Email Bounce Code Decoder
Explain 4xx/5xx SMTP bounce codes and how to fix them.
DMARC Record Generator
Generate a DMARC TXT record from policy and report settings.
SPF Record Lookup
Look up a domain's SPF TXT record and check syntax.
DMARC Record Lookup
Look up the _dmarc TXT record and explain its policy and tags.
DKIM Record Lookup
Look up the selector._domainkey TXT record for a DKIM public key.
Email Blacklist (DNSBL) Check
Check whether an IP is listed on major DNSBL blacklists.