LIVE NEWSROOM · --:-- · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS

Email Header Analyzer

Paste raw email headers (from your client’s “view source” or “show original”). We trace the Received: chain, check SPF/DKIM/DMARC pass status, and flag common spoofing indicators.

    What it does

    Email headers tell the full delivery story: every hop the message traversed, the authentication results at the receiving end, the From/Return-Path/Reply-To trinity that phishing-aware analysts inspect. Our analyzer takes raw headers (the “Show Original” or “View Source” output from your mail client), parses them per RFC 5322, reconstructs the Received chain in chronological order, and surfaces spoofing red flags like mismatched From vs Return-Path domains.
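The same three steps (parse, reorder the Received chain oldest-first, compare sender domains), sketched as an added example; this is not the analyzer's own code. The sample headers are constructed, and the function names `analyze` and `domain` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers (not a real message); the newest Received is on top.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby inbound.example.com with ESMTPS id abc123;
\tTue, 12 May 2026 09:15:04 +0000
Received: from sender-host.example.net (unknown [198.51.100.23])
\tby mx.example.org with ESMTP id xyz789;
\tTue, 12 May 2026 09:15:01 +0000
Authentication-Results: inbound.example.com;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=brand.example
From: "Brand Support" <support@brand.example>
Reply-To: helpdesk@other.example
Subject: Action required

"""

def domain(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received header, so reverse for oldest-first.
    for rec in reversed(msg.get_all("Received", [])):
        info, _, stamp = " ".join(rec.split()).rpartition(";")
        m = re.search(r"from (\S+).*?\bby (\S+)", info)
        src, dst = m.groups() if m else (None, None)
        hops.append({"from": src, "by": dst, "time": parsedate_to_datetime(stamp.strip())})
    # Verdicts recorded by the receiving server, e.g. spf=pass.
    ar = " ".join(msg.get_all("Authentication-Results", []))
    auth = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar, re.I)}
    frm, rp, rt = (domain(msg.get(h)) for h in ("From", "Return-Path", "Reply-To"))
    flags = []
    if rp and rp != frm:  # heuristic signal for triage, not a verdict
        flags.append(f"Return-Path domain {rp} != From domain {frm}")
    if rt and rt != frm:
        flags.append(f"Reply-To domain {rt} != From domain {frm}")
    flags += [f"{k}={v}" for k, v in auth.items() if v in ("fail", "softfail")]
    return {"hops": hops, "auth": auth, "flags": flags}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```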

    How to use it

    1. In Gmail: open message → 3-dot menu → "Show original".
    2. In Outlook: open message → File → Properties → "Internet Headers" pane.
    3. Copy ALL the headers (everything before the empty line that precedes the body).
    4. Paste in the textarea here and click "Analyze headers".
    5. Read the Received chain (oldest hop first), the authentication-results panel, and any red flags raised.

    Common use cases

    Phishing triage: When a user reports a suspicious email, paste headers to verify whether it actually came from the claimed sender.
    Delivery troubleshooting: When your outbound email lands in spam, headers from a test recipient show what authentication failed and where.
    Forensic timeline reconstruction: In incident response involving email-borne compromise, headers establish exact timestamps and hops.
    Phishing-training analysis: After a phishing simulation, walk through real headers with the team to teach what spoofing looks like.

    Frequently asked questions

    What is the "Received chain"?
    Each SMTP server that processed the message added a "Received:" header. Read them BOTTOM-UP — the bottom is the first hop (original sender), the top is the last hop (your inbox).

    What does Authentication-Results mean?
    Your inbound mail server’s verdict on SPF / DKIM / DMARC. Pass = email passed that check. Fail = failed (possible spoofing).

    Why does From != Return-Path matter?
    Sender forgery: spammers often set From: to a recognizable brand but the Return-Path (where bounces go) to their own throwaway domain. The mismatch is a strong phishing signal.

    Should I trust SPF/DKIM pass?
    Pass = the email is authenticated as having come from the claimed domain. But "authentic" ≠ "trustworthy" — a compromised legitimate account passes auth and still sends phish.

    Is my email content read?
    No. We only need the headers (the part before the empty line). Don’t paste the body.

    Free for everyone, no signup required. Tool runs at /tools/email-header-analyzer/ — bookmark or share.