**Outlook on Windows**: open the message in a separate window → File tab → Properties → the **"Internet headers"** field at the bottom. **Outlook 365 / web**: open the message → three-dot menu in the top-right → "View" → "View message details". **New Outlook**: unfortunately Microsoft hides the option in different places - easiest is to right-click the message in the inbox → "View source".

**Open the message → View menu → Message → All Headers** (shortcut `Shift+Cmd+H`). The headers appear above the body inside the message window. Select everything from `Delivered-To:` to the end and copy. Alternative: **View → Message → Raw Source** (`Cmd+Option+U`) shows the full raw EML.

What exactly does the Received chain show?

**Every mail server that touches the message prepends a `Received:` header**. So the order in the file is **reverse** to the chronological order - the newest hop sits on top. We flip it back in the UI so it reads naturally: #1 = the first server (usually the sender), the last hop = your mailbox. Each hop shows: **who logged in** (from), **who accepted** (by), **which protocol** (with, e.g. ESMTPS / SMTP), **when** (timestamp at the end) and **how long it took since the previous hop** (delta).

What do SPF / DKIM / DMARC mean in Authentication-Results?

**Authentication-Results** is added by the **last trusted server in the chain** (usually your mail provider). It records three checks: **SPF pass** = the sending server is on the From-domain's allow list, **DKIM pass** = the message's cryptographic signature verifies, **DMARC pass** = SPF and DKIM results align with the domain's policy. One red rarely means phishing on its own; **two or three fails together is a very strong spoofing signal**.

How do I spot a forged email from the headers alone?

**Five classics**: (1) **From differs from Return-Path** or Reply-To - the message claims to be from the bank but replies go elsewhere. (2) **SPF / DKIM / DMARC = fail** in Authentication-Results. (3) **Missing Message-ID** or an unusual format for the claimed sender. (4) **First hop from a server unrelated** to the From domain (a "PKO bank" email sent from a Hetzner VPS). (5) **Date much earlier than the first timestamp in Received** - the attacker manually backdated.

What does the hop delta tell me?

**How long the message sat at each relay**. Each hop normally takes milliseconds to seconds. **Deltas of minutes to hours** mean the message was **queued** somewhere - usually greylisting (deliberate delay on first attempt from an unknown sender) or peak-load. **Very long deltas on hops near the end** are typically anti-spam / anti-virus scanning.

How does your spam score work?

**Sum of simple heuristics**: SPF fail = +3, DKIM fail = +2, DMARC fail = +2, more than 7 hops = +1, reverse-DNS mismatch (host in parentheses does not match the from-host) = +1, missing Message-ID = +1, missing Date = +1. Capped at 10. **This is NOT a full anti-spam engine** (like SpamAssassin), just a quick signal from the headers alone. **3-5 = worth a closer look**, **6-10 = probably spam or phishing**.

Why do some hops have weird IPs or no hostname?

Two common reasons: (1) **internal hops** inside the provider's infrastructure - a message goes through 3-4 Gmail internal servers that have no public DNS names. (2) **Reverse DNS is missing or mismatched** - the admin never set up a PTR record. By itself it doesn't mean phishing, but **combined with SPF fail** it is a strong signal. **Click the IP to open whois-lookup** and see who the address block belongs to.

Does this analyzer store anything on your side?

**No. The whole analysis runs in your browser**. We do not send headers anywhere, there is no server-side API call while parsing. You can verify this in DevTools (Network tab - nothing happens when you paste). **You can safely paste even confidential messages** - everything stays on your device.

Mail Header Analyzer - free

What a mail header analyzer does

A mail header analyzer takes the raw text of an email's headers (everything above the blank line that separates headers from the body) and shows you which servers handled the message, who signed it, and whether the authentication checks pass. Everything runs in your browser - no data leaves your device.

In one screen you get four things: the basic identity block (From, To, Subject, Message-ID, Date), the SPF / DKIM / DMARC verdicts from the Authentication-Results header, a chronological Received-hop timeline (oldest first, with the delay between hops), and a 0-10 heuristic spam score with concrete reasons.

For every IP that appears in the Received chain you get a clickable link to the whois-lookup tool - one click and you can see who owns the relay server.

How to use it

Copy the raw headers from your mail client. Gmail: open the message → three-dot menu → "Show original" → copy the whole text. Outlook: open the message → File → Properties → "Internet headers" field. Apple Mail: open the message → View → Message → All Headers.
Paste into the textarea above. You can paste just the headers or the entire message - the tool slices the body off at the first blank line.
Check the spam score at the top. Green 0-2 = looks healthy, yellow 3-5 = warning signs, red 6-10 = very likely phishing or spam.
In the Authentication-Results section verify that SPF / DKIM / DMARC all show pass. One red verdict often means the message did not really come from the claimed sender.
Scroll to the Received chain. The top hop (#1) is the oldest server - the first one that accepted the message. The bottom hop is the server that handed it to your mailbox.
Click any IP in the chain to open whois-lookup in a new tab and see who that address belongs to.
If you see a weird first hop (a "bank notification" whose first hop is a hosting box in a random country), you have strong evidence of sender spoofing.

When this is useful

Five everyday situations where a header analysis settles the question:

Is this email phishing?. You got a "bank" message with a link to "verify your account". Compare From vs Return-Path vs the first hop in the Received chain. If the first server has nothing to do with the bank, it is textbook phishing.
My critical email never arrived, the recipient says they sent the reply. Ask them for the complete headers of the message they think they got. You can trace the exact path, see where it stalled, and how long each hop took.
Customer complaint: "Your email landed in spam". Look at the headers of the copy they forwarded. Most of the time you will find SPF fail or DKIM fail in Authentication-Results - that is a concrete cause, not a guess.
Post-incident audit. An attacker sent emails from your company domain. From the headers of the suspicious messages you can tell whether they went through your real mail server (compromised account) or through a foreign server with a forged From (spoofing, your domain has no DMARC).
Strange email from a coworker. The CFO emails the finance team asking for an urgent wire transfer. Check Reply-To and Return-Path - in BEC (Business Email Compromise) attacks they differ from the From field, so your reply lands with the attacker.

Related tools: email DNS checker (audit your domain's SPF/DKIM/DMARC), whois-lookup (owner of an IP in the Received chain), DNS lookup.

Questions and answers

Open the message → three-dot menu next to "Reply" → "Show original". A new tab opens with two sections: a meta block on top (SPF/DKIM/DMARC in summary form) and the full raw message with headers below. Copy everything from the start down to the first blank line (roughly down to `Content-Type:`). Shortcut: click "Download Original" and paste the file contents - the tool slices the body off anyway.

What a mail header analyzer does

For every IP that appears in the Received chain you get a clickable link to the whois-lookup tool - one click and you can see who owns the relay server.

How to use it

Copy the raw headers from your mail client. Gmail: open the message → three-dot menu → "Show original" → copy the whole text. Outlook: open the message → File → Properties → "Internet headers" field. Apple Mail: open the message → View → Message → All Headers.

Paste into the textarea above. You can paste just the headers or the entire message - the tool slices the body off at the first blank line.

Check the spam score at the top. Green 0-2 = looks healthy, yellow 3-5 = warning signs, red 6-10 = very likely phishing or spam.

In the Authentication-Results section verify that SPF / DKIM / DMARC all show pass. One red verdict often means the message did not really come from the claimed sender.

Scroll to the Received chain. The top hop (#1) is the oldest server - the first one that accepted the message. The bottom hop is the server that handed it to your mailbox.

Click any IP in the chain to open whois-lookup in a new tab and see who that address belongs to.

If you see a weird first hop (a "bank notification" whose first hop is a hosting box in a random country), you have strong evidence of sender spoofing.

When this is useful

Five everyday situations where a header analysis settles the question:

Is this email phishing?. You got a "bank" message with a link to "verify your account". Compare From vs Return-Path vs the first hop in the Received chain. If the first server has nothing to do with the bank, it is textbook phishing.
My critical email never arrived, the recipient says they sent the reply. Ask them for the complete headers of the message they think they got. You can trace the exact path, see where it stalled, and how long each hop took.
Customer complaint: "Your email landed in spam". Look at the headers of the copy they forwarded. Most of the time you will find SPF fail or DKIM fail in Authentication-Results - that is a concrete cause, not a guess.
Post-incident audit. An attacker sent emails from your company domain. From the headers of the suspicious messages you can tell whether they went through your real mail server (compromised account) or through a foreign server with a forged From (spoofing, your domain has no DMARC).
Strange email from a coworker. The CFO emails the finance team asking for an urgent wire transfer. Check Reply-To and Return-Path - in BEC (Business Email Compromise) attacks they differ from the From field, so your reply lands with the attacker.

Related tools: email DNS checker (audit your domain's SPF/DKIM/DMARC), whois-lookup (owner of an IP in the Received chain), DNS lookup.

Questions and answers

Mail Header Analyzer

What a mail header analyzer does

How to use it

When this is useful

Questions and answers

Related tools

Email DNS Checker (SPF/DKIM/DMARC)

WHOIS Lookup

DNS Lookup

IP Info / ASN Lookup

Mail Header Analyzer

What a mail header analyzer does

How to use it

When this is useful

Questions and answers

Related tools

Email DNS Checker (SPF/DKIM/DMARC)

WHOIS Lookup

DNS Lookup

IP Info / ASN Lookup