Security & Threat Analysis

Free Email Header Analyzer

Instantly diagnose email delivery issues, detect spoofing attempts, and verify SPF, DKIM, and DMARC authentication. Upload an email header or EML file to analyze routing, delays, and security risks in seconds.

SPF, DKIM & DMARCRouting path analysisSpoofing signal detection100% free

Paste a header or upload an .eml, .txt, or .msg file to get started.

About

The Email Header Analyzer parses raw email headers to evaluate SPF, DKIM, and DMARC authentication, routing paths, and spoofing signals.

Use it to determine whether an email was legitimately sent by the domain it claims to come from.

Auth verification

Parses Authentication-Results for SPF, DKIM, and DMARC pass/fail status.

Routing analysis

Traces Received hops to identify the sending IP and mail path.

Spoofing detection

Highlights alignment failures and suspicious routing patterns.

Human-readable output

Structured summary table plus expandable raw headers.

How to use this tool

Paste or upload headers

Paste raw headers or upload a .eml / .txt file (up to 10 MB).

Parse authentication

Extracts DKIM-Signature and Authentication-Results including folded headers.

Evaluate compliance

Checks SPF/DKIM/DMARC pass status and alignment with the From domain.

Review routing

Shows Received hops, sender IP, and security signals like MTA-STS presence.

Understanding the results

Pass

SPF, DKIM, and DMARC all passed, strong evidence the sender is authentic.

Partial

Some authentication passed but not all three, investigate before trusting the email.

Fail

Authentication failed, the sender may not be who they claim. Treat with caution.

Important result fields

Compliance table

SPF, DKIM, and DMARC results with alignment status for each.

Auth summary

Sender IP, applied DMARC policy, reporter, and alignment modes.

Routing hops

Each Received header with source IP and hostname.

Security signals

Whether MTA-STS, TLS-RPT, BIMI, and auth records are present on the domain.

Best practices & recommendations

Use Show original

In Gmail, use Show original → Copy to get complete Authentication-Results headers.

Check alignment

Pass is not enough, verify SPF and DKIM domains align with the From address.

Compare with past mail

Legitimate senders use consistent IPs and authentication patterns over time.

Frequently asked questions

At minimum: From, Authentication-Results, DKIM-Signature, and Received. Full source is best.

Folded Authentication-Results headers can cause parsing issues, this tool handles RFC822 folding correctly.

No. A compromised account or lookalike content can still pass authentication.

Yes. Upload .eml, .txt, or .msg files up to 10 MB.

SPF/DKIM domains must match the From domain (strict or relaxed) for DMARC to pass.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools