← Back to Tools

📨 Email Header Analyzer

Paste raw email headers to verify SPF, DKIM, and DMARC authentication, detect spoofing, and trace the delivery path hop by hop.

ℹ️ How to copy raw email headers

Gmail

Open the email → click ⋮ (More) → Show original → copy everything in the top section.

Outlook (desktop)

Open email → File → Properties → copy everything in the Internet headers box.

Apple Mail

Open email → View → Message → All Headers.

Thunderbird

Open email → View → Headers → All.

Copy all headers from your email client (in Gmail: ⋮ → Show original; in Outlook: File → Properties). Paste everything above the email body.

🎭 How Email Spoofing Works

The gap between what you see and what the email really is.

What you see in your inbox
P

Your account has been limited. Click here to verify your identity.

Looks completely legitimate. Most users stop here.

What the headers actually show
From: [email protected] (forged)
Return-Path: [email protected]
SPF: fail (IP not authorized)
DKIM: none (no signature)
DMARC: fail (alignment mismatch)

The headers tell the real story — if you know how to read them.

The key insight: The From header is just a label — anyone can put anything there. SPF, DKIM, and DMARC exist precisely because the From field can be forged. A legitimate email from PayPal will always pass all three checks. If any fail, be suspicious.

📚 SPF, DKIM, and DMARC Explained

SPF (Sender Policy Framework)

A DNS TXT record that lists which mail servers are allowed to send email for a domain. When a message arrives, the receiving server checks if the sending IP is on that list. A fail means the IP isn't authorized — strong spoofing indicator. Stored as: v=spf1 include:_spf.google.com ~all

DKIM (DomainKeys Identified Mail)

The sending server signs the email with a private key. The receiving server fetches the public key from DNS and verifies the signature. A valid DKIM signature proves the email content wasn't modified in transit and genuinely came from the signing domain.

DMARC (Domain-based Message Authentication)

Ties SPF and DKIM to the domain in the From header. DMARC pass requires that at least one of SPF or DKIM passes and the domain is aligned with the From header. It also lets domain owners publish a policy (none / quarantine / reject) for what to do with failing mail.

Rule of thumb: Legitimate email from a major service will pass all three. Phishing that spoofs the From address will typically fail SPF and DMARC, and won't have a DKIM signature at all.