Email Header Analyzer

Paste the full email headers (found in email client under "Show Original" or "View Source"). The tool parses all header fields and displays: sender IP, mail servers traversed, authentication results (SPF, DKIM, DMARC), timestamps, and routing path.

Look for the bottom-most "Received:" header (first server to handle the email). The IP in that header is closest to the sender. The tool highlights the originating IP and provides geolocation data. Note: some email services strip the sender's IP for privacy.

SPF: verifies the sending server is authorized for the domain. DKIM: verifies the email wasn't modified in transit. DMARC: policy that combines SPF and DKIM results. Pass = legitimate. Fail = potentially spoofed. The tool shows all authentication results clearly.

Check: Does the "From" domain match the actual sending server? Do SPF/DKIM pass? Is the originating IP from an unexpected country? Are there suspicious "Received" hops? The tool flags common phishing indicators and suspicious header patterns.

Open the email. Click the three dots (more options) → "Show original." This displays the full headers and message source. Copy all the text and paste it into the analyzer. The tool works with headers from Gmail, Outlook, Yahoo, and any email client.