How can headers be analyzed for placement patterns?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Email headers are the metadata stapled to every message that explain how it got where it got, whether it passed authentication, and what each hop thought of it. If you're trying to figure out why an email landed in spam, headers are where the answer lives.

Where to find them

In Gmail: open the message, click the three-dot menu, choose "Show original." In Outlook web: open the message, click the three-dot menu, choose "View message source." In Apple Mail: select the message, then View > Message > All Headers. Full walkthrough with screenshots lives in how to read email headers.

What to look at first

So Start with the Authentication-Results header. It tells you in one line whether SPF, DKIM, and DMARC passed. Any fail or softfail here is almost always your problem. Grab two messages side by side (one that landed in the inbox, one that landed in spam) and diff these results first. If the authentication lines differ, stop looking anywhere else.

Next, scan for provider-specific headers. Gmail adds X-Google-Smtp-Source and sometimes a spam-score hint. Microsoft adds X-MS-Exchange-Organization-SCL (spam confidence level, 0-9, higher is worse) and X-Forefront-Antispam-Report with explanation codes. These won't appear in every message, but when they do, they tell you exactly what the receiver flagged.

Finally, walk the Received headers from bottom to top. That's the message's actual path from your sending IP to the recipient's inbox. You're looking for: unexpected hops (a rogue relay), timing gaps (queue delays that suggest throttling), or a sending IP you don't recognize (a misconfigured relay or a spoofer using your domain).

The diff trick

If you have one copy in the inbox and one in spam, a plain text diff of both header blocks surfaces the delta in about 30 seconds. That delta is your root cause 90% of the time.

If the headers are showing you something weird you can't interpret, our free DMARC analyzer parses authentication results in plain English, and the SOS hotline is there when you want a second pair of eyes.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your headers for a plain-English read

I pasted headers from an email that landed in spam below. Inbox provider: GMAIL / OUTLOOK / OTHER. My sending domain: DOMAIN. My ESP: ESP NAME. Headers: PASTE. What do these headers say went wrong, and what should I fix first?

Edit the yellow boxes, then send to the AI of your choice.