How to perform end-to-end header analysis for reputation clues?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your email landed in spam, or maybe a client says they never got it. You've checked your DNS records, your authentication looks fine on paper, but something is still wrong. The full email header is where the real story lives. It's a timestamped log of every server that touched your message, every decision that got made, and every filter that fired along the way.
Here's how to actually read one, from top to bottom (well, technically bottom to top, but we'll get to that).
Step 1: Get the full header
Most email clients hide headers by default. In Gmail, open the message, click the three-dot menu, and choose "Show original." In Outlook, open the message, go to File, then Properties, and look in the "Internet headers" box. The raw text that appears is what you're working with.
If you'd rather not read it manually, you can paste it into our free Email Header Analyzer and get a parsed, readable breakdown in seconds.
Step 2: Read it bottom to top
Headers are written in reverse chronological order. The oldest hop is at the bottom, the newest is at the top. Reading top to bottom feels natural but it's backwards. Start at the bottom and work your way up to trace the message's actual journey.
Each "Received:" line is one server handoff. A clean chain looks like this:
Received: from mail.sender.com (mail.sender.com [203.0.113.42])
by mx.recipient.com with ESMTPS
(TLS1.3) tls TLS_AES_256_GCM_SHA384;
Tue, 10 Jun 2025 14:03:22 +0000
Received: from smtp.esp.io (smtp.esp.io [198.51.100.7])
by mail.sender.com with ESMTP;
Tue, 10 Jun 2025 14:03:19 +0000
That's a two-hop journey with TLS encryption at the final delivery step. Normal, healthy, nothing to worry about.
Still a red flag looks more like this:
Received: from unknown (HELO mail.sketchy-relay.xyz)
by mx.recipient.com;
Tue, 10 Jun 2025 14:03:22 +0000
An unfamiliar relay in the chain, no TLS, no matching hostname. That'll trigger filters fast.
Step 3: Check the Authentication-Results header
This is the big one. It's added by the receiving mail server and shows whether your SPF, DKIM, and DMARC checks passed or failed. A healthy version looks like this:
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourdomain.com;
spf=pass (google.com: domain of you@yourdomain.com designates
198.51.100.7 as permitted sender);
dmarc=pass (p=QUARANTINE) header.from=yourdomain.com
Three passes. That's what you want.
Now a broken version might look like this:
Authentication-Results: mx.google.com;
dkim=fail (signature did not verify);
spf=softfail (google.com: transitional sender not allowed);
dmarc=fail (p=REJECT) header.from=yourdomain.com
DKIM failed, SPF hit a softfail, DMARC failed. That message is going to spam or getting rejected outright. This is where an authentication failure mimics a reputation problem because the symptoms look the same but the fix is completely different.
Step 4: Look at the spam scoring headers
Many servers add an X-Spam-Status or X-Spam-Score header that shows what rules fired and how they scored the message. Example:
X-Spam-Status: Yes, score=6.8 required=5.0
tests=MISSING_HEADERS,HTML_MESSAGE,RDNS_NONE
X-Spam-Score: 6.8
Score of 6.8 with a 5.0 threshold means it crossed into spam territory. The test names tell you why. MISSING_HEADERS means required headers were absent. RDNS_NONE means the sending IP had no reverse DNS. These are fixable technical problems, not reputation damage.
For Microsoft 365 inboxes, look for X-Microsoft-Antispam and X-Forefront-Antispam-Report. They use a different scoring system but tell a similar story about what filters fired.
Step 5: Check the timing
Unusual delays between Received hops are a signal worth noting. A few seconds per hop is normal. Minutes or hours between hops usually means a server was slow, greylisting kicked in, or there was a queue issue. This is particularly relevant if you're troubleshooting after a DNS change, since propagation delays can show up in your routing times before they show up anywhere else.
What a clean header tells you
You're looking for four things: a clear routing chain with recognizable server names, TLS at the delivery hop, three authentication passes (SPF, DKIM, DMARC), and a spam score below the threshold with no alarming rule names. If all four are clean, the problem is almost certainly not technical. It's content, engagement, or list quality.
If any of those four are off, you've just found your starting point.
Want to skip the manual read? Paste your header into our free Email Header Analyzer and it'll flag the problems for you. And if what you find there doesn't make sense, the SOS hotline is free and we're happy to take a look with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.