Reputation & monitoring

Email Header Analyzer

Paste raw email headers, or drop in a full .eml file. We pull out the authentication verdicts, walk every server in the Received chain, and surface anything a recipient added that looks like a spam score.

New to headers? Read What are email headers in the Email Almanac.

We parse the headers server-side. The message body, if any, is dropped before parsing and never stored.

How this tool works

What the analyzer is actually doing

Every email carries a stack of headers above the body. They record who sent it, who relayed it, who checked it, and what those checks decided. The body is what the recipient reads; the headers are the forensic trail of how the message arrived.

You read headers from the bottom up. The earliest Received header at the bottom is the first server that handled the message. Each new Received line above it adds the next hop, in order, until you reach the inbox at the top. Authentication-Results sits beside those hops and tells you what each receiver decided about SPF, DKIM, and DMARC.

Parsing happens server-side on a single request. If the input is a full .eml file the body is dropped before any parsing begins. We do not log the headers, we do not write them to disk, and we do not send them anywhere else.

Authentication verdicts

SPF, DKIM, and DMARC results are pulled from Authentication-Results, falling back to Received-SPF and the presence of a DKIM-Signature when no consolidated verdict was written.

Sender alignment

From, Reply-To, and Return-Path are extracted side by side. If Reply-To routes to a different domain than From, we flag it. Common in ticketing systems and forwarders, also a cheap phishing tell.

Hop chain and delivery time

Every Received header is parsed into originating server, receiving server, protocol, and timestamp. End-to-end delivery time is computed when both ends have a parseable date. Sudden gaps between hops usually mean a queue backlog or a greylist.

Spam scoring signals

Every header added by a SpamAssassin, rspamd, Barracuda, Microsoft Anti-Spam, or Proofpoint filter is surfaced with the score, threshold, and rules that fired.

When to use it

Reach for it in these moments

Headers are the source of truth when something specific went wrong. If you have one bounced message, one mystery delivery delay, or one phishing tip-off, this is what you read first.

  • A specific message bounced or hit spam and you have the .eml. The analyzer surfaces every authentication verdict and every spam-filter score the receiver wrote. You see exactly what they did not like.
  • A user reports a suspicious email and you want to know if it is a real phishing attempt. Pull the raw headers. Check From vs Return-Path vs the actual sending IP. If they do not line up, you have your answer.
  • A message took unusually long to deliver. The hop chain shows the time between each receive event. A long gap on one hop is a queue, a greylist, or a relay under load.
  • You changed your authentication setup and want to confirm it landed. Send yourself a test, paste the headers, and check that SPF, DKIM, and DMARC all say pass with alignment.

Email Almanac

Related questions to read next

The analyzer surfaces what each header says. The Almanac explains how to read the chain end-to-end and what each authentication result means for delivery.

Want a full deliverability audit?

Headers tell you what happened to one message. We read every signal across your whole sending pattern and write you a plain-English report.

Try it deeper with RME