Reputation & monitoring
Email Header Analyzer
Paste raw email headers, or drop in a full .eml file. We pull out the authentication verdicts, walk every server in the Received chain, and surface anything a recipient added that looks like a spam score.
New to headers? Read What are email headers in the Email Almanac.
How this tool works
What the analyzer is actually doing
Every email carries a stack of headers above the body. They record who sent it, who relayed it, who checked it, and what those checks decided. The body is what the recipient reads; the headers are the forensic trail of how the message arrived.
You read headers from the bottom up. The earliest Received header at the bottom is the first server that handled the message. Each new Received line above it adds the next hop, in order, until you reach the inbox at the top. Authentication-Results sits beside those hops and tells you what each receiver decided about SPF, DKIM, and DMARC.
Parsing happens server-side on a single request. If the input is a full .eml file the body is dropped before any parsing begins. We do not log the headers, we do not write them to disk, and we do not send them anywhere else.
Authentication verdicts
SPF, DKIM, and DMARC results are pulled from Authentication-Results, falling back to Received-SPF and the presence of a DKIM-Signature when no consolidated verdict was written.
Sender alignment
From, Reply-To, and Return-Path are extracted side by side. If Reply-To routes to a different domain than From, we flag it. Common in ticketing systems and forwarders, also a cheap phishing tell.
Hop chain and delivery time
Every Received header is parsed into originating server, receiving server, protocol, and timestamp. End-to-end delivery time is computed when both ends have a parseable date. Sudden gaps between hops usually mean a queue backlog or a greylist.
Spam scoring signals
Every header added by a SpamAssassin, rspamd, Barracuda, Microsoft Anti-Spam, or Proofpoint filter is surfaced with the score, threshold, and rules that fired.
When to use it
Reach for it in these moments
Headers are the source of truth when something specific went wrong. If you have one bounced message, one mystery delivery delay, or one phishing tip-off, this is what you read first.
- A specific message bounced or hit spam and you have the .eml. The analyzer surfaces every authentication verdict and every spam-filter score the receiver wrote. You see exactly what they did not like.
- A user reports a suspicious email and you want to know if it is a real phishing attempt. Pull the raw headers. Check From vs Return-Path vs the actual sending IP. If they do not line up, you have your answer.
- A message took unusually long to deliver. The hop chain shows the time between each receive event. A long gap on one hop is a queue, a greylist, or a relay under load.
- You changed your authentication setup and want to confirm it landed. Send yourself a test, paste the headers, and check that SPF, DKIM, and DMARC all say pass with alignment.
Email Almanac
Related questions to read next
The analyzer surfaces what each header says. The Almanac explains how to read the chain end-to-end and what each authentication result means for delivery.
Want a full deliverability audit?
Headers tell you what happened to one message. We read every signal across your whole sending pattern and write you a plain-English report.
Try it deeper with RME