Email Header Analyzer
Decode any email header — trace origin, check SPF/DKIM/DMARC, geolocate IPs, reverse DNS, validate MX records, detect breached domains, scan for malicious URLs and check IP reputation. All in one tool.
Gmail ✓ Outlook ✓ Yahoo ✓ Apple Mail ✓ Exchange ✓ Any Raw Header ✓
Email Security Analyzer
Paste your raw email header for full analysis: delivery timeline, authentication results, IP geolocation, reverse DNS, MX validation, HIBP breach detection, Google Safe Browsing, VirusTotal IP reputation, security score, and export.
- Find and copy your email header — in Gmail: open the email → three-dot menu → Show original. In Outlook: open email → File → Properties → Internet Headers. In Apple Mail: View → Message → All Headers. Copy everything from the first Received: line to just before the blank line separating headers from the body.
- Paste and click Analyze Header — the tool automatically detects whether it is a Gmail, Outlook, Yahoo, Exchange or generic header and shows a detection badge. Click Load Sample to try a real example.
- Security Score (0–100) — an instant risk rating based on 8 checks: SPF, DKIM, DMARC pass/fail, TLS encryption, no breached sender domain, no malicious IPs, valid PTR records, and MX alignment.
- Delivery Timeline — each Received: hop is shown as a visual step-by-step timeline with server name, IP, timestamp and the delay between each hop. Delays over 5 minutes are flagged yellow; over 15 minutes are flagged red.
- IP Geolocation — all public IPv4 addresses are automatically looked up via ip-api.com showing country flag, city, ISP and ASN. No API key required.
- Reverse DNS (PTR) — each IP is checked for its reverse DNS record. A mismatch between the sending hostname and PTR record is a classic spam/spoofing indicator.
- MX Record Validation — the sender's domain MX records are fetched and compared against the actual sending server. A mismatch means email did not come through the domain's authorised mail servers.
- HaveIBeenPwned Breach Check — the sender's domain is checked against the HIBP breach database. Any known breaches are listed with date, affected records and data types exposed. No API key required.
- Copy All + Print PDF — click Copy All Results to copy the complete analysis as formatted text. Click Print / Save PDF to open the browser print dialog with a clean print stylesheet — all results are visible with no cut-off, optimised for A4.
Privacy note: Core analysis runs in your browser. API calls send only IP addresses and domain names — never your full header or message content.
What is an email header?
An email header is a block of metadata prepended to every email. It records the delivery path, every server that handled the message, timestamps at each hop, and authentication results like SPF, DKIM and DMARC. It is invisible in normal email views but accessible via "Show Original" or "View Source" in your client.
Is it safe to paste my email header here?
Yes. Headers contain only routing metadata — server names, IPs, timestamps and authentication results. They never contain the message body or attachments. Core analysis runs in your browser. API enrichment features send only IP addresses or domain names to external services — your full header stays in your browser.
What are SPF, DKIM and DMARC?
SPF (Sender Policy Framework) verifies the sending server is in the domain's authorised sender list. DKIM adds a cryptographic signature confirming the message was not modified in transit. DMARC ties them together and tells receiving servers to reject, quarantine, or accept messages when authentication fails.
What does the Security Score mean?
The score (0–100) rates the email across 8 weighted checks. SPF pass (+15), DKIM pass (+20), DMARC pass (+15), TLS used (+10), no breached sender domain (+15), no malicious IPs (+10), valid PTR records (+10), MX alignment (+5). Scores above 80 are low risk; below 50 should be treated with caution.
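The scoring above, worked through in Python as an added example; it is not the tool's own code. The function names, the sample header, the TLS keyword test and the rule of counting only the Authentication-Results line stamped by your own receiving server are assumptions, and the four lookup-based checks are passed in as booleans.

```python
import re
from email import message_from_string

# Weights as listed on the page; they sum to 100.
WEIGHTS = {"spf": 15, "dkim": 20, "dmarc": 15, "tls": 10, "not_breached": 15,
           "no_malicious_ip": 10, "ptr_valid": 10, "mx_aligned": 5}

# Constructed sample. The lower Authentication-Results line stands in for one
# that arrived inside the message rather than from the receiving server.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=sender.example;
\tdkim=fail header.d=sender.example;
\tdmarc=pass header.from=sender.example
Received: from relay.sender.example ([203.0.113.25])
\tby mx.recipient.example with ESMTPS id def456;
\tMon, 06 Jan 2025 10:04:10 +0000
Authentication-Results: mx.untrusted.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example

"""

def header_checks(raw, trusted_authserv_id):
    """Derive the header-based checks, trusting one receiver's verdicts only."""
    msg = message_from_string(raw)
    checks = {"spf": False, "dkim": False, "dmarc": False}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.lower().split()[:1] != [trusted_authserv_id.lower()]:
            continue  # not stamped by our own server, so not evidence
        for method, result in re.findall(
                r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", results, re.I):
            # Several dkim= results can appear; one pass is enough here.
            checks[method.lower()] |= result.lower() == "pass"
    received = msg.get_all("Received", [])
    # Assumption: "TLS used" = newest hop carries an RFC 3848 TLS keyword.
    checks["tls"] = bool(received and re.search(
        r"\bwith\s+(?:ESMTPSA?|LMTPSA?)\b", received[0], re.I))
    return checks

def security_score(checks):
    """Sum the weights of passed checks and map the total to the page's bands."""
    score = sum(w for name, w in WEIGHTS.items() if checks.get(name))
    # "moderate" is an assumed label; the page names only the two outer bands.
    band = "low risk" if score > 80 else "caution" if score < 50 else "moderate"
    return score, band
```

With the sample, the DKIM failure costs 20 points even when every lookup passes; reading the untrusted line instead would have reported all three mechanisms as passing.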
What does a PTR mismatch mean?
A PTR (reverse DNS) record maps an IP address back to a hostname. Legitimate mail servers have a PTR that matches the hostname they announce in SMTP (the HELO/EHLO hostname). A mismatch — where the PTR points to a completely different domain — is a strong indicator that the email came from a compromised server, a misconfigured server, or a bulk spam source.
Why might MX validation show a mismatch?
If the sending server is not one of the domain's MX records, the email did not come through the domain's designated mail servers. This can indicate spoofing, a compromised account on a different server, a misconfigured bulk email service, or a forwarded email that has passed through an intermediate server.
What causes email delivery delays?
Common causes include greylisting (a deliberate short delay to filter spam), DNS lookup timeouts, overloaded mail servers, spam filtering queues, and network congestion. The delivery timeline shows the timestamp at each hop so you can pinpoint exactly where time was lost.
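The hop-by-hop delay calculation behind such a timeline, as an added Python example rather than the tool's own code. The sample header, the function name and the "skew" flag for hops whose clocks run backwards are assumptions; the 5 and 15 minute thresholds are the ones stated on this page.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header: hosts, IPs and timestamps are made up.
SAMPLE = """\
Received: from relay.sender.example (relay.sender.example [203.0.113.25])
\tby mx.recipient.example with ESMTPS id def456;
\tMon, 06 Jan 2025 10:22:40 +0000
Received: from gw.sender.example (gw.sender.example [203.0.113.9])
\tby relay.sender.example with ESMTPS id abc123;
\tMon, 06 Jan 2025 10:04:10 +0000
Received: from laptop.sender.example ([192.0.2.44])
\tby gw.sender.example with ESMTPSA id ghi789;
\tMon, 06 Jan 2025 04:58:05 -0500
From: alice@sender.example

"""

YELLOW_S, RED_S = 5 * 60, 15 * 60  # thresholds stated on the page

def delivery_timeline(raw):
    """Return hops oldest-first, each with the delay since the previous hop."""
    hops, prev = [], None
    # Every server prepends its Received: line, so the top one is the newest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        clause, _, stamp = value.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # no parseable timestamp on this hop
        if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            when = when.replace(tzinfo=timezone.utc)
        by = re.search(r"\bby\s+(\S+)", clause)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
        delay = 0 if prev is None else int((when - prev).total_seconds())
        flag = ("skew" if delay < 0 else "red" if delay > RED_S
                else "yellow" if delay > YELLOW_S else "ok")
        hops.append({"by": by.group(1) if by else None,
                     "from_ip": ip.group(1) if ip else None,
                     "utc": when.astimezone(timezone.utc).isoformat(),
                     "delay_s": delay, "flag": flag})
        prev = when
    return hops

if __name__ == "__main__":
    print(*delivery_timeline(SAMPLE), sep="\n")
```

Timestamps are written by each server's own clock, so a negative or implausibly large gap may reflect clock drift rather than queueing.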
How do I save the analysis as a PDF?
Click Print / Save PDF after running the analysis. This opens the browser print dialog. Select Save as PDF as the destination (available in Chrome, Edge, Firefox and Safari). The print stylesheet hides the nav, hero and input form — only the analysis results are included. All sections are set to avoid page breaks mid-card so nothing is cut off.