Email Header Analyzer
Analyze email headers to check SPF, DKIM, DMARC authentication and detect potential spoofing issues
Why Your Results Matter: From Confusion to Clarity
You analyzed an email header because something felt off. Was it a fake invoice? An urgent request from your "boss"? Email headers hold the technical proof to confirm your suspicions. This tool checks an email's "digital ID" to see if the sender is who they claim to be. A **passing** result means the email is likely legitimate. A **failing** result is a major red flag for phishing or spoofing.
🔴 What is Phishing?
Scammers impersonate trusted brands or people to trick you into revealing sensitive information like passwords, credit card numbers, or company data.
🟢 What is a Legitimate Email?
A legitimate email passes authentication checks (SPF, DKIM, DMARC), proving it came from an authorized server and wasn't altered in transit.
How to Fix Authentication Failures
If emails from your own domain are failing these checks, your customers may not be receiving them, or they may be landing in spam folders. Here’s how to fix the most common issues.
❌ How to Fix SPF Failures
The Problem:
The server that sent the email is not listed in your domain's SPF record. This is common when using third-party services (like Mailchimp, SendGrid, etc.) to send emails.
The Solution:
- Identify all your sending services. Make a list of every platform that sends email for your domain (e.g., Google Workspace, Microsoft 365, your marketing platform, your CRM).
- Find their SPF values. Each service will provide an SPF record to add, usually in the format `include:servicename.com`.
- Update your DNS record. Add an `include` for each service in your single SPF (TXT) record in your domain's DNS settings.
Example SPF Record:
`v=spf1 include:_spf.google.com include:sendgrid.net ~all`
Pro Tip: An SPF record cannot have more than 10 DNS lookups. If you have many services, you may need an SPF flattening service.
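To see how close a record is to the 10-lookup limit, the following added example (not part of the original page or of any vendor's tooling) counts the DNS-querying terms in an SPF record, following `include` and `redirect` recursively. The domains and the `TXT_RECORDS` table are constructed stand-ins for real DNS answers.

```python
import re

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Every domain and record here is made up for illustration.
TXT_RECORDS = {
    "shop.example": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "_spf.crm.example": "v=spf1 a mx exists:%{i}.crm.example redirect=_spf.fallback.example",
    "_spf.fallback.example": "v=spf1 ip6:2001:db8::/32 -all",
    "small.example": "v=spf1 ip4:203.0.113.7 include:_a.mailer.example -all",
}

# Terms that trigger a DNS query during SPF evaluation (plus the redirect modifier).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10


def count_spf_lookups(domain, records=TXT_RECORDS, _path=()):
    """Count DNS-querying terms needed to evaluate the SPF record of `domain`."""
    if domain in _path:  # include/redirect loop: stop descending
        return 0
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier (+, -, ~, ?)
        target = ""
        if term.lower().startswith("redirect="):
            total += 1
            target = term.partition("=")[2]
        else:
            name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
            if name in LOOKUP_MECHANISMS:
                total += 1
            if name == "include":
                target = term.partition(":")[2]
        if target:  # nested records spend from the same budget
            total += count_spf_lookups(target, records, _path + (domain,))
    return total


def check_spf_budget(domain, records=TXT_RECORDS):
    used = count_spf_lookups(domain, records)
    return {"domain": domain, "lookups": used, "within_limit": used <= SPF_LOOKUP_LIMIT}


if __name__ == "__main__":
    for name in ("shop.example", "small.example"):
        print(check_spf_budget(name))
```

The top-level record for `shop.example` lists only three lookup terms, yet the nested includes bring the total over the limit, which is why the count has to be done recursively.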
❌ How to Fix DKIM Failures
The Problem:
The email's digital signature is missing or invalid. This means the email might have been tampered with, or DKIM is not configured correctly on the sending platform.
The Solution:
- Log into your email sending service's admin panel (e.g., Google Workspace Admin, Microsoft 365 Defender).
- Navigate to the email authentication or DKIM section.
- Generate a new DKIM key. The service will provide you with a unique TXT or CNAME record.
- Publish this record in your domain's DNS settings. It can take up to 48 hours to propagate.
❌ How to Implement DMARC
The Problem:
Your domain has no DMARC policy, leaving it vulnerable to direct impersonation. Without it, you have no visibility into who is sending email using your domain and can't tell receiving servers to block fraudulent emails.
The Solution (The DMARC Journey):
- Start with a monitoring policy (`p=none`). This will not affect your email delivery but will start sending you reports. Add the following TXT record to your DNS at `_dmarc.yourdomain.com`:
Starter DMARC Record:
`v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;`
- Analyze the reports. Use a DMARC report analysis tool to make sense of the XML reports. Identify all legitimate senders and fix their SPF/DKIM alignment.
- Strengthen your policy. Once you are confident that all legitimate mail is aligned, update your policy to `p=quarantine` and eventually `p=reject` to block spoofing attacks.
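As an added illustration of the report-analysis step (not code from this page or from any DMARC vendor), the script below summarizes one aggregate report per sending IP and lists the sources that still fail DMARC. The report is constructed sample data; its element names follow the RFC 7489 aggregate report schema, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report. Reports arrive from third parties, so in
# production parse them with a hardened XML parser such as defusedxml.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>shop.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>shop.example</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>shop.example</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>shop.example</header_from></identifiers></record>
</feedback>"""


def summarize_report(xml_text):
    """Per source IP: total messages and how many passed DMARC."""
    root = ET.fromstring(xml_text)
    sources = defaultdict(lambda: {"messages": 0, "dmarc_pass": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # policy_evaluated holds the aligned results; DMARC passes if either is "pass".
        aligned = (row.findtext("policy_evaluated/spf"),
                   row.findtext("policy_evaluated/dkim"))
        sources[ip]["messages"] += count
        if "pass" in aligned:
            sources[ip]["dmarc_pass"] += count
    return dict(sources)


def failing_sources(summary):
    """Sources with mail that failed DMARC, highest failing volume first."""
    failing = [(ip, s["messages"] - s["dmarc_pass"])
               for ip, s in summary.items() if s["dmarc_pass"] < s["messages"]]
    return sorted(failing, key=lambda item: item[1], reverse=True)


def pass_rate(summary):
    total = sum(s["messages"] for s in summary.values())
    passed = sum(s["dmarc_pass"] for s in summary.values())
    return passed / total if total else 0.0


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print(f"pass rate {pass_rate(report):.1%}, failing: {failing_sources(report)}")
```

Each failing source is either a legitimate sender that still needs SPF/DKIM alignment or mail you want `p=quarantine` or `p=reject` to stop; the policy should only be tightened once the first group is empty.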
At a Glance: SPF vs. DKIM vs. DMARC
Protocol | What It Verifies | Simplified Analogy |
---|---|---|
SPF | Checks if the email came from an **approved server**. | A security guard checking the delivery truck's license plate against an approved list. |
DKIM | Ensures the email **wasn't tampered with** in transit. | A tamper-proof wax seal on a physical letter. If the seal is broken, you can't trust the contents. |
DMARC | **Enforces SPF and DKIM**, and tells servers what to do with fakes. | The company policy that requires both the license plate and the seal to be valid, and instructs the guard to reject any suspicious mail. |
The Goal: To have all three protocols working together. DMARC at an enforcement policy of `p=reject` is the gold standard for preventing email spoofing. The reward? Better security, improved deliverability, and the ability to use **BIMI** to display your logo in the inbox.
Understanding Email Headers and Authentication
Email headers contain crucial information about an email's journey from sender to recipient. They include authentication results that help identify legitimate emails and detect potential spoofing attempts. Our email header analyzer tool helps you decode these headers and understand SPF, DKIM, and DMARC authentication results.
How to Use the Email Header Analyzer
Get Email Headers: Open your email client and locate the "Show Original" or "View Source" option to access raw headers.
Copy Headers: Select and copy all the header information, including Received, Authentication-Results, and other metadata.
Paste and Analyze: Paste the headers into our tool and click "Analyze Headers" to see authentication results.
Review Results: Check SPF, DKIM, and DMARC status. Green means pass, red means fail, yellow indicates warnings.
Email Authentication Explained
SPF (Sender Policy Framework)
Verifies that the sending server is authorized to send emails for the domain. Prevents basic email spoofing.
DKIM (DomainKeys Identified Mail)
Uses cryptographic signatures to verify email integrity and authenticity. Ensures emails haven't been tampered with.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Builds on SPF and DKIM to provide domain alignment and policy enforcement against spoofing.
Common Email Authentication Issues
SPF Failures
Often caused by email forwarding, missing SPF records, or sending from unauthorized servers. Check that your domain's SPF record includes all legitimate sending sources.
DKIM Issues
May result from missing DKIM signatures, invalid keys, or email modification during transit. Ensure your email service provider has DKIM properly configured.
DMARC Alignment Problems
Occur when the From domain doesn't align with the SPF or DKIM domains. This is common with forwarded emails or third-party sending services.
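The alignment problem described above can be checked directly from raw headers. This added example (not this tool's code) parses `Authentication-Results`, keeps only the header stamped by a receiving server you trust, and tests whether a passing SPF or DKIM domain aligns with the From domain. The sample headers and hostnames are constructed, and the organizational-domain rule is a simplification noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers: a third-party sender passes SPF and DKIM for its own
# domain, but neither domain matches the From domain.
SAMPLE = """\
Authentication-Results: mx.unknown.example; dmarc=pass header.from=shop.example
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=mailer.example header.s=s1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@mailer.example;
 dmarc=fail (p=NONE) header.from=shop.example
From: "Shop Billing" <billing@shop.example>
Subject: Invoice
"""


def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(raw_headers, trusted_authserv):
    """Return (From domain, {method: [result dicts]}) from trusted headers only."""
    msg = message_from_string(raw_headers)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = re.sub(r"\([^)]*\)", "", value).split(";")  # drop (comments)
        if parts[0].strip().lower() != trusted_authserv.lower():
            continue  # stamped by a server we do not control: ignore
        for clause in parts[1:]:
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results.setdefault(method, []).append({"result": result, **props})
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return from_domain, results


def dmarc_alignment(raw_headers, trusted_authserv, strict=False):
    from_domain, results = parse_auth_results(raw_headers, trusted_authserv)
    norm = (lambda d: d.lower()) if strict else org_domain
    def aligned(method, prop):
        return any(r["result"] == "pass" and r.get(prop)
                   and norm(r[prop].rpartition("@")[2]) == norm(from_domain)
                   for r in results.get(method, []))
    spf, dkim = aligned("spf", "smtp.mailfrom"), aligned("dkim", "header.d")
    return {"from": from_domain, "spf_aligned": spf, "dkim_aligned": dkim,
            "dmarc_pass": spf or dkim}
```

For `SAMPLE`, both SPF and DKIM report `pass`, yet the function returns `dmarc_pass: False` because the passing domain is `mailer.example` rather than `shop.example`.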
Frequently Asked Questions
How do I get email headers in Gmail?
In Gmail, open the email, click the three dots menu (⋮), select "Show original", then copy the raw message content including headers.
How do I get email headers in Outlook?
In Outlook, open the email, go to File > Properties (or Message > Actions > Other Actions > View Source), then copy the Internet headers section.
Why does my SPF fail?
SPF fails when the sending server's IP is not authorized in the domain's SPF record, or when emails are forwarded through unauthorized servers.
What does DMARC alignment mean?
For DMARC authentication to succeed, either SPF or DKIM must pass AND the domain it passed for must align with the domain in the From header.
Is this tool safe to use with sensitive emails?
Yes, all analysis is performed locally in your browser. No email content is sent to external servers or stored anywhere.