Free Email Header Analyzer
Instantly trace email origins, detect spam, and verify sender authenticity. No signup required.
Trace Email Source
Find the real sender's IP address and geographic location
Security Analysis
Check SPF, DKIM, DMARC authentication status
Interactive Map
Visualize email routing path on world map
Instant Results
Get comprehensive analysis in seconds
How to Read Email Headers
Email headers are read from bottom to top. The bottom-most Received: line is the originating mail server. Each line above it represents a server that relayed the message until it reached your inbox. Here are the fields that matter most:
Received: from mail-sor-f41.google.com (209.85.220.41)
by mx.example.com with ESMTPS
Tue, 18 Feb 2026 09:14:32 -0500 ← When your server received it
Authentication-Results: mx.example.com;
spf=pass ← Server is authorized to send
dkim=pass ← Message wasn't altered
dmarc=pass ← Domain policy verified
From: John Smith <[email protected]> ← Claimed sender (can be faked)
Return-Path: <[email protected]> ← Actual bounce address (harder to fake)
X-Originating-IP: 73.162.45.118 ← Sender's real IP (not always present)
Message-ID: <[email protected]> ← Unique message identifier
Check the Received: chain
Start at the bottom. The first Received: line shows the originating server's IP address and hostname. Each subsequent line is a relay point. An unusually long chain or servers in unexpected countries can indicate the email was routed through compromised infrastructure.
Compare From: and Return-Path:
The From: field is what you see in your email client — but it's trivially easy to fake. The Return-Path: is the actual address where bounces are sent. If these two domains don't match, the email may be spoofed. For example, a "From: [email protected]" with a Return-Path of "[email protected]" is almost certainly phishing.
Read the Authentication-Results:
This is the verdict line. Look for SPF, DKIM, and DMARC results. All three should say "pass" for a legitimate email. Any "fail" or "none" is a warning sign. Our analyzer checks these automatically and highlights failures in red.
Look for X-Originating-IP:
Some mail servers include this field, which reveals the sender's actual IP address. You can trace this IP to get the sender's approximate geographic location, ISP, and whether they're using a VPN. Major webmail providers (Gmail, Outlook.com, Yahoo) strip this field for privacy — you'll only see Google's or Microsoft's server IPs instead.
Check the timestamps
Each Received: line includes a timestamp. Compare them sequentially — large gaps between hops (more than a few seconds) can indicate the email was queued on a server, which sometimes happens with bulk spam. Timestamps that go backwards are a sign of forged headers.
How to Spot Phishing & Spoofed Emails
The email body can look perfectly legitimate — the real evidence is in the headers. These are the red flags that indicate an email is forged, spoofed, or sent from a compromised account:
If spf=fail appears in Authentication-Results, the sending server wasn't authorized by the domain owner. This is the most common sign of a spoofed sender address. A legitimate company's email will virtually always pass SPF.
A dkim=fail result means the email's cryptographic signature doesn't match. Either the message was altered after being sent (man-in-the-middle attack) or the DKIM signature was forged. Legitimate emails from major providers always pass DKIM.
A "From: [email protected]" with a Return-Path of "[email protected]" is classic spoofing. The From field is cosmetic and easily faked; the Return-Path reveals the actual sending infrastructure. Some legitimate email services (e.g., Mailchimp, SendGrid) have different Return-Path domains, but random unrelated domains are a clear red flag.
If the email claims to be from a US company but the originating IP traces to a hosting provider in Eastern Europe or Southeast Asia, that's suspicious. Use our IP Tracker to geolocate any IP address you find in the headers.
A legitimate email from your bank goes through your bank's mail servers and perhaps a spam filter. If the Received chain includes random hostnames, IP addresses belonging to residential ISPs, or servers in countries unrelated to the sender, the email likely originated from a compromised machine or botnet.
Each hop in the Received chain should have a later timestamp than the one below it. If timestamps go backwards or have impossible gaps, someone has manually added fake Received lines to make the email appear to come from a different origin.
Email Authentication Explained: SPF, DKIM & DMARC
These three protocols work together to verify that an email actually came from who it claims to be from. Think of them as three layers of ID verification for email:
SPF
Sender Policy Framework
What it does: Checks if the sending mail server's IP address is on the domain's authorized list.
Analogy: Like a guest list at a building entrance. The domain owner publishes a list of IP addresses allowed to send on their behalf. If the sending server isn't on the list, SPF fails.
Pass means: The server is authorized to send email for that domain.
Fail means: An unauthorized server sent the email — likely spoofed.
DKIM
DomainKeys Identified Mail
What it does: Adds a cryptographic signature to the email that proves the message body wasn't tampered with after sending.
Analogy: Like a wax seal on a letter. If the seal is broken, you know someone opened and potentially modified it. DKIM uses public-key cryptography instead of wax, but the principle is the same.
Pass means: The email content is exactly what the sender sent.
Fail means: The message was altered in transit or the signature is forged.
DMARC
Domain-based Message Authentication
What it does: Ties SPF and DKIM together and tells receiving mail servers what to do when authentication fails (reject, quarantine, or allow).
Analogy: Like a security policy posted at the entrance. It says: "If someone fails the guest list check AND doesn't have the right seal, reject them." DMARC is the enforcement layer.
Pass means: Both SPF and DKIM align with the From: domain.
Fail means: The email failed authentication and may be fraudulent.
This can happen when an email is forwarded or modified by a mailing list. SPF checks the last sending server (which may be the forwarder's server), but DKIM checks the original signature. If only DKIM fails, the email may be legitimate but was relayed through an intermediary that altered it. Check the Received chain for forwarding hops. If SPF fails but DKIM passes, the email was likely relayed through an unauthorized server but the content is intact.
Our email header analyzer checks all three protocols automatically. Paste any email header above to see the full authentication breakdown with pass/fail results for each check.
Frequently Asked Questions
What is an email header?
An email header contains routing information and metadata about an email message, including sender details, recipient information, timestamps, and the path the email took through various mail servers. It's like a digital envelope that shows where your email came from and how it reached you.
How do I find email headers?
In Gmail: Open email > Click 3 dots > "Show original". In Outlook: Open email > File > Properties > Internet headers. In Apple Mail: View > Message > All Headers. See detailed instructions for all email clients.
What can email header analysis reveal?
Email header analysis reveals the sender's real IP address, geographic location, email authentication status (SPF/DKIM/DMARC), mail server path, timestamps, potential spoofing attempts, and security threats. It's essential for investigating suspicious emails and verifying sender authenticity.
Is this email header analyzer free?
Yes, our email header analyzer is 100% free with no signup required. You get unlimited analyses, instant results, and full access to all features including IP geolocation, security checks, and interactive mapping.
How accurate is the IP location?
Our tool provides city-level accuracy for most IP addresses, typically within 25-50 miles of the actual location. However, VPNs, proxies, and corporate networks may show the server location rather than the sender's physical location.
How do I read an email header?
Read email headers from bottom to top. The bottom-most "Received:" line is the origin server. Each "Received:" line above it is a relay point. Key fields to check: "From:" (claimed sender), "Return-Path:" (actual bounce address), "Authentication-Results:" (SPF/DKIM/DMARC verification), and "X-Originating-IP:" (sender's IP if present). See our step-by-step guide above for a full walkthrough.
What are SPF, DKIM, and DMARC?
SPF verifies that the sending server is authorized by the domain owner. DKIM adds a cryptographic signature proving the email wasn't altered in transit. DMARC ties both together and tells receiving servers what to do when authentication fails. All three should show "pass" in a legitimate email. See our detailed explanation above.
Can you trace who sent an email?
You can trace an email to the sending server's IP address and approximate geographic location using header analysis. However, major providers like Gmail, Outlook.com, and Yahoo strip the sender's original IP for privacy, showing only their own server IPs. For emails sent through corporate servers, ISPs, or smaller providers, the originating IP is usually visible and can be geolocated to a city-level location.
Why doesn't Gmail show the sender's IP address?
Gmail, Outlook.com, Yahoo, and other major webmail providers strip the sender's original IP address from email headers as a privacy protection. When someone sends email through Gmail's web interface, the headers only show Google's mail server IPs. The originating IP is still visible in emails sent through desktop clients (Outlook, Thunderbird), corporate mail servers, or smaller hosting providers.
How can I tell if an email is spoofed?
Check three things in the email header: (1) SPF result — "fail" means the sending server wasn't authorized by the domain. (2) DKIM result — "fail" means the message was altered or the signature is forged. (3) From vs Return-Path mismatch — if the domains don't match, the sender is likely spoofed. Our analyzer checks all three automatically. See our phishing detection guide above for more red flags.