Free Email Header Analyzer

Instantly trace email origins, detect spam, and verify sender authenticity. No signup required.

TRACE

Trace Email Source

Find the real sender's IP address and geographic location

VERIFY

Security Analysis

Check SPF, DKIM, DMARC authentication status

MAP

Interactive Map

Visualize email routing path on world map

FAST

Instant Results

Get comprehensive analysis in seconds

Start Your Analysis

How to extract email headers from your email client

Analyzing email header...

How to Read Email Headers

Email headers are read from bottom to top. The bottom-most Received: line is the originating mail server. Each line above it represents a server that relayed the message until it reached your inbox. Here are the fields that matter most:

← Read from bottom to top

Received: from mail-sor-f41.google.com (209.85.220.41)
    by mx.example.com with ESMTPS
    Tue, 18 Feb 2026 09:14:32 -0500 ← When your server received it

Authentication-Results: mx.example.com;
    spf=pass ← Server is authorized to send
    dkim=pass ← Message wasn't altered
    dmarc=pass ← Domain policy verified

From: John Smith <[email protected]> ← Claimed sender (can be faked)
Return-Path: <[email protected]> ← Actual bounce address (harder to fake)
X-Originating-IP: 73.162.45.118 ← Sender's real IP (not always present)
Message-ID: <[email protected]> ← Unique message identifier
1

Check the Received: chain

Start at the bottom. The first Received: line shows the originating server's IP address and hostname. Each subsequent line is a relay point. An unusually long chain or servers in unexpected countries can indicate the email was routed through compromised infrastructure.

2

Compare From: and Return-Path:

The From: field is what you see in your email client — but it's trivially easy to fake. The Return-Path: is the actual address where bounces are sent. If these two domains don't match, the email may be spoofed. For example, a "From: [email protected]" with a Return-Path of "[email protected]" is almost certainly phishing.

3

Read the Authentication-Results:

This is the verdict line. Look for SPF, DKIM, and DMARC results. All three should say "pass" for a legitimate email. Any "fail" or "none" is a warning sign. Our analyzer checks these automatically and highlights failures in red.

4

Look for X-Originating-IP:

Some mail servers include this field, which reveals the sender's actual IP address. You can trace this IP to get the sender's approximate geographic location, ISP, and whether they're using a VPN. Major webmail providers (Gmail, Outlook.com, Yahoo) strip this field for privacy — you'll only see Google's or Microsoft's server IPs instead.

5

Check the timestamps

Each Received: line includes a timestamp. Compare them sequentially — large gaps between hops (more than a few seconds) can indicate the email was queued on a server, which sometimes happens with bulk spam. Timestamps that go backwards are a sign of forged headers.

How to Spot Phishing & Spoofed Emails

The email body can look perfectly legitimate — the real evidence is in the headers. These are the red flags that indicate an email is forged, spoofed, or sent from a compromised account:

×
SPF fails or is missing

If spf=fail appears in Authentication-Results, the sending server wasn't authorized by the domain owner. This is the most common sign of a spoofed sender address. A legitimate company's email will virtually always pass SPF.

×
DKIM signature fails

A dkim=fail result means the email's cryptographic signature doesn't match. Either the message was altered after being sent (man-in-the-middle attack) or the DKIM signature was forged. Legitimate emails from major providers always pass DKIM.

×
From: and Return-Path: domains don't match

A "From: [email protected]" with a Return-Path of "[email protected]" is classic spoofing. The From field is cosmetic and easily faked; the Return-Path reveals the actual sending infrastructure. Some legitimate email services (e.g., Mailchimp, SendGrid) have different Return-Path domains, but random unrelated domains are a clear red flag.

×
Originating IP in a different country than the claimed sender

If the email claims to be from a US company but the originating IP traces to a hosting provider in Eastern Europe or Southeast Asia, that's suspicious. Use our IP Tracker to geolocate any IP address you find in the headers.

×
Received: chain passes through unexpected servers

A legitimate email from your bank goes through your bank's mail servers and perhaps a spam filter. If the Received chain includes random hostnames, IP addresses belonging to residential ISPs, or servers in countries unrelated to the sender, the email likely originated from a compromised machine or botnet.

×
Timestamps are out of order

Each hop in the Received chain should have a later timestamp than the one below it. If timestamps go backwards or have impossible gaps, someone has manually added fake Received lines to make the email appear to come from a different origin.

Quick phishing check: Paste any suspicious email's header into the analyzer above. If SPF, DKIM, or DMARC show "fail," or if the originating IP is in an unexpected location, do not click any links or download any attachments in the email.

Email Authentication Explained: SPF, DKIM & DMARC

These three protocols work together to verify that an email actually came from who it claims to be from. Think of them as three layers of ID verification for email:

SPF

Sender Policy Framework

What it does: Checks if the sending mail server's IP address is on the domain's authorized list.

Analogy: Like a guest list at a building entrance. The domain owner publishes a list of IP addresses allowed to send on their behalf. If the sending server isn't on the list, SPF fails.

Pass means: The server is authorized to send email for that domain.

Fail means: An unauthorized server sent the email — likely spoofed.

DKIM

DomainKeys Identified Mail

What it does: Adds a cryptographic signature to the email that proves the message body wasn't tampered with after sending.

Analogy: Like a wax seal on a letter. If the seal is broken, you know someone opened and potentially modified it. DKIM uses public-key cryptography instead of wax, but the principle is the same.

Pass means: The email content is exactly what the sender sent.

Fail means: The message was altered in transit or the signature is forged.

DMARC

Domain-based Message Authentication

What it does: Ties SPF and DKIM together and tells receiving mail servers what to do when authentication fails (reject, quarantine, or allow).

Analogy: Like a security policy posted at the entrance. It says: "If someone fails the guest list check AND doesn't have the right seal, reject them." DMARC is the enforcement layer.

Pass means: Both SPF and DKIM align with the From: domain.

Fail means: The email failed authentication and may be fraudulent.

What if an email passes SPF but fails DKIM?

This can happen when an email is forwarded or modified by a mailing list. SPF checks the last sending server (which may be the forwarder's server), but DKIM checks the original signature. If only DKIM fails, the email may be legitimate but was relayed through an intermediary that altered it. Check the Received chain for forwarding hops. If SPF fails but DKIM passes, the email was likely relayed through an unauthorized server but the content is intact.

Our email header analyzer checks all three protocols automatically. Paste any email header above to see the full authentication breakdown with pass/fail results for each check.

Frequently Asked Questions

What is an email header?

An email header contains routing information and metadata about an email message, including sender details, recipient information, timestamps, and the path the email took through various mail servers. It's like a digital envelope that shows where your email came from and how it reached you.

How do I find email headers?

In Gmail: Open email > Click 3 dots > "Show original". In Outlook: Open email > File > Properties > Internet headers. In Apple Mail: View > Message > All Headers. See detailed instructions for all email clients.

What can email header analysis reveal?

Email header analysis reveals the sender's real IP address, geographic location, email authentication status (SPF/DKIM/DMARC), mail server path, timestamps, potential spoofing attempts, and security threats. It's essential for investigating suspicious emails and verifying sender authenticity.

Is this email header analyzer free?

Yes, our email header analyzer is 100% free with no signup required. You get unlimited analyses, instant results, and full access to all features including IP geolocation, security checks, and interactive mapping.

How accurate is the IP location?

Our tool provides city-level accuracy for most IP addresses, typically within 25-50 miles of the actual location. However, VPNs, proxies, and corporate networks may show the server location rather than the sender's physical location.

How do I read an email header?

Read email headers from bottom to top. The bottom-most "Received:" line is the origin server. Each "Received:" line above it is a relay point. Key fields to check: "From:" (claimed sender), "Return-Path:" (actual bounce address), "Authentication-Results:" (SPF/DKIM/DMARC verification), and "X-Originating-IP:" (sender's IP if present). See our step-by-step guide above for a full walkthrough.

What are SPF, DKIM, and DMARC?

SPF verifies that the sending server is authorized by the domain owner. DKIM adds a cryptographic signature proving the email wasn't altered in transit. DMARC ties both together and tells receiving servers what to do when authentication fails. All three should show "pass" in a legitimate email. See our detailed explanation above.

Can you trace who sent an email?

You can trace an email to the sending server's IP address and approximate geographic location using header analysis. However, major providers like Gmail, Outlook.com, and Yahoo strip the sender's original IP for privacy, showing only their own server IPs. For emails sent through corporate servers, ISPs, or smaller providers, the originating IP is usually visible and can be geolocated to a city-level location.

Why doesn't Gmail show the sender's IP address?

Gmail, Outlook.com, Yahoo, and other major webmail providers strip the sender's original IP address from email headers as a privacy protection. When someone sends email through Gmail's web interface, the headers only show Google's mail server IPs. The originating IP is still visible in emails sent through desktop clients (Outlook, Thunderbird), corporate mail servers, or smaller hosting providers.

How can I tell if an email is spoofed?

Check three things in the email header: (1) SPF result — "fail" means the sending server wasn't authorized by the domain. (2) DKIM result — "fail" means the message was altered or the signature is forged. (3) From vs Return-Path mismatch — if the domains don't match, the sender is likely spoofed. Our analyzer checks all three automatically. See our phishing detection guide above for more red flags.

Need more lookups? View Pricing