How Email Header Analysis Works
Every email message carries a set of headers that record its journey from sender to recipient. These headers are added by each mail server that processes the message, creating a chronological trace of the delivery path. When you paste raw headers into this tool, it parses each header field according to RFC 5322 standards, identifying standard fields like From, To, Subject, Date, Message-ID, and Received headers. The Received headers are particularly important because they are prepended by each server in the delivery chain, creating a bottom-to-top record of every hop the message took from origin to destination.
The analyzer extracts timestamps from each Received header and calculates the time delay between consecutive hops, helping you identify bottlenecks in the delivery pipeline. It also parses the Authentication-Results header to display SPF, DKIM, and DMARC verification outcomes as determined by the receiving mail server. The originating IP address is extracted from the earliest Received header, which can be used to determine the geographic origin of the message and check whether the sender's IP is blacklisted. Additionally, the tool decodes MIME-encoded header values, identifies custom X-headers added by spam filters and security gateways, and flags suspicious patterns that may indicate header forgery or message manipulation.
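The hop-delay and authentication parsing described above can be sketched with Python's standard `email` package. This is an added example, not the tool's own code; the function names (`parse`, `hops`, `auth_results`) and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (documentation-range IPs, example domains).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP id C3;
\tTue, 05 Mar 2024 10:00:47 +0000
Received: from gateway.sender.example (gateway.sender.example [203.0.113.20])
\tby mx.recipient.example with ESMTPS id B2;
\tTue, 05 Mar 2024 11:00:05 +0100
Received: from workstation (unknown [192.0.2.15])
\tby gateway.sender.example with ESMTPSA id A1;
\tTue, 05 Mar 2024 10:00:02 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example header.s=sel1;
\tdmarc=fail header.from=sender.example
From: Alice <alice@sender.example>

body
"""

def parse(raw):
    return message_from_string(raw)

def hops(msg):
    """Return hops oldest-first as (from_host, ip, timestamp, delay_seconds)."""
    out, prev = [], None
    # Received headers are prepended, so reverse them for chronological order.
    for value in reversed(msg.get_all("Received", [])):
        if ";" not in value:
            continue  # no timestamp part; malformed or non-standard hop
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        host = re.search(r"from\s+(\S+)", value)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        # Aware datetimes subtract correctly across zones; a negative delay
        # means clock skew or an inconsistent (possibly forged) header.
        delay = (stamp - prev).total_seconds() if prev else 0.0
        out.append((host.group(1) if host else None,
                    ip.group(1) if ip else None, stamp, delay))
        prev = stamp
    return out

def auth_results(msg):
    # Reads the first Authentication-Results header only; rely on it only when
    # its authserv-id is your own receiving server.
    value = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I))
```

Received lines recorded before the first server you control are sender-supplied text, so treat the IP taken from the earliest hop as a lead to corroborate rather than as proof of origin.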
When to Use This Tool
- Investigating suspicious or phishing emails — Examine the delivery path and originating IP to determine whether an email truly came from the claimed sender or was spoofed. Forged headers often contain inconsistencies in timestamps, server names, or authentication results that this tool highlights.
- Diagnosing email delivery delays — If messages are arriving late, the hop-by-hop delay analysis pinpoints exactly which server in the delivery chain introduced the delay, whether it is the sender's outbound server, a security gateway, or the recipient's inbound server.
- Verifying email authentication results — Check whether your outgoing emails pass SPF, DKIM, and DMARC authentication as seen by the recipient's mail server. This is essential for troubleshooting deliverability issues and confirming that your authentication records are working correctly.
- Understanding spam filter decisions — Many spam filters add X-headers with spam scores and classification details. The analyzer surfaces these headers so you can understand why a message was marked as spam or delivered to the inbox.
Understanding Your Results
The results are organized into several sections for easy reading. The delivery path section shows each server hop in chronological order with the server name, IP address, timestamp, and delay from the previous hop. Total delivery time is calculated from the first hop to the last. Delays exceeding a few seconds on any single hop are highlighted as potential issues. The authentication section shows pass, fail, or neutral results for SPF, DKIM, and DMARC checks as reported by the receiving server, along with the specific domain and selector that were evaluated.
The message details section displays the key identifying headers including the sender address, recipient, subject line, message ID, and content type. The originating IP section shows the IP address of the server that first injected the message into the mail system, which is the most reliable indicator of the true sender. If this IP does not match the expected sending infrastructure for the claimed sender domain, it may indicate spoofing. Custom X-headers from spam filters, antivirus scanners, and email security gateways are listed separately, providing insight into how automated systems evaluated the message before delivery.