Free tool
Email header analyzer
Trace every hop and read the SPF / DKIM / DMARC verdict the receiver reported. Your headers stay in your browser: parsing runs locally, nothing is uploaded.
We couldn't find any headers in the first 256 KB of the file. Paste them directly into the box instead.
Analysis
Authentication verdict
SPF
DKIM
DMARC
Overall
Phishing triage
Compare the identities that appear in this message. Mismatches between From, Reply-To, Return-Path, and the signing domains are a common phishing signal — not proof, but a tell worth checking.
Organizational domains for the alignment column are estimated from the Public Suffix List; RFC 9989 receivers may determine them with the DNS tree walk instead.
| Field | Value | Aligned with From? |
|---|
Complaint feedback readiness
Checks message-level headers that help Gmail, RFC 9477 CFBL, and list managers route spam complaints. Provider enrollment itself is external and cannot be proven from one delivered email.
Overall status
Signals found
| Signal | Value | Meaning |
|---|
Provider readiness
Hop timeline
Each row is a Received header, in delivery order. Timestamps are normalized to UTC before computing the gap to the next hop, so timezone-mixed traces do not produce negative delays.
ARC chain
ARC headers record what each intermediary observed and let a downstream receiver vouch for forwarded mail. We parse what the chain claims; we do not validate the seals ourselves.
| i= | Sealed by | Reported cv= | Authentication-Results it claims |
|---|
Microsoft 365 anti-spam decoder
Microsoft 365 stamps inbound mail with X-Forefront-Antispam-Report and X-Microsoft-Antispam. The codes are documented but cryptic. Below: each code's raw value and what it means.
| Code | Value | Meaning |
|---|
DKIM signatures
Every DKIM-Signature header in the message, broken into its tags. We do not verify the signatures — that requires a DNS lookup of the public key at s._domainkey.d.
All headers
Every header in source order.
| Header | Value |
|---|
Monitor your domains automatically
You analyzed one message by hand. A free account collects the DMARC reports for your domain every day and flags spoofing and alignment drift, so you don't read headers one at a time.
What is in an email header?
Every email comes in two parts: the body you read, and a stack of headers that record how the message was built and how it travelled. Those headers are the message's audit trail, defined by RFC 5322. They sort into three families. Routing headers (Received) log each server the message passed through, newest at the top. Authentication headers (Authentication-Results, DKIM-Signature, the ARC-* set) record what the receiving server checked and what it found. Receiver-diagnostic headers, such as Microsoft 365's X-Forefront-Antispam-Report, record what the inbox provider's own filter observed. This analyzer reads these headers and explains them field by field, in your browser. Nothing is uploaded.
When should you analyze a header?
A message looks suspicious
Compare From, Reply-To, Return-Path, and the DKIM signer. If they disagree, the message deserves a closer look before anyone clicks the link inside.
A legitimate message landed in junk
Read the Authentication-Results header from the receiver. If DMARC failed, the hop trace and ARC chain often show whether a forwarder broke alignment.
An admin asks you for headers
Microsoft support and email deliverability teams routinely ask for raw headers. Pasting them into the analyzer gives you a verdict, a hop timeline, and an X-Forefront-Antispam-Report decode in one place.
How DMARCTrust's analyzer is different
Honest about verification
Most tools print SPF=pass / DKIM=pass without telling you who reported it. We label every verdict with its source: per Authentication-Results, signature present (unverified), or unknown.
Privacy you can verify
Parsing runs in your browser. Headers are not uploaded by the analyzer. You can open DevTools and confirm before pasting.
Phishing triage and M365 decoder built in
The phishing triage card and the X-Forefront-Antispam-Report / X-Microsoft-Antispam decoder ship in v1 — the two things mailbox admins ask for most.
How to read each header
Here are the headers you will meet in a typical message, with what each one is and how to read it. This analyzer decodes the routing, authentication, and Microsoft 365 headers below. The rest it shows you in the raw header table. Receiving servers add these headers as the message arrives, so the order and exact spelling vary by provider. The RFC next to each one is the specification that defines it.
Received
RFC 5322
Each Received header logs one hop, the handoff from one mail server to the next. Read them bottom-up: the lowest one is the first server that touched the message, the top one is the server that handed it to you. The line records which host sent it (from), which host received it (by), the protocol used (with), and a timestamp. A long gap between two timestamps points to a queue delay at that hop.
Authentication-Results
RFC 8601
The receiving server writes this header to record what its own checks found. It opens with an authserv-id (the server's name, such as mx.google.com), then lists each method and its result: spf=pass, dkim=pass, dmarc=pass. Each result names the identity it judged, written as ptype.property: smtp.mailfrom for SPF, header.d for the DKIM signing domain, header.from for DMARC. This is the only place the SPF, DKIM, and DMARC verdict actually lives. The analyzer quotes it. It does not re-run the checks.
DKIM-Signature
RFC 6376
The sender adds this header and signs part of the message with a private key. The receiver verifies it against a public key published in DNS. The tags that matter: d= is the signing domain, s= is the selector (so the public key is found at s._domainkey.d), h= lists which headers the signature covers, bh= is the body hash, and b= is the signature itself. The analyzer shows you the tags. Verifying the signature needs a DNS lookup, which it does not do.
Received-SPF
RFC 7208
A human-readable note some receivers add next to the SPF result, naming the connecting IP (client-ip=) and the envelope sender it was checked against. Treat the spf= value inside Authentication-Results as the authoritative result. Received-SPF is a convenience copy.
ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results
RFC 8617
The Authenticated Received Chain lets a forwarder record the authentication result it saw, so a later receiver can still trust mail that broke SPF or DKIM in transit. Each link carries an instance number i= (1 for the first hop, counting up). The ARC-Seal reports a chain-validity value cv=: none means this is the first link, pass means the chain so far validated, fail means it did not. The analyzer reports the cv= each seal claims. It does not validate the seals itself. Read more on DMARC alignment.
Return-Path, From, Reply-To, Sender
RFC 5322
Four addresses that usually agree. From is who the message says it is from, and the identity DMARC judges. Return-Path is the envelope sender, where bounces go, and the identity SPF judges. Reply-To is where a reply is sent. Sender names who actually submitted the message when that differs from From. When these point at unrelated domains, it can be a sign of spoofing. The phishing triage card above compares them for you. Read more on DMARC alignment.
Message-ID
RFC 5322
A globally unique identifier the sending server stamps on the message. Its domain part usually matches the sending system, which is a quick sanity check, and it is the value support teams ask for when they trace a single message through the logs.
Date
RFC 5322
The time the message was composed, as the sender's system reported it. Compare it with the timestamps in the Received headers. A Date far from the first hop's time can signal a misconfigured clock or a replayed message.
X-Forefront-Antispam-Report, X-Microsoft-Antispam
Microsoft 365
Microsoft 365 stamps these on inbound mail to record what its filter observed: the connecting IP and country, the spam and bulk confidence levels, the filter verdict, and any safety tips. They are the first thing to read when legitimate mail lands in Junk on Microsoft 365. The codes are decoded in the next section and in the Microsoft 365 card above.
How to get the raw headers from your email client
Every analysis starts with the raw headers. Here is where to find them in the common email clients. Copy everything from the first line down to the blank line before the message body, or save the message as an .eml file and drop it on the box above.
Gmail
Open the message, click the three-dot menu next to the reply arrow, and choose Show original. Gmail opens a new tab with the full source. Click Copy to clipboard, or click Download Original to save the .eml file and drop it on the analyzer.
Outlook on the web
Open the message, click the three-dot menu at the top of the message, choose View, then View message source. Select all of the text and copy it.
Classic Outlook for Windows
Open the message in its own window by double-clicking it, then choose File, then Properties. The headers sit in the Internet headers box at the bottom. Select all and copy.
New Outlook and Outlook for Mac
Open the message, click the three-dot menu, and choose View, then View source. Copy the text that appears.
Apple Mail
Open the message, then in the menu bar choose View, then Message, then All Headers. You can also press Shift-Command-H. The full headers appear above the body.
Mozilla Thunderbird
Open the message, then in the menu bar choose View, then Headers, then All. Or save the message with File, then Save As, and drop the .eml file on the analyzer.
Reading the Microsoft 365 anti-spam codes
When mail flows through Microsoft 365, Exchange Online Protection stamps the X-Forefront-Antispam-Report and X-Microsoft-Antispam headers with its filtering decision. The codes are documented but terse. Here is what the common ones mean. The analyzer decodes them for you in the Microsoft 365 card above; this table is a reference for reading them by hand.
| Code | What it means |
|---|---|
SCL |
Spam Confidence Level, from -1 to 9. -1 means filtering was bypassed (a safe sender or a mail-flow rule). 0 to 4 counts as not spam. 5 to 6 is spam. 7 to 9 is high-confidence spam. A message scoring 5 or higher usually lands in Junk. |
BCL |
Bulk Complaint Level, from 0 to 9. 0 means the message is not bulk. 4 and above counts as bulk by default. 7 and above is high-confidence bulk. A high BCL is the usual reason a legitimate newsletter gets filtered. |
SFV |
Spam Filter Verdict, the reason for the decision. NSPM not spam, SPM spam, SKN skipped because the source is trusted, SKS sender allow-listed, SKB blocked by a tenant policy, SKQ quarantined, BLK blocked sender. |
CIP |
Connecting IP, the host that opened the SMTP session into Microsoft 365. This is the IP that SPF and IP reputation were evaluated against. |
CTRY |
Country of the connecting IP, as an ISO 3166-1 two-letter code, as Microsoft geolocated it. |
SFTY |
Safety code for the safety tip Microsoft attached. For example, 9.19 marks a phishing tip and 9.20 marks an impersonation tip. |
IPV |
IP reputation result. NLI means the IP is on no reputation list. CAL means it is on a connection allow-list. |
H |
The HELO or EHLO name the sending server presented when it connected. |
PTR |
The reverse-DNS (PTR) record of the connecting IP at delivery time. |
SRV |
Service tag. BULK marks the message as bulk; BULK;OL combines bulk with an outbound flag. |
Microsoft revises these headers from time to time. For the full current list, see Microsoft's anti-spam message headers documentation.
Frequently asked questions
Does this tool upload my headers?
No. The analyzer does not upload your headers. Parsing runs entirely in your browser. You can open DevTools and watch the Network tab while you click Analyze; no request carries your header text. The page itself loads the standard site scripts (analytics, chat) before you paste anything; those scripts never see your header content.
Does it independently verify SPF, DKIM, DMARC, and ARC?
No. The tool reports what the Authentication-Results header says the receiving server verified. To re-verify a DKIM signature or check a published DMARC policy we would need DNS lookups, which would defeat the privacy guarantee. Verdicts are labelled with their provenance: per Authentication-Results, signature present (unverified), or unknown.
How do I view headers in Gmail?
Open the message, click the three-dot menu in the top right of the message, and choose Show original. Gmail opens a new tab with the full source. Copy everything above the first blank line, or click Download Original to save the .eml file.
How do I view headers in Outlook?
Outlook on the web: open the message, click the three-dot menu, choose View, then View message source. Classic Outlook for Windows: open the message in its own window, choose File > Properties, and copy the Internet headers box. New Outlook and Outlook for Mac: open the message, click the three-dot menu, and choose View source.
How do I view headers in Apple Mail?
Open the message, then in the menu bar choose View > Message > All Headers (or press Shift+Cmd+H). The full headers appear above the body.
How do I view headers in Thunderbird?
Open the message, then in the menu bar choose View > Headers > All. You can also save the message as .eml from File > Save As, and drop the .eml on the analyzer.
What does X-Forefront-Antispam-Report mean?
It is a Microsoft 365 header that records what the inbound mail-flow filter observed. The analyzer decodes the codes it carries: CIP (the connecting IP), CTRY (its country), SCL (spam confidence level, -1 to 9), BCL (bulk confidence level 0-9), SFV (the spam filter verdict), SFTY (phishing safety tip), IPV (sender IP allow-list status), and the override flags SOR / SOT / SOI. Each row in the M365 section shows the raw value and a plain-English explanation.
Is it safe to paste a sensitive production header?
Parsing happens locally, so the header text itself is not sent anywhere by the analyzer. If your organisation forbids pasting any production data into a third-party page, follow that policy: it is the safer rule, and you can still verify the privacy claim by watching DevTools while you click Analyze.
Can you tell if an email is spoofed from the header?
Often, though not always with certainty. The header shows tells, not proof. The strongest signal is a DMARC fail in the Authentication-Results header, which means the From domain did not authenticate. The phishing triage card adds more: a From display name that names a brand its address does not match, or a Reply-To and Return-Path on unrelated domains. Any one of these is worth a second look. None of them on its own proves the message is malicious, and a well-built phishing message can still pass the basic checks, so treat the header as one input, not a final verdict. DMARC passes but spoofing continues.
Why does my legitimate email show DMARC=fail?
Almost always because of alignment, not because the message is fake. DMARC passes only when SPF or DKIM authenticates a domain that matches the From domain. When you send through a third-party service (a marketing platform, a help desk, a payroll tool) and have not set up your own domain inside it, SPF passes for the provider's domain and DKIM signs with the provider's domain, so neither aligns with your From. A forwarder breaks alignment the same way. Read the Authentication-Results header and the phishing triage card here to see which identity failed to align, then fix it inside the sending service. ESP mail fails DMARC: per-provider fixes.
Does a DMARC pass mean the email is safe?
No. A DMARC pass tells you one thing: the message genuinely came from the domain in the From address, and was not spoofed. It says nothing about whether that domain is trustworthy or whether the content is safe. An attacker who controls a domain, or who registered a look-alike domain, can send mail that passes DMARC for that domain. Authentication answers "is this really from this domain?", not "should I trust this domain?". Use the pass as a starting point, then judge the sender and the content on their own.
Want continuous DMARC monitoring?
One-off header analysis tells you what happened to one message. DMARCTrust collects your aggregate reports daily and flags spoofing, alignment regressions, and DNS drift across every domain you own.
Want continuous monitoring?
Inbox Inspector watches the real authentication verdict on every campaign your domain sends. Add one address to your sending tool and we'll show you which campaigns pass DMARC.
See pricing →Stop reading headers one at a time
DMARCTrust ingests your DMARC aggregate reports daily, tracks every sender, and tells you when something changes.