Free tool
Email header analyzer
Trace every hop and read the SPF / DKIM / DMARC verdict the receiver reported. Your headers stay in your browser: parsing runs locally, nothing is uploaded.
Analysis
Authentication verdict
| SPF | DKIM | DMARC | Overall |
|---|---|---|---|
Phishing triage
Compare the identities that appear in this message. Mismatches between From, Reply-To, Return-Path, and the signing domains are a common phishing signal — not proof, but a tell worth checking.
| Field | Value | Aligned with From? |
|---|---|---|
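The identity comparison described above, as an added Python example (not DMARCTrust's own code). It assumes a simplified alignment test (exact match or subdomain relation) in place of the Public Suffix List lookup that real DMARC uses; the sample headers and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not taken from a real message).
SAMPLE = """\
Return-Path: <bounce@mail.bank.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel1;
\th=from:to:subject; bh=AAAA; b=BBBB
From: "Example Bank" <support@bank.example.com>
Reply-To: helpdesk@bank-example.test
To: user@receiver.example
Subject: Action required

body
"""

def addr_domain(value):
    """Lowercased domain of the first address in a header value, or None."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else None

def dkim_domains(msg):
    """d= tag of every DKIM-Signature header; the signatures are not verified."""
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            out.append(m.group(1).lower().rstrip("."))
    return out

def aligned(domain, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    # Assumption: real DMARC compares organizational domains (Public Suffix List).
    if not domain or not from_domain:
        return False
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def triage(raw):
    """Return (From domain, [(field, domain, aligned_with_from), ...])."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    rows = [("Reply-To", addr_domain(msg.get("Reply-To"))),
            ("Return-Path", addr_domain(msg.get("Return-Path")))]
    rows += [("DKIM d=", d) for d in dkim_domains(msg)]
    return from_dom, [(f, d, aligned(d, from_dom)) for f, d in rows if d]
```

Calling `triage(SAMPLE)` flags the look-alike Reply-To domain and the third-party DKIM signer as unaligned, while the Return-Path on a subdomain of the From domain counts as aligned.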
Hop timeline
Each row is a Received header, in delivery order. Timestamps are normalized to UTC before computing the gap to the next hop, so timezone-mixed traces do not produce negative delays.
ARC chain
ARC headers record what each intermediary observed and let a downstream receiver vouch for forwarded mail. We parse what the chain claims; we do not validate the seals ourselves.
| i= | Sealed by | Reported cv= | Authentication-Results it claims |
|---|---|---|---|
Microsoft 365 anti-spam decoder
Microsoft 365 stamps inbound mail with X-Forefront-Antispam-Report and X-Microsoft-Antispam. The codes are documented but cryptic. Below: each code's raw value and what it means.
| Code | Value | Meaning |
|---|---|---|
DKIM signatures
Every DKIM-Signature header in the message, broken into its tags. We do not verify the signatures: that requires a DNS lookup of the public key at s._domainkey.d, where s is the selector (the s= tag) and d is the signing domain (the d= tag).
All headers
Every header in source order.
| Header | Value |
|---|---|
What is in an email header?
Every email carries a stack of headers that document its path from the sender's mail server to your inbox. Some of those headers record authentication results (SPF, DKIM, DMARC, ARC). Others trace the hops between servers. A few — like Microsoft 365's X-Forefront-Antispam-Report — record what the receiver's filter observed. The body of the message is what you read; the headers are the audit trail.
When should you analyze a header?
A message looks suspicious
Compare From, Reply-To, Return-Path, and the DKIM signer. If they disagree, the message deserves a closer look before anyone clicks the link inside.
A legitimate message landed in junk
Read the Authentication-Results header from the receiver. If DMARC failed, the hop trace and ARC chain often show whether a forwarder broke alignment.
An admin asks you for headers
Microsoft support and email deliverability teams routinely ask for raw headers. Pasting them into the analyzer gives you a verdict, a hop timeline, and an X-Forefront-Antispam-Report decode in one place.
How DMARCTrust's analyzer is different
Honest about verification
Most tools print SPF=pass / DKIM=pass without telling you who reported it. We label every verdict with its source: per Authentication-Results, signature present (unverified), or unknown.
Privacy you can verify
Parsing runs in your browser. Headers are not uploaded by the analyzer. You can open DevTools and confirm before pasting.
Phishing triage and M365 decoder built in
The phishing triage card and the X-Forefront-Antispam-Report / X-Microsoft-Antispam decoder ship in v1 — the two things mailbox admins ask for most.
Want continuous DMARC monitoring?
One-off header analysis tells you what happened to one message. DMARCTrust collects your aggregate reports daily and flags spoofing, alignment regressions, and DNS drift across every domain you own.
Stop reading headers one at a time
DMARCTrust ingests your DMARC aggregate reports daily, tracks every sender, and tells you when something changes.