🔒 Analysed entirely in your browser — nothing is uploaded or stored.
Every email carries a paper trail
Behind the From line and subject, each message hides a stack of headers that record exactly how it travelled and whether it was trusted. Reading them by hand is painful — they’re written newest-first, timestamps are scattered, and the authentication verdicts are buried. This analyzer turns that raw block into a clear timeline, in your browser, so nothing sensitive leaves the page.
The checks a message passes through — the analyzer shows the verdict your receiver actually recorded.
The delivery path (Received hops)
The most useful part is the Received chain: every mail server that handled the message adds one, stamped with the time it took custody. Because each server prepends its header, the list reads bottom-to-top — so we reverse it and show the journey origin → destination, with the gap between each hop. A 30-second total is normal; a single hop sitting for minutes points to greylisting, a queue, or a misconfigured relay.
What the authentication results tell you
The receiver records its SPF, DKIM and DMARC verdicts in the Authentication-Results header (defined in RFC 8601). Those are the real outcomes for this specific message — not a general domain config — which is what you need when diagnosing why a particular email landed in spam or was rejected. To fix the domain-level cause, jump to the Email Security Checker or the dedicated DMARC and SPF tools.
🛡️ Email going missing or to spam? Servnet diagnoses deliverability end-to-end — authentication, routing and sending reputation. Get help →
Email headers — common questions
What is an email header analyzer?
Email headers are the hidden metadata at the top of every message — who relayed it, when, and whether it passed authentication. This tool parses that raw block into a readable timeline: the chain of mail servers (“Received” hops) the message passed through, the SPF/DKIM/DMARC verdicts, the delay at each hop, and the key fields (From, Subject, Message-ID, originating IP).
How do I get the raw headers from my email?
In Gmail, open the message → the three-dot menu → “Show original”. In Outlook (desktop), open the message → File → Properties → Internet headers. In Apple Mail, View → Message → Raw Source. In Outlook on the web, open the message → ⋯ → View → View message source. Copy the whole block and paste it in.
How do I read the “Received” chain?
Each Received header is one hop. They’re written newest-first (top = the last server, your mailbox), so the journey reads bottom-to-top. This tool reverses them for you, showing origin → destination with the time spent at each hop, so a slow or suspicious relay stands out.
What do the SPF, DKIM and DMARC results mean here?
Those come from the receiving server’s Authentication-Results header (RFC 8601), which records the verdict it reached: pass means the check succeeded for this specific message, fail means it didn’t, and none/neutral means it wasn’t evaluated. They reflect what actually happened to this message — complementing a domain-level check with the Email Security Checker.
Why is one hop much slower than the others?
Large per-hop delays usually mean greylisting (a deliberate “try again later” to deter spam), a queue on a busy server, or a misconfigured relay. The timeline flags the slowest hop so you can see where a delayed email actually got stuck.
Is it safe to paste my headers here?
Yes — the analysis runs entirely in your browser with JavaScript. Nothing is uploaded or stored, which matters because headers contain email addresses and IPs. You can paste sensitive headers safely.
Can it tell me where a suspicious email really came from?
It shows the originating IP from the earliest Received hop and the authentication results, which together expose most spoofing — but a determined sender can forge lower hops, so treat the origin as strong evidence, not absolute proof. Pair it with a DMARC check on the From domain.