Why analyze email headers?
Email headers (also called "message headers", "email source", "raw headers", or "original message") record every step of your message's journey: sending server, routing, security checks (SPF/DKIM/DMARC), anti-spam verdicts. This free message header analyzer (RFC 822 parser) lets you view and decode the email source code for a complete deliverability diagnostic. Without analysis, you're working blind.
Three main use cases:
- Emails in spam → Discover if it's SPF, DKIM, DMARC or content
- Email not delivered → Find where it stopped and why
- Verify email authenticity → Detect phishing and spoofing attempts
How to use the analyzer in 3 steps
Step 1: Extract raw header
Gmail / Google Workspace:
- Open the email
- Click the 3 dots (⋮) → "Show original"
- Copy all text
Outlook / Microsoft 365:
- Open the email
- Click "Actions" (⋯) → "View message details"
- Copy the content
Apple Mail:
- Open the email
- Menu "Message" → "Show all headers"
- Copy the text
Step 2: Paste in analyzer
Paste the complete raw header in the form above. The tool automatically analyzes:
- ✅ SPF, DKIM, DMARC, BIMI authentication
- ✅ Anti-spam verdicts (Gmail, Microsoft, etc.)
- ✅ Routing and intermediate servers
- ✅ Anomalies and spoofing risks
Step 3: Read results
You get a clear report with:
- Authentication status (pass/fail for each protocol)
- Failure reason (if applicable)
- Recommended actions to fix
What is an email header?
An email header (also called "message header", "email source code", "raw header", "original message") is the complete history of a message: who sent it, through which server, what checks were performed, and what verdict was issued. Knowing how to show original email in Gmail or view message source in Outlook helps you understand exactly what happened.
Unlike the email body (which you see), the header is immutable: it cannot be forged once sent. That's why security investigators and email administrators use it to verify email authenticity and identify phishing attempts.
Simplified example:
From: alice@captaindns.com
To: bob@captaindns.com
Date: 19 Jan 2026 10:30:00 +0000
Authentication-Results: pass spf=pass dkim=pass dmarc=pass
X-Spam-Score: 2.1 (LOW)
Received: from mail.captaindns.com (203.0.113.5) by mail.captaindns.com
What does the tool analyze exactly?
Email authentication (SPF, DKIM, DMARC, BIMI)
| Protocol | Checks | Result |
|---|---|---|
| SPF | Is the sending server authorized? | ✅ Pass / ❌ Fail |
| DKIM | Was the email modified in transit? | ✅ Pass / ❌ Fail |
| DMARC | Is sender aligned with SPF/DKIM? | ✅ Pass / ❌ Fail |
| BIMI | Brand logo authenticated? | ✅ Present / ❌ Absent |
Anti-spam verdicts
The analyzer displays verdicts from:
- Gmail (spam score, final verdict)
- Microsoft 365 (Outlook, Exchange)
- Other providers (detected in headers)
Routing and servers
Complete trace of email path:
- Original sending server
- Intermediate servers (relays)
- Final receiving server
- Delays and timestamps
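The routing trace described above can be reproduced from the Received lines alone. The following is an added example, not the analyzer's own code; the sample headers are constructed, and the function names and the thresholds (8 hops, 300 seconds) are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_tz, mktime_tz

# Constructed sample headers (not from a real message), newest hop first.
RAW = """\
Received: from mx.recipient.example (10.0.0.5) by mbox.recipient.example;
 Mon, 19 Jan 2026 10:30:09 +0000
Received: from relay.example.net (198.51.100.7) by mx.recipient.example;
 Mon, 19 Jan 2026 10:30:07 +0000
Received: from mail.captaindns.com (203.0.113.5) by relay.example.net;
 Mon, 19 Jan 2026 10:30:01 +0000
From: alice@captaindns.com
"""

def trace_hops(raw):
    """Return hops oldest-first: dicts with from, by, epoch, delay (seconds)."""
    hops, prev = [], None
    # Each server prepends its own Received line, so reverse for time order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        info, sep, stamp = flat.rpartition(";")   # date follows the last ';'
        if not sep:
            info, stamp = flat, ""
        m_from = re.search(r"\bfrom\s+(\S+)", info)
        m_by = re.search(r"\bby\s+(\S+)", info)
        parsed = parsedate_tz(stamp.strip())      # None if missing or malformed
        when = mktime_tz(parsed) if parsed else None
        known = when is not None and prev is not None
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "epoch": when, "delay": when - prev if known else None})
        prev = when if when is not None else prev
    return hops

def suspicious(hops, max_hops=8, max_delay=300):
    """Flag long chains, slow hops and timestamps that run backwards."""
    flags = ["too-many-relays"] if len(hops) > max_hops else []
    for i, hop in enumerate(hops):
        if hop["delay"] is not None and hop["delay"] < 0:
            flags.append(f"hop{i}-time-goes-backwards")
        elif hop["delay"] is not None and hop["delay"] > max_delay:
            flags.append(f"hop{i}-slow")
    return flags
```

Received lines are written by each server that handled the message, so the hops recorded before your own receiving server are only as reliable as the servers that wrote them. Small negative delays usually mean clock skew between relays.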
Anomaly detection
The tool automatically flags:
- ⚠️ Potential spoofing (From ≠ real domain)
- ⚠️ Failed DMARC alignment
- ⚠️ Invalid DKIM certificate
- ⚠️ Suspicious routing (too many relays)
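The authentication and anomaly checks listed above come down to reading the Authentication-Results header and comparing the authenticated domains with the From domain. The following is an added example, not the analyzer's own code; the sample headers are constructed, and the function names, flag names and the `trusted_authserv_id` parameter are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real): forwarded mail plus a line our receiver did not write.
RAW = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounce@forwarder.example;
 dkim=fail (body hash mismatch) header.d=captaindns.com;
 dmarc=fail header.from=captaindns.com
Authentication-Results: other.example; spf=pass; dkim=pass; dmarc=pass
From: Alice <alice@captaindns.com>
"""

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header."""
    value = re.sub(r"\([^)]*\)", " ", value)      # drop (comments)
    parts = [p.split() for p in value.split(";")]
    authserv_id = parts[0][0].lower() if parts[0] else ""
    results = []
    for tokens in parts[1:]:
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def analyze(raw, trusted_authserv_id):
    """Return anomaly flags, trusting only results from our own receiver."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    flags = []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(value)
        if authserv_id != trusted_authserv_id:
            flags.append("untrusted-auth-results:" + authserv_id)
            continue
        for method, result, props in results:
            if method in ("spf", "dkim", "dmarc") and result != "pass":
                flags.append(f"{method}-{result}")
            ident = props.get("smtp.mailfrom") or props.get("header.d")
            # Strict (exact-match) alignment; relaxed mode needs the Public Suffix List.
            if method in ("spf", "dkim") and ident and domain_of(ident) != from_dom:
                flags.append(f"{method}-unaligned")
    return flags
```

Only the Authentication-Results line stamped with your own receiving server's identifier reflects checks that server performed (RFC 8601); lines carrying any other identifier are reported here rather than believed.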
Why do my emails go to spam?
This is the most common question. Header analysis usually reveals one of these causes:
| Cause | What the header shows | Solution |
|---|---|---|
| Failed SPF | spf=fail or spf=softfail | Add the sending server to your SPF record |
| Invalid DKIM | dkim=fail or dkim=none | Configure or repair the DKIM signature |
| Failed DMARC | dmarc=fail with p=reject or p=quarantine | Fix SPF/DKIM to align the domain |
| High spam score | X-Spam-Score: 8.5 or similar | Review content (links, images, keywords) |
| Blacklisted IP | RBL or blocklist mentions in headers | Check your sending IP reputation |
Tip: Paste your headers in the analyzer above to identify exactly which cause is affecting your emails.
Real-world use cases
Incident 1: All your emails land in spam
Symptom: You send newsletters, but 80% land in spam.
Diagnosis: Paste a spam email in the analyzer.
- SPF = ❌ Fail → Your server is not authorized
- DKIM = ✅ Pass
- DMARC = ❌ Fail (SPF failed)
Action: Add your server to your SPF record.
Incident 2: A specific email doesn't arrive
Symptom: You send an important email, recipient doesn't receive it.
Diagnosis: Ask recipient to check headers.
- Routing = ✅ Delivered to Microsoft
- Verdict = ❌ Rejected by anti-spam filter
- Spam Score = 8.5 (VERY HIGH)
Action: Check links, attachments, or content triggering the filter.
Incident 3: You suspect phishing
Symptom: An email claims to come from your bank, but something seems off.
Diagnosis: Paste header in analyzer.
- From = noreply@captaindns.com
- SPF = ❌ Fail (unauthorized domain)
- DKIM = ❌ Fail (invalid signature)
- DMARC = ❌ Fail
Conclusion: It's phishing. Email doesn't really come from your bank.
Incident 4: Forwarding fails
Symptom: You forward emails to a colleague, but they land in spam.
Diagnosis: Analyzer shows:
- Routing = 3 servers (original → your server → colleague's server)
- DKIM = ❌ Fail (signature broken after forwarding)
- SPF = ✅ Pass (but DMARC fails)
Action: Configure DMARC with p=none or use ARC (Authenticated Received Chain).
FAQ - Frequently asked questions
Q: What exactly is an email header?
A: It's the complete history of an email: sender, recipient, servers crossed, security checks (SPF/DKIM/DMARC), anti-spam verdicts. The header cannot be forged.
Q: How do I extract headers from my email?
A: It depends on your client:
- Gmail: Open email → 3 dots (⋮) → "Show original"
- Outlook: Open email → "Actions" → "View message details"
- Apple Mail: Menu "Message" → "Show all headers"
Q: Why does my email land in spam?
A: Most common reasons:
- Failed SPF: Your sending server is not authorized
- Invalid DKIM: Email was modified or signature is broken
- Failed DMARC: SPF or DKIM failed + domain not aligned
- Content: Suspicious links, attachments, or "spam" keywords
- Reputation: Your IP or domain has poor reputation
Q: What's the difference between SPF, DKIM and DMARC?
A:
- SPF: "Who can send from my domain?" (whitelist of IPs/servers)
- DKIM: "Was this email modified?" (cryptographic signature)
- DMARC: "Are SPF and DKIM aligned?" (authentication policy)
Analogy: SPF = list of authorized couriers, DKIM = seal on package, DMARC = verify seal and courier match.
Q: Is the tool free?
A: Yes, the header analyzer is 100% free with no signup. Paste your headers and get instant results.
Q: Are my headers secure?
A: Yes. Headers never contain sensitive data (no passwords, no private content). They only contain technical information (servers, domains, verdicts). We don't store your data.
Q: What should I do after analysis?
A: It depends on results:
- SPF failed → Add your server to your SPF record
- DKIM failed → Check your DKIM key or regenerate it
- DMARC failed → Configure DMARC with appropriate policy
- High spam → Check content
Complementary tools
| Tool | Purpose |
|---|---|
| SPF Inspector | Verify and fix your SPF record |
| DKIM Inspector | Validate your DKIM signature |
| DMARC Inspector | Configure and test your DMARC policy |
| DNS Propagation Checker | Confirm your DNS records are propagated globally |
| IP Blacklist Checker | Check if your IP is blacklisted |
| Domain Blacklist Checker | Check if your domain is blacklisted |
Useful resources
- RFC 5322 - Internet Message Format (official header specification)
- Google - Authenticate emails (Gmail guide)
- Microsoft - Email authentication (Outlook/Microsoft 365 guide)