Email Header Analyzer
Advanced email authentication checker - Verify SPF, DKIM, DMARC & trace sender IP
How to Extract Email Headers
Email headers contain critical metadata about the message's journey from sender to recipient. Learning how to extract these headers is essential for email authentication, security analysis, and fraud investigation.
Gmail
1. Open the email
2. Click the three-dot menu (More)
3. Click "Show original"
4. Click "Download Original" to save as .eml, or copy the headers
Outlook (Web)
1. Open the email
2. Click the three-dot menu (Actions)
3. Select View > View message source
4. Select all and copy, or use "Save as" (.eml) if available
Outlook (Desktop)
1. Drag the email from your inbox to a folder to save as .eml
2. Or: double-click the email > File > Save As > choose .msg or .eml
3. Upload the saved file here for best results
Yahoo Mail
1. Open the email
2. Click the three-dot menu (More actions)
3. Click "View raw message"
4. Select all and copy, or right-click the page and "Save As" to save the raw source
Apple Mail
1. Select the email
2. File > Save As… > choose "Raw Message Source" format
3. Or: View > Message > All Headers, then select all and copy
Thunderbird
1. Select the email
2. File > Save As > File (.eml)
3. Upload the saved .eml file here, or use View > Message Source (Ctrl+U) and copy
What Email Headers Reveal for Open Source Intelligence
Email headers are a rich source for open source intelligence (OSINT) investigations. They contain metadata that can help identify senders, trace email routes, and detect fraudulent activity.
Sender Information
- Sender's IP Address: Reveals the geographic location and ISP of the sender
- Email Client: Identifies the software or service used to send the email
- Return-Path: Shows the actual email address where bounces are sent
- Reply-To Address: May differ from the sender, indicating potential spoofing
Authentication & Security
- SPF Records: Verify whether the sender is authorized to send from that domain
- DKIM Signature: Confirms the email hasn't been tampered with in transit
- DMARC Policy: Shows the domain's email authentication policy
- ARC Authentication: Tracks authentication results through forwarding chains
Routing & Delivery Path
- Received Headers: Complete path showing every server the email passed through
- Timestamps: Exact times when the email was processed at each hop
- Mail Servers: Identifies all intermediate servers and their locations
- Delivery Delays: Time taken at each hop can reveal processing issues
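The routing fields above can be rebuilt into a hop-by-hop timeline. The following is an added example, not the analyzer's own code; the function name `receivedHops` and the sample headers are constructed for illustration.

```javascript
// Added example (not the analyzer's code). SAMPLE_HOPS is constructed and uses
// documentation domains and IP ranges only.
const SAMPLE_HOPS = [
  'Received: from mx.example.net (mx.example.net [198.51.100.7])',
  '\tby inbound.example.org with ESMTPS id abc123;',
  '\tTue, 04 Mar 2025 09:59:50 +0000',
  'Received: from relay.example.com (relay.example.com [203.0.113.25])',
  '\tby mx.example.net with ESMTP id def456;',
  '\tTue, 04 Mar 2025 05:00:04 -0500',
  'Received: from [192.0.2.10] (unknown [192.0.2.10])',
  '\tby relay.example.com with ESMTPSA id ghi789;',
  '\tTue, 04 Mar 2025 10:00:02 +0000',
  'From: Alice <alice@example.com>',
].join('\r\n');

function receivedHops(rawHeaders) {
  // Unfold continuation lines, then keep only the Received headers.
  const lines = rawHeaders.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/);
  const pick = (s, re) => (s.match(re) || [])[1] || null;
  const hops = lines
    .filter((l) => /^received:/i.test(l))
    .map((l) => ({
      from: pick(l, /\bfrom\s+(\S+)/i),
      by: pick(l, /\bby\s+(\S+)/i),
      ip: pick(l, /\[(\d{1,3}(?:\.\d{1,3}){3})\]/), // IPv4 literals only
      // The hop's timestamp is the text after the last semicolon.
      time: Date.parse(l.slice(l.lastIndexOf(';') + 1).trim()),
    }))
    .reverse(); // each server prepends its header, so the oldest hop is last
  // Only hops written by servers you trust are reliable; older ones are
  // supplied by the sending side and can be forged.
  return hops.map((h, i) => {
    const delaySec = i === 0 ? 0 : (h.time - hops[i - 1].time) / 1000;
    // NaN (unparseable date) and negative delays are both worth a look.
    return { ...h, delaySec, anomaly: !(delaySec >= 0) };
  });
}
```

In the sample, the second hop's `-0500` timestamp normalizes to a 2-second delay, while the final hop is stamped 14 seconds before the previous one and is marked as an anomaly, which in practice is often clock skew rather than forgery.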
Technical Metadata
- Message-ID: Unique identifier for tracking and correlation
- Content-Type: Reveals email format and encoding methods
- X-Headers: Custom headers that may contain additional tracking data
- MIME Version: Email structure and attachment information
How It Works Without Sending Your Data
Your privacy and security are our top priorities. Our email header analyzer is designed with a privacy-first approach that ensures your sensitive data never leaves your control.
Client-Side Processing
All analysis happens in your browser using JavaScript
No Data Storage
We don't store, log, or save any email headers you analyze
100% Secure
Your data stays on your device throughout the entire process
Technical Details
- Local Parsing: Email headers are parsed entirely in your browser using JavaScript, with no server-side processing
- No External Requests: The analysis doesn't make any external API calls or send data to third parties
- Memory Only: Data exists only in your browser's memory and is cleared when you close the tab
- Open Source: Our code is transparent and can be audited for security verification
Red Flags to Look For
When analyzing email headers, certain indicators can reveal potential phishing attempts, spoofing, or other malicious activities. Here are the critical red flags to watch for:
Authentication Failures
- SPF Fail: Sender's IP is not authorized to send from this domain
- DKIM Fail: Email signature is invalid or missing, indicating tampering
- DMARC Fail: Email doesn't meet the domain's authentication requirements
- Multiple Failures: Combination of failed checks is a strong phishing indicator
Suspicious Sender Information
- Mismatched Domains: From address domain differs from Return-Path domain
- Reply-To Mismatch: Reply-To address is different from the sender
- Look-alike Domains: Domain names that mimic legitimate companies (e.g., paypa1.com)
- Free Email Services: Corporate emails sent from Gmail, Yahoo, etc.
Unusual Routing Patterns
- Unexpected Geographic Route: Email from a US company routed through foreign countries
- Too Many Hops: Excessive number of mail servers in the delivery path
- Suspicious Servers: Unknown or untrusted mail servers in the chain
- Time Anomalies: Timestamps that don't make logical sense
Technical Red Flags
- Missing Headers: Critical headers like Message-ID or Date are absent
- Malformed Headers: Improperly formatted or invalid header syntax
- Suspicious X-Headers: Custom headers with tracking or malicious code
- Encoding Issues: Unusual character encoding that may hide malicious content
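Several of the red flags above can be checked mechanically from the raw header block. The following is an added example, not the analyzer's own code; `parseHeaders`, `addrDomain`, `related` and `redFlags` are hypothetical names, the sample message is constructed, and the domain comparison is an approximation of relaxed alignment.

```javascript
// Added example (not the analyzer's code). SAMPLE_MSG is constructed and uses
// reserved documentation domains only.
const SAMPLE_MSG = [
  'Return-Path: <bounce@mailer.example.net>',
  'Authentication-Results: mx.example.org;',
  ' spf=fail smtp.mailfrom=mailer.example.net;',
  ' dkim=none; dmarc=fail header.from=example.com',
  'From: "accounts@example.org" <billing@example.com>',
  'Reply-To: payments@example.org',
  'Date: Tue, 04 Mar 2025 10:00:09 +0000',
  'Subject: Invoice overdue',
].join('\r\n');

function parseHeaders(raw) {
  // Keep only the header block (up to the first blank line), then unfold it.
  const block = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, ' ');
  return block.split(/\r?\n/).map((l) => {
    const i = l.indexOf(':');
    return [l.slice(0, i).trim().toLowerCase(), l.slice(i + 1).trim()];
  });
}

function addrDomain(value) {
  // Prefer the addr-spec in <...>: a display name may itself contain an "@".
  const m = value.match(/<([^<>]*)>\s*$/);
  const addr = m ? m[1] : value;
  const at = addr.lastIndexOf('@');
  return at < 0 ? null : addr.slice(at + 1).trim().toLowerCase();
}
// Approximate relaxed alignment: equal, or one is a subdomain of the other.
// Exact organizational-domain matching needs the Public Suffix List.
const related = (a, b) => a === b || a.endsWith('.' + b) || b.endsWith('.' + a);

function redFlags(raw) {
  const headers = parseHeaders(raw);
  const first = (name) => (headers.find(([n]) => n === name) || [])[1] || '';
  const flags = [];
  // Assumes the topmost Authentication-Results was added by your own receiver.
  for (const [, m, r] of first('authentication-results').matchAll(/\b(spf|dkim|dmarc)=(\w+)/gi)) {
    if (r.toLowerCase() !== 'pass') flags.push(`${m}=${r}`.toLowerCase());
  }
  const from = addrDomain(first('from'));
  for (const name of ['return-path', 'reply-to']) {
    const d = addrDomain(first(name));
    if (from && d && !related(from, d)) flags.push(`${name} domain ${d} != From domain ${from}`);
  }
  for (const name of ['message-id', 'date']) if (!first(name)) flags.push(`missing ${name}`);
  return flags;
}
```

A Return-Path on a different domain is common for legitimate mail sent through third-party services, so treat that flag as a reason to look closer rather than a verdict.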
What to Do If You Find Red Flags
For Cybersecurity & Criminal Investigators
Email header analysis is a critical skill for cybersecurity professionals and law enforcement. Our tool provides the forensic-grade analysis needed for investigations, incident response, and legal proceedings.
Investigation Use Cases
- Phishing Investigations: Trace the origin of phishing campaigns and identify threat actors
- Business Email Compromise (BEC): Detect email spoofing in corporate fraud cases
- Threat Intelligence: Gather IOCs (Indicators of Compromise) from malicious emails
- Incident Response: Analyze email-based attacks during security incidents
- Digital Forensics: Collect evidence for legal proceedings and court cases
Forensic Features
- IP Geolocation: Identify sender's geographic location and ISP information
- Timeline Analysis: Reconstruct email delivery timeline with precise timestamps
- Authentication Verification: Validate SPF, DKIM, and DMARC for legitimacy
- Server Chain Analysis: Map complete routing path through mail infrastructure
- Anomaly Detection: Identify suspicious patterns and inconsistencies
Legal & Compliance
Evidence Collection
Generate detailed reports suitable for legal proceedings and court submissions
Chain of Custody
Maintain forensic integrity with timestamped analysis and documentation
Compliance Auditing
Verify email security compliance with industry standards and regulations
Frequently Asked Questions
What is an email header and why is it important?
An email header is the metadata section of an email that contains technical information about the message's origin, route, and authentication. It includes details like sender IP address, mail servers, timestamps, and authentication results (SPF, DKIM, DMARC).
Email headers are crucial for:
- Verifying the legitimacy of an email sender
- Detecting phishing and spoofing attempts
- Tracing the origin of suspicious emails
- Troubleshooting email delivery issues
- Conducting cybersecurity investigations
Is it safe to analyze email headers on this website?
Yes, it's completely safe. Our email header analyzer uses client-side processing, meaning all analysis happens directly in your browser using JavaScript. Your email headers never leave your device or get sent to our servers.
We prioritize your privacy:
- No data is stored, logged, or transmitted to external servers
- All processing occurs locally in your browser
- Data exists only in browser memory and is cleared when you close the tab
- No cookies or tracking mechanisms are used for analysis
What do SPF, DKIM, and DMARC mean?
These are email authentication protocols that help verify the legitimacy of email senders:
- SPF (Sender Policy Framework): Verifies that the sending mail server is authorized to send emails on behalf of the domain. It checks if the sender's IP address is listed in the domain's SPF record.
- DKIM (DomainKeys Identified Mail): Uses cryptographic signatures to verify that the email content hasn't been tampered with during transit. It ensures the message integrity and authenticity.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): Builds on SPF and DKIM to provide a policy framework for email authentication. It tells receiving servers what to do if authentication checks fail.
How can I tell if an email is a phishing attempt?
Look for these red flags in the email header analysis:
- Failed Authentication: SPF, DKIM, or DMARC checks show "Fail" status
- Mismatched Domains: The "From" address domain doesn't match the Return-Path or Reply-To domain
- Suspicious IP Addresses: Sender IP is from an unexpected country or known malicious source
- Look-alike Domains: Domain names that mimic legitimate companies (e.g., paypa1.com instead of paypal.com)
- Unusual Routing: Email passes through unexpected countries or too many mail servers
- Free Email Services: Corporate emails sent from Gmail, Yahoo, or other free services
If you find multiple red flags, do not click any links or download attachments. Delete the email and report it to your IT department.
Can I use this tool for legal or forensic investigations?
Yes, absolutely. Our email header analyzer provides forensic-grade analysis suitable for:
- Cybersecurity incident response and investigation
- Digital forensics and evidence collection
- Law enforcement investigations
- Corporate fraud and BEC (Business Email Compromise) cases
- Threat intelligence gathering
The tool provides detailed information including IP geolocation, authentication results, routing paths, and timestamps that can be used as evidence. However, we recommend:
- Documenting your analysis process and findings
- Preserving the original email headers as evidence
- Following proper chain of custody procedures
- Consulting with legal counsel for court proceedings
What should I do if I find a suspicious email?
If the email header analysis reveals red flags, follow these steps:
- Don't Interact: Do not click any links, download attachments, or reply to the email
- Document: Take screenshots of the email and save the header analysis results
- Report: Forward the email to your IT security team or email provider's abuse department
- Delete: Remove the email from your inbox after reporting
- Alert Others: If it's a targeted attack, warn colleagues who might receive similar emails
- Change Passwords: If you clicked any links or provided information, change your passwords immediately
- Monitor Accounts: Watch for unusual activity in your email and financial accounts
For Organizations: Report to your Security Operations Center (SOC) or IT security team immediately. They can investigate further and implement protective measures.
Why do some emails show "Not specified" for domain information?
"Not specified" appears when the email header doesn't contain explicit domain information in certain fields. This can happen for several reasons:
- Missing Authentication Records: The sending domain hasn't configured SPF, DKIM, or DMARC
- Incomplete Headers: Some email clients or servers may strip certain header information
- Legacy Systems: Older email systems may not include modern authentication headers
- Forwarded Emails: Email forwarding can sometimes obscure original sender information
While "Not specified" doesn't automatically mean the email is malicious, it does mean you should be extra cautious and look for other verification methods, such as:
- Verifying the sender's email address directly
- Checking the sender's IP address and location
- Looking for other red flags in the routing path
- Contacting the supposed sender through a known, trusted channel
Can I analyze emails from mobile devices?
Yes! Our email header analyzer is fully responsive and works on mobile devices, tablets, and desktops. However, extracting email headers on mobile can be more challenging:
Tap and hold the email, select "Forward", then look for the header information in the forwarded message. Alternatively, use the "View Headers" option if available.
Tap the three dots menu → "Show original" → Copy the displayed headers.
This can be challenging on mobile. We recommend using the desktop version for easier header extraction.
Tip: For the best experience and easier header extraction, we recommend using a desktop or laptop computer when possible.