Email Header Analyzer

Paste email headers to trace the routing path, extract sender IPs with geolocation, and check SPF, DKIM, and DMARC authentication results. Free online email forensics tool.

How to Get Email Headers

  1. Gmail

    Open the email, click the three-dot menu (⋮) in the top right, and select 'Show original'. Copy the full headers from the popup.
  2. Outlook

    Open the email, go to File > Properties. The headers are in the 'Internet headers' box at the bottom. Select all and copy.
  3. Apple Mail

    Open the email, go to View > Message > All Headers. Copy the displayed headers.
  4. Paste and analyze

    Paste the copied headers into the text area above and click 'Analyze Headers' to see the routing path, authentication results, and IP geolocation data.

Common Use Cases

  1. Phishing Detection

    Verify if an email claiming to be from a trusted sender actually originated from their servers. Check SPF, DKIM, and DMARC results to detect spoofed messages.
  2. Email Delivery Troubleshooting

    Trace the routing path to identify where delays or bounces occur. Identify misconfigured mail servers causing delivery failures.
  3. Security Investigations

    Extract the sender's real IP address from headers to determine their geographic location and ISP. Useful for reporting abuse or identifying threat actors.
  4. Compliance Auditing

    Verify that emails are properly authenticated and routed through approved mail servers for compliance with organizational security policies.

Why Analyze Email Headers?

Email headers contain the complete routing history of a message, from sender to recipient. By analyzing these headers, you can trace the geographic path an email took, verify authentication (SPF, DKIM, DMARC) to detect spoofing, identify the sender's real IP address, and diagnose delivery issues. This is essential for security investigations, phishing detection, and email deliverability troubleshooting.

Email Header Analyzer is a free tool that parses raw email headers to reveal the complete routing history, sender authentication status, and geographic origin of any email. Every email carries hidden metadata in its headers, including the IP addresses of every server that handled the message, timestamps showing transit delays, and authentication results from SPF, DKIM, and DMARC checks.

This tool extracts and visualizes that data, geolocating each IP address to show where in the world the email traveled. It flags suspicious patterns like authentication failures, unusual routing paths, and geographic anomalies that may indicate phishing or spoofing attempts. Combine it with our IP Address Lookup for detailed analysis of specific sender IPs.

How It Compares

Most email header analyzers are basic text parsers that show raw header data without context. FindUtils Email Header Analyzer goes further by geolocating every IP address in the headers, visually displaying the hop-by-hop routing path with timing data, and automatically checking SPF/DKIM/DMARC authentication results. All processing happens in your browser for maximum privacy.

Tips for Email Header Analysis

  1. Always copy the FULL headers, not just the visible portion. Partial headers may miss important routing information.
  2. Read the Received headers from bottom to top. The bottom entry is the originating server, and each subsequent entry is a hop along the delivery path.
  3. SPF, DKIM, and DMARC should all show 'pass' for legitimate emails. Any 'fail' result is a red flag.
  4. Multiple IPs from different countries in the routing path can indicate email forwarding or relay chains, but can also indicate suspicious routing.
  5. The sender's real IP is usually in the first (bottom-most) Received header. Headers added by intermediate servers are above it.
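
The tips above, applied in code. This is an added example, not the tool's own implementation: it reads the Received chain bottom to top with per-hop delays (IPv4 only) and collects SPF/DKIM/DMARC verdicts, and it goes one step beyond the tips by accepting Authentication-Results only from a receiving server you name. The function names, the sample headers and the `mx.recipient.example` server name are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (documentation IPs, example domains; not a real message).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby inbox.recipient.example with ESMTPS id c3; Mon, 06 Jan 2025 10:00:45 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id c2; Mon, 06 Jan 2025 10:00:05 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.sender.example with ESMTPSA id c1; Mon, 06 Jan 2025 10:00:00 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=sender.example;
\tdkim=fail header.d=sender.example; dmarc=fail header.from=sender.example
From: Alice <alice@sender.example>

body
"""

def trace_hops(raw):
    """Hops oldest-first: connecting IP, timestamp, seconds since the previous hop."""
    hops, prev = [], None
    # Each server prepends its Received header, so reverse to read bottom to top.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        try:  # the timestamp follows the last ';'
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (IndexError, TypeError, ValueError):
            when = None  # malformed hop: keep it, but without timing
        delay = int((when - prev).total_seconds()) if when and prev else None
        hops.append({"ip": ip.group(1) if ip else None, "time": when, "delay_s": delay})
        prev = when or prev
    return hops

def auth_results(raw, authserv="mx.recipient.example"):
    """Verdicts from Authentication-Results stamped by our own server (authserv-id)."""
    found = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip() != authserv:
            continue  # a sender can add this header too; trust only our own server's
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            found.setdefault(method, result.lower())
    return found

def red_flags(raw):
    """Methods whose trusted verdict is not 'pass' (a missing verdict also counts)."""
    res = auth_results(raw)
    return [m for m in ("spf", "dkim", "dmarc") if res.get(m) != "pass"]
```

Received lines below the first hop your own infrastructure added are supplied by the sending side, so treat the IPs and timestamps they carry as claims rather than verified facts.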

Frequently Asked Questions

  1. What are email headers?

    Email headers are metadata attached to every email message. They contain technical information about the sender, recipient, routing path, timestamps, and authentication results. Headers are normally hidden but can be viewed through your email client's settings.
  2. Can email headers reveal the sender's real IP?

    Yes, in many cases. The originating IP is typically in the first Received header. However, if the sender used a webmail service (Gmail, Outlook), the IP will be the mail service's server, not the sender's personal IP.
  3. What do SPF, DKIM, and DMARC mean?

    SPF verifies the sender's server is authorized to send email for that domain. DKIM verifies the message wasn't tampered with using a digital signature. DMARC combines both and tells receiving servers what to do when checks fail. All three should show 'pass' for legitimate email.
  4. Is this tool safe to use with sensitive emails?

    Yes. All processing happens locally in your browser. Email headers are not sent to our servers. The only external requests are IP geolocation lookups to our API, which only send the IP addresses found in the headers.
  5. Why are there so many hops in my email?

    Each hop represents a mail server that processed the email. Typical emails have 3-5 hops. More hops can indicate email forwarding, mailing list processing, or security filtering. While not necessarily suspicious, unusual routing should be investigated.
