Free tool

Trace the origin of a suspicious email

Paste raw email headers to identify the real sender, authentication results and the path taken. 100% client-side analysis - nothing leaves your browser.


How it works

How to read email headers?

Email headers are metadata added by each server along the way. They reveal the true sender, authentication checks and the path the message took.

01

Open the suspicious email in your mail client and look for "Show original" or "View headers" (Gmail: ⋮ menu → Show original).

02

Copy all headers and paste them in the field above. Our analyzer automatically identifies each server hop.

03

Review the results: origin IP, SPF/DKIM/DMARC results, suspicious delays between servers and any signs of tampering.

Frequently asked questions

What do email headers contain?
Headers are metadata added by each server the email passes through. They include the originating IP address, authentication results (SPF, DKIM, DMARC), timestamps from each relay, the message ID and any modifications made in transit. This information is hidden in the normal email view.
How do I view headers in Gmail or Outlook?
In Gmail: open the email, click the ⋮ menu at the top right, then 'Show original'. In Outlook desktop: open the email and go to File → Properties; the headers are in the 'Internet Headers' field. In Outlook on the web: open the email, click ⋯ → 'View message source'.
What do SPF, DKIM and DMARC results mean in headers?
'pass' means the check succeeded - the sending server is authorized and the message is authentic. 'fail' means it failed - the email may be spoofed. 'softfail' is a partial failure (often tolerated). 'none' means no policy is published for that domain. A legitimate email should show SPF pass, DKIM pass and DMARC pass.
Are my headers sent to a server?
No. The analysis runs entirely in your browser using client-side JavaScript. No data leaves your machine, nothing is transmitted to our servers or any third party. You can verify this by inspecting network requests in your browser's developer tools.
How can I spot a fraudulent email using headers?
Look for these signals: SPF or DKIM failure (authentication-results: fail), a 'From' address that doesn't match the domain in 'Return-Path', relay servers in unusual countries, abnormally long delays between hops (may indicate interception), and a 'Reply-To' that differs from 'From'. If several of these signals are present, the email is likely fraudulent.
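The header-based signals listed above can be checked mechanically. The following is an added example, not this tool's own code: the function names, the sample headers and the 10-minute delay threshold are assumptions made for illustration, and the relay-country signal is left out because it needs a GeoIP lookup.

```javascript
// Constructed sample headers (not from a real message); the newest Received hop comes first.
const SAMPLE = [
  'Return-Path: <bounce@mailer.example.net>',
  'Received: from mx.example.org (mx.example.org [203.0.113.7])',
  '\tby inbound.example.com; Tue, 04 Mar 2025 10:42:10 +0000',
  'Received: from app.example.net (app.example.net [198.51.100.23])',
  '\tby mx.example.org; Tue, 04 Mar 2025 10:00:05 +0000',
  'Authentication-Results: inbound.example.com; spf=softfail smtp.mailfrom=mailer.example.net;',
  '\tdkim=none; dmarc=fail header.from=example.com',
  'From: "Accounts" <billing@example.com>',
  'Reply-To: payments@example.net',
  'Subject: Invoice',
].join('\r\n');

// Unfold continuation lines (leading space or tab), then split into ordered [name, value] pairs.
function parseHeaders(raw) {
  return raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)
    .map(line => line.match(/^([^:\s]+):\s*(.*)$/)).filter(Boolean)
    .map(m => [m[1].toLowerCase(), m[2]]);
}

const first = (h, name) => (h.find(([n]) => n === name) || [])[1] || '';
const addr = v => ((v.match(/<([^>]*)>/) || [null, v])[1] || '').trim().toLowerCase();
const domain = v => addr(v).split('@')[1] || '';

function analyze(raw, maxDelaySeconds = 600) { // threshold is an assumed value
  const h = parseHeaders(raw);
  // Only the topmost Authentication-Results header is read here; it should be
  // the one stamped by your own receiving server.
  const auth = {};
  for (const m of first(h, 'authentication-results').matchAll(/\b(spf|dkim|dmarc)=(\w+)/g)) auth[m[1]] = m[2];
  // Each Received header ends with "; <date>". Reverse so hops run oldest to newest.
  const times = h.filter(([n]) => n === 'received')
    .map(([, v]) => Date.parse(v.slice(v.lastIndexOf(';') + 1).trim())).reverse();
  const delays = times.slice(1).map((t, i) => (t - times[i]) / 1000);
  const signals = [];
  // Any result other than "pass" is reported, including softfail and none.
  for (const k of ['spf', 'dkim', 'dmarc']) if (auth[k] !== 'pass') signals.push(`${k}=${auth[k] || 'missing'}`);
  if (domain(first(h, 'from')) !== domain(first(h, 'return-path'))) signals.push('from/return-path domain mismatch');
  const replyTo = first(h, 'reply-to');
  if (replyTo && addr(replyTo) !== addr(first(h, 'from'))) signals.push('reply-to differs from from');
  if (delays.some(d => d > maxDelaySeconds)) signals.push('long delay between hops');
  return { auth, delays, signals };
}
```

The result is a list of signals to weigh together, not a verdict: Received headers below your own server's hop can be forged by the sender, so treat their timestamps as hints.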

Train your teams to analyze suspicious emails

Reading headers is a good start. Training your entire team to spot phishing signals before they click is even better.
