What email headers reveal

Email headers show the delivery path from sender to recipient. The most useful lines are usually Received, Authentication-Results, Received-SPF, DKIM signatures, message IDs, and timestamps.

How to read Received hops

Read Received headers from bottom to top. The lower entries are closer to the origin, while the upper entries were added later by receiving systems such as Postfix, Exim, Microsoft 365, or Google Workspace.

Authentication and spoofing checks

Look for SPF, DKIM, and DMARC pass or fail results, alignment with the visible From domain, unexpected sending IPs, and mismatched hostnames. A single pass result is useful, but it does not guarantee the message is safe.

Privacy warning

Raw headers can contain private IP addresses, public sender IPs, recipient addresses, internal hostnames, anti-spam scores, and routing details. Remove sensitive data before sharing headers externally.

Related tools

Combine this analyzer with Email Auth Checker, SMTP Tester, Blacklist Checker, and Reverse DNS Lookup.

Reading Authentication Results in Email Headers

Modern email headers include Authentication-Results from each receiving server in the delivery chain. Key fields: spf=pass (envelope sender authorized), dkim=pass (signature valid, domain matches), dmarc=pass (SPF or DKIM domain aligns with header From).

When analyzing headers for delivery problems, trace Received headers from bottom (origin) to top (final destination). Look for ARC (Authenticated Received Chain) seals when mail passes through mailing lists or forwarding services — ARC preserves the original authentication results even when SPF and DKIM are broken by forwarding.