Free Email Header Analyzer — Spot Spoofed & Phishing Emails
Paste a suspicious email's raw headers for a plain-English verdict — legitimate, suspicious or inconclusive — plus who really sent it. Processed in the moment, never stored.
What your analysis shows
Every email carries hidden headers that record how it travelled and what checks it passed. This tool reads the results your mail provider already stamped into the message — it doesn't look anything up or store what you paste — and translates them:
- The SPF, DKIM and DMARC results recorded when the message arrived.
- The originating server and the path the message took to reach you.
- Mismatches between the From, Return-Path and Reply-To addresses — a classic spoofing tell.
- A plain-English verdict: legitimate, suspicious or inconclusive.
How to get your email headers
Gmail
Open the message, click the three-dot menu (⋮) at the top right, choose Show original, then copy everything on that page.
Outlook (desktop)
Open the message in its own window, go to File → Properties, and copy the text in the Internet headers box.
Outlook on the web
Open the message, click the three-dot menu, choose View → View message details, and copy the text shown.
Apple Mail
Select the message, then View → Message → All Headers, and copy the header block.
What to do if the result looks suspicious
A suspicious verdict means the message may be impersonating a trusted sender. Don't click links or reply — report it to your IT or security team (or your manager) and delete it. Convincing phishing that slips past filters is exactly why organisations run regular simulations and awareness training: the habit of checking before acting is what stops these attacks.
Understanding SPF, DKIM & DMARC results
- SPF — whether the sending server was authorised for that domain. A fail means it wasn't.
- DKIM — whether the message's signature is valid and untampered. A fail can mean it was altered or forged.
- DMARC — whether the sender's domain told receivers to trust only authenticated mail. A fail is a strong spoofing signal.
Frequently asked questions
Does this tool store or transmit my email headers?
No. Your headers are processed in the moment to generate the report and are not retained. The tool reads what's already in the message — it doesn't look anything up.
How can I tell if an email has been spoofed?
The clearest signs are a failed SPF or DKIM result and a mismatch between the From address and the Return-Path or Reply-To. The analyzer flags all of these for you.
What does a failed SPF or DKIM result mean?
It means the message couldn't be confirmed as coming from the domain it claims — often a sign the sender is being impersonated. Treat the message with caution.
Why does the IP in the headers show my provider's server, not the sender?
Webmail services like Gmail often strip the sender's original IP for privacy, so the earliest address you see may be the provider's own server rather than the true origin. The analyzer shows the earliest origin it can read.
What's the difference between the From and Return-Path addresses?
The From address is what you see; the Return-Path is where bounces actually go. When they don't match, it can mean the visible sender has been forged.
What should I do after I find a suspicious result?
Don't click or reply. Report it to your IT or security team and delete it. If it targeted your workplace, your team should know it's circulating.
Analyze a suspicious email
Paste the headers for a verdict here — the full analysis lands in your inbox.