Email Header Analyzer

What this tool does

Every delivered message carries headers describing how it was routed and authenticated. This analyzer reads the Authentication-Results header that the receiving server stamps on, along with Received-SPF, DKIM-Signature, and any ARC-* headers, and summarizes whether SPF, DKIM, and DMARC passed for that message.

Unlike a record checker that reads your live DNS, this reflects one specific message exactly as a receiver saw it — which is what you need when a particular email lands in spam despite a correct setup.

Where to find the raw headers

Gmail: open the message, click the ⋮ menu, choose “Show original”, then copy the text. Outlook on the web: open the message, ⋯ menu → “View” → “View message source”. Apple Mail: View → Message → Raw Source. In most desktop clients look for “Show original”, “View source”, or “Message source”.

Copy everything from the very first header line downward (the Received: and Authentication-Results: lines near the top are the important ones) and paste it above.

How to read the results

We show the pass/fail outcome for SPF, DKIM, and DMARC as recorded by the receiver, the DKIM signing domain (d=), and whether ARC headers are present (which matters for forwarded mail). A failure here points at the real problem for that message — for example an SPF that does not list the actual sending IP, or a DKIM signature broken by a forwarder.

Frequently asked questions

My DNS records check out, but a message failed here — why?

This tool reports one message as the receiver evaluated it, which can differ from your current DNS. Common causes: the message was sent from an IP not covered by your SPF, it was forwarded and the signature or path broke, DKIM alignment failed, or your records changed after the message was sent. The header verdict is the ground truth for that email.

Is my pasted data sent anywhere or stored?

The headers are parsed on our server in-process to produce the result and are not stored or logged. We only record anonymous usage metrics (which tool ran and how long it took), never the header content. Still, redact anything sensitive before sharing headers anywhere.

What does ARC tell me?

ARC (Authenticated Received Chain) preserves the original SPF/DKIM/DMARC results when a message is forwarded, so the final receiver can see that it authenticated before the forwarder. If a message was forwarded and ARC headers are present, a downstream DMARC failure may still be trusted on the strength of the ARC chain.

There is a DKIM-Signature but no DKIM result — what does that mean?

A DKIM-Signature header only means the message was signed; it does not prove the signature verified. The pass/fail comes from the receiver’s Authentication-Results. If a signature is present but there is no DKIM result, the receiving server it passed through may not have verified it, or that header was not included in what you pasted.