Email Header Analyzer

Paste the full raw email headers below. In Gmail: open the email, click the three dots, select Show original.

What Are Email Headers?

Raw email headers are the paper trail every message leaves behind. Every server that touches an email adds a Received: line recording its own hostname, the IP it received the message from and a timestamp. Reading those lines from bottom to top gives you the actual delivery path, from the sender's outbox to your inbox. The full journey is usually over in a few seconds, but the headers preserve every step of it permanently.

Beyond the routing information, headers also carry the authentication verdict: whether SPF, DKIM and DMARC passed or failed, which mail server software sent the message, what spam score any filters assigned, and whether the message was modified in transit. When an email lands in spam, looks suspicious or arrives with a forged sender, the headers are where you look first.

How to Get the Raw Headers

Gmail

Open the email. Click the three-dot menu in the top right corner of the message body, then select "Show original". A new tab opens with the complete raw headers at the top. Select all the text from that section and paste it here.

Outlook and Microsoft 365

Open the email, then go to File and click Properties. The "Internet headers" box at the bottom of the window contains the full headers. Click inside the box, press Ctrl+A to select everything and copy it.

Apple Mail

Select the email in your list, then from the View menu choose Message and then All Headers. The full header block appears above the message body. You can also use the keyboard shortcut Shift+Cmd+H.

Thunderbird

Right-click the message in your list and choose View Source. The entire raw email opens in a new window, headers included. Copy everything before the first blank line.

Frequently Asked Questions

Can I trace a spam email back to the real sender?

The originating IP shown here is the first public IP address in the Received chain, which is usually the sender's mail server or their ISP's outgoing relay. That will point you to a hosting provider or ISP you can report the abuse to. If the sender used Gmail, Outlook or another webmail service, the originating IP will be that provider's server, not anything personal. VPNs and Tor exit nodes will similarly mask the real location.

What do SPF, DKIM and DMARC pass and fail actually mean?

SPF pass means the server that sent the email was listed in the domain's SPF record as authorised to do so. DKIM pass means the message body and selected headers carry a valid cryptographic signature, verifiable against a public key published in DNS, confirming the message was not altered after leaving the sender. DMARC pass means at least one of SPF or DKIM aligned with the From header domain and the domain's policy was satisfied. When all three pass together, it is a strong indicator that the email genuinely came from the domain shown in the From header.

What does a high hop count mean?

Legitimate email typically passes through two to five servers: the sender's client, their outgoing relay, possibly a spam filter gateway and finally the recipient's mail server. Ten or more hops is unusual and could indicate a misconfigured mail server looping, a spam relay chain or aggressive filtering. High hop counts also add delivery time, which you can see in the delay column for each hop.

Why does the delay between hops matter?

Most hops should take under a second. Delays of several minutes at a single hop usually mean a server was temporarily rejecting the message and retrying, or that it was queued behind a backlog. A delay at the very first hop sometimes indicates the sender's server had trouble connecting to the next relay in the chain.
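The bottom-to-top reading of the Received chain, the per-hop delay and the "first public IP" rule described on this page can be sketched in a few lines of Python. This is an added example, not the analyzer's own code; the sample headers, the function names (`hops`, `originating_ip`) and the `NON_ROUTABLE` list are assumptions made for the illustration.

```python
import email, ipaddress, re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample (example domains, documentation/private IPs); newest hop on top.
SAMPLE = """\
Received: from mx.recipient.example ([10.0.0.5]) by store.recipient.example;
\tMon, 06 Jan 2025 10:00:07 +0000
Received: from relay.sender.example ([203.0.113.25]) by mx.recipient.example;
\tMon, 06 Jan 2025 10:00:05 +0000
Received: from laptop ([192.168.1.44]) by relay.sender.example;
\tMon, 06 Jan 2025 09:55:00 +0000
"""
# Explicit list so documentation ranges such as 203.0.113.0/24 still count as public.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def _ip(value):
    # IPv4 literal in the "from" clause; IPv6 literals are not handled here.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def hops(raw):
    """Hops in delivery order as (from_ip, timestamp, delay_seconds)."""
    out, prev = [], None
    received = email.message_from_string(raw).get_all("Received", [])
    for value in reversed(received):  # bottom header is the first hop
        try:
            ts = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
            if ts.tzinfo is None:  # "-0000" zone parses as naive; treat as UTC
                ts = ts.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            ts = None
        # A negative delay means clock skew between two servers.
        delay = (ts - prev).total_seconds() if ts and prev else None
        out.append((_ip(value), ts, delay))
        prev = ts or prev
    return out

def originating_ip(raw):
    """First public address found when reading from the oldest hop upward."""
    for ip, _, _ in hops(raw):
        if ip and not any(ip in net for net in NON_ROUTABLE):
            return str(ip)
    return None
```

Received lines written before the message reached a server you trust are supplied by the sending side, so treat the result as a lead for an abuse report and confirm it against the hops your own mail server recorded.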