How to Read Email Headers: Trace the Path of Any Email
Email headers contain a complete trail of every server an email passes through — plus authentication results that reveal whether the sender is legitimate. Here's how to read them.
What are email headers?
Every email contains hidden metadata called headers. While you see the From, To, Subject, and Date fields in your inbox, the full headers contain dozens of additional fields added by every server that handled the message.
Headers are read bottom-to-top — the oldest entries are at the bottom, and each server adds its own "Received" header on top as the message passes through.
How to find raw email headers
Gmail
Open the email → click the three dots (⋮) → "Show original" → copy the headers
Outlook
Open the email → File → Properties → "Internet headers" box
Apple Mail
Open the email → View → Message → All Headers
Key headers to look at
Received headers
The most important headers for tracing. Each server adds one as the email passes through. They show the IP address, hostname, and timestamp of each hop. Read bottom to top to trace the complete path.
Authentication-Results
Shows whether the email passed SPF, DKIM, and DMARC checks — the three pillars of email authentication:
- SPF (Sender Policy Framework) — verifies the sending server is authorized by the domain's DNS records
- DKIM (DomainKeys Identified Mail) — uses a cryptographic signature to verify the message hasn't been tampered with
- DMARC (Domain-based Message Authentication) — combines SPF and DKIM with a policy (none, quarantine, reject)
If all three pass, the email is very likely legitimate. If they fail, it may be spoofed.
Return-Path / Envelope-From
The actual sender address used in the SMTP transaction. If this doesn't match the visible "From" address, the email may be spoofed or forwarded.
X-Mailer / User-Agent
Shows the email client or software used to send the message. Legitimate businesses typically use known services (Google Workspace, Microsoft 365, SendGrid). Phishing emails sometimes show unusual or outdated mailers.
Spotting phishing with headers
Common red flags in email headers:
- SPF/DKIM/DMARC failures — the sender isn't who they claim to be
- Mismatched From and Return-Path — the envelope sender address is different from the displayed sender
- Suspicious originating IPs — the oldest (bottom-most) "Received" header shows an IP from an unexpected country or hosting provider
- Excessive delays — large time gaps between hops can indicate message queuing on compromised servers
- Missing or incomplete authentication — legitimate services always have proper SPF/DKIM setup
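The checks above, as an added Python example that is not from the original article or its Email Header Analyzer: it walks the Received chain oldest-first, reads the SPF/DKIM/DMARC verdicts, and compares the From and Return-Path domains. The sample headers, the `analyze` function and the 300-second delay threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers (not a real message); reserved documentation names/IPs.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org ([198.51.100.7]) by inbox.example.org;
\tTue, 02 Jan 2024 10:45:10 +0000
Received: from relay.example.net ([192.0.2.25]) by mx.example.org;
\tTue, 02 Jan 2024 10:45:05 +0000
Received: from [192.0.2.99] by relay.example.net;
\tTue, 02 Jan 2024 10:00:00 +0000
Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=example.com
From: "Example Billing" <billing@example.com>
Subject: Invoice
"""

def analyze(raw, max_hop_delay=300):
    """Return (hops oldest-first, auth verdicts, red flags) for raw headers."""
    msg = message_from_string(raw)
    hops = []  # Received headers are prepended, so reverse for oldest-first
    for value in reversed(msg.get_all("Received", [])):
        by = re.search(r"\bby\s+([^\s;]+)", value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append((by.group(1) if by else "?", when))
    flags = []
    for (_, t0), (host, t1) in zip(hops, hops[1:]):
        delay = int((t1 - t0).total_seconds())
        if delay > max_hop_delay:
            flags.append(f"{delay}s delay before {host}")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        results[mech] = m.group(1).lower() if m else "missing"
        if results[mech] != "pass":
            flags.append(f"{mech}={results[mech]}")
    # Compare the visible From domain with the envelope sender's domain
    from_dom, rp_dom = (parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
                        for h in ("From", "Return-Path"))
    if from_dom != rp_dom:
        flags.append(f"From {from_dom} != Return-Path {rp_dom}")
    return hops, results, flags

if __name__ == "__main__":
    for flag in analyze(SAMPLE)[2]:
        print("FLAG:", flag)
```

Only an Authentication-Results header added by your own receiving server is trustworthy; this example does not check which server wrote it.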
Analyze headers automatically
Reading raw headers manually is tedious. Our Email Header Analyzer parses raw headers automatically — showing the message route, hop-by-hop delays, SPF/DKIM/DMARC results, and potential red flags.