Email Header Analyzer

Paste raw email headers to trace the complete relay chain, verify authentication results, and identify the true origin of any email — expose forged headers and spoofed senders.

How to Use the Email Header Analyzer

  1. Open the suspicious email and copy the full raw headers.

  2. Paste the headers into the Email Header Analyzer tab in the Email Trust Console.

  3. Review the parsed relay chain, originating IP, and SPF/DKIM/DMARC results.

  4. Use the findings to determine if the email is legitimate or spoofed.

Email Header Analyzer — Frequently Asked Questions

How do I get raw email headers?
In Gmail: open the email, click the three-dot menu, select 'Show original'. In Outlook: open the email, go to File > Properties, find the Internet headers section. In Apple Mail: View > Message > All Headers.
What does the Received chain tell me?
The Received headers show every mail server that handled the email, in reverse chronological order. The bottom-most Received header is the originating server (where the email was first injected).
What is the X-Originating-IP header?
The X-Originating-IP header shows the IP address of the device that sent the email. It's not always present (some providers strip it for privacy) but when present, it can reveal the true sender location.
What does 'SPF: pass' mean in email headers?
It means the sending mail server's IP address is listed in the sender domain's SPF record. An SPF pass indicates the email claims to come from an authorized server.
Can email headers be forged?
Yes, some headers can be forged. However, Received headers added by mail servers you trust (like your own mail provider) cannot be forged. Authentication results (SPF/DKIM/DMARC) from your mail server are reliable indicators.