Email Header Analyzer
Paste your email headers to detect spoofing, authentication failures, and suspicious routing — 100% client-side, no data stored.
Disclaimer
This tool is provided for educational and informational purposes only. Nocturne Information Security Inc. is not responsible for any decisions, actions, or outcomes resulting from the use of this analyzer. Analysis results should be verified by a qualified security professional before taking any action. This tool performs best-effort parsing and may not detect all threats. Never rely solely on automated analysis for security decisions.
How to Get Email Headers
Open the email in your browser
Go to mail.google.com and open the email you want to analyze. This must be done in a web browser — the Gmail mobile app does not expose email headers.
Click the three dots menu (More options)
In the top-right corner of the email (next to the Reply button), click the three vertical dots icon.
Select "Show original"
Click "Show original" from the dropdown menu. A new tab will open showing the raw email source with SPF, DKIM, and DMARC results displayed at the top.
Copy the headers
Click the "Copy to clipboard" button at the top, or select all the text (Ctrl+A) and copy (Ctrl+C). Then paste it into the analyzer below.
Authentication-Results: mx.google.com; spf=pass...
DKIM-Signature: v=1; a=rsa-sha256; c=...
Open the email
Open the email you want to analyze in the new Outlook for Windows app (the modern, simplified Outlook that replaced Windows Mail).
Click the More actions button (three dots)
At the top of the open message, click the More actions button — the three dots (…) icon in the message toolbar.
Select View → View message details
From the dropdown, click View, then View message details. A side panel or pop-up window will open showing the full message headers.
Copy the headers
Select all the text in the message details window (Ctrl+A), copy it (Ctrl+C), and paste it into the analyzer below.
Authentication-Results: spf=pass (sender IP is...);
dkim=pass (signature was verified);
dmarc=pass action=none header.from=...
Open the email in its own window
Double-click the email to open it in a separate window — not just the reading pane. This is required to access the File menu for that message.
Go to File → Properties
In the opened message window, click File in the top ribbon, then click Properties.
Find and copy the Internet Headers
In the Properties dialog, scroll down to find the "Internet headers" text box at the bottom. Click inside the box, press Ctrl+A to select all, then Ctrl+C to copy.
Authentication-Results: spf=pass;
dkim=pass header.d=example.com;
X-MS-Exchange-Organization-SCL: 1...
Paste into the analyzer
Paste the copied headers (Ctrl+V) into the text area below and click Analyze.
Open the email
Go to outlook.office.com, outlook.live.com, or your Microsoft 365 web mail and open the email you want to analyze.
Click the More actions button (three dots)
At the top-right of the open message, click the three dots (…) — the "More actions" button.
Select "View message details"
Click View → View message details (or View message source in some versions). A popup window will appear showing the full email headers and message source.
Copy and paste
Select all the text in the popup (Ctrl+A), copy it (Ctrl+C), and paste into the analyzer below. Microsoft recommends pasting headers into a text editor first for easier reading.
Open the email
Select or open the email you want to analyze in Apple Mail on your Mac.
View → Message → All Headers
In the top menu bar, go to View → Message → All Headers (or press Cmd+Shift+H). This will display all header fields directly in the message view.
Alternatively: View Raw Source
For the full raw source, go to View → Message → Raw Source. This opens a new window with the complete email including all headers and the body.
Copy the headers
Select the header portion (everything above the email body content), press Cmd+C to copy, and paste into the analyzer below.
Open the email in your browser
Go to mail.yahoo.com and open the email you want to analyze. Headers are only accessible via the web interface.
Click the More actions button
Click the three dots (…) or "More" button at the top of the email message.
Select "View raw message"
Click "View raw message". A new browser tab will open displaying the full raw email source, with headers at the top.
Copy the headers
Select all text (Ctrl+A), copy (Ctrl+C), and paste into the analyzer. The headers are everything before the first blank line that separates them from the message body.
Pro Tips
Best Way to Copy Headers
- Once the headers window is open, select all text and copy it
- Paste into Notepad or a text editor first for easier reading
- Microsoft recommends pasting into a text editor to view full content clearly
- You can paste the full raw message — our analyzer will extract the headers automatically
Key Headers to Look For
From— Who the email claims to be fromReturn-Path— Where bounces go (compare with From)Reply-To— Where replies are directed (phishing red flag if different)Received— The route the email took (read bottom to top)Authentication-Results— SPF, DKIM, and DMARC verdicts
Analyze Email Headers
Paste the full email headers below. All analysis is performed in your browser — nothing is sent to any server.
Findings & Anomalies
Authentication Results
Message Route (Hops)
| # | From | To | Delay | Protocol |
|---|
Key Headers
Found Something Suspicious?
Our security experts can help you investigate phishing campaigns, compromised email accounts, and email infrastructure weaknesses.
Talk to an Expert