Home/Email Header X-Ray

📧 Email Header X-Ray

Paste raw email headers to reveal the full routing path, detect spoofing & phishing, validate SPF/DKIM/DMARC, and see hop-by-hop delivery timing. Works on Gmail, Outlook, Yahoo — any email.

How to Get Your Email Headers

Gmail: Open email → three-dot menu (⋮) → "Show original" → Copy headers

Outlook: Open email → File → Properties → "Internet headers"

Apple Mail: Open email → View → Message → Raw Source

SPF verifies the sending server is authorized. DKIM cryptographically signs the email content. DMARC enforces what happens when SPF/DKIM fail — all three passing is the gold standard for legitimate email.

Forensic Email Header Analysis: Trace Senders, Verify Authentication, and Detect Spoofing

Email Header X-Ray is a professional email forensics tool that decodes the full routing history and authentication chain of any email message. Email headers contain a wealth of information that most email clients hide from view — original sender IP addresses, the servers an email passed through, authentication results, and timestamps that can expose sender identity even when display names are forged.

The tool verifies SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC records — the three email authentication standards that together prevent email spoofing. A message that fails all three checks is highly likely to be a phishing attempt or spam. The tool explains each authentication result in plain English, not just pass/fail.

Sender IP analysis cross-references the originating IP address against geolocation databases and abuse reputation scores, revealing whether the email was sent from the claimed country, a known malicious IP, or a suspicious hosting provider. Timezone fingerprinting analyzes the Date header timezone against the claimed sender location as an additional consistency check.

How to Use

  1. 1Open the suspicious email in your email client and copy the full raw headers.
  2. 2In Gmail: click the three dots → "Show original". In Outlook: File → Properties.
  3. 3Paste the entire header block into the analysis field.
  4. 4Click "Analyze Headers" — the tool parses and visualizes all hops and authentication results.
  5. 5Review the SPF/DKIM/DMARC section first: green = authenticated, red = potential spoofing.

🎯 Who Uses This

  • IT security teams investigating phishing emails reported by employees
  • Fraud investigators tracing the origin of threatening or harassing emails
  • System administrators diagnosing email delivery failures and routing issues
  • Individuals verifying whether a suspicious email is genuinely from the claimed sender
  • Legal teams documenting email evidence for harassment or fraud cases
  • Email deliverability engineers debugging authentication configuration

Frequently Asked Questions

Q: Can someone completely fake an email's origin?
Without SPF, DKIM, and DMARC in place, anyone can forge the From header to show any address. However, the server routing headers (Received lines) are added by each mail server along the delivery path and are much harder to forge. Careful examination of Received headers usually reveals the true origin IP.
Q: What does "SPF pass" mean?
SPF (Sender Policy Framework) checks whether the sending mail server's IP address is listed in the domain's SPF DNS record as authorized to send email. A pass means the email genuinely came from a server the domain owner approved. A fail or softfail suggests spoofing.
Q: How do I get the raw email headers?
In Gmail: open the email → click the three-dot menu → "Show original". In Outlook: File → Info → Properties → Internet headers. In Apple Mail: View → Message → All Headers. Copy everything from the header section and paste it into the tool.