What You Need to Know
• What This Tool Does
Email Header Analyzer parses the raw headers of an email message to trace its delivery path, identify authentication results (SPF, DKIM, DMARC), measure delivery delays, and detect spam indicators.
• Why It Matters
- → Spam Detection: Identify forged or suspicious sender information
- → Deliverability: Diagnose why emails land in spam
- → Authentication: Verify SPF, DKIM, DMARC pass/fail results
- → Path Tracing: See the exact route an email took from sender to recipient
• How to Read the Results
- ✓ Received headers: Read bottom-to-top (earliest server first)
- ✓ Authentication-Results: Shows SPF/DKIM/DMARC pass or fail status
- ✓ X-Spam headers: Mail server spam scoring (X-Spam-Score, X-Spam-Flag)
- ✓ Message-ID: Unique identifier for tracking a specific email
• Technical Background
Email headers are defined in RFC 5322 (Internet Message Format) and RFC 7001 (Authentication-Results header). Each mail server that handles an email prepends a "Received:" header containing: from (originating host), by (receiving host), via (protocol), with (transport security), id (message identifier), and timestamp. Reading Received headers from bottom to top reconstructs the complete delivery path from sender to recipient.
The Authentication-Results header (prepended by the final receiving server) summarizes SPF, DKIM, and DMARC verification outcomes. "spf=pass" means the sending IP is authorized in the domain's SPF record. "dkim=pass" means the cryptographic signature verified correctly. "dmarc=pass" means the message is aligned with the domain's DMARC policy. DKIM-Signature headers contain the selector (s=), signing domain (d=), hashing algorithm (a=), and the base64-encoded signature (b=).
Key headers for forensic analysis: Return-Path specifies the bounce address (envelope sender, which differs from From:). X-Originating-IP may reveal the actual client IP behind webmail portals. Reply-To sets a different address for replies, commonly manipulated in phishing. Date header timezone can hint at sender location. X-Mailer or User-Agent reveals the email client or sending platform. X-Spam-Score and X-Spam-Report headers (added by SpamAssassin and similar) explain why a message was flagged.
Phishing and email fraud detection focuses on discrepancies: From: domain vs SPF/DKIM signing domain mismatch, Received chain showing unexpected geographic origins, authentication failures combined with domain lookalikes, and homograph attacks using Unicode characters in domain names. Analysts correlate Message-ID format, X-Mailer signatures, and IP geolocation to attribute emails to specific threat actors or sending infrastructure.
In corporate security incident response, email header analysis is used to investigate phishing attacks, business email compromise (BEC), and account takeover attempts. Security teams extract indicators of compromise (IOCs) from headers: sending IP ranges, mail server fingerprints, unusual routing paths, and authentication failures. These IOCs are fed into SIEM systems and threat intelligence platforms. Automated email security gateways (SEGs) like Proofpoint, Mimecast, and Microsoft Defender for Office 365 use header analysis at scale to block threats before delivery. Manual header analysis remains an important skill for security analysts investigating emails that bypass automated filters.
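The following Python example is added here and is not code from the tool or its API. It applies the reading rules above to a constructed header block: Received hops walked bottom-to-top with per-hop delay, SPF/DKIM/DMARC verdicts pulled from Authentication-Results, and flags for domains that differ from the From: domain. Function names and sample hosts are assumptions, and the domain comparison is an exact string match, which is stricter than DMARC's relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net; dmarc=fail header.from=bank.example
Received: from mx.example.net ([203.0.113.7]) by mx.recipient.example
 with ESMTPS id abc123; Mon, 1 Jan 2024 12:00:09 +0000
Received: from client.example.net ([198.51.100.4]) by mx.example.net
 with ESMTPSA id def456; Mon, 1 Jan 2024 12:00:02 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel1; b=PLACEHOLDER
From: "Support" <support@bank.example>
Reply-To: helpdesk@other.example
"""  # constructed sample, not a real message; the newest Received hop is on top

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def hops(msg):
    """Received hops oldest-first (bottom-to-top) with delay since previous hop."""
    out, prev = [], None
    for raw in reversed(msg.get_all("Received", [])):
        info, _, stamp = " ".join(raw.split()).rpartition(";")
        when = parsedate_to_datetime(stamp.strip())
        frm, by = (re.search(rf"\b{k}\s+(\S+)", info) for k in ("from", "by"))
        out.append({"from": frm and frm.group(1), "by": by and by.group(1),
                    "delay": (when - prev).total_seconds() if prev else 0.0})
        prev = when
    return out

def auth_results(msg):
    """spf/dkim/dmarc verdicts; trust only the header your own server added."""
    text = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))

def findings(msg):
    """Flag auth failures and domains that differ from the From: domain."""
    from_dom = domain(msg["From"])
    flags = [f"{m}={r}" for m, r in auth_results(msg).items() if r != "pass"]
    sig = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if sig and sig.group(1).lower() != from_dom:  # exact match; a simplification
        flags.append("dkim-domain-mismatch")
    for name in ("Return-Path", "Reply-To"):
        if msg[name] and domain(msg[name]) != from_dom:
            flags.append(f"{name.lower()}-mismatch")
    return flags

MSG = message_from_string(SAMPLE)
```

Calling `hops(MSG)`, `auth_results(MSG)` and `findings(MSG)` on the sample shows a message that passes SPF and DKIM for the mailer's domain yet fails DMARC because none of those domains match the visible From: address.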
Command-Line Usage
Run equivalent checks directly from your terminal on macOS, Windows, or Linux.
Developer
API & CLI Usage
API Endpoint
POST /api/tools/email-header
Platform-Specific Examples

curl -X POST https://epcybertools.com/api/tools/email-header \
  -H "Content-Type: application/json" \
  -d '{"headers":"Received: from mail.example.com\nDate: Mon, 1 Jan 2024 12:00:00 +0000\nFrom: [email protected]\nTo: [email protected]\nSubject: Test Email"}'

wget --method=POST \
  --header="Content-Type: application/json" \
  --body-data='{"headers":"Received: from mail.example.com\nDate: Mon, 1 Jan 2024 12:00:00 +0000\nFrom: [email protected]\nTo: [email protected]\nSubject: Test Email"}' \
  -O - https://epcybertools.com/api/tools/email-header

http POST https://epcybertools.com/api/tools/email-header \
headers="Received: from mail.example.com
Date: Mon, 1 Jan 2024 12:00:00 +0000
From: [email protected]
To: [email protected]
Subject: Test Email"