Email Header Analyzer

Every email contains two parts: the visible message body and a hidden block of metadata called headers. Headers are key-value pairs prepended to the message that record the complete technical history of how the email was composed, authenticated, routed, and delivered. They are invisible to most email clients by default, but they contain the information mail servers use to make delivery decisions.

Headers are written in RFC 5322 format and fall into two categories: originating headers set by the sender (From, To, Subject, Date, Message-ID) and transit headers added by each server along the delivery path (Received, Authentication-Results, DKIM-Signature). Because each mail server prepends its own Received header, the chain reads chronologically from bottom to top — the oldest hop is at the bottom, the most recent is at the top.

Email headers are the primary diagnostic tool for investigating delivery failures, spam misclassification, authentication errors, phishing analysis, and routing problems. Understanding them is essential for anyone managing a mail server or investigating email security incidents.

The method for viewing raw headers varies by email client. In all cases, you are looking for an option labeled something like "Show original", "View source", "All headers", or "Internet headers".

You do not need to copy the entire email source — just the header block. Headers end at the first completely blank line. However, pasting the full raw source is also fine; this tool will extract the headers automatically.

Each Received header corresponds to one mail server handoff. A typical email passes through 2-5 hops: the sender's mail client submits to their outbound SMTP server, which relays to the recipient's MX server, which may pass through internal filtering or relay servers before final delivery. Complex setups (mailing lists, forwarding, third-party relays) can add many more hops.

The delay between consecutive hops is calculated by subtracting the timestamp of one Received header from the next. Sub-second delays are normal. Delays in the range of 1-30 seconds usually indicate queue processing or greylisting. Delays over a minute can indicate temporary failures with retry, rate limiting, or spam filtering queues. This tool highlights the slowest hop so you can immediately identify where time is being lost.

The Authentication-Results header is added by the receiving mail server and summarizes the outcome of all authentication checks performed on the incoming message.

Use the SPF Record Checker, DKIM Record Checker, and DMARC Record Checker to verify your DNS records are correctly configured for each of these authentication methods.

Email delivery delays are one of the most common complaints from both senders and recipients. Headers are the only reliable way to pinpoint exactly where in the delivery chain time is being lost.

• Under 1 second — Normal. Accounts for DNS lookups, TLS handshake, and queue handoff.
• 1–5 seconds — Slightly elevated but acceptable. May indicate light rate limiting or a brief connection retry.
• 5–30 seconds — Noticeable delay. Common causes: greylisting (first-time sender rejection requiring retry), content scanning, or spam filter queues.
• Over 30 seconds — Significant delay. Investigate this hop for: temporary delivery failures (4xx), DNS resolution problems, blacklist-based rate limiting, or an overloaded relay server.

Note that server clocks are not always perfectly synchronized. Small negative delays (the next hop appears to arrive before the previous one) are an artifact of clock skew and can be safely ignored. Large negative values may indicate header injection or a misconfigured server.

Email header analysis is one part of a complete email deliverability diagnosis. These tools on DNS Checker cover the full stack: