Email headers contain a complete audit trail of how a message traveled from sender to recipient. Tracing these headers lets you find the true origin, check authentication, and detect spoofing.
Step-by-Step Email Header Analysis
- Get the full headers. In Gmail, open the email, click the three-dot menu, and select "Show original." Copy all the raw header text.
- Paste into our Email Trace tool. It parses the header automatically and displays the route in a readable format.
- Read the Received: chain from bottom to top. The bottom entry is the oldest (origin). Each entry above adds a hop as the email travels.
- Note the originating IP. The bottommost Received: line often contains the sender's IP or their mail server's IP. Look it up with our IP Lookup.
- Check authentication results. Look for Authentication-Results showing SPF, DKIM, and DMARC pass or fail.
Reading a Received: Header
Received: from mail.example.com (mail.example.com [198.51.100.42])
by mx.recipient.com with ESMTPS id abc123
for [email protected]; Wed, 29 Apr 2026 08:00:00 -0700
This shows the message came from mail.example.com at IP 198.51.100.42, was accepted by mx.recipient.com, and arrived at the given timestamp.
Red Flags in Email Headers
- The From: domain does not match the Return-Path domain
- SPF or DKIM failed in Authentication-Results
- Large time gaps between hops (possible queueing or intentional delay)
- Received: IPs belonging to countries inconsistent with the claimed sender
- Missing X-Originating-IP when expected (webmail usually includes this)
People Also Ask
- Where is my email header?
- In Gmail: open the message, click the three-dot menu (top right), select "Show original." In Outlook: File > Properties. In Apple Mail: View > Message > All Headers.
Related: Email headers explained | SPF records | Email Trace tool