Trace Email Headers
Paste the full raw headers of any email to trace each server hop, extract IP addresses, and identify the true sending origin. Email headers can be spoofed, so treat results as indicative, not definitive.
How to Read Email Headers
Raw email headers contain a detailed audit trail of every server that processed your message. Reading them from bottom to top gives you the chronological path the email took, from the original sender to your inbox.
How to Find Email Headers
| Email Client | How to access raw headers |
|---|---|
| Gmail | Open email → three-dot menu → "Show original" → Copy to clipboard |
| Outlook | File → Properties → Internet Headers box |
| Apple Mail | View → Message → All Headers (or Cmd+Shift+H) |
| Thunderbird | View → Message Source (Ctrl+U) |
| Yahoo Mail | More → View Raw Message |
Email Header Fields Reference
| Header | Forgeable? | What it contains |
|---|---|---|
| Received | Partially | Each server that handled the email, in reverse order (most recent first) |
| From | Yes | Claimed sender address; easy to forge, always verify with DKIM/DMARC |
| Return-Path | Harder | Where bounces are sent; more reliable than From but still spoofable |
| Message-ID | Yes | Unique identifier assigned by the originating mail server |
| X-Originating-IP | Sometimes | Webmail client's IP for the sender; added by some providers |
| DKIM-Signature | No | Cryptographic signature verifying the sending domain; tamper-evident |
| Authentication-Results | No (if set by receiver) | SPF, DKIM, and DMARC pass/fail results added by the receiving server |
| X-Spam-Score | N/A | Spam confidence score assigned by the receiving server's filter |
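The Received and Authentication-Results rows above, as an added Python example (not code from this page or its tool): it orders hops chronologically, marks which hops were written by servers you control, and ignores Authentication-Results headers that your own receiver did not set. The host names, the `trusted` set and the function names are assumptions made for illustration, and the sample headers are constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (example domains, documentation-range IPs); all names are hypothetical.
RAW = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bulk.example;
 dkim=fail header.d=sender.example; dmarc=fail header.from=sender.example
Authentication-Results: mx.unknown.example; spf=pass; dkim=pass; dmarc=pass
Received: from relay.sender.example (relay.sender.example [198.51.100.25])
 by mx.receiver.example with ESMTPS id abc123; Tue, 02 Jan 2024 10:00:05 +0000
Received: from workstation (unknown [192.168.1.20])
 by relay.sender.example with ESMTPA id def456; Tue, 02 Jan 2024 10:00:01 +0000
From: Alice <alice@sender.example>

body
"""

FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def trace_hops(raw, trusted):
    """Hops in chronological order; 'verified' marks hops written by your own servers."""
    hops, in_trusted_run = [], True
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        names, ip = FROM_BY.search(value), IP.search(value)
        by = names.group(2).rstrip(";") if names else None
        in_trusted_run = in_trusted_run and by in trusted  # heuristic: unbroken run from the top
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            when = None
        hops.append({"from": names.group(1) if names else None, "by": by,
                     "ip": ip.group(1) if ip else None, "time": when,
                     "verified": in_trusted_run})
    return hops[::-1]  # bottom-to-top = chronological

def last_verified_ip(hops):
    """Connecting IP recorded by the earliest hop that a trusted server wrote."""
    return next((h["ip"] for h in hops if h["verified"]), None)

def receiver_auth_results(raw, trusted):
    """spf/dkim/dmarc verdicts taken only from headers whose authserv-id is trusted."""
    verdicts = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        if authserv_id.strip() in trusted:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return verdicts
```

Everything below the first verified hop is whatever the sending side chose to write, so the IP from `last_verified_ip` is the only address in the chain your own infrastructure actually observed.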
Email Authentication Standards
Modern email relies on three authentication standards working together to prevent spoofing, phishing, and spam. Together, SPF, DKIM, and DMARC form the industry standard for email security.
| Standard | Full Name | What It Does | DNS Record Type |
|---|---|---|---|
| SPF | Sender Policy Framework | Lists IP addresses authorized to send email for a domain | TXT |
| DKIM | DomainKeys Identified Mail | Adds a cryptographic signature to outgoing messages that receivers can verify | TXT |
| DMARC | Domain-based Message Authentication | Ties SPF and DKIM together and tells receivers what to do when they fail (quarantine or reject) | TXT |
Email Fraud Prevention by Authentication Method
Estimated reduction in phishing email delivery with each authentication layer
Frequently Asked Questions
Not usually. Email headers reveal the IP addresses of the servers that relayed the message, not the sender's home IP. Webmail users (Gmail, Outlook.com) send via the provider's servers, so the origin IP you see belongs to Google or Microsoft, not the individual. Some desktop email clients do expose the sender's IP in Received headers.
Each mail server prepends its own Received header as the email passes through. Because each server adds to the top, the most recent hop appears first and the original sending server appears last. Read from bottom to top to follow the chronological path.
A DKIM pass means the email body and key headers were not altered in transit: the cryptographic signature verifies against the public key published in the sender's DNS record. A DKIM fail means the message was modified after signing (possibly in transit) or the signature is fraudulent. It does not necessarily mean the email is spam, but combined with SPF failure it is a strong spam/phishing indicator.