Email Header Analyzer BETA

Did this email actually come from who it claims?

Paste a header, upload an .eml, or drop a JSON export from any major email API — we auto-detect the format, check SPF, DKIM, and DMARC authentication, trace the delivery route, and flag anything suspicious. If you include the body, we’ll scan it for phishing indicators and then discard it.

Accepts .eml (full emails), .json (Gmail API, Microsoft Graph, Postmark, SendGrid, Mailgun), .mbox, .txt, and header exports. We’ll auto-detect the format and extract headers.
Everything is analyzed in memory and never stored. If you include the email body, it’s scanned for phishing indicators and immediately discarded. Authentication results are verified against live DNS records via open-standard protocols.
  • SPF / DKIM / DMARC
  • Delivery Route
  • Spoofing Detection
  • Alignment Check
  • OpenPhish Phishing Feed

Two Ways to Use This

Whether you’re testing your own setup or investigating a suspicious message

Verify Your Domain

Send an email from your custom domain to a Gmail or Outlook account. Copy the header and paste it here. We’ll tell you if your SPF, DKIM, and DMARC are working correctly.

Investigate Suspicious Email

Got an email that looks fishy? Copy its header and paste it here. We’ll check if the sender is who they claim to be and trace the delivery path for anomalies.
