How to Read Email Headers: A Beginner's Guide
Every email carries a set of hidden metadata called headers. These headers record the message's journey from sender to recipient, including which servers handled it, what authentication checks it passed, and when each hop occurred. Learning to read email headers is an essential skill for diagnosing deliverability issues, investigating phishing attempts, and troubleshooting bounced messages.
Paste headers for instant analysis
Copy your raw email headers and paste them into our Email Header Analyzer for a human-readable breakdown of every hop, delay, and authentication result.
Where to Find Email Headers
Each email client hides raw headers in a different place. Here is how to access them in the three most popular clients:
Gmail
- Open the email you want to inspect.
- Click the three-dot menu in the top-right corner of the message.
- Select Show original.
- A new tab opens showing the full raw message, including all headers. You can copy them from here.
Outlook (Web)
- Open the email.
- Click the three-dot menu (…) at the top of the message.
- Select View message source or View message details.
- A panel or popup shows the raw headers.
Apple Mail (macOS)
- Open the email.
- Go to View > Message > All Headers in the menu bar.
- Alternatively, use the keyboard shortcut Cmd + Shift + H to toggle the full header view.
Key Header Fields Explained
Email headers can be dense, but only a handful of fields matter for most troubleshooting tasks. Here are the ones you should focus on:
- From: The sender's email address as displayed to the recipient. This field can be spoofed, so do not rely on it alone to determine legitimacy.
- Return-Path: Also called the envelope sender. This is the address that bounces are delivered to and the address used for SPF checks.
- Received: Each server in the delivery chain adds a Received header. Read them from bottom to top to trace the message's path. Each entry includes the server name, IP address, and timestamp.
- Authentication-Results: Added by the receiving server, this header shows the results of SPF, DKIM, and DMARC checks. Look for spf=pass, dkim=pass, and dmarc=pass.
- DKIM-Signature: Contains the cryptographic signature added by the sending server. The d= tag shows the signing domain and s= shows the selector.
- X-Spam-Status / X-Spam-Score: Many servers add spam scoring headers. These tell you how close the message came to being flagged as spam.
- Message-ID: A unique identifier for the message, useful when searching logs or reporting issues to your email provider.
Tracing Delivery Issues
To diagnose delays, compare the timestamps in consecutive Received headers. A large gap between two hops indicates where the message got stuck. To check authentication, scroll to the Authentication-Results header. If you see spf=fail or dkim=fail, the sending domain's authentication records may be misconfigured. Use the DKIM Checker or DMARC Checker to investigate further.
For complex headers, paste the entire raw header block into the Email Header Analyzer. The tool parses every field, visualizes the delivery chain, highlights delays, and summarizes authentication results in plain language.
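The delay and authentication checks described above, as an added example (not code from this page or its tools): it orders Received headers oldest-first, measures the gap at each hop, and reads SPF/DKIM/DMARC results only from the Authentication-Results header stamped by the receiving server. The sample headers, host names, and the `mx.recipient.example` server ID are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers: .example hosts, documentation IP ranges.
RAW = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounce@sender.example;
 dkim=fail header.d=sender.example; dmarc=pass header.from=sender.example
Received: from relay.sender.example (relay.sender.example [203.0.113.7])
 by mx.recipient.example with ESMTPS id abc123;
 Tue, 04 Mar 2025 10:17:45 +0000
Received: from out.sender.example (out.sender.example [198.51.100.20])
 by relay.sender.example with ESMTPS id def456;
 Tue, 04 Mar 2025 05:02:10 -0500
Received: from app.sender.example (app.sender.example [192.0.2.10])
 by out.sender.example with ESMTP id ghi789;
 Tue, 04 Mar 2025 10:02:05 +0000
Authentication-Results: unrelated.example; spf=pass; dkim=pass; dmarc=pass
From: Alice <alice@sender.example>
"""

def hop_delays(raw):
    """Return [(receiving_host, seconds_since_previous_hop)], oldest hop first."""
    hops = []
    # Servers prepend Received, so the bottom-most header is the first hop.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        # The timestamp follows the last ';'; parsing it keeps the UTC offset.
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append((by.group(1) if by else "unknown", stamp))
    delays = [(host, 0.0) for host, _ in hops[:1]]
    for (_, prev), (host, stamp) in zip(hops, hops[1:]):
        delays.append((host, (stamp - prev).total_seconds()))
    return delays

def trusted_auth(raw, authserv_id):
    """Return spf/dkim/dmarc results from the header our own server stamped."""
    # Headers are scanned top-down, so the most recently added match wins.
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.split()[:1] == [authserv_id]:
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    return {}

if __name__ == "__main__":
    for host, seconds in hop_delays(RAW):
        print(f"{host:25} +{seconds:.0f}s")
    print(trusted_auth(RAW, "mx.recipient.example"))
```

In the sample, the second Authentication-Results header carries a different server ID and claims dkim=pass, so it is ignored; the 935-second gap at the last hop is the delay worth investigating.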
Frequently Asked Questions
Can email headers be faked?
Some headers like From and Reply-To can be forged by spammers. However, the Received headers added by each mail server along the delivery path are much harder to fake. Authentication-Results headers are added by the receiving server and are trustworthy. This is why SPF, DKIM, and DMARC checks in the headers are the most reliable indicators of legitimacy.
Why are there multiple Received headers?
Each mail server that handles the message adds its own Received header at the top. Reading them from bottom to top traces the message's journey from the sender's server to your inbox. This chain helps diagnose where delays or failures occurred.
What does Authentication-Results: dkim=pass mean?
It means the receiving mail server verified the DKIM signature on the message and confirmed that the email was signed with a valid key belonging to the sending domain. A dkim=pass result, combined with spf=pass and dmarc=pass, is a strong signal that the email is legitimate.