How to Trace Email Headers and Analyze Email Routing
Every email carries a set of hidden headers that document its journey from sender to recipient. These headers reveal the servers the message passed through, authentication check results (SPF, DKIM, DMARC), and timestamps that expose delivery delays. Understanding how to read email headers is essential for diagnosing deliverability issues, investigating phishing attempts, and verifying that your email authentication is working.
Try It Now
Paste your raw email headers into our free Email Header Analyzer to get an instant, human-readable breakdown of the routing path and authentication results.
Step 1: Find the Raw Headers in Your Email Client
Raw headers are hidden by default in every email client. Here is how to access them in the most popular clients:
- Gmail — Open the email, click the three-dot menu (top right), and select "Show original".
- Outlook (web) — Open the email, click the three-dot menu, select "View" → "View message source".
- Apple Mail — Open the email, go to View → Message → All Headers, or press ⌘⇧H.
- Thunderbird — Open the email, go to View → Message Source, or press Ctrl+U.
Step 2: Copy the Full Headers
Select all the header text — everything above the email body. The headers typically start with lines like Delivered-To: or Return-Path: and end just before the message content or MIME boundary. Copy the entire block to your clipboard. Make sure you do not accidentally truncate any lines, as incomplete headers can lead to incorrect analysis.
Step 3: Paste the Headers into the Email Header Analyzer
Open the Email Armory Email Header Analyzer and paste the full headers into the text area. Click "Analyze" to parse them. The tool will break the headers into a structured, easy-to-read format showing each hop, timestamps, and authentication results.
Step 4: Read the Received Chain
The Received: headers form a chain that documents every mail server the message passed through. They are added in reverse chronological order — the topmost Received: header is the last server that handled the message (usually your own mail provider), and the bottommost is the originating server.
Read from bottom to top to trace the email's actual path. Each header includes the server name or IP, the protocol used (SMTP, ESMTPS), and a timestamp. This chain helps you verify the email actually originated from the claimed sender's infrastructure.
Step 5: Check Authentication Results
Look for the Authentication-Results: header, which is added by the receiving mail server. It shows the outcomes of SPF, DKIM, and DMARC checks:
- SPF — pass means the sending server is authorized by the sender's SPF record. fail or softfail means it is not.
- DKIM — pass means the cryptographic signature is valid and the message was not altered in transit. fail means the signature does not match.
- DMARC — pass means the message satisfies the domain's DMARC policy. fail means it does not, and the policy action (none, quarantine, reject) will be applied.
Step 6: Identify Delivery Delays
Compare the timestamps in consecutive Received: headers. A large gap between two hops indicates a delay at that server. Common causes include greylisting (where the server temporarily rejects the message to deter spam), overloaded mail queues, DNS resolution issues, or spam filtering processing time. If you see consistent delays at a specific hop, investigate that server's configuration and load.
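Steps 4 to 6 can also be scripted. The Python below is an added example, not code from the Email Header Analyzer: it reads the Received chain bottom to top, computes the delay at each hop, and reads the SPF/DKIM/DMARC verdicts only from the Authentication-Results header written by the server you name. The sample headers, hostnames and the 60-second threshold are constructed for illustration, and inbox.example.net stands in for your own receiving server.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: every hostname, address and id below is made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.net with ESMTPS id abc123;
\tTue, 04 Mar 2025 10:07:45 +0000
Authentication-Results: inbox.example.net; spf=pass smtp.mailfrom=example.org;
\tdkim=pass header.d=example.org; dmarc=pass header.from=example.org
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTPS id def456;
\tTue, 04 Mar 2025 10:07:40 +0000
Authentication-Results: relay.example.org; spf=none
Received: from app.example.org (app.example.org [192.0.2.25])
\tby relay.example.org with ESMTP id ghi789;
\tTue, 04 Mar 2025 10:00:05 +0000
From: Bob <bob@example.org>
"""

def trace_hops(raw):
    """Hops oldest first (Received is prepended, so read bottom to top)."""
    hops = []  # each entry: (receiving host, timestamp, seconds since previous hop)
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        clause, _, stamp = value.rpartition(";")  # the date follows the last ';'
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # truncated or malformed header: skip rather than guess
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)  # "-0000" parses as naive
        host = re.search(r"\bby\s+(\S+)", clause)
        delay = (when - hops[-1][1]).total_seconds() if hops else 0.0
        hops.append((host.group(1) if host else "?", when, delay))
    return hops

def slow_hops(raw, threshold=60):
    """Hops where the message waited longer than threshold seconds (assumed cutoff)."""
    return [(host, delay) for host, _, delay in trace_hops(raw) if delay > threshold]

def auth_results(raw, authserv_id):
    """spf/dkim/dmarc verdicts from the header stamped by authserv_id only."""
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() == authserv_id.lower():
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return {}
```

On the sample, slow_hops(SAMPLE) points at mx.example.net, where the message waited 455 seconds, and auth_results(SAMPLE, "inbox.example.net") ignores the spf=none line written by the upstream relay.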
Frequently Asked Questions
Where do I find raw email headers in Gmail?
In Gmail, open the email, click the three-dot menu in the top-right corner, and select "Show original". This opens a new tab with the full raw headers and message source. You can copy the headers from there.
What does the Received header tell me?
Each Received header represents one hop the email took on its way from sender to recipient. They are added in reverse order, so the topmost Received header is the last server that handled the message. By reading them bottom to top, you can trace the exact route the email traveled and spot where delays occurred.
Can email headers be forged?
Some headers like From, Reply-To, and Subject can be forged by the sender. However, Received headers added by each mail server along the route are much harder to fake. Authentication headers (SPF, DKIM, DMARC results) added by the receiving server are trustworthy because they are generated after verification checks.