Email Header Analyzer

Built for operators & agencies
Live DNS - no cached APIs
No login required
No data retention
Privacy first diagnostics
Prevents blacklisting - not causes it

Paste raw email headers and extract SPF, DKIM and DMARC results (runs locally in your browser).

Tip: in Gmail use “Show original” then copy the headers block (NOT the HTML body).

warning Emergency Scan
Reality check: This runs locally in your browser. Nothing is uploaded.

Fast workflow

  1. Paste headers → read pass/fail
  2. Run /check to confirm alignment + DNS
  3. Apply FixKit if anything is failing
warning Emergency scan cards_stack See plans

What this tool is really doing

Your email client is not guessing. It’s reading authentication results added by mail servers as the message travels. The fastest way to debug deliverability is to look at the headers and extract the three signals that matter: SPF, DKIM, and DMARC.

This analyzer pulls those results out of common header lines like Authentication-Results and Received-SPF so you can see what the recipient actually saw.

When you should use it

  • You’re landing in spam and need proof of what failed.
  • Someone says “SPF is fine” but Gmail shows otherwise.
  • DMARC fails even when SPF or DKIM seems to pass (usually alignment).
  • You’re testing a new sender (SES, Mailgun, SendGrid, Microsoft 365, Google Workspace) and want to verify authentication quickly.

How to get the right headers

  • Gmail: open the email → three dots menu → “Show original” → copy the header block.
  • Outlook (web): open email → “View message source” or “View headers”.
  • Apple Mail: View → Message → All Headers.

Tip: paste only the header section. You don’t need the HTML email body.

What to look for in the output

  • spf=pass / spf=fail tells you if the sending IP was allowed by the domain SPF record.
  • dkim=pass / dkim=fail tells you if the message was signed and validated.
  • dmarc=pass / dmarc=fail tells you if SPF or DKIM aligned with the visible From domain.

Common real-world scenarios

1) SPF passes but DMARC fails

This is classic alignment. SPF might pass for the return-path/bounce domain, but DMARC checks alignment with the visible From domain. Fix is usually: make sure the service is configured to align the MAIL FROM domain, or rely on DKIM alignment.

2) DKIM fails only on forwarded mail

Forwarders sometimes modify the message and break DKIM. The fix depends: DMARC + DKIM alignment is still best, but you may also see ARC results in Gmail that explain why the receiver trusted it anyway.

3) SPF fails even though you “added SES/SendGrid/Mailgun”

Usually one of these: multiple SPF records, too many DNS lookups, or the include is wrong. Use the SPF generator to build a clean single record.

Next steps

  1. If SPF looks wrong, generate a clean record with SPF generator.
  2. If DMARC fails, run DMARC analyzer to spot alignment and policy mistakes.
  3. Then confirm everything with a full scan on InboxGreen checker.

Fast workflow:

plagiarism Run The Free Checker auto_awesome_motion Generate SPF multimodal_hand_eye Analyze DMARC