Email Header Security Analyzer
Paste raw email headers to analyze SPF, DKIM, DMARC, ARC chain, and the full received hop trace. Identify authentication failures and routing anomalies.
How to get email headers
- Gmail: Open message → three-dot menu (⋮) → Show original → Copy to clipboard
- Outlook web: Open message → three-dot menu → View → View message source
- Apple Mail: Open message → View menu → Message → All Headers
- Thunderbird: Open message → View → Message Source (Ctrl+U)
What this tool checks
- Authentication-Results — SPF, DKIM, DMARC pass/fail results added by the receiving server
- DKIM-Signature — all DKIM signatures present, including from forwarding services
- ARC headers — Authenticated Received Chain, used when email is forwarded through intermediaries
- Received hops — the full delivery path from sender to inbox
- From / Reply-To alignment — check if Reply-To differs from From (phishing signal)
Understanding email authentication headers
When a receiving mail server processes an incoming message, it adds an Authentication-Results header recording the outcome of SPF, DKIM, and DMARC checks. This is the most important header for diagnosing why an email landed in spam or failed authentication.
Authentication-Results explained
The Authentication-Results header is added by the receiving server and records:
- spf=pass/fail — whether the sending IP was authorized by the envelope sender's SPF record
- dkim=pass/fail — whether the DKIM signature verified against the published public key
- dmarc=pass/fail — whether the message passed DMARC alignment (SPF or DKIM must align with the visible From domain)
What is ARC?
ARC (Authenticated Received Chain) is a set of headers that preserve the authentication state of a message as it passes through forwarding intermediaries like mailing lists or email forwarders. When SPF breaks during forwarding, ARC allows the final receiver to check the original authentication results.
Reading the Received chain
Received: headers are added by each server that handles the message, with the most recent at the top.
The full chain shows the delivery path from the originating server to the inbox.
Unusual hops, geographic anomalies, or unexpected relay servers can indicate phishing or routing misconfiguration.
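The checks described above, as an added Python example (not this tool's own code): it reads Authentication-Results verdicts, orders the Received hops origin-first, and flags a Reply-To domain that differs from From. The sample headers and the trusted_authserv parameter are constructed assumptions; the parameter restricts verdicts to your own receiving server's header, because a sender can insert an Authentication-Results header of its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; example.* names and documentation IPs are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id abc123;
\tTue, 02 Jan 2024 10:00:05 +0000
Authentication-Results: inbound.example.org;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=example.com
Received: from mail.example.com (mail.example.com [198.51.100.9])
\tby mx.example.net with ESMTP id def456;
\tTue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: mail.example.com; spf=pass; dkim=pass; dmarc=pass
From: "Billing" <billing@example.com>
Reply-To: payments@example.net
Subject: Invoice

"""

def domain_of(value):
    """Lower-cased domain of the first address in a From/Reply-To value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw, trusted_authserv):
    msg = message_from_string(raw)
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        authserv_id, _, body = ar.partition(";")
        # Anyone upstream can insert this header; count only our own server's.
        if authserv_id.split()[:1] != [trusted_authserv]:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", body, re.I):
            auth.setdefault(method.lower(), []).append(result.lower())
    hops = []
    # Each server prepends its Received header, so reverse for origin-first order.
    for rcvd in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", " ".join(rcvd.split()))
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return {"auth": auth, "hops": hops,
            "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom}

if __name__ == "__main__":
    print(analyze(SAMPLE, "inbound.example.org"))
```

In the sample, SPF passes for the envelope domain but DMARC fails because that domain does not align with the visible From domain, and the sender-supplied "all pass" header is ignored.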