Email Header Analyzer: How to Read and Interpret Email Headers

Practical guide to email header analysis: trace message paths, identify phishing, and diagnose delays.

Email headers: the DNA of every message

Every email contains two parts: the visible body (the text you read) and the hidden headers (the technical metadata). Email headers are like the postmark on a traditional letter, but far more detailed: they record every server the message passed through, the timestamps of each step, the authentication verification results, the server software, and dozens of other technical details. Being able to read headers is a fundamental skill for diagnosing email issues and identifying fraudulent messages.

Our Email Header Analyzer simplifies this analysis: just paste the raw headers and the tool automatically analyzes them, showing the message path in chronological order, delays between each hop, authentication results, and any anomalies. But to get the most out of the tool, it helps to understand what the main headers mean.

Key header fields

Received: from mail-sor-f41.google.com (209.85.220.41)
  by mx.esempio.com; Thu, 05 Mar 2026 10:23:45 +0100
Received: from [192.168.1.100] by smtp.google.com
  with ESMTPSA; Thu, 05 Mar 2026 10:23:44 +0000
From: Mario Rossi <mario@esempio.com>
To: info@destinazione.com
Subject: Proposta commerciale
Date: Thu, 05 Mar 2026 10:23:43 +0000
Message-ID: <abc123@esempio.com>
Authentication-Results: mx.destinazione.com;
  spf=pass; dkim=pass; dmarc=pass

The Received fields are the most informative: each server that handles the email adds its own at the top, so the fields appear in reverse order (the most recent is first). Reading from bottom to top, you reconstruct the chronological path of the message. Each Received field contains the server's IP, its hostname, and a timestamp. By comparing timestamps between consecutive Received entries, after converting them to the same time zone, you can identify delays: a 30-second gap between two hops is normal, while 30 minutes could indicate a problem.

Identifying phishing emails from headers

Headers are the most reliable tool for unmasking phishing emails. The main warning signs: the From field and Return-Path have different domains (the visible sender does not match the technical sender), the Authentication-Results show spf=fail or dkim=fail, the IPs in the Received fields come from unexpected countries, the Message-ID has a different domain than the sender, and the X-Mailer or User-Agent headers reveal unusual software.

For a complete verification, compare the From domain with the authentication results. Use SPF Lookup to check whether the sending server's IP is authorized by the SPF record of the claimed domain. If the Authentication-Results field shows dmarc=fail, the domain has an active DMARC policy and the email did not pass it — a strong indicator of spoofing. The DMARC Lookup shows you which policy is configured.

Diagnosing delivery delays

When emails arrive late, the headers reveal exactly where the slowdown occurred. Our Email Header Analyzer automatically calculates the time elapsed between each hop and highlights anomalous delays. The most common causes of delay are: active greylisting on the receiving server (intentional 5-15 minute delay to filter spam), full message queues on the server, DNS issues that slow down resolution, and antispam filters that take too long analyzing the content.

If delays are on the sending server side, there may be a performance or configuration problem. Use SMTP Diagnostics to measure server response times and verify that the connection is stable. If delays occur at the first hop (from the client to the first server), the problem is likely in the local network connection or the email client.

A special case is greylisting: the receiving server temporarily rejects the email (4xx code) and only accepts it on the second attempt, typically after 5-15 minutes. In the headers, this manifests as a significant delay between the first Received (sending) and the second (acceptance after retry). Greylisting is effective against spam but causes noticeable delays in the delivery of legitimate messages.
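
The hop timing and warning-sign checks described above, as an added Python example that is not the Email Header Analyzer's own code: it orders the Received fields oldest first, converts each timestamp to UTC before computing delays, and reports the header mismatches and authentication failures listed in the phishing section. The sample headers are constructed, and the function names and the 300-second threshold are assumptions.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message); all hosts and addresses are placeholders.
# SPF passes for the Return-Path domain, but that domain is not the From domain.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (198.51.100.7)
  by mx.example.org; Thu, 05 Mar 2026 10:35:10 +0100
Received: from [192.0.2.10] by relay.example.net
  with ESMTPSA; Thu, 05 Mar 2026 09:23:44 +0000
From: Billing <billing@example.com>
Message-ID: <abc123@mailer.example.net>
Authentication-Results: mx.example.org;
  spf=pass smtp.mailfrom=mailer.example.net; dkim=fail; dmarc=fail

"""
MSG = message_from_string(RAW)

def domain(value):
    """Lowercased domain of an address-like header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def hops(msg):
    """Received entries oldest first: (receiving host, UTC time, delay in s)."""
    out, prev = [], None
    for rec in reversed(msg.get_all("Received", [])):  # newest is on top
        info, _, stamp = rec.rpartition(";")           # timestamp follows the last ';'
        when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        by = re.search(r"\bby\s+(\S+)", info)
        delay = None if prev is None else (when - prev).total_seconds()
        out.append((by.group(1) if by else "?", when, delay))
        prev = when
    return out

def slow_hops(msg, threshold=300):  # 300 s is an assumed cut-off, tune it
    return [(h, d) for h, _, d in hops(msg) if d is not None and d > threshold]

def signals(msg):
    """Header-only warning signs from the article's phishing section."""
    found, from_dom = [], domain(msg["From"])
    for name in ("Return-Path", "Message-ID"):
        if msg[name] and domain(msg[name]) != from_dom:
            found.append(f"{name} domain differs from From")
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    found += [f"{m}=fail" for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth) if r == "fail"]
    return found
```

In the sample, the two Received timestamps look more than an hour apart until both are converted to UTC, where the real gap is 686 seconds, inside the greylisting range described above. A Return-Path domain that differs from From is also normal for mail sent through third-party services, so read that signal together with the authentication results.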
