Email Header Analyzer - Decoding Digital Anomalies

Paste raw .eml headers or an Authentication-Results: line

Upload .eml file

DoH provider:

Paste a raw .eml header block or an Authentication-Results: line above to begin.

About Email Header Analyzer

Email Header Analyzer parses raw .eml headers or an Authentication-Results block and instantly displays the parsed SPF, DKIM, DMARC, and ARC results, with plain-language explanations for every tag, a hop-by-hop Received timeline, and a mismatch panel that flags inconsistencies between From, Return-Path, DKIM-d, and SPF mailfrom.

The four standards

SPF (Sender Policy Framework) — the receiving server's check that the IP is allowed to send for the domain.
DKIM (DomainKeys Identified Mail) — the cryptographic signature that the message body and selected headers have not been altered in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) — the policy that ties SPF and DKIM alignment to a published action: none, quarantine, or reject.
ARC (Authenticated Received Chain) — the chain of trust that mailing lists and forwarders use to preserve authentication results across intermediaries.

When the algorithms disagree, the tool tells you

Each parsed tag is paired with a plain-language explanation, a "what a good value looks like" hint, and a longer description with the relevant RFC reference. The mismatch panel surfaces inconsistencies: "From domain does not match Return-Path domain" (a common spoof pattern), "DKIM d= does not match From domain" (a misaligned signature), and "subdomain case — would be a mismatch under strict alignment" (an educational note about DMARC alignment modes).

Common use cases

Phishing triage: determine if a suspicious message is actually from who it claims to be from.
Mail-server config validation: confirm your SPF / DKIM / DMARC records are correctly published and aligned.
Mailing list debugging: verify that ARC chains are correctly preserved across intermediaries.
Verifying that two spellings of a name map to the same SPF / DKIM / DMARC verdict.

All parsing is client-side. No header text, parsed value, or other user-supplied data ever leaves your machine, except user-triggered DoH lookups (which by design must reach a DNS resolver).

Comments

Please accept the "Functionality" cookie category to view and post comments.