Every email carries hidden Received headers stamped by each mail server it passed through, plus authentication results that show whether the sender is who they claim to be. This free email and message header analyzer reads them for you: paste the raw source and get the likely sender IP address, the full hop-by-hop delivery path, SPF, DKIM, and DMARC verdicts, and the classic phishing warning signs. Everything is parsed locally in your browser - your email never leaves your device.
Every mail app hides the raw headers behind a menu. Open the message you want to trace, then:
| Mail app | Steps to the raw headers |
|---|---|
| Gmail (web) | Open the email, click the three-dot menu at the top right of the message, choose Show original, then copy everything on that page. |
| Outlook.com / new Outlook | Three-dot menu on the message, then View and View message source. |
| Outlook (classic desktop) | Open the message in its own window, then File, Properties, and copy the Internet headers box. |
| Apple Mail | Select the message, then View, Message, All Headers (or Raw Source). |
| Yahoo Mail | Three-dot menu on the message, then View raw message. |
| Thunderbird | Open the message and press Ctrl+U (View Source), or use More, View Source. |
| Proton Mail | Three-dot menu on the message, then View headers. |
Paste the whole raw source if you are unsure - the analyzer stops reading at the first blank line, so the message body is ignored automatically.
Received headers are stacked newest first: the top entry is your own mail provider accepting the message, and the bottom entry is closest to the sender. To find the origin, read from the bottom up and look for the first public IP address - private addresses like 10.x.x.x or 192.168.x.x are internal mail-room hops, not the sender.
One honest caveat: a sender controls the earliest lines and can forge extra Received entries. Only the hops stamped by servers you trust - your own provider at the top of the chain - are guaranteed genuine. That is also why the authentication results (SPF, DKIM, DMARC) matter more than any single header line.
Modern email is authenticated three ways, and the Authentication-Results header records the verdicts your mail provider reached when the message arrived:
All three passing does not make an email safe - phishers can authenticate mail from their own throwaway domains perfectly. But a fail on a domain you know, such as your bank, is a strong signal the message is spoofed. Combine the verdicts with the delivery path and a blacklist check on the sending IP before trusting anything the email asks you to do.