Question 1

How do I get email headers from my email client?

Accepted Answer

In Gmail: open the email, click the three-dot menu, select 'Show original'. In Outlook: open the email, click File > Properties, and look in the 'Internet Headers' box. In Apple Mail: View > Message > All Headers. In Thunderbird: View > Message Source. Each client puts it in a slightly different place, but they all have the option somewhere.

Question 2

What do SPF, DKIM, and DMARC results in headers mean?

Accepted Answer

The Authentication-Results header shows whether each check passed or failed. 'pass' means the check succeeded. 'fail' means it definitively failed. 'softfail' (SPF only) means the sender isn't authorized but the domain owner hasn't set a hard policy. 'none' means no record was found. You want all three to show 'pass' — anything else increases your spam risk.

Question 3

Why is there a big delay between two hops?

Accepted Answer

Each server in the chain adds a Received header with a timestamp. Large gaps usually mean the receiving server held the message for processing — spam filtering, greylisting (intentionally delaying first-time senders), virus scanning, or rate limiting. If you consistently see delays at the same hop, it's likely a policy on that specific server, not a network issue.

Question 4

What's the difference between From and Return-Path?

Accepted Answer

The From header is what the recipient sees in their inbox — it's the display address. The Return-Path (also called envelope sender) is where bounces go, and it's what SPF checks against. They're often different, especially when using an ESP. For example, your From might be you@yourdomain.com while the Return-Path is bounce-123@esp.sendgrid.net. DMARC alignment requires that at least one of SPF or DKIM matches the From domain.

Question 5

Can headers tell me why my email went to spam?

Accepted Answer

Headers give you strong clues but not always the complete answer. They'll show authentication failures (SPF/DKIM/DMARC), spam filter scores (X-Spam-Status), and whether the sending IP is flagged. But some spam decisions are based on content analysis, recipient engagement history, or sender reputation — those don't appear in headers. Start with headers for authentication issues, then check your domain reputation and content separately.

Question 6

What does 'greylisting' mean in headers?

Accepted Answer

Greylisting is a spam prevention technique where the receiving server temporarily rejects the first delivery attempt from an unknown sender with a 'try again later' response. Legitimate mail servers retry after a few minutes and succeed. Spammers typically don't retry. You'll see it as a delay of 5-15 minutes between the first and second Received headers from the same server. It's annoying but normal for first-time senders.

Question 7

How do I read the Received headers in order?

Accepted Answer

Received headers are added top-down, so the newest (last server to handle the email) is at the top and the oldest (the originating server) is at the bottom. Read them bottom-to-top to trace the message's journey chronologically. Our analyzer automatically sorts them into a timeline for you, so you don't have to read them backwards.

Question 8

What's a normal number of hops for an email?

Accepted Answer

Most emails pass through 3-6 servers (hops). A typical path: your mail client to your outgoing server, to any intermediary filtering servers, to the recipient's MX server, to their spam filter, and finally to their mailbox. More than 8 hops is unusual and might indicate misconfigured routing or unnecessary relay servers.

Email Header Analyzer

What can you learn from email headers?

About this tool

What's actually in email headers

Debugging authentication failures

Finding delivery delays

Common header analysis mistakes

Frequently Asked Questions

More Free Tools

SPF Record Checker

DKIM Record Checker

DMARC Record Checker

MX Record Lookup