Why do I see multiple Received headers in an email?

Each server that handles a message adds a Received header. A typical email touches 3-5 servers (sender's outbound, internal relay, receiving MX, spam filter, mailbox server). Headers are added to the top, so reading down goes from most recent to oldest. The analyzer reverses this for chronological display.

What does a long delay between email hops mean?

Most hops complete in under a second. Seconds-to-minutes delays are normal for spam filtering. 5+ minute delays indicate retry queueing — temporary deliverability problems like greylisting or rate limits. Delays of an hour or more are red flags suggesting persistent deliverability issues or misconfigured outbound queues.

What is ARC (Authenticated Received Chain)?

ARC (RFC 8617) preserves authentication results when email is forwarded through mailing lists or other intermediaries that would otherwise break SPF and DKIM signatures. Each forwarder cryptographically attests to the auth results it observed. ARC headers appear when messages have been forwarded through Google Groups, Microsoft mailing lists, or corporate forwarding setups.

Free. Pure-browser parsing — nothing leaves your device.

Email Header Analyzer

Q: What information can I learn from email headers?

Email headers reveal the message's complete journey: originating server and IP, every server it passed through, authentication results (SPF, DKIM, DMARC), delivery delays at each hop, the sender's claimed domain versus the actual sending server, the message's unique ID, and vendor-specific anti-spam scores. They're essential for deliverability troubleshooting, phishing investigation, and compliance verification.

Q: What's the difference between SPF, DKIM, and DMARC?

SPF validates that the sending server's IP is authorized for the sender's domain. DKIM uses cryptographic signatures to prove the message wasn't tampered with. DMARC ties them together and tells receivers what to do on failure (reject, quarantine, monitor), plus requires alignment between the authenticated domain and the visible From: domain.

Q: Can email headers be spoofed?

The From: header and most informational headers can be trivially spoofed. Received headers added by intermediate servers and Authentication-Results added by the receiving server are much harder to spoof. When investigating suspicious email, trust the most recent Received headers and Authentication-Results over what appears in From:.

Paste raw email headers and see SPF, DKIM, and DMARC results, hop-by-hop delivery path with delays, originating server, and any red flags at a glance. Useful for diagnosing deliverability problems, investigating phishing, and verifying email authentication. Built by Datastrive, a Chicago managed IT and email security provider.

Visual delivery timeline
SPF / DKIM / DMARC / ARC results
Automatic red-flag detection

How to find raw headers in your mail client

Every mail client has a different path to the raw headers. Here are the most common ones:

Gmail (web) Open the message. Click the three-dot menu (⋮) at the top right of the message. Select Show original. A new tab opens with the raw message. Copy the entire block of headers (everything above the message body).
Outlook (desktop) Open the message in its own window (double-click). Go to File → Properties. The “Internet headers” box at the bottom contains everything you need — click inside, Ctrl+A to select all, Ctrl+C to copy.
Outlook on the web (OWA) Open the message. Click the three-dot menu (⋯) at the top of the message. Select View → View message source. Copy the entire block.
Apple Mail (macOS) Open the message. From the menu bar: View → Message → All Headers (or press Shift+Cmd+H). The headers will appear above the message body. Select and copy them.
Thunderbird Open the message. Go to View → Headers → All. Then View → Message Source (Ctrl+U) for the full raw text. Copy everything before the blank line that separates headers from body.
iOS / Android Gmail or Outlook apps Mobile mail clients generally don’t expose raw headers. Open the same message on the web or desktop version of your client to retrieve them.

Frequently asked questions

What information can I learn from email headers?

Email headers are metadata attached to every message that show its complete journey from sender to recipient. They reveal: the originating server and IP, every server the message touched on its way, authentication results (SPF, DKIM, DMARC), how long delivery took at each hop, the sender’s claimed domain versus the actual sending server, the message’s unique ID, and a host of vendor-specific anti-spam scores and flags.

For deliverability troubleshooting, headers tell you where messages are getting stuck. For phishing investigation, they reveal whether a sender’s claimed identity matches the actual source. For compliance, they prove a message’s path and authenticity.

What’s the difference between SPF, DKIM, and DMARC?

SPF (Sender Policy Framework) validates that the IP address that sent the message is authorized to send for the sender’s domain. Looks up a TXT record on the sender’s domain to check.

DKIM (DomainKeys Identified Mail) uses a cryptographic signature on the message itself to prove it hasn’t been tampered with in transit and was actually signed by the sender’s domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do when they fail (reject, quarantine, or just monitor). DMARC also adds the “alignment” requirement — the SPF or DKIM authenticated domain must match the visible From: domain.

Modern email security uses all three. Want to verify your own domain has them set up correctly? Try our Email Security Checker.

Why do I see multiple “Received” headers?

Each server that handles the message adds a Received header as it passes through. A typical email touches 3–5 servers: the sender’s outgoing mail server, possibly an internal relay or anti-spam gateway, the receiving organization’s MX server, possibly an inbound spam filter, and finally the mailbox server. Each adds its own Received header.

The headers are added to the top of the list, so reading down the list goes from most recent (final delivery) to oldest (originating server). The analyzer reverses this and shows the path in chronological order so it reads naturally.

What does a long delay between hops mean?

Most hops complete in well under a second. Delays in the seconds-to-minutes range are normal for spam filtering or anti-malware scanning. Delays of 5+ minutes usually indicate the receiving server placed the message in a retry queue — either because of a temporary deliverability problem (greylisting, rate limits) or because the sending server had connectivity issues.

Delays of an hour or more are red flags. They typically indicate persistent deliverability problems, spam-related rate limiting at the destination, or a misconfigured outbound queue at the sender’s end. The analyzer highlights significant delays automatically.

Can email headers be spoofed?

The From: header and most “informational” headers can be spoofed trivially — they’re just text the sender writes. The Received headers added by intermediate servers, however, are added by those servers themselves and are difficult to spoof beyond the originating hop. SPF, DKIM, and DMARC results are added by the receiving server and reflect what that server actually verified.

So when investigating suspicious email, trust the Received headers added by the recipient’s own infrastructure (the most recent ones at the top) and the Authentication-Results header more than what’s in the From: line. If From: says one domain but the SPF and DKIM-checked sending domain are different, that’s a strong phishing indicator.

What’s ARC and why might it matter?

ARC (Authenticated Received Chain) is a relatively new standard (RFC 8617) that solves a specific problem: when an email is forwarded through a mailing list or other intermediary, the original SPF and DKIM signatures often break, causing legitimate forwarded messages to fail DMARC.

ARC lets each forwarder cryptographically attest “I received this message and these were the auth results when I got it.” The final destination can then trust the chain even if the original SPF doesn’t match anymore. If you see ARC headers, the message has been forwarded through one or more ARC-aware intermediaries — common with Google Groups, Microsoft mailing lists, and corporate forwarding setups.

Tired of losing email to deliverability problems?

Datastrive helps Chicago-area businesses fix email deliverability, set up SPF/DKIM/DMARC properly, and investigate phishing incidents. We’re a managed IT and cybersecurity provider for small and mid-sized businesses.

Talk to Datastrive →

Email Header Analyzer

How to find raw headers in your mail client

Frequently asked questions

Tired of losing email to deliverability problems?

Solutions

Company

Free Tools

Service Areas

LinkedIn

Twitter

Facebook

Discover Our Story and Values.

Platform partnerships

Cloud

Industry Focus

Cyber Security

Industry Focus

Discover Our Story and Values.

Platform partnerships

IT Services

Industry Focus