Trace Email (Header Analyzer)
Paste the raw headers of any email and reconstruct its full delivery path hop by hop, geolocate the true sending server, and check whether SPF, DKIM and DMARC actually passed.
About Trace Email (Header Analyzer)
Every email carries a hidden audit trail. As a message travels from the sender's outbox to your inbox, each mail server that touches it stamps a `Received:` header on top of the previous ones. Those headers are recorded newest-first, so the server closest to you appears at the top and the originating server at the bottom. The Trace Email header analyzer reverses that stack back into chronological order, so you read the journey the way it actually happened: from the first submission server through every relay to final delivery.
For each hop the analyzer extracts the announcing host (`from`), the receiving host (`by`), the transport protocol used (`with`, for example ESMTPS), the timestamp, and the IP address the connection came from. It then computes the delay between consecutive hops so you can see exactly where a message stalled, and it geolocates every public IP in the chain against our self-hosted geo databases. The first public IP in the chronological path is flagged as the origin and mapped, which is usually the closest thing to the real sending machine that the headers reliably expose.
Beyond routing, the tool surfaces the authentication verdicts that decide whether a message is trusted. It reads the `Authentication-Results` header to report the SPF, DKIM and DMARC outcomes, and falls back to `Received-SPF` when needed. It also pulls out the human-readable essentials: Subject, From, To, Date and Message-ID. Because `Received:` headers are added by receiving servers and cannot be edited by a sender after the fact, a chain that ends in trusted infrastructure is hard to forge, while spoofed messages often show a mismatch between the claimed origin and the first genuine public hop, or an authentication result of fail or softfail.
This tool runs on our EU servers rather than in your browser, because geolocating hop IPs requires server-side lookups. The headers you paste are parsed to produce the report and are not stored or shared. Nothing else about the message, no body content or attachments, is needed or requested; headers alone contain the entire delivery story.
How to use it
- 1Open the original message in your mail client and choose the option to view the raw source or message headers (for example "Show original" in Gmail, "View source" in Thunderbird, or "View message source" in Outlook on the web).
- 2Copy the full header block, from the first `Received:` or `Return-Path` line down to the blank line that precedes the message body.
- 3Paste the raw headers into the input field and run the analysis.
- 4Read the delivery path from top (first sender) to bottom (final delivery), checking the origin IP and its geolocation, the per-hop delays, and the SPF, DKIM and DMARC verdicts.
- 5Compare the geolocated origin and the authentication results against what you expect from the claimed sender to judge whether the message is legitimate.
Common use cases
- -Investigating a suspected phishing or spoofing attempt by confirming whether the real sending server matches the claimed brand or domain.
- -Diagnosing slow email delivery by reading the timestamp delays between hops to find which relay introduced the lag.
- -Verifying that legitimate mail from your own domain passes SPF, DKIM and DMARC before you tighten your DMARC policy.
- -Locating the approximate country and network of an anonymous or harassing sender from the origin IP.
- -Building a record of an email's provenance for an abuse report, security ticket or incident timeline.
Frequently asked questions
- How do I find the raw headers of an email?
- In most mail clients you open the message and choose an option such as "Show original" (Gmail), "View source" (Thunderbird) or "View message source" (Outlook on the web). That reveals the full header block, which you then copy and paste into the analyzer.
- Which server in the headers is the real origin?
- The originating server is the bottom-most `Received:` header, the last one added before the message left the sender's network. The analyzer reverses the header stack into chronological order and flags the first public IP in that chain as the origin, then geolocates it.
- Can email headers be faked?
- A sender can forge the visible From address and can inject fake `Received:` lines at the bottom of the chain, but they cannot alter the `Received:` headers added by legitimate downstream servers. That is why a mismatch between the claimed sender and the first genuine public hop, or a failed SPF/DKIM/DMARC result, is a strong sign of spoofing.
- What do SPF, DKIM and DMARC results in the headers mean?
- SPF checks whether the sending IP is authorized to send for the domain, DKIM verifies a cryptographic signature on the message, and DMARC ties the two to the visible From domain and sets a policy. A pass on all three indicates the message is authenticated; a fail or softfail warrants caution.
- Does the tool read my email body or store the headers?
- No. The analyzer only needs the header block to reconstruct the delivery path, and no message body or attachment is required. Headers are parsed on our EU servers to generate the report and are not retained or shared.
- Why is the geolocation of the sending server only approximate?
- IP geolocation maps an address to the network that announces it, which reflects the hosting or ISP location rather than a person's physical position. It reliably shows the country and network operator of the sending server but should not be read as a precise street-level location.