Email & Delivery 5 min read

How to Read Email Headers

Guide to email headers — how to trace the path, check SPF/DKIM/DMARC results and identify spam indicators.

What Are Email Headers?

Every email you receive contains hidden headers — metadata that records the entire journey of the email from sender to recipient. These headers are invisible in the normal view, but contain critical information for troubleshooting.

Headers are written from bottom to top — the first one added is at the bottom, the last at the top.

How to View Email Headers

  • Gmail: Open email → "⋮ More" → "Show original"
  • Outlook: File → Properties → "Internet headers"
  • Apple Mail: View → Message → All Headers
  • Thunderbird: View → Headers → All

The Most Important Headers — What They Mean

Received: headers

Each mail server that handled the email adds a Received: header. Reading them from bottom to top shows you the path:

Received: from mail.sender.com (203.0.113.1)
  by mx.gmail.com with ESMTPS; Mon, 20 May 2026 10:00:01 +0000

Check the timestamps — a large difference between two consecutive Received: headers indicates a delay at that hop.

Authentication-Results:

The recipient writes SPF/DKIM/DMARC results here:

Authentication-Results: mx.google.com;
  spf=pass (google.com: domain of user@sender.com designates 203.0.113.1 as permitted sender)
  dkim=pass header.d=sender.com
  dmarc=pass (p=REJECT) header.from=sender.com
ValueMeaning
passSuccessful verification ✅
failFailure — possible forgery ❌
softfailSPF ~all — soft fail, flagged ⚠️
noneNo record found
neutralSPF makes no statement (rare)

X-Spam-* headers

Spam filters (SpamAssassin, Barracuda, Proofpoint) add their own headers with spam scores:

X-Spam-Status: No, score=1.2 required=5.0
X-Spam-Score: 1.2

Score below 5 usually passes. A high score indicates content or authentication problems.

From: vs Return-Path: vs Reply-To:

  • From: — What the user sees. Can be spoofed.
  • Return-Path: — Where bounces go. This is what SPF uses for verification.
  • Reply-To: — Where replies are sent. Often used in phishing.
⚠️ Phishing indicator: If the From: domain differs from the Return-Path: domain, it's a strong signal of phishing or email spoofing.

Message-ID:

Unique email identifier — useful for tracking in logs. Has the form <unique-string@sending-domain.com>. If missing or malformed, it's a spam indicator.

Analyse email headers automatically — SPF/DKIM/DMARC, hop delays, spam indicators:

→ Email Headers Analyzer

Step-by-Step: Read Headers for Troubleshooting

  1. Check Authentication-Results first — if SPF/DKIM/DMARC fail, that explains the spam.
  2. Read Received: headers from bottom to top — find where the email stopped or was delayed.
  3. Compare From: with Return-Path: — difference = phishing suspicion.
  4. Check X-Spam-Score — if >3 there are content or auth problems.
  5. Check Message-ID format — malformed = possible spam.

Frequently Asked Questions

Why is my email delayed?
Look at the Received: headers and compare timestamps between consecutive hops. A large gap (e.g. 10+ minutes) at one hop means there was a delay there — usually greylisting or an overloaded server.
How do I know where an email really came from?
Look at the last (bottommost) Received: header — that is the originating server. The sender cannot forge this header because it is written by the recipient, not the sender.
SPF pass but DMARC fail — why?
DMARC requires alignment: the domain in From: must match the domain verified by SPF or DKIM. If you use a third-party sender (Mailchimp, Sendgrid) with their own Return-Path domain, SPF pass alone is not enough for DMARC alignment.
Can email headers be forged?
Some headers (From:, Subject:, Reply-To:) can be easily forged. This is why DKIM and DMARC exist — to prove authenticity despite the possibility of forgery.

Try it now

Mail Headers Analyzer Email headers & hop delays

Related guides

How to Set Up SPF, DKIM and DMARC Why Are My Emails Going to Spam?
← All guides