Email Header Analyzer

Introduction:

Email headers are structured text blocks defined by RFC 5322 that record routing, authentication, and content metadata for every message that travels through the Simple Mail Transfer Protocol. They reveal the servers that handled the message, the sender’s claimed identity, and numerous trust-signals used by spam filters and incident responders.

This tool unfolds line-wrapped fields, builds a canonical key-value map, and uses pattern matching to extract the “Received” chain, authentication outcomes, and salient envelope attributes. A lightweight charting layer visualises hop-to-hop delays, while export helpers transform each view into clipboard-ready or downloadable comma-separated values for further analysis.

For instance, a deliverability engineer can paste a problematic header, instantly confirm whether SPF or DKIM failed, and identify the longest transport delay within seconds, but always corroborate findings with server logs before escalating false-positive spoofing alerts.

Technical Details:

SMTP relays append a new “Received” header every time a message transits a server. Each record may include originating host, receiving host, protocol, timestamp, and IP address. Authentication headers summarise independent checks: Sender Policy Framework, DomainKeys Identified Mail, Domain-based Message Authentication Reporting and Conformance, and Authenticated Received Chain. By parsing these elements you can trace the full delivery path, measure cumulative latency, and judge whether the claimed sender aligns with policy.

1. Unfold header lines and split into key-value pairs.
2. Locate every received: block; extract from, by, with, timestamp, and IP.
3. Compute hop-to-hop and total transit delays by subtracting sequential timestamps.
4. Parse the authentication-results: field; record SPF, DKIM, DMARC, and ARC verdicts.
5. Derive convenience metrics such as domain alignment, selector, and maximum individual delay.

• header text – raw RFC 5322 string or uploaded .eml/.txt.
• receivedHops – ordered array of parsed relay records.
• authResults – map of SPF, DKIM, DMARC, ARC verdicts.
• summaryFields – curated set of headline attributes.
• hopChart – visual series of per-hop delays.

• Relies on monotonically increasing timestamps.
• Assumes header integrity; tampered headers distort path analysis.
• Ignores time-zone offsets if the date string is malformed.
• Authentication verdicts depend on sending domain policy.

• Messages relayed through local delivery agents without timestamps.
• Multiple “Authentication-Results” blocks from layered gateways.
• IPv6 literals lacking surrounding brackets.
• Malformed DKIM signature preventing selector extraction.

Concepts are grounded in RFC 5321, RFC 5322, RFC 7208, RFC 6376, RFC 7489, and RFC 8617, which collectively define SMTP transport and modern email authentication measures.

This analysis operates entirely in-browser and never transmits header data to external services.

Step-by-Step Guide:

Follow these steps to inspect a header.

1. Paste the complete header or upload a file with .eml or .txt extension.
2. Select Parse Header to generate the report.
3. Review the Summary tab for key identities and alignment.
4. Open Received Path to study the delay chart and hop table.
5. Switch to Auth Results to verify SPF, DKIM, DMARC, and ARC verdicts.
6. Copy or download CSVs from any tab for offline documentation.

FAQ:

Glossary:

SPF

Framework that authorises sending IPs for a domain.

DKIM

Cryptographic signature ensuring header and body integrity.

DMARC

Policy combining SPF and DKIM to instruct receivers.

ARC

Chain of custody for forwarded messages.

Hop delay

Seconds between sequential “Received” timestamps.