Email Header Analyzer

Paste raw email headers below to trace the real sender, view relay hops, and check SPF/DKIM/DMARC authentication results.

100% private — your email headers never leave your browser
Please paste email headers to analyze.

PhishClean scans every page you visit for phishing signals — not just emails.

The browser extension monitors web pages in real time, catching threats that email header analysis alone cannot detect.

Real-time phishing page detection
Password fields on suspicious pages
Hidden iframes stealing credentials
Domain spoofing and lookalike URLs
HTTPS downgrade attacks
API keys and tokens exposed in URLs
Install PhishClean Free

How to find email headers

Gmail

  1. Open the email you want to analyze.
  2. Click the three-dot menu (top-right of the email).
  3. Select Show original.
  4. Copy everything in the text box that appears and paste it above.

Outlook (Desktop)

  1. Open the email, then click File > Properties.
  2. In the Properties dialog, find Internet headers at the bottom.
  3. Select all the text in that box, copy it, and paste it above.

Outlook (Web)

  1. Open the email, then click the three-dot menu (top-right).
  2. Select View > View message source.
  3. Copy the headers from the new window and paste them above.

Apple Mail

  1. Open the email in Apple Mail.
  2. Go to View > Message > All Headers (or press Cmd + Shift + H).
  3. Copy the displayed headers and paste them above.

Frequently asked questions

How do I find email headers?

Every email client stores headers differently. In Gmail, open the email and select "Show original" from the three-dot menu. In Outlook, open the message properties to find Internet headers. In Apple Mail, go to View > Message > All Headers. The headers contain routing, authentication, and metadata that reveals how the email traveled to your inbox.

What do SPF, DKIM, and DMARC mean?

SPF (Sender Policy Framework) checks whether the sending server is authorized by the domain owner. DKIM (DomainKeys Identified Mail) verifies the email has not been tampered with using a cryptographic signature. DMARC (Domain-based Message Authentication, Reporting and Conformance) combines SPF and DKIM and tells receiving mail servers how to handle messages that fail these checks. Together, they are the backbone of email authentication and help prevent spoofing.

Can this tool tell if an email is phishing?

This tool flags common indicators of spoofed or suspicious emails: failed authentication (SPF/DKIM/DMARC), mismatched sender addresses (From vs Return-Path), and unusual relay paths. However, sophisticated phishing emails can pass all authentication checks. Use this as one data point — also watch for urgency language, unexpected requests, and suspicious links in the email body.

Are my email headers stored anywhere?

No. Everything runs entirely in your browser using JavaScript. The headers you paste are never sent to PhishClean or any third-party server. You can verify this yourself by opening your browser's developer tools (Network tab) while running an analysis — you will see zero outbound requests.