Free Forensic Tool
Email Header Analyzer
Paste email headers. See where the email came from, how it got to you and whether it is legitimate.
Free email header analysis tool from Sherlock Forensics. Parses Received headers into a visual hop-by-hop timeline, checks SPF, DKIM and DMARC authentication, identifies originating IP and geographic route, flags sender mismatches and produces a legitimacy verdict. Used by IT admins, security teams, lawyers and HR departments to trace email origins and detect spoofing.
Paste Email Headers
Paste the full headers from the email you want to analyze. The tool runs entirely in your browser. Headers are not sent to any server.
Since 2006. 4.8/5 rating. CISSP, ISSAP, ISSMP certified.
Questions
About Email Header Analysis
How do I get email headers?
Gmail: open the email, click the three dots, then "Show original". Outlook: File > Properties > Internet Headers. Apple Mail: View > Message > All Headers.
What does the analyzer check?
Received headers (hop trace), SPF/DKIM/DMARC authentication, sender mismatches, originating IP, routing delays and overall legitimacy verdict.
How can I tell if an email is spoofed?
Key indicators: SPF fails, DKIM fails, From address mismatch with Return-Path, unexpected originating IP location. Multiple failures strongly indicate spoofing.
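The indicators listed above, applied to raw headers in Python. This is an added example, not Sherlock Forensics' code; the `trusted_authserv` parameter, the two-flag threshold and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; all hosts and IPs are documentation placeholders.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [203.0.113.7])\n"
    "\tby inbound.example.org with ESMTPS; Mon, 01 Jan 2024 10:00:05 +0000\n"
    "Received: from sender-host (unknown [198.51.100.23])\n"
    "\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000\n"
    "Authentication-Results: inbound.example.org;\n"
    "\tspf=fail smtp.mailfrom=bounce.example.net;\n"
    "\tdkim=none; dmarc=fail header.from=example.com\n"
    "Return-Path: <bounce@bounce.example.net>\n"
    'From: "Accounts Payable" <ap@example.com>\n'
    "Subject: Invoice\n\n"
)

def domain(value):
    """Lower-cased domain of the address in a From/Return-Path value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw, trusted_authserv):
    # trusted_authserv (assumed parameter): your own receiving server's name.
    # Authentication-Results stamped by anyone else are ignored, because a
    # sender can insert that header themselves.
    msg = message_from_string(raw)
    auth = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results") or []:
        authserv, _, rest = value.partition(";")
        if authserv.lower().split()[:1] != [trusted_authserv.lower()]:
            continue
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            if auth[mech.lower()] != "pass":  # any pass wins (multiple DKIM sigs)
                auth[mech.lower()] = verdict.lower()
    flags = [f"{m} {v}" for m, v in auth.items() if v != "pass"]
    if domain(msg["From"]) != domain(msg["Return-Path"]):
        flags.append("From/Return-Path domain mismatch")
    hops = list(reversed(msg.get_all("Received") or []))  # oldest hop first
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", hops[0]) if hops else None
    return {
        "auth": auth, "flags": flags, "hop_count": len(hops),
        "origin_ip": ip.group(1) if ip else None,
        # Assumed threshold: the page says multiple failures indicate spoofing.
        "verdict": "likely spoofed" if len(flags) >= 2 else "no strong indicators",
    }

if __name__ == "__main__":
    print(analyze(SAMPLE, "inbound.example.org"))
```

A From/Return-Path mismatch on its own is common for mail sent through third-party services, which is why the verdict here needs at least two flags.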
What are SPF, DKIM and DMARC?
SPF verifies the sending server is authorized. DKIM verifies the email was not modified. DMARC tells receivers what to do when SPF/DKIM fail. Together they prevent spoofing.
What if the analyzer says "Likely Spoofed"?
Do not click links or download attachments. Report to IT. If it involves money or legal matters, contact Sherlock Forensics at 604.229.1994 for forensic analysis.