Free Tool

Sherlock Forensics Email Header Analyzer Trace Email Origins

Free browser-based email header analysis with SPF, DKIM and DMARC verification. Trace the true source of any email. Built by CISSP, ISSAP and ISSMP certified forensic examiners.

Sherlock Forensics Email Header Analyzer is a free browser-based tool that parses email headers to trace message origins. It extracts Received header chains, identifies originating IP addresses, verifies SPF, DKIM and DMARC authentication and detects spoofing indicators. Header text is parsed locally in your browser. The public IP addresses in the Received chain are queried client-side against ip-api.com to plot the geographic journey of each hop.

Phishing Investigation

Phishing Email Investigation: What Forensic Analysis Reveals

Phishing analysis on a suspicious email follows a repeatable four-step workflow: header forensics, SPF DKIM DMARC authentication review, URL extraction with threat scoring and attachment metadata surfacing. Phishing analysis at this layer is the practical core of email forensics for IT-admin spam triage and security-team incident response and a complete phishing analysis pass takes minutes per message once the workflow is familiar. The phishing analysis output feeds the downstream email evidence chain. Each step surfaces a different signal class. Together they answer the buyer's two questions: is this phishing email legitimate and if not, what attack does it represent. The same email investigation workflow covers IT-admin spam triage, security-team incident response and forensic examiner work for compliance audits.

Header forensics cross-correlates RFC-5322 fields: From, Reply-To, Return-Path and the Received chain. A spoofed phishing email typically shows mismatches between these fields (legitimate sender domain in From and attacker-controlled domain in Return-Path or the inverse pattern). SPF DKIM DMARC authentication results in the Received headers confirm whether the claimed sending domain actually authorized the message. SPF DKIM DMARC checks bypass attempts (typo squatting, lookalike domains, Unicode homoglyphs) show up in the header forensics output as authentication failures and visible header-field drift.

URL extraction collects every link inside the suspicious email, unwraps link-shorteners (bit.ly, t.co, ow.ly) and traces redirect chains. Phishing analysis at this layer often catches the malicious URL even when the email body looks legitimate. Attachment metadata surfacing reads the filename, claimed MIME type, declared size and attachment count from the email headers. For the actual file-byte inspection (file-type validation against magic bytes, embedded macro detection, JavaScript or VBA payload analysis, PDF threat scanning) hand the attachment to the appropriate downstream Sherlock tool. PDF attachments go to Sherlock Forensics PDF Editor for PDF threat scanning. Image attachments go to Sherlock Forensics Metadata Inspector for EXIF and embedded-payload checks. The combined phishing email investigation output drops into the incident response workflow as a documented timeline.

Forensic + Legal-Tech Uses

Email Forensics for Incident Response, Legal Hold and Compliance

Email forensics covers four high-leverage use cases beyond casual phishing triage. Incident response email analysis processes the suspicious email from a compromised user's mailbox to determine initial-access vector: header forensics tells you whether the attacker spoofed an existing partner, the URL extraction tells you what landing page or payload the user was directed to and the attachment metadata surfaces what file types arrived for downstream byte-level analysis. Incident response email analysis at the inbox edge typically saves hours of downstream forensic work because it scopes the compromise immediately.

Email forensics for legal hold preserves the email evidence with chain of custody documentation suitable for litigation. Sherlock's email analyzer surfaces every authentication result, every header drift signal and every URL/attachment artifact in a structured output that downstream review platforms ingest as email evidence. Email chain of custody at this stage covers the authenticity proof that opposing counsel will challenge: the From-field signature path, the Received chain, the SPF DKIM DMARC verification results. For the cross-product PST + email forensic workflow see our PST Viewer and the deleted email recovery guide.

Compliance audit email forensics work covers HIPAA, SOX, GDPR and FINRA regulated environments where email authentication enforcement matters. The same SPF DKIM DMARC authentication results that catch phishing email attempts also document whether the organization's outbound email is properly authenticated for regulatory reporting. Phishing campaign attribution is the final email forensics use case: correlate header artifacts (Received chain signatures, X-Mailer strings, time-zone anomalies) across multiple suspicious emails to identify the same threat actor across multiple targets. The combined email forensics workflow feeds incident response email investigations, legal hold productions and compliance reporting from one tool. Background on the mid-market vs enterprise tier positioning that applies here as well is in our Cellebrite vs Magnet AXIOM 2026 comparison.

Authentication Forensics

SPF, DKIM and DMARC Explained: What Each Field Tells a Forensic Examiner

SPF DKIM DMARC is the email authentication trifecta that determines whether a claimed sender is actually who the From header says it is. Each of the three protocols answers a different question and the SPF DKIM DMARC results in the email headers tell a forensic examiner exactly which authentication path passed and which failed. SPF DKIM DMARC bypass attempts are common in phishing email campaigns, so reading these results correctly is the practical core of email forensics.

SPF (Sender Policy Framework)

The SPF record at the claimed sender's domain lists the IP addresses or hostnames authorized to send mail on that domain's behalf. Email Analyzer reads the SPF record check result from the Received-SPF header: pass, fail, softfail, neutral or none. A pass means the sending IP matches the domain's SPF record. A fail means the IP is explicitly not authorized; this is a strong phishing signal. Softfail is a weaker negative signal (the domain publishes but does not enforce). Neutral and none indicate the domain has not configured SPF, which is itself a red flag for a regulated industry sender.

DKIM (DomainKeys Identified Mail)

DKIM signature verification proves the email content was signed by the claimed sending domain's private key. The DKIM signature in the email header includes the signing domain, the selector (which DKIM key) and a cryptographic hash of the relevant headers and the body. A passing DKIM signature means the email was not tampered with in transit and was authorized by the sending domain. A failing DKIM signature can mean the content was modified (forwarded, edited or rewritten in transit) or the signature was never valid (signing domain mismatch, common in phishing). Email forensics treats DKIM signature failures as high-signal evidence.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC combines SPF and DKIM with a published policy at the claimed sender's domain. The DMARC record specifies p=reject (drop failing messages), p=quarantine (route to spam) or p=none (monitor only, take no action). DMARC report aggregate data flows back to the sender's listed reporting address so the domain owner can see who is sending mail in their name. The DMARC report stream is the long-term phishing-attribution evidence channel for organizations enforcing DMARC across their domains. Email Analyzer surfaces the DMARC policy and the pass/fail authentication result from the Authentication-Results header. A DMARC pass with strict alignment is the strongest authentication signal; a DMARC fail with p=reject and the message still arrived means the recipient mail server did not honor the policy, which is its own forensic finding.

Honest scope on SPF DKIM DMARC authentication forensics: Sherlock Forensics Email Analyzer surfaces the SPF DKIM DMARC results from the email header that the recipient mail server already computed. It does not re-run the SPF DKIM DMARC queries against current DNS (that requires network access and a synchronized point in time with the original delivery). For forensic work this matters: if the suspect domain's SPF, DKIM or DMARC record has been changed since the email was received, the header forensics still reflects the state at delivery. That is the right forensic posture.

Overview

What Email Header Analysis Reveals

Every email carries a hidden technical record of its journey from sender to recipient. The visible "From" field can be set to anything by anyone. The headers tell the truth. Sherlock Forensics Email Header Analyzer reads this technical record and presents it in a structured format that reveals the actual origin of any email.

What Headers Contain

Received Header Chain
Each mail server that handles an email adds a Received header with its identity, the previous server's identity, a timestamp and the protocol used. Reading bottom to top traces the complete path from origin to inbox. The originating IP address at the bottom of the chain identifies where the email actually came from.
SPF Authentication
Sender Policy Framework records whether the sending server was authorized by the claimed domain's DNS records to send mail on its behalf. A "fail" result means the message came from an unauthorized server, a strong indicator of spoofing. RFC 7208 defines the standard (ietf.org).
DKIM Signatures
DomainKeys Identified Mail uses cryptographic signatures to verify that the message content was not altered after the sending domain signed it. A valid DKIM signature confirms both the domain identity and message integrity. A failed or missing signature warrants further investigation.
DMARC Policy
Domain-based Message Authentication, Reporting and Conformance combines SPF and DKIM results against the domain owner's published policy. DMARC tells receiving servers whether to accept, quarantine or reject messages that fail authentication. The DMARC result indicates whether the sender domain's owner approved this message.
Originating IP Address
The IP address of the first non-internal server in the Received chain. This identifies the network from which the email was actually sent. Geolocation and WHOIS lookup on this IP reveals the sending organization, ISP and country of origin.
Timestamps and Delays
Each Received header includes a timestamp. Comparing timestamps between hops reveals routing delays and can identify messages that were held, retried or routed through unusual paths.

Use Cases

Who Uses Email Header Analysis

Phishing Detection

Verify whether a suspicious email actually came from the claimed sender. SPF and DKIM failures combined with an unfamiliar originating IP confirm a spoofed message. Document findings for security incident reports and user awareness training.

HR Investigations

When employees receive threatening or harassing emails, header analysis traces the source. Originating IP addresses, sending server identity and authentication results establish whether the message came from within the organization or an external source.

Legal Proceedings

Email evidence in civil and criminal cases requires authentication. Header analysis documents the sending server, routing path and authentication status. Pair with our expert witness services for formal forensic examination and court testimony.

Business Email Compromise

BEC attacks impersonate executives or vendors to redirect payments. Header analysis reveals whether a wire transfer request actually originated from the claimed sender's mail system or from an attacker's infrastructure. Time-critical analysis can prevent financial losses.

IT Security Teams

Investigate reported phishing attempts, verify email delivery issues and troubleshoot SPF/DKIM/DMARC configuration. Header analysis is a daily tool for security operations centers and email administrators managing domain reputation.

Fraud Investigation

Trace the origin of fraudulent communications. Email headers provide technical evidence that links messages to specific infrastructure, time zones and service providers. This data supports forensic investigations and law enforcement referrals.

Guide

How to Get Email Headers

Gmail
Open the email. Click the three-dot menu in the top right. Select "Show original." Copy the full header text from the top of the page.
Microsoft Outlook (Desktop)
Open the message. Click File, then Properties. The Internet Headers appear in the bottom text box. Select all and copy.
Outlook on the Web
Open the email. Click the three-dot menu. Select "View message source" or "View message details." Copy the header text.
Apple Mail
Open the email. Select View from the menu bar, then Message, then All Headers. Copy the displayed header text.
Yahoo Mail
Open the email. Click the three-dot menu. Select "View raw message." Copy the header text from the top of the display.

After copying the headers, paste them into the Sherlock Forensics Email Header Analyzer for instant analysis.

Privacy

How Your Data Is Handled

Browser-Based Processing with Honest Disclosure

Your email header text is parsed locally in your browser. We do not collect, store or transmit your analysis. To show you where each sender mail server is located geographically, the public IP addresses in the Received chain are queried against ip-api.com, a public geolocation service. Public IP addresses are public by design. Anyone with the headers can look them up. The ip-api.com lookup happens client-side from your browser. We do not proxy or log these queries.

Questions

Email Analyzer FAQ

What is email header analysis?
Email header analysis examines the technical metadata attached to every email message. Headers contain the complete routing path from sender to recipient, IP addresses of every mail server that handled the message, timestamps at each hop, authentication results for SPF, DKIM and DMARC and the true originating server. This data reveals where an email actually came from regardless of what the From field displays.
Can you trace where an email came from?
Yes. The Received headers in an email document every mail server that processed the message from origin to delivery. By analyzing these headers bottom to top, you can identify the originating IP address, the sending mail server and the geographic region. SPF, DKIM and DMARC results further verify whether the claimed sender domain actually authorized the message.
What does a suspicious email header look like?
SPF (Sender Policy Framework) verifies that the sending server is authorized to send email for the claimed domain. DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) combines SPF and DKIM results to enforce a domain owner's anti-spoofing policy. Failures in any of these indicate potential spoofing.
Is the email analyzer free?
Yes. The Sherlock Forensics Email Header Analyzer is completely free and runs entirely in your browser. No installation, no account required. Header text is parsed locally in your browser. The public IP addresses in the Received chain are queried client-side against ip-api.com to plot each hop on a map. Public IP addresses are public by design. Anyone with the headers can look them up. We do not collect, store or transmit your analysis.
How do I get email headers?
In Gmail, open the email, click the three-dot menu and select Show Original. In Outlook, open the message, click File then Properties and copy the Internet Headers. In Apple Mail, select View then Message then All Headers. Copy the full header text and paste it into the Sherlock Forensics Email Header Analyzer.
Can email headers be faked?
The From field can be trivially spoofed by anyone. However, Received headers added by legitimate mail servers are much harder to forge because each server in the chain adds its own entry. SPF, DKIM and DMARC authentication provide additional verification. A skilled analyst can identify forged headers by examining inconsistencies in timestamps, IP addresses and header ordering.
Is this tool suitable for legal proceedings?
The Sherlock Forensics Email Header Analyzer provides a structured view of email header data suitable for preliminary analysis. For court proceedings, engage a qualified forensic examiner to analyze the original email source files, document chain of custody and produce a formal forensic report. Contact Sherlock Forensics at 888.883.4550 for expert witness and forensic analysis services.
What is email forensics?
Email forensics is the discipline of analyzing email messages as digital evidence: header forensics on the Received chain, SPF DKIM DMARC authentication review, URL extraction with threat scoring and attachment metadata surfacing. Email forensics supports phishing investigation, incident response, legal hold preservation, compliance audits and phishing campaign attribution. Sherlock Forensics Email Analyzer is the free browser-based email forensics tool for the header-analysis and SPF DKIM DMARC layer; for the full deep email forensics chain see our PST Viewer for mailbox-level work and PDF Editor for attachment threat scanning.
How do I investigate a phishing email forensically?
Phishing email investigation follows a four-step forensic workflow. Step 1 header forensics: cross-correlate the From, Reply-To, Return-Path and Received chain fields for spoofing signatures. Step 2 SPF DKIM DMARC authentication: read pass/fail results to see whether the claimed sender domain actually authorized the message. Step 3 URL extraction: collect every link in the body, unwrap shorteners and trace redirect chains. Step 4 attachment metadata: surface filename, claimed MIME type, declared size and attachment count from the headers. Sherlock Forensics Email Analyzer covers steps 1-3 inline and attachment-metadata surfacing. For the actual file-byte inspection (magic-byte validation, embedded macros, JavaScript or VBA payloads, PDF threat scanning) hand the attachment to the appropriate downstream Sherlock tool.
What is the difference between SPF, DKIM and DMARC?
SPF validates the sending IP against the claimed domain's authorized-sender list (the SPF record). DKIM validates the email content via a cryptographic DKIM signature using the sending domain's published public key. DMARC combines SPF and DKIM results with a published policy (p=reject, p=quarantine or p=none) that tells recipient mail servers what to do when SPF and DKIM both fail. The three authentication protocols answer different questions: SPF asks "is this IP allowed?", DKIM asks "is this content unchanged?", DMARC asks "what should I do if SPF or DKIM say no?"
Can Sherlock Forensics Email Analyzer detect spoofed sender addresses?
Yes. Sherlock surfaces three spoofing-detection signals: From-field versus Return-Path mismatches (the most common spoofing tell), SPF DKIM DMARC authentication failures from the claimed sending domain and Received chain anomalies (unexpected hop counts, geographic drift, time-zone inconsistencies). Header forensics on a spoofed phishing email typically lights up multiple signals simultaneously, which is the practical detection pattern. A skilled examiner reading the email analyzer output can distinguish a properly authenticated legitimate sender from a spoofed phishing email in under a minute.
Is email header analysis admissible as evidence in court?
Email header analysis output is regularly used as evidence in civil and criminal litigation, but admissibility depends on procedure. The forensic posture matters: preserve the original email source file (not just the rendered message), document the email chain of custody from acquisition through analysis, surface the SPF DKIM DMARC authentication results from the headers as delivered (not re-queried against current DNS) and produce the analysis output as a forensic report with examiner attestation. Sherlock Forensics Email Analyzer provides the analysis surface; for court-ready email chain of custody documentation engage a qualified forensic examiner at 888.883.4550 for a formal forensic report.
How do I check if an email is legitimately from the claimed sender?
Read the Authentication-Results header. A legitimate email from a properly configured sender shows SPF=pass, DKIM=pass with the signing domain matching the From-field domain and DMARC=pass with strict alignment. Any of these failing is a phishing email warning signal. Then check the Received chain: legitimate transactional mail typically hops through the claimed sender's own mail infrastructure and the recipient's; a phishing email often shows intermediate hops through unrelated bulk-mail providers or attacker-controlled servers. The combined signal classes give you a fast yes/no on sender legitimacy.
What is the difference between DMARC p=reject and p=quarantine?
A DMARC policy of p=reject tells recipient mail servers to drop messages that fail both SPF and DKIM authentication (or fail DMARC alignment); the message never arrives at the recipient mailbox. A DMARC policy of p=quarantine tells recipient mail servers to route failing messages to the spam or junk folder rather than the inbox. A DMARC policy of p=none means monitor only (no enforcement action), useful for measuring SPF DKIM DMARC implementation before enforcement. From a forensic perspective: a phishing email that arrives in the inbox with a DMARC p=reject result is itself a finding (either the recipient mail server did not honor the policy or the message bypassed the check).
Can Sherlock Forensics Email Analyzer analyze email attachments?
Sherlock Forensics Email Analyzer surfaces attachment metadata (filename, claimed MIME type, declared size, attachment count) from the email headers. For deeper attachment inspection (file-type validation against magic bytes, embedded macro detection, JavaScript or VBA payload analysis, PDF threat scanning) hand the attachment to the appropriate downstream Sherlock tool: PDF attachments go to Sherlock Forensics PDF Editor for PDF JavaScript and PDF embedded action analysis, image attachments go to Sherlock Forensics Metadata Inspector for EXIF and embedded payload checks. The email forensics workflow chains naturally from the email analyzer through these cross-product tools.

Related Sherlock Tool

Sherlock Forensics iPhone and iPad Analyzer at $599 one-time handles iOS logical acquisition alongside the sibling Sherlock tools. Logical MobileBackup2 acquisition with RFC 3394 keybag decryption, iMessage and SMS chat.db reconstruction with attribution timeline, WhatsApp and Signal conversations, photo library with EXIF and geotag artifacts, browser history and application data. Windows 10/11. Court-ready chain of custody documentation.

See Sherlock iPhone and iPad Analyzer

Get Started

Trace Any Email to Its Source

Free browser-based email header analysis. No installation, no uploads, no account required. Need a formal forensic examination for legal proceedings? Contact our CISSP, ISSAP and ISSMP certified team.

Since 2006CISSP, ISSAP, ISSMP certified888.883.4550

Sherlock Forensics Email Header Analyzer is provided for lawful use. Terms of Service