Free Tool

Sherlock Email Header Analyzer: Trace Email Origins

Free browser-based email header analysis with SPF, DKIM and DMARC verification. Trace the true source of any email. Built by CISSP, ISSAP and ISSMP certified forensic examiners.

Sherlock Email Header Analyzer is a free browser-based tool that parses email headers to trace message origins. It extracts Received header chains, identifies originating IP addresses, verifies SPF, DKIM and DMARC authentication and detects spoofing indicators. All processing occurs locally in the browser with no data uploads.

Overview

What Email Header Analysis Reveals

Every email carries a hidden technical record of its journey from sender to recipient. The visible "From" field can be set to anything by anyone. The headers tell the truth. Sherlock Email Header Analyzer reads this technical record and presents it in a structured format that reveals the actual origin of any email.

What Headers Contain

Received Header Chain
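Each mail server that handles an email adds a Received header with its identity, the previous server's identity, a timestamp and the protocol used. Reading bottom to top traces the complete path from origin to inbox. The originating IP address at the bottom of the chain identifies where the email actually came from. Entries written before the message reached a server you trust are supplied by the sending side and can be forged, so check them against the hops your own servers recorded.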
SPF Authentication
Sender Policy Framework records whether the sending server was authorized by the claimed domain's DNS records to send mail on its behalf. A "fail" result means the message came from an unauthorized server, a strong indicator of spoofing. RFC 7208 defines the standard (ietf.org).
DKIM Signatures
DomainKeys Identified Mail uses cryptographic signatures to verify that the message content was not altered after the sending domain signed it. A valid DKIM signature confirms both the domain identity and message integrity. A failed or missing signature warrants further investigation.
DMARC Policy
Domain-based Message Authentication, Reporting and Conformance combines SPF and DKIM results against the domain owner's published policy. DMARC tells receiving servers whether to accept, quarantine or reject messages that fail authentication. The DMARC result indicates whether the sender domain's owner approved this message.
Originating IP Address
The IP address of the first non-internal server in the Received chain. This identifies the network from which the email was actually sent. Geolocation and WHOIS lookups on this IP reveal the sending organization, ISP and country of origin.
Timestamps and Delays
Each Received header includes a timestamp. Comparing timestamps between hops reveals routing delays and can identify messages that were held, retried or routed through unusual paths.
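
The bottom-to-top read described above, as an added example in JavaScript, the language the page says the tool runs in. It is not Sherlock's code; the function names, the internal-address pattern and the sample headers (documentation address ranges) are assumptions constructed for illustration.

```javascript
// Added example, not Sherlock's code: unfold continuation lines, then split into pairs.
function parseHeaders(raw) {
  return raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)
    .map((line) => line.match(/^([!-9;-~]+):\s*(.*)$/))
    .filter(Boolean)
    .map(([, name, value]) => ({ name: name.toLowerCase(), value }));
}
// Assumed "internal" set: RFC 1918, loopback, link-local, IPv6 loopback and ULA.
const INTERNAL = /^(10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|::1$|f[cd])/i;

function analyzeHeaders(raw) {
  const headers = parseHeaders(raw);
  // Servers prepend Received lines, so reverse to get the oldest hop first.
  const hops = headers.filter((h) => h.name === 'received').reverse().map((h) => {
    const semi = h.value.lastIndexOf(';');
    const ip = h.value.match(/\([^()]*\[(?:IPv6:)?([0-9a-f:.]+)\]\)/i);
    return {
      from: (h.value.match(/\bfrom\s+(\S+)/i) || [])[1] || null,
      by: (h.value.match(/\bby\s+(\S+)/i) || [])[1] || null,
      ip: ip ? ip[1] : null,
      time: semi >= 0 ? Date.parse(h.value.slice(semi + 1).trim()) : NaN,
    };
  });
  hops.forEach((hop, i) => {
    hop.delaySec = i === 0 ? null : (hop.time - hops[i - 1].time) / 1000;
  });
  const origin = hops.find((hop) => hop.ip && !INTERNAL.test(hop.ip));
  // Only the topmost Authentication-Results is read: lower copies may have
  // been inserted before the message reached the receiving server.
  const ar = headers.find((h) => h.name === 'authentication-results');
  const auth = {};
  for (const [, method, result] of (ar ? ar.value : '').matchAll(/\b(spf|dkim|dmarc)=(\w+)/gi)) {
    auth[method.toLowerCase()] = result.toLowerCase();
  }
  return { hops, originIp: origin ? origin.ip : null, auth };
}

// Constructed sample headers (not from a real message).
const SAMPLE = [
  'Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bank.example;',
  ' dkim=none; dmarc=fail header.from=bank.example',
  'Received: from edge.recipient.example (edge.recipient.example [10.0.0.5])',
  ' by mbox.recipient.example with ESMTPS; Tue, 05 Mar 2024 10:15:40 +0000',
  'Received: from relay.sender.example (relay.sender.example [203.0.113.7])',
  ' by edge.recipient.example with ESMTPS; Tue, 05 Mar 2024 10:15:05 +0000',
  'Received: from laptop.local (unknown [198.51.100.23])',
  ' by relay.sender.example with ESMTPSA; Tue, 05 Mar 2024 10:15:02 +0000',
].join('\r\n');
console.log(analyzeHeaders(SAMPLE));
```

The oldest hop here was recorded by the sender's own relay, so its address is a lead to corroborate rather than a verified fact.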

Use Cases

Who Uses Email Header Analysis

Phishing Detection

Verify whether a suspicious email actually came from the claimed sender. SPF and DKIM failures combined with an unfamiliar originating IP confirm a spoofed message. Document findings for security incident reports and user awareness training.

HR Investigations

When employees receive threatening or harassing emails, header analysis traces the source. Originating IP addresses, sending server identity and authentication results establish whether the message came from within the organization or an external source.

Legal Proceedings

Email evidence in civil and criminal cases requires authentication. Header analysis documents the sending server, routing path and authentication status. Pair with our expert witness services for formal forensic examination and court testimony.

Business Email Compromise

BEC attacks impersonate executives or vendors to redirect payments. Header analysis reveals whether a wire transfer request actually originated from the claimed sender's mail system or from an attacker's infrastructure. Time-critical analysis can prevent financial losses.

IT Security Teams

Investigate reported phishing attempts, verify email delivery issues and troubleshoot SPF/DKIM/DMARC configuration. Header analysis is a daily tool for security operations centers and email administrators managing domain reputation.

Fraud Investigation

Trace the origin of fraudulent communications. Email headers provide technical evidence that links messages to specific infrastructure, time zones and service providers. This data supports forensic investigations and law enforcement referrals.

Guide

How to Get Email Headers

Gmail
Open the email. Click the three-dot menu in the top right. Select "Show original." Copy the full header text from the top of the page.
Microsoft Outlook (Desktop)
Open the message. Click File, then Properties. The Internet Headers appear in the bottom text box. Select all and copy.
Outlook on the Web
Open the email. Click the three-dot menu. Select "View message source" or "View message details." Copy the header text.
Apple Mail
Open the email. Select View from the menu bar, then Message, then All Headers. Copy the displayed header text.
Yahoo Mail
Open the email. Click the three-dot menu. Select "View raw message." Copy the header text from the top of the display.

After copying the headers, paste them into the Sherlock Email Header Analyzer for instant analysis.

Privacy

Your Data Stays Local

Browser-Based Processing

The Sherlock Email Header Analyzer runs entirely in your browser using JavaScript. No email headers are uploaded to any server. No data is stored, logged or transmitted. This makes the tool safe for analyzing sensitive corporate emails, legal communications and confidential messages. Your headers never leave your device.

Questions

Email Analyzer FAQ

What is email header analysis?
Email header analysis examines the technical metadata attached to every email message. Headers contain the complete routing path from sender to recipient, IP addresses of every mail server that handled the message, timestamps at each hop, authentication results for SPF, DKIM and DMARC and the true originating server. This data reveals where an email actually came from regardless of what the From field displays.
Can you trace where an email came from?
Yes. The Received headers in an email document every mail server that processed the message from origin to delivery. By analyzing these headers bottom to top, you can identify the originating IP address, the sending mail server and the geographic region. SPF, DKIM and DMARC results further verify whether the claimed sender domain actually authorized the message.
What are SPF, DKIM and DMARC?
SPF (Sender Policy Framework) verifies that the sending server is authorized to send email for the claimed domain. DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) combines SPF and DKIM results to enforce a domain owner's anti-spoofing policy. Failures in any of these indicate potential spoofing.
Is the email analyzer free?
Yes. The Sherlock Email Header Analyzer is completely free and runs entirely in your browser. No installation, no account and no data uploads required. Headers are parsed locally in JavaScript and never leave your device.
How do I get email headers?
In Gmail, open the email, click the three-dot menu and select Show Original. In Outlook, open the message, click File then Properties and copy the Internet Headers. In Apple Mail, select View then Message then All Headers. Copy the full header text and paste it into the Sherlock Email Header Analyzer.
Can email headers be faked?
The From field can be trivially spoofed by anyone. However, Received headers added by legitimate mail servers are much harder to forge because each server in the chain adds its own entry. SPF, DKIM and DMARC authentication provide additional verification. A skilled analyst can identify forged headers by examining inconsistencies in timestamps, IP addresses and header ordering.
Is this tool suitable for legal proceedings?
The Sherlock Email Header Analyzer provides a structured view of email header data suitable for preliminary analysis. For court proceedings, engage a qualified forensic examiner to analyze the original email source files, document chain of custody and produce a formal forensic report. Contact Sherlock Forensics at 604.229.1994 for expert witness and forensic analysis services.

Get Started

Trace Any Email to Its Source

Free browser-based email header analysis. No installation, no uploads, no account required. Need a formal forensic examination for legal proceedings? Contact our CISSP, ISSAP and ISSMP certified team.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994

Sherlock Email Header Analyzer is provided for lawful use.