Email Header Analysis: Tracing Message Routes
Read and analyze email headers to trace message delivery paths, identify delays, verify authentication results, and diagnose deliverability issues.
Why Email Headers Matter
Every email carries a set of headers that record its journey from sender to recipient. Headers reveal:
- The actual sender (vs the displayed "From" name)
- Every server that handled the message
- Authentication results (SPF, DKIM, DMARC)
- Delivery delays and where they occurred
- Spam filter scores and reasons
When an email fails to deliver or lands in spam, headers are your diagnostic tool.
Viewing Email Headers
| Email Client | How to View Headers |
|---|---|
| Gmail | Open email > Three dots > "Show original" |
| Outlook | Open email > File > Properties > "Internet headers" |
| Apple Mail | View > Message > All Headers |
| Thunderbird | View > Message Source |
Reading Headers Bottom-to-Top
Email headers are read from bottom to top — the oldest headers are at the bottom, and each server that handles the message adds headers at the top:
```
Return-Path: <[email protected]>
Received: from mx.google.com (mx.google.com [142.250.x.x])
        by gmail-server; Tue, 25 Feb 2026 10:00:02 -0800
Received: from mail.example.com (mail.example.com [203.0.113.10])
        by mx.google.com; Tue, 25 Feb 2026 10:00:01 -0800
Received: from app-server.internal (localhost [127.0.0.1])
        by mail.example.com; Tue, 25 Feb 2026 10:00:00 -0800
From: "Support Team" <[email protected]>
To: [email protected]
Subject: Your account update
Date: Tue, 25 Feb 2026 18:00:00 +0000
Message-ID: <[email protected]>
```
Reading bottom-to-top: the application server generated the email, passed it to the mail server, which sent it to Google's MX server, which delivered it to Gmail.
Authentication Headers
Modern mail servers add authentication results to headers:
```
Authentication-Results: mx.google.com;
        dkim=pass header.d=example.com header.s=selector1;
        spf=pass (google.com: domain of [email protected]
        designates 203.0.113.10 as permitted sender)
        [email protected];
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
ARC-Authentication-Results: i=1; mx.google.com;
        dkim=pass header.d=example.com;
        spf=pass [email protected]
```
Key fields to check:
- dkim=pass — Message signature is valid and hasn't been tampered with.
- spf=pass — Sending IP is authorized by the domain's SPF record.
- dmarc=pass — Both authentication and alignment checks passed.
If any show fail, that is likely why the email landed in spam.
Identifying Delays
Compare timestamps in Received headers to find bottlenecks:
```
Received: by final-server; Tue, 25 Feb 2026 10:05:30 -0800
Received: from intermediate; Tue, 25 Feb 2026 10:05:29 -0800
Received: from sending-server; Tue, 25 Feb 2026 10:00:00 -0800
```
The jump from 10:00:00 to 10:05:29 (5+ minutes) between the sending server and intermediate server indicates a delivery delay — possibly DNS lookup timeout, greylisting, or rate limiting.
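The timestamp comparison above can be automated. The following is an added example, not part of the original article: it uses Python's standard `email` module to read `Received` headers bottom-to-top, normalizes each timestamp to UTC, and labels each gap between hops. The sample headers (with "by" hosts filled in) and the 60-second threshold are assumptions chosen for illustration.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample based on the three-hop excerpt above; "by" hosts are illustrative.
SAMPLE = (
    "Received: from intermediate by final-server;\n"
    "\tTue, 25 Feb 2026 10:05:30 -0800\n"
    "Received: from sending-server by intermediate;\n"
    "\tTue, 25 Feb 2026 10:05:29 -0800\n"
    "Received: from app-server by sending-server;\n"
    "\tTue, 25 Feb 2026 10:00:00 -0800\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def parse_hops(raw):
    """Return [(route_text, utc_datetime)] in chronological order (bottom header first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        route, sep, stamp = value.rpartition(";")  # the timestamp follows the last ';'
        if not sep:
            continue  # malformed header without a timestamp
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # unparseable date: skip rather than guess
        if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            when = when.replace(tzinfo=timezone.utc)
        hops.append((" ".join(route.split()), when.astimezone(timezone.utc)))
    return hops


def hop_delays(raw, slow_after=60):
    """Return [(route_text, seconds_since_previous_hop, flag)] for each hop after the first."""
    hops = parse_hops(raw)
    report = []
    for (_, prev), (route, when) in zip(hops, hops[1:]):
        delta = int((when - prev).total_seconds())
        # A negative gap means the two hops' clocks disagree, so it is not a real delay.
        flag = "skew" if delta < 0 else "slow" if delta >= slow_after else "ok"
        report.append((route, delta, flag))
    return report


if __name__ == "__main__":
    for route, delta, flag in hop_delays(SAMPLE):
        print(f"{delta:>6}s  {flag:<4}  {route}")
```

Converting to UTC before subtracting matters because hops often stamp their headers in different time zones, as the `Date` and `Received` lines in the first sample do.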
Spam Filter Headers
```
X-Spam-Status: Yes, score=8.5 required=5.0
        tests=[BAYES_99=3.5, HTML_IMAGE_RATIO_02=0.5,
        MISSING_DATE=1.4, RDNS_NONE=1.3,
        SPF_HELO_NONE=0.8, URIBL_BLOCKED=1.0]
X-Spam-Flag: YES
```
Each test contributes to the spam score. In this example, BAYES_99 (content looks like spam) and RDNS_NONE (sending IP has no reverse DNS) are the biggest contributors.
Useful Header Analysis Tools
- Google Admin Toolbox — https://toolbox.googleapps.com/apps/messageheader/ — Paste headers for visual timeline.
- MXToolbox Header Analyzer — https://mxtoolbox.com/EmailHeaders.aspx — Detailed hop analysis.
- Mail Header Analyzer — Browser extensions for quick in-line analysis.
These tools parse the raw headers and present the delivery path as a visual timeline with delay analysis.