Free Email Header Reference

Email Header Parser
Understand Any Email's Journey

Every email carries hidden metadata that reveals exactly where it came from, which servers handled it, and whether its sender is authentic. This guide explains every header field in plain English.

How to Get Email Headers in Gmail

Gmail hides headers by default. Here's how to access the raw headers for any email.

1. Open the email

Open the email you want to inspect inside Gmail — desktop or mobile browser.

2. Click the three-dot menu

Find the ⋮ (three-dot) menu in the top-right corner of the email body — not the toolbar.

3. Select "Show original"

A new tab opens with the full raw message. Click "Copy to clipboard" or select the header text manually at the top.

What Each Header Field Means

A plain-English breakdown of every important header field — what it does, what to look for, and when it signals a problem.

From

The sender's display name and email address. Note: the display name is free text and can be anything. Always verify that the domain after the @ symbol in the actual email address matches the claimed organization.

From: PayPal Support <service@paypal.com>

To

The primary recipient(s) of the email. If the To address is not yours but you still received the email, you were likely blind-carbon-copied (BCC) — a pattern common in mass phishing campaigns.

To: you@gmail.com

Date

The timestamp when the email was sent, as claimed by the sender's mail server. It can be forged, so cross-reference it with the Received headers for the actual delivery time.

Date: Mon, 14 Apr 2026 09:23:41 +0000

Subject

The email subject line. Subject lines are unverified metadata — any content can be placed here.

Subject: Your account requires verification

Message-ID

A globally unique identifier for this email, generated by the sending mail server. Used to reference emails in threading and for delivery tracking. Legitimate Message-IDs include the sending domain after the @ symbol. A mismatch between the Message-ID domain and the From domain can indicate spoofing.

Message-ID: <abc123@mail.paypal.com>

Check that the domain in Message-ID matches the From domain.

Reply-To

The address that replies will be sent to. When Reply-To differs from the From address — especially pointing to a different domain — this is a classic phishing signal. Legitimate transactional emails rarely set a Reply-To different from the sender.

Reply-To: attacker@malicious.net

Red flag if Reply-To domain differs from From domain.

Received chain

A series of Received headers, one added by each mail server that handled the email. Read from the bottom up to trace the email's origin. The bottom-most Received header shows where the email originated. Unexpected intermediate servers or servers not associated with the claimed sender's domain indicate relaying or spoofing.

Received: from mail.paypal.com ([...]) by mx.google.com

Verify the originating server matches the claimed sender domain.

Authentication-Results (SPF)

SPF result indicating whether the sending server is authorized by the claimed domain's DNS records. "spf=pass" means the server is authorized. "spf=fail" or "spf=softfail" means the server is not on the domain's authorized list — a significant red flag for spoofing.

spf=pass (google.com: domain of service@paypal.com designates 66.211.170.87 as permitted sender)

spf=fail is a strong spoofing indicator.

Authentication-Results (DKIM)

DKIM result indicating whether the email's cryptographic signature is valid. "dkim=pass" means the email was signed by the claimed domain and has not been tampered with since. "dkim=fail" means the signature is invalid or missing — the email may have been modified in transit or forged.

dkim=pass header.d=paypal.com

dkim=fail on a transactional email is suspicious.

Authentication-Results (DMARC)

DMARC result combining SPF and DKIM checks. "dmarc=pass" means the email aligns with the domain's published policy. "dmarc=fail" means both SPF and DKIM alignment failed — this is the clearest authentication indicator that the email is not from who it claims. Legitimate banks and financial institutions almost always publish strict DMARC policies.

dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com

dmarc=fail on an email from a bank or financial service is a definitive red flag.

Authentication Results at a Glance

Legitimate Email Signals

  • spf=pass — sending server is authorized
  • dkim=pass — signature is valid
  • dmarc=pass — domain policy met
  • Reply-To matches From domain
  • Message-ID domain matches sender
  • Received chain from known infrastructure

Suspicious / Phishing Signals

  • spf=fail — server not authorized by domain
  • dkim=fail — signature invalid or missing
  • dmarc=fail — failed both SPF and DKIM
  • Reply-To points to different domain
  • Message-ID domain differs from From
  • Received chain routed through unknown servers
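
The checks listed above, combined into one script as an added example (not code from this page or from Gorganizer). It assumes Python's standard `email` module, a constructed sample message, a hypothetical `analyze` helper, and a crude subdomain comparison in place of a real organizational-domain lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message); hosts and IPs are illustrative.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.google.com with ESMTPS id x1; Mon, 14 Apr 2026 09:23:45 +0000
Received: from unknown-host.example.org (unknown [198.51.100.9])
\tby relay.example.net with ESMTP id y2; Mon, 14 Apr 2026 09:23:42 +0000
Authentication-Results: mx.google.com; spf=fail smtp.mailfrom=paypal.com;
\tdkim=none; dmarc=fail header.from=paypal.com
Authentication-Results: forged.example.org; spf=pass; dkim=pass; dmarc=pass
From: PayPal Support <service@paypal.com>
Reply-To: attacker@malicious.net
Message-ID: <abc123@unknown-host.example.org>
Subject: Your account requires verification

body
"""

def domain(value):
    """Domain of an address or Message-ID, lower-cased ('' if absent)."""
    return parseaddr(value or "")[1].partition("@")[2].lower()

def same_org(a, b):
    """Crude alignment (assumption): equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def analyze(raw, trusted="mx.google.com"):
    msg = message_from_string(raw)
    from_dom, findings = domain(msg["From"]), []
    # Only the receiver's own Authentication-Results header is trustworthy;
    # a sender can include a forged one, so filter on the authserv-id.
    auth = " ".join(h for h in msg.get_all("Authentication-Results", [])
                    if h.split(";")[0].strip().lower() == trusted)
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    if msg["Reply-To"] and not same_org(domain(msg["Reply-To"]), from_dom):
        findings.append("reply-to domain differs from From")
    if not same_org(domain(msg["Message-ID"]), from_dom):
        findings.append("message-id domain differs from From")
    # Received headers are prepended by each hop, so the last one is the origin.
    hops = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)", hops[-1]) if hops else None
    origin = m.group(1).lower() if m else ""
    if not same_org(origin, from_dom):
        findings.append(f"origin hop '{origin}' is not under {from_dom}")
    return findings
```

An empty list from `analyze` means none of the listed red flags fired; the `trusted` argument should be set to the authserv-id of the mail system that actually received the message.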

Frequently Asked Questions

What are email headers?

Email headers are metadata fields attached to every email that describe its journey from sender to recipient. They include the sender and recipient addresses, timestamps, the servers that relayed the message, authentication results (SPF, DKIM, DMARC), and a unique Message-ID. Headers are hidden from normal email view but accessible via "Show original" in Gmail.

How do I get email headers in Gmail?

Open the email in Gmail. Click the three-dot menu (⋮) in the top-right corner of the message. Select "Show original." A new tab opens with the full raw headers. Click "Copy to clipboard" or manually select and copy the text at the top of the page.

What do SPF, DKIM, and DMARC mean in email headers?

SPF (Sender Policy Framework) checks whether the sending server is authorized to send on behalf of the claimed domain. DKIM (DomainKeys Identified Mail) verifies a cryptographic signature proving the email was not tampered with. DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM and tells receiving servers what to do when checks fail. All three passing means the email is likely legitimate.

What is the Received chain in email headers?

The Received chain is a sequence of headers added by each mail server that handled the email. Reading from the bottom up, you can trace the exact path an email took from the sender's mail server to your inbox. Unexpected servers in the chain or unusual routing can indicate a spoofed or relayed email.

Can email headers reveal phishing?

Yes. Key phishing indicators in headers include SPF/DKIM/DMARC failures (the email did not come from the claimed domain), a Reply-To address different from the From address, newly registered sending domains, and routing through unusual server infrastructure. Gorganizer checks all of these automatically across your entire inbox.

Let Gorganizer Analyze Your Inbox Headers Automatically

Manually checking headers is useful for one-off investigations. For a complete inbox scan — where every email is analyzed for SPF/DKIM/DMARC failures, Reply-To mismatches, lookalike domains, and 1,751+ other signals — Gorganizer does it automatically.
