Email Header Analyzer — Detect Phishing Signals
Paste raw email headers to instantly surface phishing indicators: DKIM signature failures, SPF mismatches, DMARC policy violations, suspicious relay chains, and Reply-To injection attacks.
How to Analyze Email Headers in 3 Steps
No software to install. Find the raw headers in your email client, paste them in, and get an instant phishing verdict.
Open the email
Navigate to the suspicious email in Gmail. Do not click any links inside the message before you analyze it.
View raw headers
Click the three-dot menu inside the email, then choose "Show original". Gmail opens a new tab with the full raw source.
Paste here or use Gorganizer
Copy the header block and paste it into an analyzer — or connect your Gmail to Gorganizer and let it check your entire inbox automatically.
What We Detect
Six header-level signals that Gorganizer's scoring engine checks on every email processed through your inbox.
DKIM Signature Validation
Verifies the cryptographic signature attached by the sending server. A DKIM fail or missing signature on a brand-impersonation email is a near-certain phishing indicator.
SPF Record Verification
Checks whether the sending IP is listed in the domain's SPF record. An SPF fail means the server was never authorised to send mail for that domain — a classic spoofing signature.
DMARC Policy Check
Validates the domain's DMARC policy and whether the message passed alignment. A DMARC failure on a message from a major brand almost always signals a spoofed sender.
Received-From Chain Analysis
Traces every relay hop in the "Received:" header stack. Phishing campaigns often route through unexpected countries, bulletproof hosting providers, or an unusually long chain of intermediaries.
Reply-To / From Mismatch
Detects when the Reply-To address belongs to a different domain than the From address. This is a well-known trick — attackers send from a spoofed address and collect replies at an attacker-controlled inbox.
Originating IP Reputation
Cross-references the first "Received:" IP against known spam networks, bulletproof hosts, and high-abuse ASNs. Legitimate organisations send from their own authorised infrastructure.
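The authentication, relay-chain and Reply-To checks described above can be reproduced by hand with Python's standard library. The sketch below is an added example, not Gorganizer's code; the sample headers, hostnames and the `trusted_authserv` parameter are constructed for illustration. It reads only the Authentication-Results header stamped by the receiving server, because a sender can insert its own copy claiming "pass".

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample headers (placeholder names, documentation IP ranges).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTPS id abc123; Tue, 02 Jan 2024 10:00:05 +0000
Received: from unknown (host.example.org [198.51.100.23])
\tby mx.example.net with ESMTP id def456; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.net;
\tspf=fail smtp.mailfrom=bank.example;
\tdkim=none; dmarc=fail header.from=bank.example
Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass
From: "Bank Support" <support@bank.example>
Reply-To: collect@mailbox.example
Subject: Verify your account

"""

def domain_of(value):
    """Lower-cased domain of the address in a From/Reply-To value ('' if absent)."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def analyze(raw_headers, trusted_authserv):
    """Return auth verdicts, hop count and findings for one raw header block."""
    msg = HeaderParser().parsestr(raw_headers)
    auth = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        # Skip results not stamped by our own receiving server (assumed name):
        # anything else may have been injected by the sender.
        if (authserv_id.split() or [""])[0].lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            auth[method.lower()] = result.lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    findings = [f"{m} {r}" for m, r in auth.items() if r != "pass"]
    if reply_dom and reply_dom != from_dom:  # exact match; subdomains also flag
        findings.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    return {"auth": auth, "hops": len(msg.get_all("Received", [])),
            "from": from_dom, "reply_to": reply_dom, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE, "mx.example.net"))
```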
How to Find Raw Headers in Gmail
Gmail hides raw headers by default. Here is the exact path to expose them.
Open the suspicious email
Navigate to the email in Gmail. Do not click any links inside the message.
Click the three-dot menu
In the top-right corner of the email body (not the main Gmail toolbar), click the three-dot "More" icon. This opens a small context menu.
Select "Show original"
Choose "Show original" from the dropdown. Gmail opens a new tab showing the full raw message source including all headers.
Copy the header block
Copy everything from the top of the page down to the first blank line — that is the raw header block. The body content below is optional but not needed for header analysis.
Paste and analyze
Paste the headers into Gorganizer's email analyzer. Results appear within seconds: authentication verdict, routing anomalies, and a final phishing risk score.
Pro tip: If you use Gmail on mobile, the "Show original" option is under the three-dot menu at the top of the message. On desktop, the same option appears in the per-message overflow menu, not the main toolbar.
Frequently Asked Questions
- What are email headers and why do they matter?
- Email headers are a hidden block of metadata prepended to every message you receive. They record the full routing path the email traveled — every server it passed through, when it arrived, and crucially, the authentication results (SPF, DKIM, DMARC) that prove whether the sender is who they claim to be. Phishing emails almost always contain anomalies in their headers: forged sender addresses, failed authentication checks, unexpected relay hops, or originating IPs associated with known spam infrastructure.
- What phishing signals appear in email headers?
- The most common phishing indicators in email headers include: SPF "fail" or "softfail" results (the sending server is not authorised for that domain), DKIM signature failures or missing signatures, DMARC policy failures, a "Reply-To" address that differs from the "From" address, a long or unusual chain of "Received:" hops, an originating IP address located in a high-risk country or belonging to a known bulletproof hosting network, and mismatches between the display name domain and the actual sending domain.
- How do I find the raw headers of an email in Gmail?
- Open the email in Gmail. Click the three-dot menu (More options) in the top-right corner of the message — not the main toolbar, but the one inside the email itself. Select "Show original" from the dropdown. A new tab opens showing the full raw message, including all headers. Copy everything from the top of the page down to the first blank line — that is your raw header block. Paste it into an analyzer like Gorganizer's to get an instant phishing verdict.
- What is DKIM and why does it matter for phishing?
- DKIM (DomainKeys Identified Mail) is a cryptographic signature that the sending mail server attaches to outgoing emails. The receiving server fetches the public key from DNS and verifies the signature. If the signature is valid, the message was signed by that domain's mail server and its signed content was not modified in transit. Phishing emails sent by attackers who do not control the legitimate domain cannot produce a valid DKIM signature for it — so a DKIM failure or missing signature is a strong phishing indicator, especially when combined with a brand impersonation attempt.
- What is SPF and how does it prevent email spoofing?
- SPF (Sender Policy Framework) is a DNS record that lists all servers authorised to send email on behalf of a domain. When an email arrives, the receiving server checks whether the sending IP appears in the SPF record. If it does not, the result is "fail" or "softfail" — a clear signal that the message may be spoofed. Attackers impersonating banks, payment processors, or Google typically trigger SPF failures because they are sending from servers the real organisation never authorised. Always treat an SPF fail on a message claiming to come from a well-known brand as a high-risk phishing indicator.
Let Gorganizer Analyze Your Entire Inbox
Stop checking emails one at a time. Connect your Gmail account and Gorganizer scans every message — checking SPF, DKIM, DMARC, routing chains, and 1,751+ additional signals — then moves all phishing and spam to trash in one click. Invoices, receipts, and starred messages are always protected.
Analyze My Gmail Inbox
$4.99 one-time · No subscription · Gmail trash recovery (30 days)