Skip to content
Marvin's Toolbox.

Search tools

Type to filter all tools

Email Header Analyzer

Paste raw email headers to trace the Received chain hop by hop with per-hop delays, read the SPF, DKIM and DMARC results, and see every header explained. Helps you spot spoofing and find where a slow email got stuck.

Everything runs locally in your browser. Your data never leaves your device.

In most mail clients: open the message, then "Show original", "View source" or "View raw message", and copy everything above the first blank line. Pasting the whole raw message works too, the body is ignored.

Nothing analyzed yet
Paste raw email headers above, or load an example, to trace the delivery path and read the SPF, DKIM and DMARC results.

About the Email Header Analyzer Tool

This tool reads raw email headers and turns them into a report you can actually use: the key headers at a glance, the SPF, DKIM and DMARC verdicts the receiving servers recorded, the full Received chain as a hop-by-hop timeline with per-hop delays, and a searchable table of every header. Paste the headers from your mail client's "Show original" or "View source" view, or the whole raw message, the body is ignored.

Common spoofing signals get flagged in plain words: a Reply-To pointing at a different domain, a failed DMARC check, an address hidden in the display name, more than one From header. An alignment check compares the visible From domain against the Return-Path and the DKIM signing domains, which is exactly what DMARC cares about.

What you can do

  • Trace an email's delivery path through every server it passed.
  • See where a slow email got stuck, with per-hop delays highlighted.
  • Check the recorded SPF, DKIM and DMARC results of a message.
  • Spot spoofing and phishing signals in an email's headers.
  • Find the sending server's IP address in the Received chain.
  • Check whether the From domain aligns with Return-Path and DKIM.
  • Decode encoded subject lines and search all headers of a message.

How to use the Email Header Analyzer

  1. 1Open the message in your mail client and pick "Show original", "View source" or "View raw message".
  2. 2Copy the headers (or the whole raw message) and paste them into the tool.
  3. 3Read the summary card: sender, subject, date and the three authentication verdicts.
  4. 4Follow the delivery path to see each hop, its IP and how long it took.
  5. 5Check the flagged signals and the alignment table when a message feels off.

What the verdicts mean, and where they come from

SPF checks whether the server that delivered the message was allowed to send for the envelope sender's domain. DKIM is a cryptographic signature by the signing domain over parts of the message. DMARC ties one of the two to the From domain people actually see and applies the domain owner's published policy.

The verdicts shown are the ones the receiving servers wrote into the Authentication-Results, ARC-Authentication-Results and Received-SPF headers when the message arrived. A browser cannot run the DNS lookups these checks need, so the tool reports what was recorded rather than re-running anything. Headers low in the chain can be forged by a sender, but the results added by your own mail provider are usually trustworthy.

Reading the delivery path

Every server that handles a message adds a Received header on top of the existing ones, so reading them bottom-up gives the path from the sender to your mailbox. For each hop the tool shows the claimed sending host, its IP where stated, the receiving host, the protocol and the timestamp, and computes the time spent between hops. Delays of a minute or more are highlighted, that is usually where a message sat in a queue. Negative gaps are marked as clock disagreement between servers rather than treated as real timing.

Timestamps and host names in Received headers are claims made by each server. Servers you trust write honest ones, but a spammer's own relay can write anything, so treat the earliest hops with more suspicion than the ones added by your provider.

Honest limits

The tool parses and explains, it does not judge. It cannot re-run SPF, DKIM or DMARC, cannot resolve host names, and does not know a domain's reputation. The signals it flags are patterns that appear in spoofed mail and also, sometimes, in perfectly legitimate newsletters and mailing lists, so use them as pointers for a closer look rather than a verdict on the message.

Hash a password with bcrypt or Argon2 and verify a password against an existing hash. Tune the cost factor, memory, iterations and parallelism, see how long the hash takes, and read the parsed parts of any hash you paste.

Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.

Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.

Reveal the characters you can't see in a text: zero-width spaces, non-breaking spaces, bidi marks, control characters and CRLF versus LF line endings. Inspect every occurrence and clean them out with a click.

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.

Build and sign a JSON Web Token from a header and payload. Supports the HMAC, RSA, ECDSA and EdDSA algorithms real systems use, fills in standard claims like expiry for you, and shows the signed token ready to copy.