Email Header Analyzer Pro

Trace the Received hops, SPF/DKIM/DMARC results and DKIM signature of any email.

Overview

The Pro variant of the email header analyzer goes deeper than the basic split: it reconstructs the full Received chain with delay per hop, extracts and verifies Authentication-Results for SPF, DKIM, and DMARC, parses the DKIM signature into its components (algorithm, signing domain, selector, canonicalisation, signed headers), and highlights anomalies like missing PTR records on hop servers or unusual gaps between hops.

Email security analysts hunting phishing, deliverability engineers tuning DKIM signing, and forensic teams reconstructing the path of a suspicious message all need the extra context.

How it works

Beyond the basic header parse, the Pro tool walks Authentication-Results (RFC 8601) and breaks out each method's result and the reason supplied. For DKIM, it parses the DKIM-Signature header per RFC 6376 — the v=, a=, d=, s=, c=, h=, bh=, and b= tags — and reports which headers were signed. For SPF, it surfaces the result and the mfrom or helo identity that was checked. For DMARC, it shows policy alignment and which mechanism passed.

The Received chain is enriched with computed time deltas between adjacent hops, helping spot a delay that points to a misconfigured greylisting server or a transit slowdown. PTR (reverse DNS) lookups on each hop IP are flagged when missing, since that is a common reputation problem for low-grade senders.

Examples

  • A message with dkim=pass header.d=example.com and spf=pass smtp.mailfrom=bounces.example.com but dmarc=fail: an alignment failure, meaning neither authenticated domain aligns with the From: header domain, often because a third-party sender is misconfigured.
  • A Received chain with a 45-minute gap between two hops suggests greylisting or a queue backup.
  • A DKIM signature with c=relaxed/relaxed and h=from:to:subject:date is a standard configuration: the listed headers are signed in a forgiving canonicalisation.
  • An Authentication-Results header missing dmarc= entirely: the receiver does not evaluate DMARC, which is unusual for large providers in 2026.
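
The hop-delta and DKIM tag parsing described above can be reproduced with the Python standard library. This is an added example, not the tool's own code; the sample headers are constructed, and the `slow` and `skew` thresholds and all function names are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not a real message); the newest Received comes first.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.9])
 by inbound.example.org with ESMTPS id abc123;
 Tue, 03 Mar 2026 10:47:05 +0000
Received: from out.example.com (out.example.com [198.51.100.7])
 by mx2.example.net with ESMTPS id def456;
 Tue, 03 Mar 2026 10:02:01 +0000
Received: from app.example.com (localhost [127.0.0.1])
 by out.example.com with ESMTP id ghi789;
 Tue, 03 Mar 2026 10:02:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel2026; h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;
 b=Y29uc3Ry
 dWN0ZWQ=
From: sender@example.com
Subject: constructed sample

"""

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)  # base64 padding '=' stays in the value
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def hop_deltas(msg):
    """Seconds between adjacent hops, oldest hop first."""
    # The timestamp is the text after the last ';' of each Received header.
    stamps = [parsedate_to_datetime(r.rsplit(";", 1)[1].strip())
              for r in reversed(msg.get_all("Received", []))]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]

def flag_hops(deltas, slow=600, skew=-60):
    """Assumed thresholds: >= 10 min is a queue/greylist gap, <= -1 min a bad clock."""
    return ["slow" if d >= slow else "clock-skew" if d <= skew else "ok" for d in deltas]

def analyze(raw):
    msg = message_from_string(raw)
    deltas = hop_deltas(msg)
    return {"deltas": deltas, "flags": flag_hops(deltas),
            "dkim": parse_dkim_tags(msg.get("DKIM-Signature", ""))}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The sample reproduces two cases from this page: a 45-minute gap between hops and a small negative delta that is within normal clock skew.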

FAQ

Can the tool verify the DKIM signature itself?

It parses and explains the signature but does not verify it cryptographically, so it cannot prove the signature is currently valid. Use opendkim-testmsg or an MTA log for that.

Why do hop deltas show negative seconds sometimes?

Different mail servers have different clock skew. Differences of a few seconds either way are normal; minutes-long negative deltas point to a misconfigured clock somewhere in the chain.

What does c=simple/simple mean in a DKIM signature?

It is the canonicalisation algorithm, given as header/body: simple does almost no normalisation, while relaxed collapses whitespace. Most modern senders use relaxed/relaxed to survive minor in-flight modifications.

Is my message content stored?

No. Only the headers you paste are analysed, locally, and nothing is sent to a server.
