Email headers are the technical metadata attached to every message. If you are troubleshooting delivery, spam placement, or spoofing, headers are often the fastest source of truth.
Quick answer: what are email headers?
Email headers are structured fields that describe where a message came from, how it traveled, and how recipient systems evaluated it.
They are generated by sending and receiving servers throughout the SMTP path.
Why header analysis matters
Header analysis helps you answer questions like:
- Was this message actually sent by the claimed domain?
- Which server hop introduced delay or failure?
- Did SPF, DKIM, and DMARC align?
- Why did the message land in spam or get rejected?
Where to view raw headers
| Client | How to access headers |
|---|---|
| Gmail | Open message -> three-dot menu -> Show original |
| Outlook desktop | Open message -> File -> Properties -> Internet headers |
| Apple Mail | View -> Message -> All Headers / Raw Source |
| Yahoo Mail | More -> View raw message |
Header names are standardized, but formatting and line wrapping vary by client.
High-value header fields and what they mean
| Header | What to look for |
|---|---|
| Human-visible sender identity |
| Bounce return address used by SMTP envelope |
| Unique message identifier for traceability |
| Server hop chain (read bottom-to-top for earliest hop) |
| Claimed send timestamp; compare with |
| SPF/DKIM/DMARC pass or fail outcomes |
| Signing domain and selector details |
| Destination for user replies |
| MIME structure ( |
Sample header excerpt
Practical forensic workflow
- Confirm claimed sender identity in
and envelope sender in. - Read
for SPF/DKIM/DMARC outcomes. - Traverse
hops to locate delays, loops, or relay anomalies. - Compare timestamps between
and eachline. - Correlate
with provider logs and webhook events.
Common troubleshooting patterns
SPF pass, DKIM fail
Usually indicates signing issues (key rotation mismatch, modified body, or wrong selector). Validate with a DKIM checker and SPF checker.
DMARC fail despite SPF pass
Often an alignment problem between envelope domain and visible domain. Use DMARC checker and monitor policy drift via DMARC monitoring.
Delayed delivery
chain shows where latency happened. Look for repeated deferrals or long inter-hop gaps and combine findings with deliverability testing.
Suspected spoofing
Mismatched auth results, unusual relay hops, and inconsistent domains are common indicators. Preserve raw headers for incident response and abuse reporting.
Header testing in your release workflow
Treat header validation as a pre-production gate:
- Inspect metadata with the email header analyzer.
- Validate auth configuration using SPF, DKIM, and DMARC tools.
- Assert expected headers in Email Sandbox integration tests.
- Automate route/failure checks with email webhooks.
Final take
Email headers are not just technical noise. They are the canonical audit trail for how a message was authenticated, routed, and evaluated.
Teams that learn to read headers systematically resolve incidents faster and ship safer email changes.