Email Header Analyzer

Email Authentication Protocols: SPF, DKIM, and DMARC

Email authentication is a set of techniques used to verify that an email message genuinely originates from the domain it claims to be from. Without authentication, anyone can forge the "From" address to impersonate any organization — a technique used in phishing attacks that cost businesses $2.7 billion annually according to the FBI's Internet Crime Complaint Center. Three protocols form the modern email authentication stack: SPF, DKIM, and DMARC.

SPF (Sender Policy Framework) is a DNS record that lists the IP addresses authorized to send email on behalf of a domain. When a receiving mail server gets a message, it checks whether the sending server's IP is in the sender domain's SPF record. An SPF "pass" result means the IP is authorized. A "fail" or "softfail" suggests potential spoofing. SPF is the most widely deployed email authentication standard, with over 90% of Fortune 500 companies publishing SPF records.

DKIM (DomainKeys Identified Mail) uses public-key cryptography to sign outgoing emails. The sending mail server adds a digital signature to the email headers, and the public key is published as a DNS TXT record. Receiving servers retrieve this public key and verify the signature. A valid DKIM signature proves the email was not modified in transit and was authorized by the signing domain. Unlike SPF (which only checks the sending IP), DKIM survives email forwarding because the signature travels with the message.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)builds on SPF and DKIM by specifying what receiving servers should do with messages that fail authentication — either nothing (p=none), quarantine them to spam (p=quarantine), or reject them outright (p=reject). DMARC also enables reporting: domain owners receive aggregate reports showing who is sending email using their domain, helping identify unauthorized senders and configuration errors.

Reading Email Headers: The Routing Chain

Every email contains a series of "Received" headers that record each mail server the message passed through on its journey from sender to recipient. These headers are added by each server and read in reverse order — the oldest Received header (added by the originating server) is at the bottom, and the newest (added by the recipient's server) is at the top.

Each Received header shows the server that passed the message ("from"), the server that received it ("by"), the protocol used ("with"), and a timestamp. By comparing timestamps between consecutive hops, you can calculate the delay at each step — useful for diagnosing why an email took hours to arrive. Delays over 5 minutes at a single hop often indicate a spam filter holding the message for analysis or a mail queue backup.

Detecting Email Spoofing and Phishing

Email headers contain several indicators that reveal whether a message is legitimate or potentially fraudulent. The most important are the alignment between the visible From address and the Return-Path (the actual envelope sender used for bounces), and the Authentication-Results header added by receiving servers.

A common phishing technique displays a trusted brand name in the From header while using a completely different actual sender domain — for example, showing "PayPal Security <security@paypa1.com>" where the domain is subtly misspelled. The DMARC protocol requires alignment between the visible From domain and the authenticated sender domain, making it significantly harder for attackers to impersonate legitimate senders from properly protected domains.

Our email header analyzer highlights authentication results (SPF, DKIM, DMARC pass or fail), traces the full routing chain with delays, and flags potential warnings like mismatched sender addresses or authentication failures — all processing happening in your browser so sensitive email metadata never leaves your device.