Your cold emails are landing in spam. Or you got a sketchy message and want to verify the sender.
Either way, the answer hides inside the email header. Most people never look there.
Headers help me debug routing issues, check authentication, and figure out why emails miss the inbox.
Here is what you will get:
- How to find headers in Gmail, Outlook, Yahoo, ProtonMail, and Zoho.
- A field-by-field breakdown of what each line means.
- How SPF, DKIM, and DMARC show up in headers.
- A real annotated example.
- The best free tools to analyze headers automatically.
TL;DR: What Email Headers Are and Why You Should Care
Every email carries hidden metadata called the email header. You never see it unless you go looking.
It contains sender info, routing data, timestamps, and authentication results.
Headers reveal whether an email is legit or spoofed. They show the exact path a message took through servers.
They expose authentication failures that push your emails to spam.
If you send cold emails, campaigns, or transactional messages, this matters. Reading headers is how you catch deliverability problems early.
Below, I walk through a real header line by line.
I show you how to find headers in Gmail, Outlook, Yahoo, ProtonMail, and Zoho.
I explain what SPF, DKIM, and DMARC results actually mean. And I list the best free tools to analyze headers automatically.
What Is an Email Header? (And What It’s Not)
An email header is technical metadata attached to every email you send or receive.
It records who sent the message, which servers handled it, and whether authentication checks passed or failed.
Here is the important part.
The header is hidden by default. You have to open it manually inside your email client. Mail servers generate it automatically.
You do not write it yourself.
One more thing most guides skip. You read headers bottom to top. The oldest entry sits at the bottom.
The newest sits at the top. This trips up most people on their first read.
I open raw email headers multiple times a week while debugging deliverability for TrulyInbox users. Once you know the structure, they become easy to scan.
Email Header vs. Email Envelope vs. Email Body
Every email has three parts. Most people only know about one.
- Envelope. Server-to-server delivery instructions. You never see this. It tells mail servers where to route the message.
- Header. Routing and authentication metadata. Hidden by default, but you can view it. This is what this guide focuses on.
- Body. The actual message content you read. The visible part of every email.
The envelope and header work behind the scenes. The body is what shows up in your inbox. Understanding all three helps you diagnose problems faster.
How to Find Email Headers in Every Major Email Client
Before you can read email headers, you need to find them.
Every major email client hides them in a slightly different place.
I verified these steps in each client. If your interface looks different, check for a recent update.
Gmail
- Open the email you want to inspect.
- Click the three dots next to the Reply button.
- Select “Show Original.”
- A new tab opens with SPF, DKIM, and DMARC results at the top. The full raw header sits below.
Tip: Click “Copy to clipboard” to grab the entire header. Then paste it into an analyzer tool for easier reading.
Microsoft Outlook (Web & Desktop)
The steps differ depending on which version you use.
Outlook on the web:
- Open the email.
- Click the three dots at the top right.
- Go to View > View Message Source.
Outlook desktop (Office 365):
- Open the email in its own window.
- Click File > Properties.
- Find the Internet Headers box at the bottom.
The desktop version buries headers deeper. Keep that in mind when troubleshooting.
Yahoo Mail
- Open the email.
- Click the three dots above the message.
- Select “View Raw Message.”
- A new window opens with the full raw source.
Yahoo gives you the complete raw header in one step. No extra clicks needed.
ProtonMail
- Open the email.
- Click the three dots on the message.
- Select “View Headers.”
ProtonMail shows a clean, formatted header view. This makes it easier to scan compared to raw text in other clients.
Zoho Mail
- Open the email.
- Click the three dots on the message.
- Select “Show Original.”
Zoho displays the full raw source including all routing headers. Similar process to Gmail.
How to Read an Email Header: Field-by-Field Breakdown
This is the core section. I will walk you through every important header field, explain what it means, and tell you why it matters.
Most guides just list fields in a table. That is not enough. Each field connects to a real use case: debugging, security verification, or deliverability diagnosis.
Informational Headers (From, To, Date, Subject, Reply-To)
These are the human-readable fields. You see most of them in your inbox already. But they are not as trustworthy as they look.
- From. Shows the sender’s email address. But here is the problem. The From field can be forged. This is exactly why SPF and DKIM exist.
- To. The recipient address. Straightforward, but BCC recipients will not appear here.
- Date. The timestamp when the email was sent. Large discrepancies between Date and Received timestamps can signal spoofing.
- Subject. The subject line. No hidden meaning here.
- Reply-To. The address that receives replies. It can differ from the From address. Sometimes this is legitimate, like a support alias. Other times, it is a phishing red flag.
If the From and Reply-To point to completely different domains, investigate further. Legitimate senders usually keep these aligned.
Routing Headers (Received, Return-Path, Message-ID)
These fields trace the email’s journey from sender to inbox. Think of them as a breadcrumb trail through servers.
- Received. The most important routing field. Each “Received” entry represents one server hop. It includes the server name, IP address, and timestamp. Read these bottom to top.
- Return-Path. The bounce address. If the email fails to deliver, the bounce notification goes here. It can differ from the From address legitimately.
- Message-ID. A unique identifier for that specific email. No two emails share the same Message-ID. Useful for tracking a single message through logs.
When debugging delivery issues, I start with the Received headers. They tell you exactly where delays or failures happened.
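The bottom-to-top reading of Received entries, as an added Python example that is not part of the original article: it walks the hops oldest first and reports the delay at each one. The sample header, its host names and the 60-second threshold are constructed for illustration.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not from the article); the newest hop is on top.
RAW = """\
Received: from mx.example.com (mx.example.com [198.51.100.7])
 by inbox.example.com with ESMTPS id abc123;
 Tue, 04 Mar 2025 10:07:05 +0000
Received: from relay.sender.com (relay.sender.com [192.0.2.1])
 by mx.example.com with ESMTPS id def456;
 Tue, 04 Mar 2025 10:02:03 +0000
Received: from app01.sender.com (app01.internal [10.0.0.5])
 by relay.sender.com with ESMTP id ghi789;
 Tue, 04 Mar 2025 05:02:01 -0500
Date: Tue, 04 Mar 2025 05:02:00 -0500
From: news@sender.com
Message-ID: <constructed-1@sender.com>

Body
"""

def received_hops(raw):
    """Return hops oldest-first as (from_host, by_host, timestamp, delay_seconds)."""
    msg = message_from_string(raw)
    hops, previous = [], None
    for value in reversed(msg.get_all("Received", [])):  # bottom entry is oldest
        # Unfold the header; the timestamp follows the last semicolon.
        route, _, stamp = " ".join(value.split()).rpartition(";")
        when = parsedate_to_datetime(stamp.strip())
        words = route.split()
        from_host = words[words.index("from") + 1] if "from" in words else "?"
        by_host = words[words.index("by") + 1] if "by" in words else "?"
        # Clock skew between servers can make a delay negative.
        delay = (when - previous).total_seconds() if previous is not None else 0.0
        hops.append((from_host, by_host, when, delay))
        previous = when
    return hops

def slow_hops(raw, threshold_seconds=60):
    """Hops whose delay since the previous hop exceeds the threshold."""
    return [hop for hop in received_hops(raw) if hop[3] > threshold_seconds]

if __name__ == "__main__":
    for from_host, by_host, when, delay in received_hops(RAW):
        print(f"{when.isoformat()}  {from_host} -> {by_host}  (+{delay:.0f}s)")
```

Only the entries written by servers you control are reliable; anything below them was supplied by upstream systems and can be fabricated.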
Technical Headers (MIME-Version, Content-Type, X-Mailer, X-Headers)
These fields describe the email’s format and reveal which tools sent it.
- MIME-Version. Almost always “1.0.” It tells the receiving server this email follows MIME formatting standards.
- Content-Type. Tells you whether the email is plain text, HTML, or multipart. Most marketing emails use multipart/alternative to include both.
- X-Mailer. Identifies the sending software or email client. You can fingerprint which ESP or tool sent the email from this field.
- X-Spam-Status. Shows the spam filter’s scoring of the email, if the server includes it. Look for a numerical score and the threshold that triggers spam classification.
- Custom X-headers. ESPs like Mailchimp, SendGrid, and HubSpot add their own X-headers. These carry campaign IDs, tracking data, and internal tags.
X-headers are optional. Not every email includes them. But when they are present, they give you valuable context about how the email was sent.
Email Authentication Headers: SPF, DKIM, and DMARC Explained
Authentication is the most important part of any email header. These three protocols determine whether receiving servers trust your email or throw it in spam.
- SPF (Sender Policy Framework). Checks if the sending server’s IP address is authorized by the domain’s DNS records.
- DKIM (DomainKeys Identified Mail). Verifies a cryptographic signature to confirm the message was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance). Ties SPF and DKIM together. It checks if both align with the From domain and enforces the domain owner’s policy.
All three results appear in the Authentication-Results header field. That single field is the most important line in any email header.
How to Read the Authentication-Results Header
Here is what a passing Authentication-Results field looks like:
Authentication-Results: mx.example.com;
    spf=pass (sender IP is 192.0.2.1) smtp.mailfrom=sender.com;
    dkim=pass header.d=sender.com header.s=selector1;
    dmarc=pass (policy=reject) header.from=sender.com
Let me break this down line by line.
- spf=pass. The sending IP is authorized by sender.com’s SPF record. Good.
- dkim=pass. The DKIM signature is valid. The email was not tampered with. The selector “selector1” identifies which key was used.
- dmarc=pass. Both SPF and DKIM align with the From domain. The domain’s DMARC policy is “reject,” meaning unauthorized emails get blocked entirely.
Here are all the possible results you might see:
- pass. The check succeeded. Everything is configured correctly.
- fail. The check failed outright. The email is likely spoofed or misconfigured.
- softfail. The check partially failed. Common with SPF when a server is not included in the record but the domain is not strict about enforcement.
- neutral. The domain’s records do not make a clear statement. Neither pass nor fail.
- none. No record exists for that protocol. The domain has not set up SPF, DKIM, or DMARC at all.
You want to see “pass” on all three. Anything else needs investigation.
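A script can run the same check across many messages. This added Python example (not the article's own code) reads only the Authentication-Results field stamped by your own receiving server, since a sender can include a field of the same name, then lists every result that is not pass plus any Reply-To or Return-Path domain that differs from the From domain. The sample message and the trusted server name mx.example.com are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article). The first Authentication-Results
# was stamped by our own server; the second arrived with the message.
RAW = """\
Authentication-Results: mx.example.com;
 spf=softfail (sender IP is 192.0.2.1) smtp.mailfrom=bounce.mailer.example;
 dkim=pass header.d=mailer.example header.s=selector1;
 dmarc=fail (policy=quarantine) header.from=sender.com
Authentication-Results: mx.untrusted.example;
 spf=pass smtp.mailfrom=sender.com; dkim=pass header.d=sender.com;
 dmarc=pass header.from=sender.com
Return-Path: <bounce@bounce.mailer.example>
From: Billing <billing@sender.com>
Reply-To: help@other-domain.example

Body
"""

def domain(value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted_id):
    """spf/dkim/dmarc results, taken only from headers our own server added."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        if authserv_id.lower().split()[:1] != [trusted_id]:
            continue  # stamped by another system, possibly the sender: ignore
        rest = re.sub(r"\([^)]*\)", " ", rest)  # drop parenthesised comments
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, result.lower())
    return results

def triage(raw, trusted_id="mx.example.com"):
    """Return (results, findings); findings lists what needs investigation."""
    msg = message_from_string(raw)
    results = auth_results(msg, trusted_id)
    findings = [f"{m}={results.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
    from_dom = domain(msg["From"])
    for field in ("Reply-To", "Return-Path"):  # exact match, subdomains count
        other = domain(msg[field])
        if other and other != from_dom:
            findings.append(f"{field}: {other} differs from From: {from_dom}")
    return results, findings
```

Calling `triage(RAW)` reports the softfail and the DMARC failure from the trusted field and ignores the all-pass field that came with the message.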
What Happens When Authentication Fails
Failed authentication has real consequences for your emails.
- SPF fail or softfail. The receiving server may flag the email as suspicious. Softfail usually means spam folder. Hard fail can mean outright rejection.
- DKIM fail. The message signature is broken. The email looks tampered with. Most servers will either reject it or send it to spam.
- DMARC fail. What happens depends on the domain’s DMARC policy:
  - p=none. No enforcement. The email still delivers, but reports are generated.
  - p=quarantine. The email goes to spam or junk.
  - p=reject. The email is blocked entirely. It never reaches the recipient.
If you send cold emails or marketing campaigns, failed authentication is the fastest way to land in spam. Check your headers after every campaign. Fix failures immediately.
How Email Headers Affect Your Deliverability
This is the “so what” section. Everything above connects to one outcome: whether your emails reach the inbox.
Most guides treat email headers as academic knowledge. They are not. If you send emails at scale, headers are your primary diagnostic tool.
Here is what headers reveal about your deliverability:
- Authentication failures. A single SPF softfail or DKIM failure shows up in headers. It also shows up in spam folders. Fix it in your DNS records.
- Suspicious routing. Too many server hops raise red flags for spam filters. Unknown or blacklisted IPs in the Received chain make things worse.
- Missing or malformed headers. Emails without proper headers look untrustworthy to receiving servers. This quietly lowers your sender reputation.
- The “why did this go to spam?” answer. Nine times out of ten, the answer is sitting in the Authentication-Results field. That is where I start every investigation.
This is exactly why warming up your email matters. Warm-up helps establish the sending patterns and authentication trust that show up clean in your headers. I built TrulyInbox around this principle.
If you cannot read your own email headers, you are flying blind on deliverability.
Best Free Email Header Analyzer Tools
You do not have to read raw headers manually every time. These free tools parse and format headers automatically.
I have used all of these while troubleshooting deliverability for TrulyInbox users. Here is when each one is most useful.
Google Admin Toolbox (Messageheader)
- Built by Google. Best for Gmail users.
- Paste your raw header and get a clean visual breakdown.
- Highlights delays between server hops. Useful for spotting routing bottlenecks.
- Link: toolbox.googleapps.com/apps/messageheader/
MXToolbox Email Header Analyzer
- The most popular standalone header analysis tool.
- Shows the full routing chain, hop-by-hop delays, and blacklist status for sending IPs.
- MXToolbox itself ranks #2 for “email headers.” Their tool is that widely used.
- Link: mxtoolbox.com/EmailHeaders.aspx
Microsoft Message Header Analyzer
- Microsoft’s own tool hosted at mha.azurewebsites.net.
- Best for Outlook-heavy environments.
- Parses headers into a clean table with timestamps and relay info.
- Link: mha.azurewebsites.net
Other Tools Worth Trying
- WhatIsMyIPAddress Header Analyzer. Detects the sender’s IP address and geographic location. Good for verifying where an email actually originated.
- Mailheader.org. Provides header samples alongside analysis. Helpful if you are learning to read headers and want reference examples.
Pick the tool that matches your email environment. If you use Gmail, start with Google’s tool. If you use Outlook, start with Microsoft’s. For general purpose analysis, MXToolbox covers everything.
Common Email Header Mistakes That Hurt Your Inbox Placement
These are the exact issues I see when users come to TrulyInbox after their warm-up is not working. The header is where I diagnose the root cause.
Authentication Failures (Broken SPF, DKIM, DMARC)
These are the most common and most damaging mistakes.
- Missing or misconfigured SPF record. Your headers will show spf=softfail or spf=fail. This means the sending server is not authorized by your domain. Fix it in your DNS settings.
- Broken DKIM signature. Your headers will show dkim=fail. This usually happens after a DNS change or when your ESP rotates signing keys. Re-verify your DKIM setup.
- No DMARC policy. Your headers will show dmarc=none. This means you have no protection against spoofing. Set up at least a basic DMARC record.
- Mismatched From and Return-Path domains. SPF and DMARC check domain alignment. If your From address uses one domain but your Return-Path uses another, alignment fails.
Routing and Configuration Red Flags
- Too many server hops. Each Received entry is one hop. More than four or five hops looks suspicious to spam filters.
- Unknown or blacklisted IPs. Check the IP addresses in your Received headers against a blacklist tool like MXToolbox. One blacklisted IP in the chain can tank your delivery.
- Shared IPs with bad reputation. If you send from a shared IP, other senders on that IP affect your reputation. Check the sending IP in your Received headers regularly.
Missing Headers That Bulk Senders Need (List-Unsubscribe, Precedence)
- List-Unsubscribe. Google and Yahoo now require this header for bulk senders. If your marketing emails do not include it, spam filters will penalize you.
- Precedence. Automated emails like receipts and notifications should include a Precedence: bulk header. Missing it can cause spam filters to misclassify your messages.
These omissions are silent killers. Your emails look fine on the surface. But the missing headers trigger spam filters without any visible bounce or error message.
FAQs About Email Headers
What is an email header in simple terms?
An email header is hidden metadata attached to every email. It contains sender info, routing data, timestamps, and authentication results. You can view it in any email client, but it is hidden by default.
How do I view email headers in Gmail?
Open the email. Click the three dots next to the Reply button. Select “Show Original.” A new tab opens with the full header and an SPF, DKIM, DMARC summary at the top.
Can email headers be faked or spoofed?
Parts of the header can be forged. The From field is the most common target. But authentication protocols like SPF, DKIM, and DMARC catch most forgeries. Always check the Authentication-Results field to verify the sender.
What do SPF, DKIM, and DMARC mean in email headers?
SPF checks if the sending server is authorized by the domain. DKIM verifies the message was not altered in transit using a cryptographic signature. DMARC ties both together and tells receiving servers what to do if checks fail.
How do email headers help with deliverability?
Headers show whether your authentication passed or failed. They reveal routing problems and spam filter scores. Reading them helps you diagnose exactly why emails land in spam instead of the inbox.
