Does the analyzer send my header to a server?

No. All parsing happens in your browser. Nothing is uploaded.

What does a DKIM fail mean?

DKIM fail means the cryptographic signature on the message could not be verified. The message may have been tampered with or sent from an unauthorized server.

What does From and Return-Path mismatch indicate?

It can be normal for mailing lists. On a one-to-one message it is often a spoofing signal.

Why are Cyrillic characters a red flag?

Cyrillic letters that look identical to Latin letters (а, е, о) are used to register lookalike domains. The analyzer flags any non-Latin character in the From line.

Will this catch every phishing email?

No. The header view is one input. Pair it with body content, link inspection, and out-of-band verification for high-stakes messages.

How do I export the analysis?

Copy the output from your browser. We do not generate downloadable reports.

Email Header Analyzer: DKIM, SPF, DMARC Forensics

Paste raw email header

Paste a header above. Nothing is sent to a server.

All calculations happen in your browser. We don’t store inputs.

How it works.

You enter

A pasted raw email header. In Gmail, "Show original"; in Outlook, "View source".

We compute

A client-side parser breaks out From, Reply-To, Return-Path, Subject, Message-ID, the Received chain, and Authentication-Results.

You learn

A clean view of the routing, with red flags for auth failures and mismatched fields.

You enter

You can also click "Load a phishy sample" to see what a suspicious header looks like.

We compute

The parser flags DKIM, SPF, DMARC failures, From and Return-Path domain mismatches, and Cyrillic-range characters used for lookalikes.

You learn

A defensible second opinion before you click a link or forward to your security team.

You enter

Nothing about the pasted header is sent off-page.

We compute

All parsing happens in JavaScript in your browser. No backend, no logging, no analytics on the input.

You learn

A header forensic kit you can use on a co-worker forward without leaking it to a third-party service.

What this tool isn’t.

This is a starter kit, not a full forensic suite. The parser only flags structural issues that show in the header itself: DKIM/SPF/DMARC failures, domain mismatches, basic homoglyph patterns. It cannot tell you whether a sending server is on a known-bad list, whether the From domain is freshly registered, or whether the body content is malicious. For a deeper look, pair this output with a domain-age check (whois) and a blocklist check (Spamhaus, SURBL). The tool also assumes you pasted the full raw header, not the rendered email; partial input gives partial answers.