Email Raw Source Analyzer
Paste an email's full raw source (headers + body) to decode authentication, routing, tracking pixels, and spam indicators. This is what you get from Gmail's "Show original" or Outlook's "Internet Headers."
Press Ctrl+Enter to analyze
Show original → copy everything. In Outlook: File → Properties → copy Internet Headers. In Apple Mail: View → Message → Raw Source.
Everything is analyzed locally in your browser. Nothing is uploaded to our servers.
Analyzing email source...
Your raw source analysis is ready
Enter your email to see the full header-by-header breakdown. We'll send you a copy, that's it, no marketing emails.
100% client-side analysis. No spam, no mailing list, just your results.
Authentication Results
Sender Information
Routing Timeline
Body & HTML Analysis
Spam Indicators
All Headers
What is Email Source Code?
Every email you receive is more than what you see in your inbox. Behind the rendered message is raw source code: a text document formatted according to the MIME (Multipurpose Internet Mail Extensions) standard. This source code contains two main parts: the headers and the body.
The headers are a collection of metadata fields that record everything about the email's journey: who sent it, what servers relayed it, how it was authenticated, and dozens of other technical details. The body contains the actual message content, which can be plain text, HTML, or a multipart combination of both, along with any attachments encoded in Base64.
Understanding raw email source is essential for diagnosing deliverability problems, identifying phishing attempts, and verifying that your authentication records (SPF, DKIM, DMARC) are working correctly. This tool parses that source code and presents it in a readable format so you can quickly spot issues.
Understanding Email Headers
Email headers are the backbone of email routing and verification. Each header is a key-value pair that provides specific information about the message. Some are added by the sender's mail client, others by each mail server that handles the message along the way.
Key headers to know:
From: The visible sender address shown to the recipient. This can be easily spoofed, which is why authentication protocols exist.
Return-Path: The actual envelope sender used for bounce handling. When this differs from the From address, it can be a sign of forwarding, third-party sending, or spoofing.
Received: Added by each server that processes the email. Reading these in reverse order traces the message's path from origin to destination. Delays between hops can indicate server issues or greylisting.
Authentication-Results: Added by the receiving server, this header contains the results of SPF, DKIM, and DMARC checks. It's one of the most important headers for deliverability troubleshooting.
Message-ID: A unique identifier for the message. Missing or malformed Message-IDs can indicate bulk sending tools or misconfigured mail servers.
Email Authentication: SPF, DKIM, DMARC
Email authentication is a set of protocols that verify the sender's identity and protect against spoofing. All three work together to build a chain of trust.
SPF (Sender Policy Framework)
SPF lets domain owners publish a DNS record listing which IP addresses are authorized to send email on their behalf. When a receiving server gets an email, it checks if the sending IP is in the SPF record. A "pass" means the IP is authorized; a "fail" means it isn't.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to the email headers. The sending server signs the message with a private key, and the receiving server verifies it using a public key published in DNS. A valid DKIM signature proves the email wasn't tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together by checking that the domain in the From header aligns with the domains verified by SPF and DKIM. It also tells receiving servers what to do with messages that fail (none, quarantine, or reject) and where to send aggregate reports.
Identifying Email Tracking and Privacy
Many marketing emails include invisible tracking mechanisms. Understanding these helps you evaluate both the privacy implications of emails you receive and the tracking practices of emails you send.
Tracking pixels are tiny 1x1 transparent images embedded in HTML emails. When the email is opened and images are loaded, the pixel URL is fetched from the sender's server, telling them that you opened the email, when, and often from what device and location.
Link tracking replaces destination URLs with redirect URLs through the sender's tracking domain. When you click a link, the request first goes to the tracking server (which logs the click), then redirects you to the actual destination. You can identify these by looking for unfamiliar domains in link URLs or utm_ parameters in query strings.
URL shorteners like bit.ly or t.co serve a similar purpose: they mask the destination URL and allow click tracking. In email, shortened URLs are sometimes flagged by spam filters because they obscure the true destination, a technique commonly used in phishing.
Frequently Asked Questions
Is my email content uploaded to your servers?
No. All analysis happens entirely in your browser using JavaScript. The raw email source you paste never leaves your device. The only data sent to our server is your email address (if you choose to unlock the full report) and anonymous aggregate statistics about the analysis results. Your actual email content is never transmitted.
What does it mean if SPF, DKIM, or DMARC fails?
A failing authentication check doesn't always mean the email is malicious. SPF can fail when emails are forwarded through servers not in the sender's SPF record. DKIM can break if a mailing list modifies the message body. DMARC failure means either SPF or DKIM (or both) didn't pass with domain alignment. However, consistent authentication failures from a sender are worth investigating, as they could indicate spoofing or misconfiguration.
How do I find the raw source of an email?
In Gmail, open the email, click the three-dot menu in the top right, and select "Show original." In Outlook desktop, open the message, go to File, then Properties, and look in the "Internet Headers" box. In Apple Mail, select the message, go to View, then Message, then Raw Source. In Yahoo Mail, click the three-dot menu and select "View raw message." Each client presents the same underlying data in slightly different ways.
What are tracking pixels and should I be concerned?
Tracking pixels are tiny invisible images (typically 1x1 pixels) embedded in HTML emails. When your email client loads images, it fetches these pixels from the sender's server, confirming that you opened the email. While common in marketing emails and generally harmless, they do reveal your IP address, approximate location, device type, and the time you opened the email. Many email clients now block external images by default to prevent this tracking.
Why are there delays between routing hops?
Small delays (under a few seconds) between hops are normal and represent processing time at each mail server. Longer delays can be caused by greylisting (a spam prevention technique where the server temporarily rejects the message), queue processing on busy servers, DNS lookup delays, or content scanning. Delays over 5 minutes between hops may indicate delivery issues, while delays of 30+ minutes could suggest the email was stuck in a queue or subjected to extended spam analysis.