Plunk logo
Plunk
§ T-09  —  Tool← All tools

Email headers
analyzer

Paste raw email headers and get a parsed breakdown of SPF, DKIM, and DMARC results, routing hops with timestamps, and the full authentication chain.

Raw header input

Paste the full raw headers — no email body required. Everything is processed locally in your browser.

§ 01Email headers explained

What headers tell you.

Every email carries a forensic trail. Here's what to look for when debugging deliverability.

/ Authentication

SPF, DKIM & DMARC

The Authentication-Results header is your first stop. It shows whether the sending server was authorised (SPF), the signature was valid (DKIM), and whether both align with the From domain (DMARC).

/ Routing

Received chain

Received headers trace the path of your email from origin to inbox. Read them bottom-to-top. Large time gaps reveal where delays happened — useful for diagnosing why an email arrived late.

/ Identity

Return-Path & Reply-To

Return-Path is where bounces go — it must pass SPF. Reply-To overrides where replies are sent. A mismatch between From, Return-Path, and Reply-To can trigger spam filters or indicate phishing.

Never debug deliverability again.

Plunk sets up authentication correctly from day one and gives you the analytics to catch deliverability issues before your users do.

Start with PlunkCheck DKIM record

Frequently asked questions

Where do I find the raw email headers?

In Gmail: open the email, click the three-dot menu (⋮), choose "Show original". In Outlook: open the email, click File → Properties, and copy the "Internet headers" box. In Apple Mail: with the email open, go to View → Message → All Headers. The raw headers appear at the top of the message source.

What do the Authentication-Results headers mean?

Authentication-Results is added by the receiving mail server and summarises the SPF, DKIM, and DMARC check results. "pass" means the check succeeded. "fail" or "hardfail" means it failed. "none" means no record was found. If DMARC passes but SPF or DKIM fails, check that your sending domain aligns with the From header.

How do I read the Received chain?

Received headers are added by each mail server the message passed through, with the most recent at the top. Reading them bottom-to-top gives you the routing path from sender to inbox. Large time gaps between hops indicate server delays or queuing. The very first Received header shows where the message originated.

Why does email land in spam even though SPF and DKIM pass?

Authentication passing is necessary but not sufficient. Spam filters also consider sender reputation, IP blacklist status, content quality, engagement history, and DMARC alignment. A brand-new IP, a domain with no sending history, or content with many spam trigger words can cause filtering even with perfect authentication.

What is the DKIM-Signature header?

DKIM-Signature contains a cryptographic signature applied by the sending server. The "d=" tag identifies the signing domain and "s=" is the selector used to locate the public key in DNS. Receiving servers verify the signature against the public key at <selector>._domainkey.<domain>. A mismatch or missing key causes a DKIM fail.