How to Read Email Headers — Trace SPF, DKIM & Routing (2025)
Every email carries a hidden trail — the full header — showing exactly how it traveled from sender to inbox. Learning to read it is the fastest way to diagnose delivery failures, SPF/DKIM issues, or phishing attempts. This guide teaches you how to decode and understand headers like a deliverability engineer.
1️⃣ Where to Find the Full Email Header
Each mail client stores full headers differently:
- Gmail: Open the email → ⋮ → “Show Original”
- Outlook: File → Properties → “Internet headers” box
- Apple Mail: View → Message → All Headers
- Thunderbird: View → Headers → All
Copy the entire block of text — this is your forensic goldmine.
2️⃣ Key Sections in an Email Header
a) Return-Path
The envelope sender: the address the sending server gave in the SMTP transaction, and the one that handles bounces. It shows who the message was sent as at the transport level, not just what appears in “From.”
b) Received Chain
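Each “Received:” line shows one mail server that handled your message. They appear in reverse order: the top line is the most recent hop. Analyzing these tells you if your email was delayed, rerouted, or forged. Only the lines added by servers you trust (such as your own mailbox provider) are reliable, because a sender can write anything into the lines below them.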
Received: from mail.mailtested.com (mail.mailtested.com [192.168.1.1])
    by mx.google.com with ESMTPS id abcd12345
    for <[email protected]>; Thu, 6 Nov 2025 08:12:34 +0000
c) Authentication-Results
This is where SPF, DKIM, and DMARC verdicts appear. A passing example looks like this:
Authentication-Results: mx.google.com;
    spf=pass (mailtested.com: domain of [email protected] designates 192.168.1.1 as permitted sender);
    dkim=pass header.d=mailtested.com;
    dmarc=pass (p=quarantine) header.from=mailtested.com
If any of these show “fail” or “softfail,” that’s your first red flag.
d) Message-ID
A unique identifier generated by the sending MTA — useful for tracking duplicates, threading, and delivery logs.
e) Received-SPF
Some providers include a simplified SPF summary, e.g.:
Received-SPF: fail (mailtested.com: domain of [email protected] does not designate 192.168.1.1)
When SPF fails, mailbox filters downgrade or reject the message outright.
3️⃣ How to Detect Common Problems from Headers
- SPF fails — check that your sending IP is authorized in your SPF record.
- DKIM fails — verify that the public key published in DNS under your selector matches the signing domain (d=) in the signature.
- DMARC fails — confirm both SPF and DKIM align with the “From” domain.
- Missing PTR (reverse DNS) — fix your rDNS to match your sending hostname.
- Long gaps between Received lines — these indicate slow relays or throttling.
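The checks from sections 2 and 3 in Python, as an added example that is not MailTested's code: it walks the Received chain oldest-first to time each hop and reads the SPF/DKIM/DMARC verdicts from the topmost Authentication-Results header. The header block, hostnames, and the 300-second gap threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header block (not from a real message).
SAMPLE = """\
Return-Path: <bounce@mail.example.com>
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS id constructed3
\tfor <user@example.org>; Thu, 6 Nov 2025 08:19:40 +0000
Received: from out.example.com (out.example.com [192.0.2.10])
\tby relay.example.net with ESMTPS id constructed2;
\tThu, 6 Nov 2025 08:12:36 +0000
Received: from app.example.com (app.example.com [192.0.2.5])
\tby out.example.com with ESMTP id constructed1;
\tThu, 6 Nov 2025 08:12:34 +0000
Authentication-Results: mx.example.org;
\tspf=softfail smtp.mailfrom=mail.example.com;
\tdkim=pass header.d=example.com;
\tdmarc=pass (p=quarantine) header.from=example.com
From: Sender <sender@example.com>

body
"""

def received_hops(raw):
    """Return (receiving_host, seconds_since_previous_hop), oldest hop first."""
    hops, prev = [], None
    # Received lines are prepended, so the bottom one is the first hop.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        by = re.search(r"\bby\s+(\S+)", value)
        delay = None if prev is None else (stamp - prev).total_seconds()
        hops.append((by.group(1) if by else "?", delay))
        prev = stamp
    return hops

def auth_verdicts(raw):
    """Map spf/dkim/dmarc to the verdict in the topmost Authentication-Results."""
    # Only the topmost header, added by your own receiver, is trustworthy.
    value = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value.lower()))

def red_flags(raw, max_gap=300):
    """List non-pass verdicts and hops slower than max_gap seconds."""
    flags = [f"{k}={v}" for k, v in auth_verdicts(raw).items() if v != "pass"]
    flags += [f"slow hop into {h} ({int(d)}s)" for h, d in received_hops(raw) if d and d > max_gap]
    return flags
```

Calling `red_flags(SAMPLE)` reports the SPF softfail and the seven-minute delay before the final hop.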
4️⃣ Use MailTested’s Header Analyzer
Manually decoding headers is tedious — even experts use automation to save time. MailTested’s Header Analyzer parses SPF, DKIM, DMARC, routing, and relay latency automatically, turning a messy wall of text into clean, actionable diagnostics.
✅ Final Thoughts
Email headers reveal everything — you just need to know where to look. Mastering them turns guesswork into precision, letting you prove whether a message was authenticated, delayed, or spoofed. Always test suspicious or failing messages through MailTested to validate your configuration in seconds.