Free Tool — No Sign-Up Required
TheBRHub Free Tools
Email Header Analyzer
See What's Really Happening.
SPF passing but emails still hitting spam? DKIM breaking after a forward? Reply-To doesn't match From? Paste your raw headers below — instant diagnosis with plain-English explanations on every metric.
9
Auth Checks
A–F
Health Grade
0s
Setup Required
100%
Client-Side Private
Paste Raw Email Headers
Gmail: ⋮ → Show original | Outlook: File → Properties → Internet headers | Click any result for deep-dive details
Drag & drop email file
or click to browse
.eml .txt .msg .mbox (up to 2 MB)
Overview
Authentication
Routing
Security
Raw
Issues & Recommendations
Raw Authentication Headers
Email Routing Path
Security Indicators
Details
What We Check
More Than Pass/Fail.
We Explain Why It Matters.
Every check includes a plain-English breakdown of what it means, why it matters, and what to do about it — click any result in the tool above for live deep-dive explanations.
✉
SPF — Sender IP Authorization
Validates the sending IP against the domain's DNS SPF record. Detects unauthorized senders, softfail vs hardfail, missing records, and explains which IP was checked and why it passed or failed.
🔑
DKIM — Cryptographic Signature
Verifies the RSA/Ed25519 signature. Identifies signing domain, selector, algorithm, and whether the signature survived transit. Catches forwarding chain breaks and body modifications.
🔐
DMARC — Policy Enforcement
Checks SPF/DKIM alignment with the visible From domain. Reports active policy (none/quarantine/reject) and whether the message satisfies it — essential for understanding inbox vs spam outcomes.
🔗
ARC — Forwarding Chain Integrity
Validates whether intermediate servers preserved authentication when forwarding. Critical for mailing lists, routing rules, and security gateways that would otherwise break SPF/DKIM.
🚦
Routing Hops & Transit Time
Reconstructs the complete delivery path. Timestamps each hop, calculates delays, flags unusual latency (300s+ triggers spam filters), and identifies TLS use per individual hop.
📊
SCL / Spam Score
Extracts Microsoft Exchange SCL (-1 to 9), X-Spam-Status, and X-Spam-Score. Explains the delivery threshold each score crosses and what action the server will take.
🚨
Phishing Signal Detection
Automatically detects Reply-To domain mismatches — the #1 phishing indicator. Also flags all-auth-fail patterns consistent with impersonation and spoofing attacks.
🔒
TLS Encryption Per Hop
Detects ESMTPS usage on each routing hop individually. Plaintext hops mean the message could have been intercepted. Each hop is checked and labeled independently.
🏷
BIMI & Brand Indicators
Checks BIMI eligibility — the standard that lets verified senders display their logo in Gmail, Yahoo, and Apple Mail. Requires DMARC enforcement plus an optional VMC certificate for Google.
How It Works
Three Steps. Full Diagnosis.
1
Find Your Raw Headers
Gmail: open email → three dots → "Show original." Outlook: File → Properties → Internet headers. Most ESPs have "View source" or "Show headers" in message activity logs.
2
Paste & Analyze
Paste the raw headers into the tool above. All processing happens in your browser — nothing is transmitted to our servers. Results appear instantly with no sign-up required.
3
Click Any Result
Every metric, auth card, hop, and issue is clickable. A detail panel slides in from the right with plain-English context, what to fix, and why it affects deliverability.
Plain-English Explanations
Every Metric. Actually Explained.
Not just a checkmark — every result comes with enough context to understand what it means and what to do about it.
SPF
Sender Policy Framework
A DNS TXT record listing authorized IPs. The receiving server checks if the sender's IP is on that list during SMTP delivery.
SPF only covers the envelope-from address, not the visible From header. DMARC ties them together and enforces the policy.
DKIM
DomainKeys Identified Mail
A cryptographic signature added to outgoing messages. The receiving server fetches your public key from DNS and verifies the signature — proving the email wasn't modified in transit.
If content changes after signing (mailing list footer), the signature fails. ARC is the forwarding solution.
DMARC
Domain-Based Message Authentication
Builds on SPF and DKIM with alignment checking — the authenticated domain must match your visible From address. The policy tells receivers what to do on failure.
p=reject + 100% compliance is the gold standard. Also required to qualify for BIMI logo display in Gmail and Yahoo.
ARC
Authenticated Received Chain
Solves the forwarding problem. When a message passes auth from origin but gets forwarded through a mailing list or gateway, ARC lets trusted intermediaries vouch for the original results.
Critical for G Suite routing rules, Google Groups, and security gateways that intercept mail before delivery.
SCL
Spam Confidence Level (Microsoft)
Microsoft Exchange's internal spam score from -1 (explicitly trusted) to 9 (confirmed spam). SCL 5+ routes to Junk. SCL -1 bypasses all spam filtering. Only in M365/Exchange environments.
A sudden SCL jump for legitimate mail usually means your sending IP was flagged by Microsoft's reputation system.
BIMI
Brand Indicators for Message Identification
Lets verified senders display their logo in Gmail, Yahoo Mail, and Apple Mail. Requires DMARC enforcement (p=quarantine or reject) and a BIMI DNS record pointing to an SVG logo file.
Major senders report 10–15% higher open rates after BIMI. Google additionally requires a VMC certificate from a CA.
Free vs. DeliverCORE
This Tool Is Free.
DeliverCORE Goes Further.
The header analyzer is always free. For continuous monitoring, domain warmup, and blacklist scanning — that's DeliverCORE.
Free Forever
Header Analyzer
$0 / always
Paste-and-analyze. No account needed.
- ✓ SPF, DKIM, DMARC, ARC analysis
- ✓ Routing hop timeline + TLS
- ✓ SCL / Spam Score reading
- ✓ BIMI eligibility check
- ✓ Phishing signal detection
- ✓ A–F health grade with detail panels
- — Continuous domain monitoring
- — Blacklist scanning
- — Domain warmup engine
Most Popular
Professional
DeliverCORE Professional
$79 / month
For growing teams that need ongoing visibility.
- ✓ Everything in Free
- ✓ 25 domains monitored
- ✓ Blacklist scanning (every 4hrs)
- ✓ Domain warmup engine
- ✓ Inbox placement testing
- ✓ DMARC report processing
- ✓ Slack + email alerts
- — API access
- — White-label & client management
Enterprise
DeliverCORE Enterprise
$199 / month
For organizations that need full-scale monitoring.
- ✓ Everything in Professional
- ✓ Unlimited domains
- ✓ Real-time monitoring
- ✓ AI-powered warmup scheduling
- ✓ API access
- ✓ Priority support
- ✓ Custom integrations
Need client management?
See Agency & MSP plans →
See Agency & MSP plans →
Starter plan also available at $29/mo for up to 5 domains. View all plans →
FAQ
Common Questions
Yes — completely free, no account required. The only "catch" is that if you find problems and need continuous monitoring, client management, or blacklist scanning, that's where DeliverCORE comes in.
No. All analysis happens entirely in your browser using JavaScript. Your headers are never transmitted to TheBRHub's servers. You can disconnect from the internet after loading the page and the analyzer will still work.
Gmail: Open the email → click ⋮ → "Show original" → copy the full text.
Outlook desktop: Open the email → File → Properties → "Internet headers."
Outlook web: Open email → ⋮ → "View" → "View message source."
Apple Mail: View → Message → All Headers, then Cmd+A to select all.
Outlook desktop: Open the email → File → Properties → "Internet headers."
Outlook web: Open email → ⋮ → "View" → "View message source."
Apple Mail: View → Message → All Headers, then Cmd+A to select all.
SPF passing doesn't guarantee inbox delivery. DMARC requires SPF to pass AND align — the domain in MAIL FROM must match the visible From header. Many ESPs use their own domain in the envelope, so SPF passes while DMARC alignment fails. Spam scores, sending reputation, and content signals also contribute independently of auth results.
p=none: No action — delivered normally, failure just gets reported.
p=quarantine: Message moves to spam/junk.
p=reject: Message blocked entirely — never reaches inbox or spam.
Most domains start at p=none for monitoring before moving to enforcement.
p=quarantine: Message moves to spam/junk.
p=reject: Message blocked entirely — never reaches inbox or spam.
Most domains start at p=none for monitoring before moving to enforcement.
BIMI (Brand Indicators for Message Identification) displays your company logo directly in the inbox next to your emails in Gmail, Yahoo Mail, and Apple Mail. It's not required, but senders who implement it report meaningfully higher open rates due to increased brand visibility and trust. Prerequisites: DMARC at p=quarantine or p=reject, plus a valid BIMI DNS record. Google additionally requires a VMC (Verified Mark Certificate) from a Certificate Authority.
MXToolbox shows raw results. This tool explains what each result means, grades your overall configuration with a letter score, and surfaces issues a non-specialist can act on. We also detect Reply-To phishing patterns, check BIMI eligibility, and every result has a clickable detail panel with plain-English context. Everything runs client-side — your headers stay on your machine.
Ready to See What's Really in Your Headers?
Paste any email header for an instant, plain-English breakdown of every authentication result, routing hop, and deliverability signal — with click-to-expand details on everything.