📬

Email Header Parser

Parse raw email headers to extract routing, authentication, and spoofing indicators

POST 1 credit /v1/email/headers
curl -X POST "https://email.toolkitapi.io/v1/email/headers" \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{"raw_headers": "From: [email protected]\nTo: [email protected]\nSubject: Test Email\nDate: Mon, 14 Apr 2026 12:00:00 +0000\nMessage-ID: <[email protected]>\nReceived: from mail.toolkitapi.io (mail.toolkitapi.io [93.184.216.34]) by mx.example.org with ESMTPS; Mon, 14 Apr 2026 12:00:00 +0000\nAuthentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass"}'
import httpx

resp = httpx.post(
    "https://email.toolkitapi.io/v1/email/headers",
    json={"raw_headers": "From: [email protected]\nTo: [email protected]\nSubject: Test Email\nDate: Mon, 14 Apr 2026 12:00:00 +0000\nMessage-ID: <[email protected]>\nReceived: from mail.toolkitapi.io (mail.toolkitapi.io [93.184.216.34]) by mx.example.org with ESMTPS; Mon, 14 Apr 2026 12:00:00 +0000\nAuthentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass"},
)
print(resp.json())
const resp = await fetch("https://email.toolkitapi.io/v1/email/headers", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({"raw_headers": "From: [email protected]\nTo: [email protected]\nSubject: Test Email\nDate: Mon, 14 Apr 2026 12:00:00 +0000\nMessage-ID: <[email protected]>\nReceived: from mail.toolkitapi.io (mail.toolkitapi.io [93.184.216.34]) by mx.example.org with ESMTPS; Mon, 14 Apr 2026 12:00:00 +0000\nAuthentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass"}),
});
const data = await resp.json();
console.log(data);
# See curl example
Response 200 OK
{
  "subject": "Test Email",
  "from_address": "[email protected]",
  "to_address": "[email protected]",
  "date": "Mon, 14 Apr 2026 12:00:00 +0000",
  "message_id": "<[email protected]>",
  "return_path": null,
  "received_hops": [
    {
      "index": 0,
      "from_host": "mail.toolkitapi.io",
      "by_host": "mx.example.org",
      "timestamp": "Mon, 14 Apr 2026 12:00:00 +0000",
      "delay_seconds": null,
      "protocol": "ESMTPS"
    }
  ],
  "auth_results": [
    {"method": "SPF", "result": "pass", "detail": null},
    {"method": "DKIM", "result": "pass", "detail": null},
    {"method": "DMARC", "result": "pass", "detail": null}
  ],
  "originating_ip": "93.184.216.34",
  "total_delivery_time_seconds": null,
  "spoofing_risk": "low",
  "header_count": 7
}

Description

Parse raw email headers to extract routing, authentication, and spoofing indicators

How to Use

1

1. Copy the raw email headers from your email client (usually available via "Show Original" or "View Source").

2

2. Send a POST request with the `raw_headers` field containing the header text.

3

3. Check `spoofing_risk` for an overall assessment — "low" means authentication passed, "high" means likely spoofed.

4

4. Review `auth_results` for individual SPF, DKIM, and DMARC verdicts, and `received_hops` for the delivery path.

About This Tool

The Email Header Parser analyzes raw email headers to extract routing information, authentication results, and spoofing risk indicators. It parses Received header chains to trace the email's path, extracts SPF, DKIM, and DMARC authentication results, identifies the originating IP address, and assesses the overall spoofing risk level.

Paste raw email headers from any email client and get structured data about how the email was routed, whether it passed authentication checks, and how likely it is to be spoofed.

Why Use This Tool

Frequently Asked Questions

How is spoofing risk determined?
Spoofing risk is assessed by combining SPF, DKIM, and DMARC results with Return-Path/From domain alignment. Failing SPF and DKIM, combined with a From/Return-Path domain mismatch and failed DMARC, results in a "high" risk rating.
What email format should I paste?
Paste the complete raw header block — everything from the first "Received:" line to the blank line before the message body. Most email clients expose this via "Show Original" or "View Headers" options.
Can this detect all types of email spoofing?
The parser detects spoofing indicators based on email authentication protocols (SPF, DKIM, DMARC) and header analysis. It may not detect sophisticated attacks that properly configure authentication for spoofed domains.

Start using Email Header Parser now

Get your free API key and make your first request in under a minute.