CHECKLINK AI
Privacy-first email tool

Email Header Inspector

Paste email headers and review sender, reply-to, authentication, and routing signals.

Tool guidance

How to use the Email Header Inspector

Paste the full original message or full email headers, not just the visible email body, when you can.

Do not paste passwords, private documents, or sensitive attachments. The header text is processed locally in your browser.

How to use it

Open the suspicious email in your mail provider.
Find the full original message or full email headers.
Copy the full header or original source.
Paste it into CheckLink.
Review sender, reply-to, return-path, SPF, DKIM, DMARC, Message-ID, and routing signals.
Treat results as context, not proof.

What results mean

SPF, DKIM, and DMARC pass results are useful signals, not proof that the email is safe.
Sender, Reply-To, Return-Path, Message-ID, and Received fields can show routing or infrastructure clues.
A mismatch deserves context, especially for login, payment, invoice, payroll, gift card, or vendor-change requests.

What to do next

Use Email Link Inspector if you only have the visible email body.
Use BEC Request Inspector for payment, invoice, payroll, or vendor-change wording.
Request manual review when money, credentials, or customer risk is involved.
Where to find full headers

Provider instructions

Provider wording can vary. Look for full headers, original source, raw message, message source, or view details.

Gmail

Open Gmail in a browser.
Open the email.
Click the three-dot More menu next to Reply.
Choose Show original.
Copy the original or header text and paste it into CheckLink.

Zoho Mail

Open Zoho Mail.
Open the email.
Use More Actions.
Choose Show Original.
Copy the header or original text and paste it into CheckLink.

Outlook / Microsoft 365

In Outlook on the web or new Outlook, open the email and look for View or View message details.
In classic Outlook for Windows, open the message in its own window, go to File > Properties, then copy the Internet headers box.
Paste the header text into CheckLink.

Yahoo Mail

Open the email.
Use the More options menu.
Choose View Raw Message or similar wording.
Copy the raw header or source text and paste it into CheckLink.

Apple Mail / other apps

Look for View Source, Raw Message, Show Original, Message Source, or Full Headers.
If you cannot find headers, use Email Link Inspector instead and inspect the visible links.

Your pasted headers stay in your browser. CheckLink does not receive or store the email header text.

Do not paste passwords, private documents, or sensitive attachments.

Header summary

Header signals can be forged, missing, or modified. Use this as context, not proof.

From
Not found
The visible sender address.
Reply-To
Not found
Where replies go. If Reply-To differs from From, be more careful.
Return-Path
Not found
Where bounces go. It can reveal the sending infrastructure.
Sender
Not found
A technical sender field that may appear when another system sends on behalf of a domain.
Message-ID
Not found
A technical identifier for the message. A different domain can be a routing clue, not automatic proof of phishing.
Subject
Not found
The subject line from the message header.
Date
Not found
The date value from the message header.
Authentication-Results
Not found
A mail-system summary of SPF, DKIM, and DMARC checks when present.
SPF
Not found
SPF pass means the sending server was allowed by the domain's SPF policy. Useful, not a guarantee.
DKIM
Not found
DKIM pass means the email appears to have a valid cryptographic signature from a sending domain.
DMARC
Not found
DMARC pass means the domain's policy aligned with SPF or DKIM. Good signal, not a guarantee.
Received header count
0
How many mail servers appear in the route. More hops are not automatically bad.

Signals found

Authentication-Results header was not found

Caution

The pasted header does not include a mail-system summary for SPF, DKIM, or DMARC. The original message may be incomplete, or the provider may use different wording.

Next step: Paste the full original message if possible. If you only have the visible body, use Email Link Inspector to review links instead.

How to read this result

SPF pass means the sending server was allowed by the domain's SPF policy. This is useful, but it does not guarantee the email is safe.
DKIM pass means the email appears to have a valid cryptographic signature from a sending domain.
DMARC pass means the domain's policy aligned with SPF or DKIM. This is a good signal, but not a guarantee.
Message-ID, Return-Path, and Received headers are routing clues. Differences can be normal with mail platforms, forwarding, or sending tools.
A clean header does not prove the message is safe. A suspicious header does not prove fraud. Use this as context for payment, login, invoice, payroll, gift card, or vendor-change requests.

FAQ

What are email headers?

Headers are metadata that can show sender fields, routing information, and authentication results.

Does CheckLink upload my headers?

No. This inspector parses pasted header text locally in your browser.

What are SPF, DKIM, and DMARC?

They are email authentication mechanisms that help receiving systems evaluate whether a message aligns with a domain's sending rules.

Does a failed check prove phishing?

No. It is a caution signal that needs context and may deserve manual review.