Header Examples
Click "Analyze This" to see how they look in the tool.
1. Perfect Legitimate Email
Analyze ThisA perfectly aligned email from a corporate domain (company.com) using Google's infrastructure.
- SPF: PASS (IP authorized)
- DKIM: PASS (Signature valid)
- DMARC: PASS (Alignment correct)
From: John Smith <john.smith@company.com>
To: alice@recipient.com
Subject: Q4 Sales Report
Date: Mon, 6 Dec 2025 14:30:00 +0000
Message-ID: <CADc5vVTkZA+8JnG@mail.company.com>
Reply-To: john.smith@company.com
Return-Path: john.smith@company.com
Received: from mail.company.com (mail.company.com [203.0.113.45])
by mx.google.com with SMTP id a1234567890abcdef
for <alice@recipient.com>
Mon, 6 Dec 2025 14:32:15 +0000
Received: from internal-relay.company.com (internal-relay.company.com [10.0.1.5])
by mail.company.com with ESMTP id 56789012
Mon, 6 Dec 2025 14:31:55 +0000
Received: from smtp.company.com (smtp.company.com [203.0.113.40])
by internal-relay.company.com with TLS
Mon, 6 Dec 2025 14:31:20 +0000
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Received-SPF: pass (google.com: domain of john.smith@company.com designates 203.0.113.40 as permitted sender) smtp.mailfrom=company.com
Authentication-Results: mx.google.com;
dkim=pass header.i=@company.com header.s=default header.b=A1B2C3D4;
spf=pass (google.com: domain of john.smith@company.com designates 203.0.113.40 as permitted sender)
smtp.mailfrom=company.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=company.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=company.com; s=default;
h=from:to:subject:date:message-id:reply-to:mime-version:content-type;
bh=1234567890abcdef1234567890abcdef;
b=A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0U1V2W3X4Y5Z6A7B8C9D0E1F2...
ARC-Seal: i=1; a=rsa-sha256; t=1733667135; cv=none;
d=google.com; s=arc-20160816;
b=A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0U1V2W3X4Y5Z6A7B8C9D0E1F2...2. Good Email (Newsletter)
Analyze ThisLegitimate newsletter sent via a third-party service. Return-Path differs from From address but passes SPF alignment via subdomain.
- SPF: PASS (Return-Path authorized)
- DMARC: PASS (Relaxed alignment)
- Status: Legitimate Marketing Email
From: TechNews Daily <newsletter@technewsdaily.com>
To: bob@example.com
Subject: Your Weekly Tech Update
Date: Tue, 7 Dec 2025 08:00:00 -0500
Message-ID: <message-id-12345@newsletter.mail.technewsdaily.com>
Reply-To: support@technewsdaily.com
Return-Path: bounce@newsletter.mail.technewsdaily.com
Received: from smtp-out.technewsdaily.com (smtp-out.technewsdaily.com [198.51.100.50])
by mx.gmail.com with SMTP id z9876543210fedcba
for <bob@example.com>
Tue, 7 Dec 2025 08:02:10 -0500
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Received-SPF: pass (google.com: domain of bounce@newsletter.mail.technewsdaily.com designates 198.51.100.50 as permitted sender)
Authentication-Results: mx.gmail.com;
dkim=pass header.i=@technewsdaily.com header.s=newsletter header.b=F1G2H3I4;
spf=pass (google.com: domain of bounce@newsletter.mail.technewsdaily.com designates 198.51.100.50 as permitted sender) smtp.mailfrom=newsletter.mail.technewsdaily.com;
dmarc=pass (p=quarantine) header.from=technewsdaily.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=technewsdaily.com; s=newsletter;
h=from:to:subject:date:message-id:reply-to;
bh=abcdef1234567890abcdef1234567890;
b=F1G2H3I4J5K6L7M8N9O0P1Q2R3S4T5U6V7W8X9Y0Z1A2B3C4D5E6F7G8H9I0J1...3. Minor Issues (No DKIM)
Analyze ThisEmail passes SPF but lacks a DKIM signature. It is delivered but less secure.
- SPF: PASS
- DKIM: NONE (Missing)
- DMARC: PASS (Relies on SPF alone)
From: support@company.com
To: customer@example.com
Subject: Password Reset Request
Date: Wed, 8 Dec 2025 10:15:00 +0000
Message-ID: <support-12345@mail.company.com>
Reply-To: support@company.com
Return-Path: support@company.com
Received: from mailserver.company.com (mailserver.company.com [192.168.1.100])
by mx.outlook.com with SMTP
Wed, 8 Dec 2025 10:17:00 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Received-SPF: pass (domain of support@company.com designates 192.168.1.100 as permitted sender)
Authentication-Results: protection.outlook.com;
spf=pass (sender IP is 192.168.1.100) smtp.mailfrom=company.com;
dkim=none;
dmarc=pass (p=none) header.from=company.com4. Misaligned (Likely Spoofed)
Analyze ThisAuthenticated by 'untrusted-relay.net' but claims to be 'mycompany.com'. DMARC fails due to alignment mismatch.
- SPF/DKIM: PASS (But for wrong domain)
- DMARC: FAIL (Alignment mismatch)
- Verdict: Spoofed / Unauthorized
From: ceo@mycompany.com
To: recipient@example.com
Subject: Urgent: Wire Transfer Needed
Date: Thu, 9 Dec 2025 15:45:00 +0000
Message-ID: <msg-99999@untrusted-relay.net>
Reply-To: finance@suspicious-domain.net
Return-Path: bounce@untrusted-relay.net
Received: from untrusted-relay.net (untrusted-relay.net [185.220.100.200])
by mx.hotmail.com with SMTP
Thu, 9 Dec 2025 15:47:30 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Received-SPF: pass (domain of bounce@untrusted-relay.net designates 185.220.100.200 as permitted sender)
Authentication-Results: protection.hotmail.com;
spf=pass smtp.mailfrom=untrusted-relay.net;
dkim=pass header.d=untrusted-relay.net header.s=default;
dmarc=fail (p=reject sp=reject) header.from=mycompany.com5. Explicit Phishing (PayPal Spoof)
Analyze ThisClassic phishing attempt. SPF fails, DKIM missing, sending IP is unrelated to PayPal.
- SPF: FAIL
- DKIM: NONE
- DMARC: FAIL
- IP: Suspicious (.ru)
From: Account Security <security-team@paypal.com>
To: victim@example.com
Subject: Urgent: Verify Your Account Information
Date: Fri, 10 Dec 2025 11:20:00 -0800
Message-ID: <phishing-12345@attacker.net>
Reply-To: paypal-verify@attacker.net
Return-Path: bounce@attacker.net
Received: from attacker-server.ru (attacker-server.ru [89.163.128.45])
by mx.gmail.com with SMTP id a5678901234567890
for <victim@example.com>
Fri, 10 Dec 2025 11:22:15 -0800
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Received-SPF: fail (google.com: domain of bounce@attacker.net does not designate 89.163.128.45 as permitted sender)
Authentication-Results: mx.gmail.com;
spf=fail (google.com: domain of bounce@attacker.net does not designate 89.163.128.45 as permitted sender);
dkim=none;
dmarc=fail6. Broken DKIM (Forwarded)
Analyze ThisLegitimate email that failed DKIM because a forwarding service modified the content. SPF passes, but DMARC fails.
- SPF: PASS
- DKIM: FAIL (Content modified)
- Cause: Forwarding service
From: boss@company.com
To: team@example.com
Subject: Meeting Notes - Project Alpha
Date: Sat, 11 Dec 2025 09:30:00 +0000
Message-ID: <original-msg-12345@mail.company.com>
Reply-To: boss@company.com
Return-Path: boss@company.com
Received: from mail.company.com (mail.company.com [203.0.113.40])
by forwarding.service.com with SMTP
Sat, 11 Dec 2025 09:31:00 +0000
Received: from forwarding.service.com (forwarding.service.com [198.51.100.100])
by mx.outlook.com with SMTP
Sat, 11 Dec 2025 09:32:15 +0000
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Received-SPF: pass (domain of boss@company.com designates 203.0.113.40 as permitted sender)
Authentication-Results: protection.outlook.com;
spf=pass smtp.mailfrom=company.com;
dkim=fail (signature did not verify - headers were modified);
dmarc=fail (p=quarantine) header.from=company.com7. Enterprise Security (Best Practice)
Analyze ThisEnterprise-grade security with SPF, DKIM, DMARC (Reject), and ARC. Demonstrates full protection.
- SPF: PASS
- DKIM: PASS (Secure Key)
- DMARC: PASS (Strict Reject)
- ARC: PASS
From: Sarah Johnson <sarah.johnson@enterprise.com>
To: partners@example.com
Subject: 2026 Partnership Proposal
Date: Wed, 15 Dec 2025 13:45:00 +0000
Message-ID: <enterprise-strategic-99999@mail.enterprise.com>
Reply-To: sarah.johnson@enterprise.com
Return-Path: sarah.johnson@enterprise.com
Received: from mail-01.enterprise.com (mail-01.enterprise.com [203.0.113.10])
by mx.google.com with SMTP id e8642097531357908
for <partners@example.com>
Wed, 15 Dec 2025 13:47:00 +0000
Received: from scanning.security-gateway.com (scanning.security-gateway.com [198.51.100.200])
by mail-01.enterprise.com with ESMTP id scanning-01
Wed, 15 Dec 2025 13:46:15 +0000
Received: from smtp-edge.enterprise.com (smtp-edge.enterprise.com [203.0.113.5])
by scanning.security-gateway.com with TLS
Wed, 15 Dec 2025 13:45:30 +0000
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
X-Mailer: Enterprise Mail System v8.2
Received-SPF: pass (google.com: domain of sarah.johnson@enterprise.com designates 203.0.113.5 as permitted sender)
Authentication-Results: mx.google.com;
dkim=pass header.i=@enterprise.com header.s=enterprise-2024 header.b=X9Y8Z7W6;
spf=pass (google.com: domain of sarah.johnson@enterprise.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=enterprise.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=enterprise.com;
arc=pass (i=1 d=google.com);
compauth=pass reason=100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=enterprise.com; s=enterprise-2024;
h=from:to:subject:date:message-id:reply-to:mime-version:content-type:x-mailer;
bh=X9Y8Z7W6V5U4T3S2R1Q0P9O8N7M6L5K4J3I2H1G;
b=X9Y8Z7W6V5U4T3S2R1Q0P9O8N7M6L5K4J3I2H1G0F9E8D7C6B5A4Z3Y2X1W0V9...
ARC-Seal: i=1; a=rsa-sha256; t=1734520020; cv=pass;
d=google.com; s=arc-20160816;
b=X9Y8Z7W6V5U4T3S2R1Q0P9O8N7M6L5K4J3I2H1G0F9E8D7C6B5A4Z3Y2X1W0V9...
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=arc-20160816;
h=message-id:from:to:subject:date:mime-version:content-type;
bh=X9Y8Z7W6V5U4T3S2R1Q0P9O8N7M6L5K4J3I2H1G0F9E8D7C6B5A4Z3Y2X1W0V9...
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.d=enterprise.com header.i=@enterprise.com;
spf=pass (google.com: domain of sarah.johnson@enterprise.com designates 203.0.113.5 as permitted sender);
dmarc=pass (p=REJECT) header.from=enterprise.com;