Raw Email Viewer
Paste raw email source or drop a .eml file โ parsing happens in your browser, and only extracted metadata (IPs, domains, tracking URLs) is sent to our backend for analysis; your raw email content and message body are never uploaded.
๐ Email parsing happens entirely in your browser. Only extracted metadata (IPs, domains, tracking URLs) is sent to our backend for geo-lookup and probe analysis โ your raw email content and message body are never transmitted.
What is a raw email header?
Every email is more than a subject line and a body. Hidden in the raw source is a detailed record of everything the message passed through: the servers that relayed it, when each hop happened, what encoding was used, and a set of cryptographic authentication results. This metadata is what mail servers, spam filters, and security tools actually act on.
Raw headers are written in RFC 2822 format โ a plain-text standard that has been in use since the early days of the internet. Each header is a Name: value pair. Headers added later in transit appear at the top; the original sender headers are at the bottom. This tool parses all of it and presents it in a structured, searchable interface โ entirely in your browser.
Received, Return-Path, X-Forwarded-To. These trace the physical path the message took from sender to inbox, with timestamps at each hop.
DKIM-Signature, Authentication-Results, Received-SPF. These carry the cryptographic proof of who sent the message and whether it was tampered with.
Content-Type, MIME-Version, Content-Transfer-Encoding. These describe the structure of the message body โ whether it contains HTML, attachments, or encoded text.
How to read DKIM, SPF, and DMARC results
The three email authentication standards work as a layered defence against spoofing and phishing. Each checks a different aspect of the message. Our security tab combines them into a single AโF grade: all three passing earns an A; any hard failure drops the grade to F.
The sending mail server signs the email with a private key. The receiving server fetches the matching public key from DNS and verifies the signature. A pass means the message was not modified in transit and originated from a server authorised by the domain. A fail means the signature is invalid โ the message may have been tampered with.
The domain owner publishes a DNS record listing which IP addresses are authorised to send mail on their behalf. The receiving server checks whether the connecting IP is on that list. A pass confirms the sending IP is authorised. A softfail (~all) means the IP is not listed but the domain hasn't enforced rejection โ common during migrations.
DMARC sits on top of DKIM and SPF. It requires that at least one check passes and that the authenticated domain aligns with the From header visible to the user. The domain owner sets a policy: none (monitor only), quarantine (send to spam), or reject (block outright).
How to open a .eml file online
A .eml file is the standard export format used by most email clients โ Apple Mail, Outlook, Thunderbird, and Gmail all support it. It is a plain-text file in RFC 2822 format containing both the headers and the encoded body. To inspect one with this tool: