Email Header Checks: From, Reply-To, SPF, DKIM, and DMARC Explained
Understand the basic email header signals that can add context to suspicious messages.
Headers add sender context
Email headers contain routing and authentication details that are not visible in the normal message body.
They can show From, Reply-To, Return-Path, Message-ID, received hops, and authentication results when those fields are present.
From and Reply-To can differ
A message can display one sender while replies go somewhere else. This is not always malicious, but unexpected domain differences deserve attention.
For business or payment messages, compare the sender domain with the organization you expected.
SPF, DKIM, and DMARC are signals
SPF, DKIM, and DMARC help receiving mail systems evaluate whether a message is authorized and aligned with a domain.
A fail, softfail, or missing result can be a caution signal, but headers are complex and should not be treated as proof on their own.
Routing can be noisy
Received headers show mail transfer paths. Some messages have many hops because of forwarding, gateways, or security tools.
Too many unusual hops can be worth reviewing, but normal business mail can also look complicated.
What CheckLink can help with
CheckLink's Email Header Inspector parses pasted headers locally in your browser and highlights simple caution signals.
Raw headers are not sent to CheckLink. For important cases, combine header context with link scanning and manual review.
Checklist
FAQ
Do failed authentication checks prove phishing?
No. They are caution signals that need context. Forwarding and misconfiguration can affect results.
Does CheckLink store pasted headers?
No. The Email Header Inspector is designed to parse headers locally in the browser.
Related guides
Related glossary terms
Use CheckLink before the next click
CheckLink provides risk signals and review paths. It does not guarantee that a website is risk-free.