Email Header Analyzer
Paste raw email headers to trace the delivery path, check SPF · DKIM · DMARC, calculate hop delays, and flag security issues — 100% in-browser, no upload.

To get email headers in Gmail: open the email → ⋮ menu → Show original.
In Outlook: File → Properties → Internet headers.

FAQ — Frequently Asked Questions about Email Header Analyzer

What is an HTTP header analyzer?

An HTTP header analyzer fetches and displays the response headers from any URL in a structured, human-readable format. It identifies security headers, caching directives, content types, CORS policies, authentication requirements, and more. Developers and IT admins use it to diagnose misconfigurations, verify security posture, and check email authentication records like SPF, DKIM, and DMARC.

Why do HTTP security headers matter?

HTTP security headers are server instructions that tell browsers how to handle site content safely. Missing or misconfigured headers are among the most common web security weaknesses. Critical headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options prevent XSS attacks, man-in-the-middle attacks, and clickjacking — directly protecting users from compromise.

What is Content Security Policy (CSP)?

Content-Security-Policy is a powerful security directive that controls which resources (scripts, stylesheets, images, fonts, iframes) a browser is allowed to load. A strong CSP is one of the most effective defenses against Cross-Site Scripting (XSS) attacks. An overly permissive CSP that uses 'unsafe-inline' significantly increases XSS vulnerability.

What is HSTS and why is it important?

Strict-Transport-Security instructs browsers to always connect via HTTPS, even if the user types http://. This prevents protocol downgrade attacks and protects against cookie theft over plain HTTP. Best practice includes max-age=31536000, includeSubDomains, and optionally preload for HSTS preload list inclusion.

What are SPF, DKIM, and DMARC headers for email?

SPF (Sender Policy Framework): Specifies which mail servers can send emails from your domain.
DKIM (DomainKeys Identified Mail): Digitally signs emails to verify authenticity.
DMARC (Domain-based Message Authentication, Reporting & Conformance): Policy that tells receivers what to do with SPF/DKIM failures.
Together they prevent email spoofing and phishing attacks.

What is X-Frame-Options and why does it matter?

X-Frame-Options controls whether your page can be embedded in an <iframe> on another site. Setting DENY or SAMEORIGIN prevents clickjacking attacks where users are tricked into clicking hidden elements. Modern sites should use CSP frame-ancestors instead, which is more flexible and supersedes X-Frame-Options.

What security headers should every website have?

Essential headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options, Referrer-Policy. Recommended additions: Permissions-Policy (restrict camera, microphone, geolocation), Cache-Control, X-XSS-Protection. Use the analyzer to identify gaps in your security posture.
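
The checks described in the HSTS, CSP, X-Frame-Options and essential-headers answers above, written out as an added example (not the analyzer's own code). The function names and the sample header set are assumptions constructed for illustration.

```javascript
// SAMPLE_HEADERS is a constructed response-header set, not captured from a real site.
const SAMPLE_HEADERS = {
  "Strict-Transport-Security": "max-age=86400",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "no-referrer",
};

// Split a CSP string into { directive: [source, ...] }; the first copy of a directive wins.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in out)) out[name.toLowerCase()] = sources;
  }
  return out;
}

function auditHeaders(raw) {
  const h = {}; // header names are case-insensitive, so normalise them first
  for (const [k, v] of Object.entries(raw)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const flag = (header, issue) => findings.push({ header, issue });

  const hsts = h["strict-transport-security"];
  if (!hsts) flag("Strict-Transport-Security", "missing");
  else {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) flag("Strict-Transport-Security", "max-age below 31536000");
    if (!/includeSubDomains/i.test(hsts)) flag("Strict-Transport-Security", "includeSubDomains not set");
  }

  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : null;
  if (!csp) flag("Content-Security-Policy", "missing");
  else {
    const scriptSrc = csp["script-src"] || csp["default-src"] || []; // script-src falls back to default-src
    if (scriptSrc.some((s) => s.toLowerCase() === "'unsafe-inline'"))
      flag("Content-Security-Policy", "script sources allow 'unsafe-inline'");
  }

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  const framed = csp && "frame-ancestors" in csp; // CSP frame-ancestors supersedes X-Frame-Options
  if (!framed && xfo !== "DENY" && xfo !== "SAMEORIGIN")
    flag("X-Frame-Options", "no DENY/SAMEORIGIN and no CSP frame-ancestors");

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    flag("X-Content-Type-Options", "not set to nosniff");
  if (!h["referrer-policy"]) flag("Referrer-Policy", "missing");
  return findings;
}
```

Browsers ignore 'unsafe-inline' when the same directive also carries a nonce or hash source; this check does not model that case and will still flag it.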

Do HTTP headers affect SEO and page speed?

Yes. Google uses HTTPS as a ranking signal. Cache-Control headers directly impact page load speed and Core Web Vitals scores. Correct Content-Type headers prevent rendering errors. Proper header configuration improves both security and SEO performance — the analyzer shows optimization opportunities.

Can I check email authentication for my domain?

Yes. Enter your domain to check for SPF, DKIM, and DMARC records. The analyzer retrieves and displays these email authentication records to verify that your domain is properly configured to prevent email spoofing and to improve deliverability past spam filters.

Is this HTTP header and email analyzer really free?

Yes, completely free. One of 52 free tools available at jasperbernaers.com. No account needed, unlimited header analysis, email authentication checking, and SPF/DKIM/DMARC verification.