See exactly where your email went wrong.

Paste any email header. In seconds, you'll know whether authentication passed, which server introduced delay, and what's triggering spam filters. No guesswork. Just answers.

SPF / DKIM / DMARC / ARC
Hop-by-Hop Routing
90+ RBL Blacklist Check
PDF Reports

No account required. Paste headers, get instant diagnostics.

Upload Email Headers
Drop .eml or .txt file here
or click to browse
OR
Clean Email SPF Failure DKIM Failure High Spam Phishing

What We Analyze

Authentication Protocols
SPF, DKIM, DMARC, BIMI, ARC, MTA-STS, TLS-RPT verification
Routing Path Analysis
Hop-by-hop tracking with delay detection at each server
Security Verification
TLS encryption status, transport security protocols
Issue Detection & Remediation
Automated problem detection with expert fix guidance
Blacklist Intelligence
RBL checking across major blacklists with reputation scoring
Analysis Complete
Export a detailed PDF report of your results
Generate Analysis Report
Free
📋
Light Report
Summary tiles and overall grade. Quick snapshot of email health.
Pro Plan
📊
Standard Report
Full analysis with authentication, routing, security, and all header data.
Pro Plan
đŸĸ
Executive Report
High-level overview for leadership. Key metrics and risk summary only.
Agency
🤝
Client-Facing Report
Branded with client name, validation stamp, and professional presentation.
8
Protocol Checks
92
RBL Lists Scanned
4
Report Formats
<2s
Analysis Time
Deep Analysis

Every dimension of email health. One paste.

We don't just parse headers — we diagnose problems and tell you how to fix them.

Authentication forensics that actually help

Most tools tell you SPF passed or failed. We tell you which mechanism matched, whether alignment is strict or relaxed, and whether your DKIM signature survived forwarding. That level of detail is the difference between guessing and knowing.

SPF mechanism matching with IP source correlation
DKIM signature integrity and selector validation
DMARC policy enforcement and alignment mode
ARC chain verification for forwarded messages
Authentication Results Preview
SPFPASSip4:209.85.128.0/17 matched
DKIMPASSselector: google, d=example.com
DMARCPASSp=reject, adkim=s, aspf=r
ARCPRESENTi=1, cv=pass
Auth Score: 100% — All protocols passing with strict alignment.

Trace the exact path your email took

Every hop between sender and recipient is a potential failure point. A slow relay, an unexpected intermediary, or a missing TLS handshake at hop 3 out of 7 — things that are invisible in your ESP dashboard but staring right at you in the headers.

Complete hop-by-hop server identification
Per-hop delay measurement in milliseconds
IP extraction with geolocation context
Protocol detection (ESMTPS, SMTP, LMTP)
Routing Path Preview
mail-yw1-f181.google.com
0ms
mx1.protection.outlook.com
+142ms
DM5PR01MB4567.prod.exchangelabs
+58ms
recipient inbox
Total: 200ms
3 hops, 200ms total — healthy delivery path.

Reports your clients will actually trust

Four report tiers designed for real workflows. Quick summaries for yourself, detailed diagnostics for your team, executive briefings for leadership, and branded client-facing documents with validation codes that look like they came from an enterprise security audit.

Light report for quick reference (free tier)
Standard report with full diagnostic data
Executive summary for non-technical stakeholders
Client-facing report with branding and validation stamp
Report Types
📋
Light
Tiles + grade
📊
Standard
Full analysis
đŸĸ
Executive
Risk overview
🤝
Client-Facing
Branded + validated
Agency plan includes white-label branding, custom templates, and validation stamps.
Capabilities

Built for people who fix email for a living

Every feature exists because someone wasted hours on a problem it solves in seconds.

đŸ›Ąī¸

4-Protocol Auth Check

SPF, DKIM, DMARC, ARC — all parsed, scored, and explained with fix guidance for every failure mode.

Complete auth verification
đŸ—ēī¸

Visual Routing Trace

See every server hop with delay timing. Identify slow relays, unexpected intermediaries, and routing anomalies instantly.

Per-hop delay timing
📋

92-List Blacklist Scan

Every sending IP checked against 92 real-time blocklists. Severity ratings and delisting instructions for each listing.

92 RBLs scanned
🔒

Encryption Audit

TLS versions, STARTTLS negotiation, certificate status. Know if any hop transmitted your email without encryption.

Transport security map
âš ī¸

Smart Issue Detection

Automatic identification of misconfigurations with severity ratings. Every issue includes step-by-step remediation guidance.

Actionable fix instructions
📄

4-Tier PDF Reports

Light, Standard, Executive, and Client-Facing reports. Print from browser or save as PDF. White-label available on Agency plan.

White-label ready
Pricing

Plans that scale with your practice

Free for quick checks. Pro for daily use. Agency for client work.

Free
$0/mo

Quick one-off checks

  • 10 analyses per day
  • Full header parsing
  • Auth verification
  • Routing trace
  • Light report only
Team
$49/mo

Support operations

  • Everything in Pro
  • 5 team seats
  • Shared workspace
  • Client-facing reports
  • Priority support
Agency
$199/mo

White-label platform

  • Everything in Team
  • Unlimited seats
  • White-label branding
  • Custom report templates
  • Dedicated account manager
FAQ

Frequently asked questions

Where do I find email headers to paste?â–ŧ
Gmail: Open email → three dots (⋮) → "Show original" → copy everything. Outlook: Open email → File → Properties → "Internet headers" field. Apple Mail: View → Message → Raw Source. You can also drag-and-drop any .eml file directly into the analyzer.
Do you store my email data?â–ŧ
No. Zero. The entire analysis runs client-side in your browser. Your headers, email content, and results never leave your machine. We don't log, transmit, or cache any user data. The only network call is an anonymized IP lookup for blacklist checks.
My SPF passes but emails still go to spam. Why?â–ŧ
SPF is just one of four authentication checks. Your DKIM might be broken, your DMARC policy might be set to "none," or your sending IP might be blacklisted. The analyzer checks all of these simultaneously and shows you exactly which factor is dragging your score down.
What's the difference between the report types?â–ŧ
Light (Free): Summary tiles and grade — enough for a quick sanity check. Standard (Pro): Every data point from every tab — auth tables, routing hops, security checks, issues, headers, scoring. Executive (Pro): Risk assessment and key metrics for leadership — no technical noise. Client-Facing (Agency): Branded with client name, preparer, date, reference number, validation stamp, and legal disclaimer.
Can I white-label the reports for my clients?â–ŧ
Yes. The Agency plan ($199/mo) removes TheBRHub branding and lets you apply your own company logo, colors, and contact information to all generated reports. The client-facing report type was specifically designed for agency workflows — complete with validation stamps and reference numbers that look like enterprise audit documents.
How does the blacklist check work?â–ŧ
We extract the sending IP from the headers and check it against 92 of the most impactful real-time blocklists (DNSBL). Each listing shows the blocklist name, type, severity level, and delisting instructions. On the free tier, results are simulated based on authentication quality. Paid plans perform live DNSBL queries for verified results.

Every email tells a story. Read yours.

Paste headers from any email — marketing campaigns, transactional messages, or suspicious phishing attempts. Full analysis in under 2 seconds.

🔒 Client-Side Only đŸšĢ Zero Data Storage 📄 4 Report Formats