Email Headers in Gmail: How to Read and Interpret Them

Reading email headers is the most direct way to debug deliverability — they show you exactly what Gmail saw and how it evaluated the message. Most "why is my mail going to spam" questions can be answered just by opening the headers and reading them carefully.

This guide covers how to view headers in Gmail, what each major header means, and how to use them diagnostically as a sender.

How to view headers in Gmail

1. Open the message in Gmail (web interface)
2. Click the three-dot menu at the top right of the message (the one inside the message, not the global Gmail menu)
3. Click "Show original"
4. A new tab opens with the full headers and raw message

The result page has three sections:

• A summary box at the top with SPF, DKIM, DMARC status
• The raw headers
• The raw message body

From here you can also Download Original (saves an .eml file) or Copy to clipboard.

In the Gmail mobile app, header viewing is not supported. Open the message in mobile web (gmail.com in a browser) and follow the same steps.

The summary box

The top of the "Show original" page shows a quick summary:

Subject:                  Test Message
From:                     [email protected]
Date:                     Fri, 16 May 2026 10:23:11 -0700
To:                       [email protected]
SPF:                      PASS with IP 198.51.100.10
DKIM:                     PASS with domain example.com
DMARC:                    PASS

For 90% of sender-side debugging, this summary tells you what you need. Three PASS results mean your authentication is working.

The Authentication-Results header

The full Authentication-Results header has more detail:

Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=marketing-202605 header.b=AbC123Df;
       spf=pass (google.com: domain of [email protected] designates 198.51.100.10 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

Key fields:

Field	Meaning
dkim=pass	DKIM signature verified
[email protected]	DKIM identity (organizational)
header.s=marketing-202605	DKIM selector
header.b=AbC123Df	First 8 chars of signature
spf=pass	SPF check passed
[email protected]	Return-Path domain
dmarc=pass	DMARC alignment satisfied
p=REJECT	Your domain's policy
dis=NONE	Disposition applied (none means allowed)

If any result shows fail, softfail, temperror, or permerror, the header value tells you why.

The Received headers

Received headers trace the path the message took from sender to inbox. Read them bottom-up — the oldest hop is at the bottom.

Received: from mx.google.com (mx.google.com [74.125.224.10])
        by inbox.gmail.com with SMTPS id abc123def456
        for <[email protected]>;
        Fri, 16 May 2026 10:23:15 -0700 (PDT)
Received: from mail.example.com ([198.51.100.10])
        by mx.google.com with ESMTPS id xyz789;
        Fri, 16 May 2026 10:23:14 -0700 (PDT)

Reading bottom-up: your server (mail.example.com at 198.51.100.10) handed off to Gmail's mx.google.com at 10:23:14, which then routed internally to the user's inbox at 10:23:15. One-second delivery time.

For senders, the Received headers tell you which IP Gmail saw the message arriving from. If you expected to send from one IP and Gmail saw a different one, you have a routing issue (relay misconfigured, smart host inserted unexpectedly).

Practitioner note: When a client tells me "Gmail is rejecting our mail" the first thing I ask for is the full headers from a delivered (or attempted-delivered) message. The Authentication-Results and Received headers tell me in 30 seconds whether the issue is auth, routing, IP reputation, or content — much faster than going through the ESP's UI.

Other useful headers

From, Reply-To, Return-Path

From: "Acme Marketing" <[email protected]>
Reply-To: [email protected]
Return-Path: <[email protected]>

• From is what the user sees as the sender
• Reply-To is where replies go if set (otherwise to From)
• Return-Path is where bounces go and the domain SPF authenticates against

Mismatch between From and Return-Path domains is normal for ESP-sent mail. DMARC alignment requires authentication identity (DKIM d= or Return-Path) to match the From: organizational domain.

Message-ID

Message-ID: <[email protected]>

A globally unique identifier for the message. Useful for support tickets ("Gmail support, here's the Message-ID you asked for") and for searching across systems for the same message.

DKIM-Signature

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=example.com; s=marketing-202605; t=1747407794;
        h=from:to:subject:date:message-id;
        bh=base64hash;
        b=base64signature

Fields:

• d= — signing domain
• s= — selector
• h= — list of headers covered by signature
• bh= — body hash
• b= — signature value

Compare d= to the From: domain. If they don't organizationally match, DKIM alignment fails (even if signature verification succeeds).

List-Unsubscribe and List-Unsubscribe-Post

List-Unsubscribe: <https://example.com/unsubscribe?token=xyz>, <mailto:[email protected]?subject=unsub>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Required for bulk senders under the Gmail/Yahoo bulk sender rules. The One-Click header confirms compliance with RFC 8058 one-click unsubscribe.

If you're a bulk sender and these headers are missing or malformed, you're out of compliance. See Gmail Yahoo bulk sender requirements.

X-headers

Gmail and other servers add non-standard X- prefixed headers for internal use:

X-Google-Smtp-Source: AGHT+IELabcdef
X-Received: ...
X-Gm-Message-State: ...
X-Gm-Gg: ...

Most are opaque internal identifiers. The ones that matter for senders are X-Spam-Status (some servers report this), X-Forwarded-For (forwarding origin), and X-Mailer (sending tool — your ESP may set this).

Diagnosing common issues from headers

SPF=fail. The IP in the Received header isn't authorized by your SPF record. Either the IP changed, you have an unauthorized sender, or your SPF record is incomplete.

DKIM=fail (body hash mismatch). Body was modified after signing. Usually mailing list footers, antivirus scanning, or content filtering modified the message in transit. See DKIM body hash mismatch.

DKIM=permerror (key not found). DNS lookup for the selector failed. Either the record isn't published, the selector is wrong, or DNS is misconfigured.

DMARC=fail (no aligned authentication). Either both SPF and DKIM failed, or they passed but neither aligned with the From: domain. Most common: ESP signing with its own domain instead of yours.

For deeper diagnostic, see check email authentication and the troubleshooting tree for DKIM verification failed.

Practitioner note: When debugging from headers, also send the same message to a non-Gmail address (Yahoo, Microsoft) and compare. If Gmail rejects but others pass, it's likely a Gmail-specific reputation or content issue. If all reject, it's a fundamental authentication or routing problem.

Tools for header analysis

• Gmail's "Show original" — built-in, sufficient for most needs
• Google Admin Toolbox Messageheader — paste headers, get a parsed analysis
• MXToolbox Header Analyzer — parses Received headers into a routing timeline
• mxtoolbox.com/EmailHeaders.aspx — alternative parser

For sender-side monitoring across all your mail, DMARC aggregate reports give you the same authentication data without needing per-message header inspection. See Mailhardener.

If you're debugging Gmail headers and the issue isn't obvious, book a consultation. Header-level deliverability debugging is bread-and-butter audit work.

Sources

• Google — View Original Email Headers
• Google Admin Toolbox — Messageheader
• RFC 5322: Internet Message Format
• RFC 7601: Message Header Field for Indicating Message Authentication Status
• RFC 8058: Signaling One-Click Functionality for List Email Headers
• MXToolbox Header Analyzer

---

v1.0 · May 2026