Every email carries a complete log of its journey from sender to recipient, hidden in its headers. Learning to read this log is the fastest way to diagnose a deliverability problem — it tells you exactly what happened at each hop and whether authentication passed.
The method depends on the email client:
The "Show original" view in Gmail is particularly useful because it also shows a parsed summary of authentication results at the top.
The most important headers for tracing a message are the Received: headers. Each mail server that handles the message adds one. They are listed in reverse chronological order — the bottom-most one is where the message started, the top one is where it arrived.
Each Received header typically shows: the IP address of the sending server, the hostname, the receiving server's hostname, and a timestamp. Gaps in the timestamps can reveal delays at specific hops.
This header, added by the receiving server, summarises the results of SPF, DKIM, and DMARC checks:
Authentication-Results: mx.google.com; dkim=pass header.i=@example.com header.s=default; spf=pass (google.com: domain of sender@example.com designates 1.2.3.4 as permitted sender) smtp.mailfrom=sender@example.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
What to look for:
Many receiving systems add headers showing whether the message was flagged as spam and what score it received. A high spam score does not always mean the message went to spam (it depends on the threshold), but it tells you how suspicious the receiving system considered the message.
Three headers describe the "from" identity, and they are different:
Look at the timestamps on each Received header. A large gap between two consecutive hops indicates a delay at that server — it accepted the message but queued it before passing it on. This is usually a temporary issue at the receiving server.
If dkim=fail, the DKIM signature was not valid — either the message was modified in transit (legitimate forwarding can do this), the wrong DKIM key is being used, or the signature was malformed. If spf=fail, the sending IP is not in the SPF record for the Return-Path domain — check that your sending source is properly authorised.
If all three authentication checks pass but mail is still in spam, the issue is reputation. The authentication headers will show pass for all three, but the X-Spam headers will show a high score or explicit spam classification. This means your domain or IP reputation is the problem, not your authentication.
Google provides a header analysis tool at Google Apps Toolbox — Messageheader. Paste in the full headers and it will visualise the timing between hops and flag any issues it finds. Useful for quick analysis without reading raw headers.
If the guides aren't enough, book a free 30-minute call. We'll look at your setup, name the layer that's failing, and give you the fix order. No pitch, no obligation.