A web-based SMTP header analysis tool hosted at smtpheaders.com.
Paste raw email headers or drop / upload .eml or .msg files (max 50MB) and get a detailed breakdown of anti-spam verdicts, mail server hops, SPF/DKIM results, domain impersonation checks, and more. Powered by 105+ tests across 85+ header types.
No submitted data is stored on the servers, and the email body is automatically stripped before submission.
This is a fork of mgeeky/decode-spam-headers wrapped in a PHP web frontend with security hardening, a Solarised colour theme, dark/light mode support, and upstream-compatible Python changes.
The hosting for this is at my own cost, so if you find this tool useful, please consider sponsoring the project or becoming a Patron. Thank you kindly in advance 🙏
- Visit smtpheaders.com
- Paste raw SMTP headers into the text box, or drag and drop an `.eml`/`.msg` file
- Optionally enable DNS resolution (resolves IPs and domains; slower)
- Click Analyse
.eml files dropped on the top dropzone auto-submit. .msg files have their headers extracted server-side first, then you review and submit.
Screenshots coming soon (the old CLI screenshots below are from the upstream project).
- 105+ analysis tests across 85+ SMTP header types
- Office365 ForeFront anti-spam rule decoding (including reverse-engineered opaque SFS/ENG rules)
- Domain impersonation detection with SPF and reverse-DNS checks
- Mail server hop visualisation from `Received` headers
- Table of Contents for navigating large reports
- Supports `.eml`, `.msg` (OLE2 header extraction), and raw pasted headers
- Dark and light mode (Solarised colour scheme, follows system preference)
- Per-session CSRF protection, IP-based rate limiting, sandboxed output
- PHP 8.0+ with `session`, `json`, `fileinfo` extensions
- Python 3.8+ with dependencies from `requirements.txt`
- A web server (Apache, Nginx, etc.)
```
git clone https://github.com/platima/smtp-header-viewer.git
cd smtp-header-viewer
pip3 install -r requirements.txt
```

Point your web server's document root at the cloned directory. The entry point is `index.php`.
With DSH_DEBUG=1 set in the server environment, visit /?action=healthz to get a JSON report of the resolved Python binary, its version, and whether each required package is importable:
```json
{
  "python_binary": "/bin/python3",
  "python_version": "Python 3.12.12",
  "packages": {
    "python-dateutil": "ok",
    "tldextract": "ok",
    "packaging": "ok",
    "dnspython": "ok",
    "colorama": "ok",
    "requests": "ok"
  },
  "script_exists": true
}
```

If any package shows an error rather than "ok", install it:

```
pip3 install <package-name> --break-system-packages
```

| Variable | Default | Purpose |
|---|---|---|
| `DSH_DEBUG` | `0` | Set to 1 to enable debug output on errors |
| `DECODE_SPAM_HEADERS_WEB` | (unset) | Set automatically by index.php; gates Python import stubs and TOC |
The site is designed to sit behind Cloudflare WAF:
- Rate limiting: add a rule on POST requests (the app also rate-limits server-side)
- Caching: bypass cache for POST responses
- Turnstile/challenge: recommended for bot protection on the form
- Note: Cloudflare WAF cannot inspect file upload bodies, so app-level validation is essential
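
The app-level validation that the note above calls for could look like the following. This is an added example, not the project's own validation code: `validate_upload`, `strip_body`, `UploadRejected` and the sample message are hypothetical names and constructed data, and the only values taken from this page are the 50MB limit and the `.eml`/`.msg` allowlist.

```python
import re
from typing import Tuple

MAX_UPLOAD_BYTES = 50 * 1024 * 1024             # the 50MB cap stated on the page
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature
FIELD_LINE = re.compile(rb"[!-9;-~]+:")         # RFC 5322 field name, then ":"

# Constructed sample message (not real mail) used to exercise the checks.
SAMPLE_EML = (
    b"Received: from mail.example.org (mail.example.org [192.0.2.10])\r\n"
    b"\tby mx.example.net; Mon, 1 Jan 2024 00:00:00 +0000\r\n"
    b"From: alice@example.org\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"confidential body text\r\n"
)


class UploadRejected(ValueError):
    """Raised when an upload fails a size, type or content check."""


def strip_body(raw: bytes) -> bytes:
    """Keep only the header block: everything before the first empty line."""
    headers = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    return headers.rstrip(b"\n") + b"\n"


def validate_upload(filename: str, data: bytes) -> Tuple[str, bytes]:
    """Return (kind, payload) for an accepted upload, else raise UploadRejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds the 50MB limit")
    ext = filename.lower().rpartition(".")[2] if "." in filename else ""
    if ext == "msg":
        # Decide on content, not the name: a .msg must be an OLE2 container.
        if not data.startswith(OLE2_MAGIC):
            raise UploadRejected(".msg upload is not an OLE2 container")
        return "msg", data  # header extraction happens in a later step
    if ext == "eml":
        # Header text never contains NUL bytes and must open with a field name.
        if b"\x00" in data[:4096] or not FIELD_LINE.match(data):
            raise UploadRejected(".eml upload does not start with a header field")
        return "eml", strip_body(data)
    raise UploadRejected("only .eml and .msg uploads are accepted")


if __name__ == "__main__":
    kind, headers = validate_upload("sample.eml", SAMPLE_EML)
    print(kind, headers.decode("ascii"), sep="\n")
```

The `.eml` check is deliberately strict: a file that opens with an mbox `From ` separator line or a blank line is rejected rather than guessed at.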
The Python script also works standalone as a CLI tool (original upstream behaviour):
```
pip3 install -r requirements.txt
python3 decode-spam-headers.py headers.txt
python3 decode-spam-headers.py headers.txt -f html -o report.html
python3 decode-spam-headers.py --help
```

- `correlate-rules.py`: batch correlation of Office365 anti-spam rule IDs across multiple analysis outputs (CLI only, not part of the web interface)
These screenshots are from the upstream CLI tool. Web interface screenshots will be added after launch.
- Chain of MTA servers (parsed `Received` headers):
- Office365 ForeFront Spam Report decoding:
- Domain Impersonation detection:
- Anti-spam rule reverse-engineering:
- HTML report output:
Processed headers (85+ types)
- `X-forefront-antispam-report`
- `X-exchange-antispam`
- `X-exchange-antispam-mailbox-delivery`
- `X-exchange-antispam-message-info`
- `X-microsoft-antispam-report-cfa-test`
- `Received`, `From`, `To`, `Subject`, `Thread-topic`
- `Received-spf`
- `X-mailer`, `X-originating-ip`, `User-agent`
- `X-microsoft-antispam-mailbox-delivery`
- `X-microsoft-antispam`
- `X-spam-status`, `X-spam-level`, `X-spam-flag`, `X-spam-report`
- `X-vr-spamcause`, `X-ovh-spam-reason`, `X-vr-spamscore`
- `X-virus-scanned`, `X-spam-checker-version`
- `X-ironport-av`, `X-ironport-anti-spam-filtered`, `X-ironport-anti-spam-result`
- `X-mimecast-spam-score`
- `Spamdiagnosticmetadata`
- `X-ms-exchange-atpmessageproperties`
- `X-msfbl`
- `X-ms-exchange-transport-endtoendlatency`
- `X-ms-oob-tlc-oobclassifiers`
- `X-ip-spam-verdict`, `X-amp-result`
- `X-ironport-remoteip`, `X-ironport-reputation`, `X-sbrs`
- `X-ironport-sendergroup`, `X-policy`, `X-ironport-mailflowpolicy`
- `X-sea-spam`, `X-fireeye`, `X-antiabuse`
- `X-tmase-version`, `X-tm-as-product-ver`, `X-tm-as-result`
- `X-imss-scan-details`, `X-tm-as-user-approved-sender`, `X-tm-as-user-blocked-sender`
- `X-tmase-result`, `X-tmase-snap-result`, `X-imss-dkim-white-list`
- `X-scanned-by`, `X-mimecast-spam-signature`, `X-mimecast-bulk-signature`
- `X-sender-ip`, `X-forefront-antispam-report-untrusted`
- `X-sophos-senderhistory`, `X-sophos-rescan`
- `X-MS-Exchange-CrossTenant-Id`, `X-OriginatorOrg`
- `IronPort-Data`, `IronPort-HdrOrdr`
- `X-DKIM`, `DKIM-Filter`
- `X-SpamExperts-Class`, `X-SpamExperts-Evidence`
- `X-Recommended-Action`, `X-AppInfo`, `X-Spam`
- `X-TM-AS-MatchedID`
- `X-MS-Exchange-EnableFirstContactSafetyTip`
- `X-MS-Exchange-Organization-BypassFocusedInbox`
- `X-MS-Exchange-SkipListedInternetSender`
- `X-MS-Exchange-ExternalOriginalInternetSender`
- `X-CNFS-Analysis`, `X-Authenticated-Sender`
- `X-Apparently-From`, `X-Env-Sender`, `Sender`
- ...and more
- Analysis engine: decode-spam-headers.py by Mariusz Banach / @mariuszbit
- Web interface: Platima Tinkers (SBC Shop | YouTube)
- ipSlav for identifying Office365 opaque rules
- `getOffice365TenantNameById(tenantID)` is not yet finished upstream
- `Authentication-Results` header is not yet completely parsed upstream
MIT - Copyright 2021 Mariusz Banach, 2025 Platima Tinkers




