How to read email headers: Decode SPF, DKIM, and DMARC like a pro

Ever opened an email header and had no idea what was going on? This quick guide will give you the know-how you need to understand it.

Not sure about what’s going on in your email headers? We’ve got you covered.

Emails look pretty simple at first glance. You have a To, From, Subject, and the message body. There’s not much else to see, right?

If you dig deeper—beneath the surface—email headers contain critical data. And if you’re trying to figure out whether an email sender is who they claim to be, that’s exactly where you need to look.

In this guide, we’ll show you how to read email headers, how to find SPF, DKIM, and DMARC results, and what they really mean. We’ll also show how different inbox providers display this data and how to use it to your advantage.

If you look at the raw email (sometimes called “source” or “original”), you can see more information about the email and how it got to you. Specifically, you want to look for headers that indicate the authentication status of the email message.

Key takeaways

  • SPF, DKIM, and DMARC work together to verify sender identity.
  • You can find Authentication-Results in the raw source of every message.
  • Each inbox provider displays headers slightly differently.
  • DMARC alignment is critical—passing SPF or DKIM isn’t enough without it.

Why email headers matter

Email headers give you a transparent look into how an email traveled to your inbox and whether it was authenticated along the way. If you’re working in security, IT, or deliverability—or just want to verify a sender—headers are your first stop.

Headers can help you:

  • Validate sender identity
  • Spot spoofed or unauthenticated messages
  • Troubleshoot deliverability issues
  • Understand policy alignment (for DMARC)

Email authentication in email headers

Three core standards are used to authenticate email messages:

  • SPF: Verifies the IP address sending the email is authorized by the domain owner.
  • DKIM: Confirms the content wasn’t altered and that it was signed by the sending domain.
  • DMARC: Combines SPF and DKIM results to determine whether to allow, quarantine, or reject a message.

These three standards work together to help establish the identity of a sender. You can see the results of these evaluations in every email you get.

What you see in the email headers depends on your email service provider. They all show authentication results for SPF, DKIM, and DMARC checks in standard headers, but each has subtle variations in how they display the information. 

Below, we will show how you can see the authentication results for SPF, DKIM, and DMARC. For an email to pass DMARC, it must pass either SPF or DKIM with an aligned identifier. What this typically means is that the domain used for the SPF or DKIM check and the domain publishing the DMARC policy must at least be part of the same DNS namespace. 

For example, marketing.company.com and mail.company.com are both part of the company.com namespace, and are therefore aligned. Some services require that you set up both SPF and DKIM if the sending service supports it.

Email authentication results headers

Each of the three major mailbox providers includes a header labeled “Authentication-Results” in every message they deliver to a mailbox on their systems. This header contains not only the results (pass/fail) of any SPF, DKIM, and DMARC checks that were performed, but also other information that contributed to those checks.

Here is how some large email providers represent this information.

Google:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@valimail.com header.s=google2048 header.b=Z8L6tjHb;
       spf=pass (google.com: domain of [redacted]@valimail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=[redacted]@valimail.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=valimail.com

Yahoo:

Authentication-Results: atlas321.free.mail.ne1.yahoo.com;
 dkim=pass header.i=@valimail.com header.s=google2048;
 spf=pass smtp.mailfrom=valimail.com;
 dmarc=pass(p=REJECT) header.from=valimail.com;

Microsoft:

Authentication-Results: spf=pass (sender IP is 209.85.222.48)
 smtp.mailfrom=valimail.com; dkim=pass (signature was verified)
 header.d=valimail.com;dmarc=pass action=none
 header.from=valimail.com;compauth=pass reason=100


All three carry the same kinds of results, but each provider differs in the details.

Key elements to look for in email headers

1. SPF

All three provide the SPF verdict (spf=pass in all three examples). Google shows the SPF domain in the “domain of [redacted]@valimail.com” part and the IP that was checked against the SPF record in the “designates 209.85.220.41” phrase. 

Yahoo only shows the SPF domain in the smtp.mailfrom= tag without showing the client IP. The IP would have to be located by parsing the Received headers. Microsoft uses the smtp.mailfrom= tag for the SPF domain and shows the IP in the “(sender IP is 209.85.222.48)” phrase.

2. DKIM

The results of the DKIM evaluation will show the domain that was evaluated. To ensure you are looking at the proper result, look for the one that matches the domain in the From address for the email.

All three provide the DKIM verdict (dkim=pass). Google essentially shows the signing domain in the header.i= tag, the DKIM selector in the header.s= tag, and the first few characters of the DKIM hash in the header.b= tag. 

Yahoo does the same, except for the header.b= tag, which it doesn’t include. 

Microsoft shows the signing domain in the header.d= tag, but no selector information.

3. DMARC

The DMARC results are relatively easy to read. The results will show whether or not the email passed DMARC. All three provide the DMARC verdict (dmarc=pass) and the DMARC policy domain (header.from=valimail.com). 

Google additionally provides the prevailing policy statement for the domain (p=REJECT) and any subdomain (sp=REJECT) and the disposition of the message (dis=NONE). 

Yahoo only adds the prevailing policy (p=REJECT), while Microsoft only adds the disposition in this case (action=none).
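
The reading steps in this section, as an added example that is not part of the original article: the Python below parses the value of an Authentication-Results header in the Google and Microsoft forms shown above, picks out the domain each SPF or DKIM result refers to, and lists the passing results that are aligned with header.from. It assumes relaxed alignment, a small constructed public-suffix set in place of the real Public Suffix List, and hypothetical function names; the third sample header is constructed.

```python
import re

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # constructed stand-in for the Public Suffix List
ID_TAGS = ("smtp.mailfrom", "header.d", "header.i", "header.from")  # tags that carry a domain

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_auth_results(value):
    """Return one dict per method result (spf, dkim, dmarc, compauth, ...)."""
    entries = []
    for part in re.sub(r"\([^()]*\)", " ", value).split(";"):  # drop (comments) first
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if not m:
            continue  # authserv-id such as mx.google.com, or an empty trailing part
        entry = {"method": m.group(1).lower(), "result": m.group(2).lower()}
        entry.update(re.findall(r"([a-z]+\.[a-z0-9-]+)=(\S+)", part, re.I))
        entries.append(entry)
    return entries

def identifier_domain(entry):
    """Domain a result refers to; an address such as @valimail.com is cut at the @."""
    tag = next((t for t in ID_TAGS if t in entry), None)
    return entry[tag].rsplit("@", 1)[-1].lower() if tag else ""

def aligned_passes(value):
    """(method, domain) for each SPF/DKIM pass aligned (relaxed) with header.from."""
    entries = parse_auth_results(value)
    from_dom = next((identifier_domain(e) for e in entries if e["method"] == "dmarc"), "")
    return [(e["method"], identifier_domain(e)) for e in entries
            if e["method"] in ("spf", "dkim") and e["result"] == "pass" and from_dom
            and org_domain(identifier_domain(e)) == org_domain(from_dom)]

# Values after "Authentication-Results:" in this page's Google and Microsoft samples.
GOOGLE = """mx.google.com;
       dkim=pass header.i=@valimail.com header.s=google2048 header.b=Z8L6tjHb;
       spf=pass (google.com: domain of [redacted]@valimail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=[redacted]@valimail.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=valimail.com"""
MICROSOFT = """spf=pass (sender IP is 209.85.222.48)
 smtp.mailfrom=valimail.com; dkim=pass (signature was verified)
 header.d=valimail.com;dmarc=pass action=none
 header.from=valimail.com;compauth=pass reason=100"""
# Constructed sample: SPF and DKIM pass, but for a domain unrelated to header.from.
UNALIGNED = "mx.example.net; dkim=pass header.i=@mailer.example.org; spf=pass smtp.mailfrom=bounce.example.org; dmarc=fail header.from=example.com"
```

Only an Authentication-Results header added by your own receiving mail server is trustworthy; one that arrived with the message can be forged by the sender.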

How to decode headers in Microsoft 365, Gmail, and Yahoo

Different inbox providers display headers differently. Here’s how to navigate each.

Gmail

  • Go to the email → Click the three dots → “Show Original”
  • Look under Authentication-Results
  • Gmail shows detailed SPF, DKIM, and DMARC verdicts

Microsoft 365

  • Open the email → Click “Message Source”
  • Find Authentication-Results, compauth, and dmarc
  • Microsoft includes additional info like reason=100

Yahoo

  • Open the email → Click “More” → “View Raw Message”
  • Find Authentication-Results from the atlas321 domain
  • Yahoo may omit certain fields like header.b

Tired of manually digging through email headers?

You don’t need to be a forensic expert to understand email authentication.

Valimail Monitor gives you a real-time view of your domain’s email authentication status—without parsing raw headers line by line. It automatically analyzes SPF, DKIM, and DMARC results across all your sending services, so you can spot issues fast and take action.

See what your headers are telling you, without the guesswork.

Frequently asked questions about email headers

Why is spf=pass showing, but my email still failed DMARC?

This is one of the most common—and confusing—scenarios. If you see spf=pass in the Authentication-Results header but dmarc=fail, it usually means SPF alignment failed.

Here’s why: DMARC doesn’t just look at whether SPF passes. It also checks alignment—whether the domain in the smtp.mailfrom (used in SPF) matches the domain in the From field.

Example from a header:

spf=pass smtp.mailfrom=sendgrid.yourdomain.com;
dmarc=fail header.from=yourdomain.com

The SPF passed, but because the domains aren’t the same (or within the same organizational domain), DMARC fails.

Fix it by aligning your mailfrom domain with your From domain or using DKIM with alignment instead.

What does dkim=fail mean in my headers, even though I have DKIM configured?

A dkim=fail in the Authentication-Results header means the digital signature in the email couldn’t be verified. This can happen for several reasons:

  • The public key is missing or incorrectly configured in DNS.
  • The message was modified in transit (even small changes can break DKIM).
  • The selector in the header (header.s=) doesn’t match what’s published in DNS.

Example from a header:

dkim=fail reason="bad signature" header.i=@yourdomain.com header.s=default

To troubleshoot:

  • Check your DKIM record in DNS
  • Validate your selector and domain (header.s= and header.i=)
  • Ensure no services are modifying content after signing

Valimail Monitor can help you see which services are failing DKIM and why—without digging through every header manually.

What is compauth=pass in Microsoft headers?

That’s Microsoft’s internal composite authentication verdict, combining results from SPF, DKIM, DMARC, and other trust signals.
