Spam Filter Forensics: Email Header Analysis

April 4, 2026

Most people treat "Spam" like a mystical, unpredictable weather event. They change a few words, hope for the best, and send again. But email deliverability isn't magic—it's logic. If your emails are landing in spam, there is a data-backed reason why, and it's buried in the email headers.

As a senior engineer, I don't guess. I audit. Header analysis is the forensics of the email world. It’s how you find the "smoking gun" that’s killing your deliverability.

Here is how you perform a spam filter autopsy.

How to Get the "Original" Headers

To analyze headers, you need the raw text of the email as received by the recipient.

  • In Gmail: Open the email, click the three dots (More) next to the reply button, and select "Show original."
  • In Outlook: Open the email, click the three dots, select "View," then "Message details."

What you’ll see is a wall of text that looks like a server-side log file. This is where the truth lives.

The First Check: Authentication Results

Look for a header called Authentication-Results. This is the most critical part of the autopsy. It summarizes how the receiving server viewed your DNS records.

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of darren@acme-hq.co.za designates 209.85.220.41 as permitted sender) smtp.mailfrom=darren@acme-hq.co.za;
       dkim=pass header.i=@acme-hq.co.za header.s=google header.b=XyZ...;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=acme-hq.co.za

If you see spf=fail, dkim=fail, or dmarc=fail, you’ve found your problem.

  • SPF Fail: You haven't authorized the sending server in your DNS.
  • DKIM Fail: The cryptographic signature is broken or missing.
  • DMARC Fail: Your SPF or DKIM failed, and your policy told the receiver to be suspicious.

The "Spam Score" Headers

Many enterprise filters (like SpamAssassin or Microsoft’s EOP) inject their own "score" headers into the email before it hits the inbox (or spam folder).

X-Spam-Status and X-Spam-Level

If you see X-Spam-Status: Yes, the filter has already decided you're spam. But look deeper at the reasons:

X-Spam-Status: Yes, score=6.5
X-Spam-Report: 
  * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
  * 2.5 URIBL_DBL_SPAM Contains a URL listed in the DBL blocklist
  * 1.2 HTML_IMAGE_ONLY_28 BODY: Message is 24% to 28% HTML and images
  * 2.0 SUBJECT_ALL_CAPS Subject is all capitals

This report is a goldmine. In this example, the "smoking gun" is URIBL_DBL_SPAM. This means a URL you included in your email (maybe a tracking link or a poorly-vetted link) is on a global blocklist.
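
To make the ranking mechanical, here is a Python sketch added to this article (not part of any filter's tooling) that parses the report above, checks that the rule points add up to the stated score, and lists which rules to fix first. The 5.0 threshold is an assumption (SpamAssassin's default required score); the sample message wrapper is constructed.

```python
import re
from email import message_from_string

RULE = re.compile(r"\*\s*(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s*(.*)")

def spam_report(raw, required=5.0):
    """Rank the rules that fired and find which to fix to get under `required`."""
    msg = message_from_string(raw)
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", msg["X-Spam-Status"] or "")
    rules = [(float(pts), name, desc.strip())
             for pts, name, desc in RULE.findall(msg["X-Spam-Report"] or "")]
    rules.sort(reverse=True)                       # biggest contributor first
    total = round(sum(pts for pts, _, _ in rules), 1)
    score = float(m.group(1)) if m else total      # fall back to the rule sum
    remaining, fix_first = score, []
    for pts, name, _ in rules:
        if remaining < required or pts <= 0:
            break                                  # already under the threshold
        fix_first.append(name)
        remaining = round(remaining - pts, 1)
    return {"score": score, "rules_total": total, "consistent": total == score,
            "ranked": [name for _, name, _ in rules],
            "fix_first": fix_first, "score_after": remaining}

# The report shown above, wrapped in a constructed message.
SAMPLE = """\
X-Spam-Status: Yes, score=6.5
X-Spam-Report:
  * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
  * 2.5 URIBL_DBL_SPAM Contains a URL listed in the DBL blocklist
  * 1.2 HTML_IMAGE_ONLY_28 BODY: Message is 24% to 28% HTML and images
  * 2.0 SUBJECT_ALL_CAPS Subject is all capitals
Subject: CONSTRUCTED SAMPLE

body
"""

if __name__ == "__main__":
    print(spam_report(SAMPLE))
```

With this sample, removing the blocklisted URL alone brings the score from 6.5 to 4.0, under the assumed threshold.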

Microsoft’s BCL and SCL

If you’re sending to Outlook/Office 365, look for X-Microsoft-Antispam. You’ll see two critical codes:

  • BCL (Bulk Complaint Level): How many people have marked you as spam in the past. 0-3 is good; 7-9 is "bulk mailer" territory.
  • SCL (Spam Confidence Level): -1 means it bypassed filtering. 0-1 is clean. 5-6 is "suspected spam." 9 is "confirmed spam."

Provider-Specific Rejection Codes

Google and Microsoft have their own internal "trust" scores that aren't always explicitly labeled as a number. Instead, look at the Received headers to see how long your email sat in "limbo" before being delivered.

If you see multiple Received hops with 5-10 minute delays between them, you’re being "greylisted." The server is intentionally delaying your mail to see if you’re a real sender or a bot. Bots usually don't retry; real mail servers do.
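
Reading hop delays by eye is error-prone because each server stamps its own time zone. The Python sketch below is an added example (not from any of the tools mentioned in this article) that normalizes the Received timestamps and flags hops that waited five minutes or more; the host names and message are constructed, and the 300-second threshold is an assumption taken from the 5-10 minute range above.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

def hop_delays(raw, slow_after_s=300):
    """List each hop (oldest first) with seconds waited since the previous hop."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())             # unfold continuation lines
        date_part = flat.rpartition(";")[2]        # timestamp follows the last ';'
        by = re.search(r"\bby\s+(\S+)", flat)
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            continue                               # skip hops with no usable date
        hops.append((when, by.group(1) if by else "unknown"))
    hops.reverse()      # each server prepends, so the last header is the first hop
    report = []
    for (prev, _), (when, host) in zip(hops, hops[1:]):
        delay = int((when - prev).total_seconds())  # negative means clock skew
        report.append({"by": host, "delay_s": delay, "slow": delay >= slow_after_s})
    return report

# Constructed sample: two fast internal hops, then a long wait at the recipient MX.
SAMPLE = """\
Received: by mx.recipient.example with ESMTPS id c3;
        Sat, 04 Apr 2026 08:07:45 +0000
Received: from app01.sender.example by relay.sender.example with ESMTP id b2;
        Sat, 04 Apr 2026 10:00:03 +0200
Received: from localhost by app01.sender.example with SMTP id a1;
        Sat, 04 Apr 2026 10:00:01 +0200
From: darren@sender.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop in hop_delays(SAMPLE):
        print(hop)
```

Only the Received lines added by servers you control or trust are reliable; lines lower in the stack are supplied by the sending side, and clocks on different hosts can disagree by a few seconds.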

The "Alignment" Trap

This is a subtle one that catches even experienced engineers. You might have spf=pass and dkim=pass, but still fail DMARC. Why? Alignment.

DMARC requires that the domain in the From address (what the user sees) matches the domain used for SPF (the "return-path") or DKIM (the signing domain).

If you’re using a tool like SendGrid or Mailgun and haven't set up a custom sending domain, your From might be darren@mycompany.co.za, but your SPF is em123.sendgrid.net. This is a "relaxed" alignment failure. High-security filters will junk this email immediately.
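
The alignment check can be reproduced from the headers alone. This Python sketch is an added example, not code from any mail provider: it compares the organizational domain of the From address with the SPF and DKIM identifiers that passed in Authentication-Results. The small suffix set stands in for the full Public Suffix List (an assumption), and the sample message is constructed around the SendGrid scenario described above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.za", "co.uk", "com.au"}

def org_domain(domain):
    """Organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def domain_of(value):
    """Domain part of an address, or of a bare or @-prefixed domain."""
    return value.rsplit("@", 1)[-1].lower()

def dmarc_alignment(raw):
    """Report which passing mechanisms align (relaxed mode) with the From domain."""
    msg = message_from_string(raw)
    from_org = org_domain(domain_of(parseaddr(msg["From"])[1]))
    clauses = " ".join(msg["Authentication-Results"].split()).split(";")
    checks = {"spf": r"smtp\.mailfrom", "dkim": r"header\.[id]"}
    aligned = {"spf": False, "dkim": False}
    for method, prop in checks.items():
        for clause in clauses:
            verdict = re.search(rf"\b{method}=(\w+)", clause)
            ident = re.search(rf"\b{prop}=(\S+)", clause)
            if verdict and ident and verdict.group(1) == "pass":
                if org_domain(domain_of(ident.group(1))) == from_org:
                    aligned[method] = True
    return {"from_org": from_org, **aligned,
            "dmarc_can_pass": aligned["spf"] or aligned["dkim"]}

# Constructed sample: shared ESP domain, no custom sending domain configured.
UNALIGNED = """\
Authentication-Results: mx.example.net;
       spf=pass smtp.mailfrom=bounces@em123.sendgrid.net;
       dkim=pass header.d=sendgrid.net header.s=s1;
       dmarc=fail header.from=mycompany.co.za
From: Darren <darren@mycompany.co.za>

body
"""

if __name__ == "__main__":
    print(dmarc_alignment(UNALIGNED))
```

Run it only against the Authentication-Results header stamped by your own receiving server, since any earlier copy of that header is sender-controlled text.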

Forensic Tools for Faster Audits

You don't always have to read the raw text manually. These tools parse headers and highlight the red flags:

  1. MXToolbox Header Analyzer: Paste your headers and it gives you a clean table of passes/fails.
  2. Mail-Tester.com: Send an email to a unique address, and it gives you a 0-10 score with a full breakdown of your headers.
  3. Google Admin Toolbox (Messageheader): Specifically built for analyzing Gmail/Workspace delivery paths.

Summary

When you land in spam, don't just "try a different subject line." Get the original headers.

  1. Check the Authentication-Results for pass/fail.
  2. Look for X-Spam-Status or SCL scores.
  3. Verify that your From domain aligns with your DKIM and SPF domains.
  4. Check for blacklisted URLs in the spam report.

Deliverability is a technical problem with a technical solution. If you've looked at your headers and you're still seeing "Spam: Yes" but can't figure out why, it might be time for a professional audit.
