Every hop is a witness. Every timestamp, testimony.

Advanced Offline Email Forensics for macOS.

Parse raw RFC-5322 headers, trace transit routing paths geographically, and generate court-ready PDF evidence packages — 100% locally.

[Figure: HeaderLume email telemetry graph tracing an email from its origin IP through the sender domain to the recipient inbox. Overlay badges: "SPF: PASS · relay verified" and "Δ 47s relay delay anomaly".]
Built for teams doing serious work
Litigation Firms · Incident Response · Digital Forensics Labs · Law Enforcement · eDiscovery Vendors
// Interactive Demo

Watch a header confess.

Load a sample forensic header and watch HeaderLume reconstruct the message's transit path hop-by-hop — exactly as it runs on-device.

HeaderLume — Forensic Analysis Session
evidence/message-0447.eml
SPF
SPF: PASS — Sending IP 203.0.113.47 is an authorized sender for veridian-legal.example per the domain's published SPF record.
DKIM
DKIM: PASS — Cryptographic signature (selector s2048) verified. Message body and key headers were not altered in transit.
DMARC
DMARC: WARNING — From-domain alignment is relaxed and the policy is p=none. Spoofed mail would not be rejected by receivers.
ARC
ARC: SEALED — Authentication results were preserved across the forwarding chain by a valid ARC seal (i=1).
// Capabilities

A full forensics lab. Zero network required.

Purpose-built for examiners, litigators, and incident responders who can't afford to leak evidence to the cloud.

Offline MIME Parser

Raw RFC-5322 header parsing executed fully on-device. No data ever leaves the examiner's machine.

3D Transit Route Mapping

Path-drawing geographic maps resolving IP hops and measuring relay delay anomalies.

Authentication Traffic Lights

Instant status auditing for SPF, DKIM, DMARC, and ARC security seals.

E-Discovery Load Files

Automatic generation of Concordance .DAT load-files and .OPT image logs for Relativity ingestion.

Memory-Efficient MBOX Streaming

Stream giant mailbox databases (10GB+) line-by-line asynchronously without out-of-memory crashes.

Absolute Zero Telemetry

App Sandbox-enforced offline isolation switch that instantly blocks all network sockets.

// In the Field

Built for the examiner's bench.

Native macOS, dark by default, engineered for long analysis sessions. Click through the workflow.

HeaderLume.app — Routing Chronology
// Why Not Do It By Hand?

Manual header reading doesn't scale. Or hold up.

Anyone can squint at a Received chain. Producing defensible, repeatable findings is a different job.

| Task | Reading headers manually | Generic web checkers | HeaderLume |
|---|---|---|---|
| Parse a full Received chain | Minutes, error-prone | Partial | Instant, every hop |
| Relay delay anomaly detection | Manual math per hop | No | Automatic Δ-analysis |
| SPF / DKIM / DMARC / ARC audit | Requires CLI tooling | Basic | Traffic-light instant |
| Evidence confidentiality | Local | Uploads to third party | 100% on-device, sandboxed |
| 10GB+ MBOX archives | Impractical | Upload limits | Async streaming |
| Court-ready output | DIY formatting | Screenshots | PDF certificates + .DAT/.OPT |
// Built for the Courtroom

Findings your opposing counsel can't wave away.

Every HeaderLume analysis certificate embeds examiner identity, timestamps, and SHA-256 evidence hashes — the metadata foundation for authenticating electronic records.

Because analysis never leaves the machine, your chain of custody stays intact: no third-party processor to subpoena, no cloud terms of service to explain to a judge.

Concordance .DAT and .OPT exports drop straight into Relativity and other review platforms your litigation-support team already runs.

FRE 902(13)–(14)

Self-authenticating electronic records

Certified records generated by an electronic process, and data copied with digital identification (hashing), can be admitted without live foundation testimony. HeaderLume's certificates are built around exactly this framework.

Daubert-friendly methodology

Repeatable, documented process

Deterministic parsing of published standards (RFC 5322, RFC 7208, RFC 6376, RFC 7489) means another examiner can reproduce your findings step-for-step.

// From the Bench

Examiners who stopped squinting at Received lines.

★★★★★

"The relay delay flags caught a spoofed chain our whole team had missed. The PDF certificate went into the exhibit binder the same afternoon."

M. Kessler
Digital Forensics Examiner, litigation support
★★★★★

"We handle privileged material. 'The evidence never touches a server' is the sentence that got this approved by our general counsel in one email."

R. Torres
Incident Response Lead, financial services
★★★★★

"Streamed a 14GB custodian MBOX overnight and had .DAT load files in Relativity by morning. That used to be a vendor invoice."

A. Singh
eDiscovery Project Manager
// Licensing

Evidence-grade tooling, at every scale.

Start free. Upgrade when the caseload grows.

Basic
For the curious investigator
$0
Free download. No account required.
  • Single EML parsing
  • Raw header visualizer
  • Local DNS checks
Premium
Annual subscription for working examiners
$99.99 / 1st year (regular price $199.99)
Then auto-renews at $199.99/year. Family Sharing enabled.
  • Unlimited EML / MBOX parsing
  • 3D transit mapping
  • E-discovery load-file exports
  • Court-ready PDF certificates
Genesis Partner
Lifetime license for firms & labs
$999.99
One-time payment. Yours forever.
  • Lifetime license, all future major upgrades
  • Priority developer support
  • Enterprise multi-seat deployment keys
Subscriptions are billed through the Mac App Store — cancel anytime in one tap, and Apple's standard refund protections apply. No card details ever touch our servers (we don't have servers).
// Questions

Asked by every examiner. Answered.

How do I read email headers on a Mac?
In Apple Mail, open the message and choose View → Message → All Headers, then paste the raw text into HeaderLume (or drop in the .eml file). It parses every Received hop, resolves the originating IP, and renders the transit route as a visual graph — no manual decoding.
Can HeaderLume trace the sender's IP address of an email?
Yes. It walks the Received chain in the raw RFC-5322 header, extracts each relay IP, and maps the geographic route hop-by-hop — flagging relay delay anomalies that suggest spoofing or interception. Note that the true origin can be masked by the first provider in the chain; HeaderLume shows you exactly how far the evidence goes.
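The Received-chain walk described above, as an added example (this is not HeaderLume's code): it parses a constructed sample header, lists the relay IPs oldest-first, and computes the delay between consecutive hops. The function names, the 30-second threshold and the sample hosts are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header (documentation IP ranges and .example domains only).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.9])
\tby inbox.recipient.example with ESMTPS id c3; Tue, 04 Mar 2025 14:02:58 +0000
Received: from relay.transit.example (relay.transit.example [192.0.2.21])
\tby mx.recipient.example with ESMTPS id b2; Tue, 04 Mar 2025 14:02:56 +0000
Received: from mail.veridian-legal.example (mail.veridian-legal.example [203.0.113.47])
\tby relay.transit.example with ESMTPS id a1; Tue, 04 Mar 2025 09:02:09 -0500
From: sender@veridian-legal.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def parse_hops(raw):
    """Return hops oldest-first as dicts: ip, stamp (datetime), delay_s."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so the last one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())
        ip = IP_RE.search(unfolded)
        # RFC 5322: the date-time follows the final semicolon.
        _, sep, date_part = unfolded.rpartition(";")
        try:
            stamp = parsedate_to_datetime(date_part.strip()) if sep else None
        except (TypeError, ValueError):
            stamp = None  # unparseable date: keep the hop, skip the delta
        hops.append({"ip": ip.group(1) if ip else None, "stamp": stamp, "delay_s": None})
    for prev, cur in zip(hops, hops[1:]):
        if prev["stamp"] and cur["stamp"] and prev["stamp"].tzinfo and cur["stamp"].tzinfo:
            cur["delay_s"] = (cur["stamp"] - prev["stamp"]).total_seconds()
    return hops

def flag_anomalies(hops, max_delay_s=30):
    """Indexes of hops whose delay exceeds the threshold or runs backwards."""
    return [i for i, h in enumerate(hops)
            if h["delay_s"] is not None and (h["delay_s"] > max_delay_s or h["delay_s"] < 0)]

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    print([(h["ip"], h["delay_s"]) for h in hops], flag_anomalies(hops))
```

Each timestamp comes from the receiving server's own clock, so a flagged delta can reflect clock skew or queueing rather than tampering. Received lines added before the first server the examiner trusts are sender-controlled and should be treated as unverified.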
Is email header analysis admissible in court?
Header evidence is routinely admitted when properly authenticated. HeaderLume's PDF certificates embed examiner metadata and SHA-256 evidence hashes designed to support authentication under FRE 902(13)–(14) for self-authenticating electronic records. (Consult your counsel for jurisdiction-specific requirements.)
Does HeaderLume upload my emails anywhere?
No. All parsing runs locally inside the macOS App Sandbox — no tracking scripts, no analytics, no logging. The Absolute Zero Telemetry switch blocks every outbound socket, including optional geolocation lookups, for air-gapped examination.
What's the difference between SPF, DKIM, and DMARC?
SPF verifies the sending server's IP is authorized by the domain. DKIM cryptographically proves the message wasn't altered in transit. DMARC ties both to the visible From address and tells receivers what to do on failure. HeaderLume audits all three — plus ARC seals for forwarded mail — as instant traffic lights.
What formats does HeaderLume import and export?
Import: raw pasted headers, .eml files, and MBOX archives (streamed asynchronously, 10GB+ supported). Export: court-ready PDF analysis certificates, PNG telemetry graphs, and Concordance .DAT / .OPT load files for Relativity ingestion.