Interpretation guide
Use headers as evidence, not a one-field verdict.
Authentication is context
SPF, DKIM, and DMARC pass results can support trust, but forwarding, ARC, relaxed alignment, and compromised senders can still complicate the verdict.
Received hops need order
Read bottom-to-top for origin context and top-to-bottom for delivery path. Internal relays, gateways, and security appliances often add benign hops.
Mismatch needs follow-up
From, Reply-To, Return-Path, display-name, and domain mismatches are triage prompts. Confirm message body, sender history, tenant logs, and user action.