Email Analyzer
Client-Side Only, SOC-Friendly
Analyze and inspect email headers.
Identity
- From, To, Subject, Date, Return-Path, Reply-To
Findings
- Run analysis to see signals and mismatches.
URLs
- No URLs extracted yet.
Routing Hops
- No routing data yet.
What these checks mean
- SPF: Did the sending IP align with the envelope sender domain (MAIL FROM)?
- DKIM: Is the message content signed, and does the signature validate for the signing domain?
- DMARC: Does From: align with SPF and/or DKIM, and what’s the policy outcome?
This tool reads the results already present in the email headers (e.g., Authentication-Results). It does not perform live DNS lookups or cryptographic verification.
Common header fields
| Header | Why it matters |
|---|---|
| From | Displayed sender identity (user-facing) |
| Return-Path | Envelope sender (SPF typically evaluates this) |
| Reply-To | Where replies go (often abused in BEC) |
| Received | Mail hops + IP clues (spoofing / relays) |
| Authentication-Results | SPF/DKIM/DMARC outcomes from the receiver |
Email Authentication Explained
Email authentication is a collection of techniques used to provide verifiable information about the origin of an email message. By validating the sender's identity, these protocols help mail servers distinguish between legitimate messages and spoofed or fraudulent ones (like phishing). The three pillars of modern email authentication are SPF, DKIM, and DMARC.
When an email is received, the receiving server performs these checks and records the results in the email's headers, which this tool parses for you.
SPF/DKIM/DMARC
- SPF (Sender Policy Framework): A DNS-based mechanism that lists the IP addresses and domains authorized to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail): Adds a digital signature to the email, allowing the receiver to verify that the message was indeed sent by the domain owner and hasn't been tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Ties SPF and DKIM together. It tells the receiver what to do if the authentication fails (e.g., "none," "quarantine," or "reject") and provides a way for receivers to report back to the sender.
Phishing Detection
Phishing emails often use "spoofing" to appear as if they come from a trusted source. Our analyzer looks for common red flags, such as a mismatch between the "From" address (what the user sees) and the "Return-Path" (where the mail actually came from). We also extract and analyze URLs in the email body to identify suspicious links, such as those using Punycode (lookalike domains) or IP addresses instead of hostnames.
By reviewing the "Findings" section, you can quickly identify these signals and determine if an email is safe to interact with.
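The checks described above can be reproduced offline in a few lines. This is an added example, not the tool's own code: the `analyze` and `domain` functions, the finding strings and the sample message are all constructed for illustration, and a single-part plain-text body is assumed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message (not a real email); all names use reserved example domains.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "Accounts Payable" <ap@example.com>
Reply-To: ap@example-payments.test
Subject: Updated invoice

Please review http://192.0.2.10/invoice and https://xn--exmple-cua.test/login
"""

def domain(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    findings = []
    # Read the verdicts the receiver recorded; no DNS lookups or signature checks.
    ar = " ".join(msg.get_all("Authentication-Results") or [])
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar.lower()))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech}={results.get(mech, 'missing')}")
    # Compare the user-visible From domain with the envelope and reply domains.
    from_dom = domain(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        other = domain(msg[header])
        if other and other != from_dom:
            findings.append(f"{header} domain {other} != From domain {from_dom}")
    # Flag body URLs whose host is an IP literal or contains a Punycode label.
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            findings.append(f"URL uses IP literal: {host}")
        except ValueError:
            if any(label.startswith("xn--") for label in host.split(".")):
                findings.append(f"URL uses Punycode host: {host}")
    return findings
```

Only an Authentication-Results header added by your own receiving server is trustworthy, since a sender can insert a forged one upstream. A Return-Path domain that differs from From is also normal for many bulk-mail providers, so treat it as a signal to weigh alongside the DMARC result.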
Pro Tips
- Always check the "Authentication-Results" header first; it provides the definitive outcome of the security checks performed by your mail provider.
- Use the "Mask PII" option when sharing reports with others to protect sensitive email addresses and IP information.
- Pay close attention to the "Reply-To" header; if it differs from the "From" address, it may be a sign of a Business Email Compromise (BEC) attack.
- Review the "Routing Hops" to see the path the email took; an unusually long or complex path through unknown servers can be a sign of relay abuse.