Check if an email is phishing — instantly. Paste email headers for free analysis of SPF, DKIM, DMARC authentication, suspicious links, and 15+ threat indicators.
Paste headers below or upload an email file
Copy the full email headers from your email client and paste them above. All analysis runs entirely in your browser. Email files (.eml, .msg) are processed locally and never uploaded to any server.
Authentication & Trust
Header Forensics
Content Analysis
Attachment & Media
Threat Intelligence
AI-Powered Analysis
* Limited on free tool — full analysis available via API. All heuristic checks run locally in your browser.
Copy the full email headers from your email client (Gmail, Outlook, Thunderbird, etc.) and paste them into the text area above.
The checker parses authentication records (SPF, DKIM, DMARC), traces the email route, extracts IOCs, and detects spoofing patterns.
Receive a risk score (0-100) with a clear verdict, key findings, and recommended actions based on the analysis.
Our phishing email checker runs 15+ analysis modules against every email to detect threats that simpler tools miss.
Validates all three email authentication protocols to verify sender legitimacy and detect spoofing.
Checks Authenticated Received Chain integrity for forwarded emails.
Identifies lookalike domains using Unicode characters designed to trick recipients (e.g. paypaı.com).
Compares displayed link text against actual URLs to catch deceptive redirects.
Matches email patterns against known phishing campaign templates and kits.
Extracts IPs, domains, URLs, email addresses, and file hashes as indicators of compromise.
Detects hidden text, tracking pixels, and dangerous HTML elements used in phishing.
Identifies consent phishing attacks that abuse OAuth authorization flows to steal access.
Analyzes embedded HTML forms for credential harvesting attempts.
Identifies CSS techniques used to hide malicious content from users.
Detects reply-chain attacks where attackers inject messages into existing conversations.
Checks email headers against RFC standards to identify forged or malformed messages.
Assesses attachment risk based on file types, double extensions, and embedded macros.
Detects QR codes in emails that redirect to phishing sites (quishing attacks).
Identifies stylometric anomalies that suggest the email was not written by the claimed sender.
Phishing emails remain the number one attack vector for cybercriminals, responsible for over 90% of data breaches. Checking whether an email is phishing requires examining both the visible content and the hidden technical headers that reveal where the email actually came from. Our free phishing email checker automates this process, but understanding what to look for helps you make better security decisions.
Phishing emails typically share common red flags that distinguish them from legitimate messages:
Modern email security relies on three authentication protocols that work together to verify sender identity. When you paste email headers into this checker, these are the first things we validate:
SPF verifies that the sending mail server is authorized to send on behalf of the domain in the envelope “From” address. A pass means the server is authorized; a fail or softfail suggests the email may be spoofed. Learn more about SPF →
DKIM uses cryptographic signatures to verify the email body and key headers haven't been altered in transit. A valid DKIM signature proves the email is exactly as the sending domain created it. Learn more about DKIM →
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails — reject, quarantine, or accept the message. A legitimate email should pass DMARC alignment. Learn more about DMARC →
Understanding the types of phishing attacks helps you recognize them faster:
Fake login pages designed to steal usernames and passwords.
Impersonation of executives or vendors to redirect payments or data.
Targeted attacks using personal details to build trust.
QR codes in emails that redirect to phishing sites, bypassing link scanners.
To analyze an email with this checker, you need the full source including headers. Here's how to get them:
You can also upload .eml or .msg files directly using the upload button above.
Copy the full email source including headers from your email client (in Gmail: three dots → Show original; in Outlook: File → Properties) and paste it into the analyzer above. The tool checks SPF, DKIM, and DMARC authentication, scans for suspicious links, detects spoofed domains, and provides a risk score from 0 to 100.
Yes, completely free with no signup or account required. There are no limits on the number of emails you can analyze. For automated analysis via API, you can create a free account on the DFIR Platform.
No. All analysis runs entirely in your browser using client-side JavaScript. Your email headers and content are never uploaded to or stored on any server. This is a fully private, client-side tool.
The checker runs 15+ analysis modules: SPF, DKIM, DMARC, and ARC authentication; homoglyph and typosquatting detection; link mismatch analysis; phishing template matching; IOC extraction (IPs, domains, URLs, hashes); HTML content analysis; OAuth consent URL detection; form action analysis; CSS cloaking detection; thread hijacking detection; RFC 5322 compliance; attachment risk assessment; QR code phishing detection; image-only email detection; and writing style anomaly analysis.
Yes. The tool includes thread hijacking detection, writing style anomaly analysis, and sender domain spoofing checks designed to identify BEC attacks. It flags when reply chains appear compromised or when writing patterns are inconsistent with the claimed sender.
SPF verifies the sending server is authorized for the domain. DKIM uses cryptographic signatures to verify the email wasn’t tampered with. DMARC ties SPF and DKIM together with a policy for handling failures. A legitimate email should pass all three. Learn more in our wiki: SPF, DKIM, DMARC.
Do not click any links or download attachments. Report the email to your IT security team or email provider as phishing. Delete the email. If you already clicked a link or entered credentials, change your passwords immediately, enable two-factor authentication, and monitor your accounts for unauthorized activity.
The tool combines rule-based analysis with pattern matching across 15+ detection modules. It checks concrete, verifiable indicators like authentication failures, domain spoofing, and known phishing templates. No automated tool is 100% accurate — always use professional judgment alongside automated analysis, especially for sophisticated targeted attacks.
Scan any domain for open ports, SSL issues, DNS misconfigurations, and attack surface exposure.
WHOIS, DNS records, reputation scoring, and certificate transparency for any domain.
Upload suspicious files for hash analysis, multi-engine reputation checks, and threat classification.
The DFIR Platform provides a full investigation workflow for security teams — phishing analysis via API, IOC enrichment, exposure scanning, and case management. Free tier available.