Phishing triage · message authentication
Email header analyzer for phishing triage
Inspect the receiver's SPF, DKIM, DMARC, ARC, identity-alignment, and Received routing evidence without uploading the email header.
INPUT
Complete email header
RESULT
Authentication assessment
The analyzer selects structured receiver results, maps the visible From, MAIL FROM, and DKIM identities, and flags where alignment evidence is incomplete.
Identity map
- Visible From
- SPF identity
- DKIM identity
Received route
0 fieldsNewest field first. Relay headers below the receiving trust boundary can be forged, so route observations are clues rather than proof of origin.
Get the right evidence
Copy the complete header, not the visible sender line
Open the message in desktop Gmail, choose More next to Reply, select Show original, then copy the full header.
Google instructionsOpen the message, choose More actions, then View and View message details. Classic Outlook uses File and Properties.
Microsoft instructionsDo not connect a wallet, sign a transaction, or enter credentials from the email. Check the claimed event in the official app or bookmarked domain.
Crypto phishing workflowEvidence model
Authentication and alignment are different checks
A pass applies to MAIL FROM or HELO. It does not automatically align with the address a person sees.
A pass validates one signing identity. DMARC still compares that d= domain with the visible From domain.
The receiver reports pass when at least one qualifying SPF or DKIM identity passes and aligns under policy.
Primary references: RFC 8601 Authentication-Results, RFC 9989 DMARC, and Google message authentication help.