Mail Domain Check

Phishing triage · message authentication

Email header analyzer for phishing triage

Inspect the receiver's SPF, DKIM, DMARC, ARC, identity-alignment, and Received routing evidence without uploading the email header.

Local analysis

INPUT

Complete email header

The pasted header stays in this browser. Message content after the first blank line is ignored. Page analytics record only an anonymous page view, never this field.

RESULT

Authentication assessment

No header analyzed

The analyzer selects structured receiver results, maps the visible From, MAIL FROM, and DKIM identities, and flags where alignment evidence is incomplete.

Get the right evidence

Copy the complete header, not the visible sender line

GmailMore · Show original

Open the message in desktop Gmail, choose More next to Reply, select Show original, then copy the full header.

Google instructions
New OutlookMore actions · View details

Open the message, choose More actions, then View and View message details. Classic Outlook uses File and Properties.

Microsoft instructions
Crypto alertVerify outside the message

Do not connect a wallet, sign a transaction, or enter credentials from the email. Check the claimed event in the official app or bookmarked domain.

Crypto phishing workflow

Evidence model

Authentication and alignment are different checks

SPFSMTP identity and sending IP

A pass applies to MAIL FROM or HELO. It does not automatically align with the address a person sees.

DKIMSignature domain and selector

A pass validates one signing identity. DMARC still compares that d= domain with the visible From domain.

DMARCPassing and aligned identity

The receiver reports pass when at least one qualifying SPF or DKIM identity passes and aligns under policy.

Primary references: RFC 8601 Authentication-Results, RFC 9989 DMARC, and Google message authentication help.