Parse headers
Load a sample scenario or paste raw email headers to begin analysis
Authentication checks
SPF, DKIM, DMARC results and threat indicators
Hop trace
Trace the full mail delivery path from originating server to inbox
Verification platforms
External tools for investigating email authenticity - click any card to open
VirusTotal
Scan URLs, IPs, file attachments, and domains against 70+ antivirus engines simultaneously.
Use for: sender IP · links in body · attachments
MXToolbox
Full header analyzer. Checks SPF, DKIM, DMARC, blacklist status, and hop delays.
Use for: full header parse · SPF/DKIM lookup
Google Messageheader
Google's own tool. Shows each hop, delay times, and where delivery slowed or stalled.
Use for: hop timing · delivery path analysis
PhishTool
Purpose-built phishing analysis. Parse .eml files and extract IOCs automatically.
Use for: full .eml analysis · IOC extraction
IPinfo.io
Geolocate IPs, identify ASN, hosting provider. Detects VPN, proxy, and Tor exit nodes.
Use for: sender IP geo · ASN · proxy detection
AbuseIPDB
Community-reported malicious IPs. Check if a sender IP has prior abuse reports.
Use for: sender reputation · spam/abuse history
WHOIS Lookup
Domain registration date, registrant, registrar. Domains under 30 days old are high risk.
Use for: domain age · registrant identity
dmarcian
Deep SPF, DKIM, and DMARC record validator with clear, human-readable explanations.
Use for: SPF/DMARC record deep inspection
Recommended investigation workflow
1. Extract the sender IP from the first untrusted Received: header - check on IPinfo + AbuseIPDB
2. Validate authentication (SPF / DKIM / DMARC) using MXToolbox or dmarcian
3. Check the sending domain with WHOIS - domains registered under 30 days ago are a red flag
4. Scan URLs, IPs, and attachments in VirusTotal
5. Full .eml analysis in PhishTool for comprehensive automated IOC extraction
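Steps 1 and 2 of the workflow as an added Python example (not code from this page or its tool). It reads "first untrusted" as the first connecting host outside your own mail infrastructure, as recorded by a server you control; the .corp.example suffix, the 10.0.0.0/8 internal range and the sample headers are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumptions (hypothetical values): our own MTA names and internal address space.
TRUSTED_SUFFIX = ".corp.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample headers; the bottom Received line is sender-supplied.
SAMPLE = (
    "Received: from mx1.corp.example (mx1.corp.example [10.0.0.5])\n"
    "\tby mbox.corp.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Authentication-Results: mx1.corp.example; spf=fail smtp.mailfrom=bank.example;\n"
    "\tdkim=none; dmarc=fail header.from=bank.example\n"
    "Received: from smtp.sender.example (unknown [203.0.113.45])\n"
    "\tby mx1.corp.example with ESMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "Received: from bank.example (bank.example [198.51.100.7])\n"
    "\tby smtp.sender.example with SMTP id C3; Mon, 1 Jan 2024 09:59:58 +0000\n"
    "From: Support <support@bank.example>\n"
    "Subject: Account notice\n\nbody\n"
)

def _trusted(host):
    return host.lower().endswith(TRUSTED_SUFFIX)

def sender_ip(raw):
    """IP of the first host outside our infrastructure, as seen by our own MTA."""
    for hdr in email.message_from_string(raw).get_all("Received", []):
        hdr = " ".join(hdr.split())              # unfold continuation lines
        by = re.search(r"\bby\s+([\w.-]+)", hdr)
        if not by or not _trusted(by.group(1)):
            return None                          # stamped elsewhere: forgeable from here down
        ip = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", hdr[:by.start()])
        if ip:
            addr = ipaddress.ip_address(ip.group(1))
            if not any(addr in net for net in INTERNAL_NETS):
                return str(addr)                 # external host handing mail to us
    return None

def auth_results(raw):
    """spf/dkim/dmarc verdicts, taken only from Authentication-Results we stamped."""
    out = {}
    for hdr in email.message_from_string(raw).get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(hdr.split()).partition(";")
        if _trusted((authserv.split() or [""])[0]):
            out.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return out
```

Received and Authentication-Results lines written by servers outside the trusted set are ignored because the sender can put anything in them.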
Analyst investigation checklist
Work through each item when analyzing a suspicious email