eMail Checkup

Analyse a suspicious email — spoofing detection and compromised mailbox (BEC)

Why analyse email headers?

Email headers are the technical metadata that travel with every message: the path through SMTP servers, SPF / DKIM / DMARC authentication results, Microsoft/Google transit identifiers, and the Return-Path and Reply-To addresses. Invisible by default in Outlook or Thunderbird, they nonetheless carry the whole truth about a message’s real origin. A visually convincing phishing email can look like a message from your bank, but the headers almost always give away the scam.

Our tool runs two analysis layers: (1) the 6 classic authenticity checks (SPF, DKIM, DMARC, From/Reply-To/Return-Path consistency, Received path, private sending address) that catch external impersonation, and (2) a mailbox-compromise detection engine (Phase 3) that identifies cases where an attacker has hijacked a legitimate mailbox and sends from it — today’s most dangerous phishing, because it passes every authentication check.
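The sketch below is an added example, not the tool's own code: it runs the classic header checks over a constructed message and reads SPF/DKIM/DMARC verdicts only from the Authentication-Results header stamped by your own receiving server, since any other copy can be written by the sender. Assumptions: `trustedAuthserv` and all hosts are hypothetical, "private sending address" is read as a private IP in the earliest Received hop, and domains are compared exactly rather than by organizational domain.

```javascript
// Constructed sample headers; every host, address and IP is made up.
const SAMPLE = [
  'Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=bounce.test;',
  ' dkim=none; dmarc=fail header.from=example-bank.test',
  'Received: from mail.relay.test (mail.relay.test [203.0.113.7])',
  '\tby mx.receiver.test with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000',
  'Authentication-Results: forged.test; spf=pass; dkim=pass; dmarc=pass',
  'Received: from [192.168.1.23] by mail.relay.test; Mon, 1 Jan 2024 10:00:00 +0000',
  'Return-Path: <bounce@bounce.test>',
  'From: "Example Bank" <service@example-bank.test>',
  'Reply-To: payments@lookalike.test', '', 'Please use our new IBAN.'].join('\r\n');

// Split off the header block, unfold continuation lines, group values by name.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, ' ');
  const map = Object.create(null);
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i < 1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    (map[name] = map[name] || []).push(line.slice(i + 1).trim());
  }
  return map;
}
// Domain of the last address in the value, so an address typed into the display name is ignored.
function domainOf(value) {
  const all = (value || '').match(/@[A-Za-z0-9.-]+/g);
  return all ? all[all.length - 1].slice(1).toLowerCase() : null;
}
const PRIVATE_IP = /(?<![\d.])(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})(?!\d)/;

// trustedAuthserv: authserv-id of your own receiving server (hypothetical here).
// Authentication-Results stamped by any other host are sender-controlled and are ignored.
function classicChecks(raw, trustedAuthserv) {
  const h = parseHeaders(raw);
  const ar = (h['authentication-results'] || [])
    .filter((v) => v.split(';')[0].trim().split(/\s+/)[0].toLowerCase() === trustedAuthserv)
    .join('; ');
  const verdict = (m) => (new RegExp('\\b' + m + '=(\\w+)', 'i').exec(ar) || [])[1] || 'missing';
  const [from, replyTo, returnPath] = ['from', 'reply-to', 'return-path'].map((n) => domainOf((h[n] || [])[0]));
  const received = h['received'] || []; // top = newest hop, bottom = claimed origin
  return {
    spf: verdict('spf'), dkim: verdict('dkim'), dmarc: verdict('dmarc'),
    replyToMismatch: replyTo !== null && replyTo !== from,
    returnPathMismatch: returnPath !== null && returnPath !== from, // a signal, not proof
    hops: received.length,
    privateOrigin: received.length > 0 && PRIVATE_IP.test(received[received.length - 1]),
  };
}
```

Calling `classicChecks(SAMPLE, 'mx.receiver.test')` reports the DMARC failure and both domain mismatches; passing the forged authserv-id instead shows how a sender-supplied header would turn every verdict into a pass.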

PDF attachments — deeper analysis

If the email carries a PDF, the tool inspects it too: it extracts any IBANs mentioned (with an alert if a foreign IBAN appears while the sender claims to be Luxembourgish), extracts URLs to check their consistency, and inspects the metadata (a foreign or suspicious Creator/Producer). Many scams rely on an attached “official document” whose technical details betray its real origin.

Everything is processed locally through pdf.js — your suspicious email doesn’t travel. If the analysis reveals critical signals, a pulsing red banner appears at the top with the instruction: “do not click any link”.

Frequently asked questions

When should I use this tool?
As soon as an email feels off: a supplier demanding urgent payment on a new IBAN, a supposed executive asking for a wire transfer outside regular processes, an official-looking message with an odd link, a sign-in notification for a login you didn’t perform. The tool parses the technical headers (invisible in your mail client) and surfaces red flags within seconds.

What's the difference between spoofing and a compromised mailbox?
Spoofing is an external attempt to impersonate a sender; it is caught by SPF/DKIM/DMARC, which fail. A compromised mailbox (BEC, Business Email Compromise) is sneakier: the attacker has taken over a real inbox and sends from it, so SPF/DKIM/DMARC all pass and the email is technically “authentic”. Our Phase 3 engine detects that case via 8 behavioural signals: suspicious reply chains, links to hijacked no-code platforms (plasmic, netlify, vercel, wixsite, carrd…), masked domains, known phishing copy patterns, etc.

Are my emails sent anywhere?
No. All analysis is local in your browser — the .eml file or the pasted text never leaves your device. The only optional network action: if you click “Receive report by email”, the report’s HTML (not the original email) is sent to the address you enter through our Mailgun relay, with BCC to our support for follow-up.