Free email forensics

Is that email really from who it says?

Drop a suspicious email and we'll read its hidden headers — the same provenance a forensic analyst checks. See where it was actually sent from on a map versus where it claims to be, whether it passed sender authentication, and what it's carrying. Free, and no signup.

Analyse an email

Drop a saved email (.eml or Outlook .msg) for a full provenance check — where it was really sent from on a map, SPF/DKIM/DMARC authentication, whether the From / Reply-To / Return-Path addresses align, and attachment checks. Attachments are never opened.

Drop a .eml or .msg file here, or click to chooseExport the email from your mail app (Outlook .msg, or .eml). Max 2 MB.

No sign-in. Public email checks are analysed in memory and discarded; only aggregate security statistics are retained.

  • Where it really came from — claimed vs actual sending country, on a map.
  • SPF, DKIM and DMARC results, and From / Reply-To mismatches.
  • Risky attachments flagged by name and type — we never open them.
  • Tell-tale scam signs — language that doesn't match the origin, poor spelling, and big money demands.

Got the text of a message instead of a file? Paste it into the message checker. Checking a website address? Use the domain checker.

Prefer to forward than save a file? With a free account you get a personal address — just forward a suspicious email (as an attachment) to it and its forensic analysis lands in your saved cases automatically. Create a free account.

How to save an email as a file

  • Outlook (desktop): open the email, then File → Save As → choose Outlook Message Format (.msg).
  • Gmail: open the email, click the three-dot menu → Download message (saves a .eml).
  • Apple Mail: select the email, then File → Save As → Raw Message Source (.eml).

What we check — and what we don't

We read the email's delivery headers to trace the route it travelled and the server that first sent it, then geolocate that server and check it against public IP-reputation sources. We compare the From, Reply-To and Return-Path addresses, check SPF, DKIM and DMARC, and list attachments by name, type and a fingerprint (hash) only. We never open or run attachments, and we never reply to or contact the sender. Public email checks are analysed in memory and then discarded; we keep only aggregate security statistics (see our privacy notice).