Back to product

Email Header Analysis Guide

Use the original email headers to compare the visible sender, reply-to path, authentication results, and delivery hops before deciding what to do next.

Start with the original email

Screenshots hide the header trail. Save the message as .eml when possible so the scanner can inspect sender fields, URLs, attachments, and authentication details together.

Compare From, Reply-To, and Return-Path

Attackers often make the visible From name look familiar while replies or bounces go somewhere else. Mismatches are not always malicious, but they are worth checking before clicking or paying.

Read SPF, DKIM, and DMARC together

Authentication results are strongest when they align with the visible sender domain. Failed, missing, or misaligned checks should push the message into manual review.

Check links outside the email client

Hover text can lie. Expand shortened links, compare the real destination domain, and avoid signing in through a message unless you opened the service directly.

Check the message before trusting it

PhishAnalyze turns the original email into a verdict, evidence, and next steps so the decision is not based on urgency alone.

Scan an email