Phishing Email Checker

Paste any suspicious email and get an instant threat analysis. We check authentication records, sender signals, suspicious links, urgency patterns, and more.

SPF / DKIM / DMARC analysis | Suspicious link detection | No data stored | 100% free
Paste full email source (headers + body)
For the most accurate analysis, paste the complete email source including headers. This lets us check SPF, DKIM, and DMARC authentication results.
How to copy the full email source

Gmail
  1. Open the suspicious email in Gmail
  2. Click the three dots (⋮) in the top-right corner of the email
  3. Click "Show original"
  4. In the new tab, click "Copy to clipboard", then paste above

Outlook Web
  1. Open the email in Outlook Web (outlook.com)
  2. Click the three dots (···) at the top of the email
  3. Click View - "View message source"
  4. Select all (Ctrl+A), copy, and paste above

Apple Mail
  1. Open the email in Apple Mail
  2. Go to View menu - Message - "All Headers"
  3. Then View - "Message Source" (Option+Cmd+U)
  4. Select all, copy, and paste above

Yahoo Mail
  1. Open the email in Yahoo Mail
  2. Click the three dots (···) next to Reply
  3. Click "View raw message"
  4. Select all, copy, and paste above

How Our Phishing Email Checker Works

Our tool runs multiple rule-based checks on the email content you paste - analyzing authentication headers, sender signals, link patterns, and language - to give you an accurate threat assessment.

1. Paste your email

Paste the full email source with headers for maximum accuracy, or just the body text. We accept content from Gmail, Outlook, Apple Mail, and Yahoo.

2. Multiple checks run instantly

We scan authentication results (SPF, DKIM, DMARC), sender spoofing, Reply-To mismatches, suspicious links, urgency language, credential requests, and more.

3. Get a risk verdict

Receive a risk score, a clear verdict - Safe / Suspicious / Likely Phishing - every signal detected, and specific guidance on what to do next.

Phishing Signals Our Checker Detects

Phishing emails combine technical deception with psychological manipulation. Our checker scans for both - from failed authentication records to fear-based language.

Critical: SPF / DKIM / DMARC failures

Authentication results in email headers revealing the message didn't pass sender verification - the strongest technical indicator of spoofing.

Critical: Sender domain spoofing

From address claiming to be PayPal, Apple, or your bank but using a completely different sending domain - or a typosquatted lookalike.

Critical: Suspicious links and IP-based URLs

Links using raw IP addresses instead of domain names, URL shorteners, redirect chains, or domains designed to mimic trusted brands.

Critical: Credential harvesting requests

Requests for passwords, card numbers, OTPs, or personal data - often via "verify your account" CTAs pointing to fake login pages.

Warning: Reply-To mismatch

Reply-To address pointing to a different domain than the From address - a classic technique to harvest replies without revealing the real attacker domain.

Warning: Urgency and fear language

"Your account will be suspended", "Immediate action required", "Unauthorized login detected" - pressure tactics designed to trigger panic before critical thinking.

Warning: Display name deception

Display name says "Apple Support" or "IT Department" while the actual sending address is completely unrelated to the claimed sender.

Info: Generic greetings and grammar

"Dear Customer", "Dear User", inconsistent formatting, or language patterns inconsistent with the claimed sender's usual communication style.

Understanding Your Phishing Email Results

Every analysis returns a risk score from 0 to 100 and one of three verdicts. Here's what each means and how the score is calculated.

0 - 20: Safe

No significant phishing signals were detected. Authentication records passed, the sender domain matches the claimed identity, no suspicious links were found, and the content does not contain urgency or credential-harvesting patterns. The email is likely legitimate - but always exercise caution with unexpected requests.

21 - 55: Suspicious

Some risk signals were detected - such as a missing DMARC record, a Reply-To mismatch, urgency language, or URL shorteners - but not enough to confirm a phishing attack definitively. Do not act on the email without independently verifying the sender. Check the detected signals section for what triggered the score.

56 - 100: Phishing

Multiple high-risk signals were detected - such as SPF/DKIM/DMARC failures, brand impersonation, credential harvesting requests, or IP-based links. Treat this email as malicious. Do not click any links, do not reply, and do not provide any information. Follow the action steps shown in the results.

Each detected signal adds a weighted amount to the risk score. Critical signals (SPF fail, brand impersonation, DMARC fail) contribute 25-40 points. Warning signals contribute 10-25 points. Info signals contribute up to 10 points. The score is capped at 100.
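
The scoring model described above, sketched as an added example (not the tool's own code): a few of the listed signals are detected with simple rules, each adds a weight by severity, and the capped total maps to the three verdicts. The weights 30/15/5, the patterns, the function names, and the sample message are assumptions chosen within the stated ranges.

```javascript
// Added example: weights are assumed values inside the ranges the page states.
const WEIGHTS = { critical: 30, warning: 15, info: 5 };

// Unfold continuation lines, then return the value of the first matching header.
function header(raw, name) {
  const head = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, " ");
  const m = head.match(new RegExp("^" + name + ":\\s*(.*)$", "im"));
  return m ? m[1].trim() : "";
}

// Lowercased domain of the first address in a From / Reply-To value.
function addrDomain(value) {
  const m = value.match(/@([a-z0-9.-]+)/i);
  return m ? m[1].toLowerCase() : "";
}

function analyze(raw) {
  const signals = [];
  const add = (severity, name) => signals.push({ severity, name });
  const auth = header(raw, "Authentication-Results");
  for (const mech of ["spf", "dkim", "dmarc"]) {
    if (new RegExp("\\b" + mech + "=fail\\b", "i").test(auth)) add("critical", mech + " fail");
  }
  const from = addrDomain(header(raw, "From"));
  const replyTo = addrDomain(header(raw, "Reply-To"));
  if (replyTo && replyTo !== from) add("warning", "reply-to mismatch");
  if (/https?:\/\/\d{1,3}(\.\d{1,3}){3}(?![\w.-])/i.test(raw)) add("critical", "ip-based url");
  if (/immediate action required|will be suspended|unauthorized login/i.test(raw))
    add("warning", "urgency language");
  if (/^dear (customer|user)\b/im.test(raw)) add("info", "generic greeting");
  const total = signals.reduce((sum, s) => sum + WEIGHTS[s.severity], 0);
  const score = Math.min(100, total); // the score is capped at 100
  const verdict = score <= 20 ? "Safe" : score <= 55 ? "Suspicious" : "Phishing";
  return { score, verdict, signals: signals.map((s) => s.name) };
}

// Constructed sample message (documentation domains and addresses only).
const SAMPLE = [
  "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org;",
  " dkim=none; dmarc=fail header.from=example.com",
  'From: "Account Support" <support@example.com>',
  "Reply-To: helpdesk@example.org",
  "Subject: Immediate action required",
  "",
  "Dear Customer,",
  "Your account will be suspended. Verify at http://192.0.2.10/login",
].join("\n");
```

Calling analyze(SAMPLE) finds six signals whose weights sum to 125, so the cap applies and the verdict is Phishing.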

What to Do If You Received a Phishing Email

If our checker flags an email as suspicious or phishing, follow these steps immediately - even if you're not completely certain it's malicious.

1. Do not click any links or open attachments

Phishing links lead to credential-harvesting pages or install malware. Attachments may contain exploits that execute on opening. If you're unsure, hover over links first to preview the real destination URL.

2. Do not reply or provide any information

Replying confirms your address is active. Never provide passwords, OTPs, card numbers, or personal details in response to an unsolicited email - regardless of how urgent or official it appears.

3. Verify through a separate, trusted channel

If the email claims to be from your bank, a vendor, or a colleague, call them directly using a number from their official website - never use contact details provided in the suspicious email itself.

4. Report it as phishing to your email provider

Use your email client's "Report phishing" or "Mark as spam" function. You can also report to your national cybersecurity agency - CISA in the US, NCSC in the UK, CERT in the EU.

5. If you already clicked a link - act immediately

Change passwords for any accounts you accessed after clicking. Enable two-factor authentication. Run a malware scan. If financial information was entered, contact your bank right away and monitor for unusual activity.

6. Notify your IT team if this was a work email

Business email compromise attacks often begin with reconnaissance emails. Even if you didn't interact with the email, reporting it to your security team could prevent a larger attack on your organisation.

Frequently Asked Questions

Yes. Your email content is analyzed entirely in your browser — nothing is sent to our servers or stored. The checks run locally using JavaScript pattern matching and public DNS lookups. We recommend removing any sensitive personal information (passwords, card numbers) before pasting as a general precaution.

Email headers contain critical technical information: authentication results (SPF, DKIM, DMARC pass/fail), the actual sending server IP, routing path, and the true origin of the message. The visible “From” field can say anything — headers reveal the real sender. Full source analysis is significantly more accurate than body-only analysis.

Always trust your instincts. Our tool runs pattern-based checks and may miss sophisticated targeted attacks (spear phishing) that don’t use typical red flags. If something feels wrong — unexpected request, unusual sender, link you didn’t expect — verify through a separate channel before taking any action.

Yes, in some cases. Attackers who control their own domain can set up valid SPF and DKIM records for that domain. The key is whether the domain matches the claimed sender — a valid DKIM signature for random-domain.xyz means nothing if the email claims to be from PayPal. Our checker looks at the combination of authentication results and domain matching.
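
The domain-matching point in this answer, as an added example that is not the checker's own code: a pass result only counts when the authenticated domain (DKIM header.d, SPF smtp.mailfrom) matches the From domain. The function names, the two-label orgDomain shortcut, and the sample header values are assumptions.

```javascript
// Added example. orgDomain() is a simplification: production code should use
// the Public Suffix List; keeping the last two labels is wrong for e.g. .co.uk.
function orgDomain(domain) {
  return domain.toLowerCase().split(".").slice(-2).join(".");
}

// Parse the "method=result prop=value ..." clauses of an Authentication-Results
// value. The first clause is the authserv-id; parenthesised comments are not handled.
function parseAuthResults(value) {
  return value.split(";").slice(1).map((clause) => {
    const m = clause.match(/^\s*([a-z]+)=([a-z]+)/i);
    if (!m) return null;
    const props = {};
    for (const p of clause.matchAll(/([a-z]+\.[a-z-]+)=(\S+)/gi)) {
      props[p[1].toLowerCase()] = p[2];
    }
    return { method: m[1].toLowerCase(), result: m[2].toLowerCase(), props };
  }).filter(Boolean);
}

// A pass only counts when the authenticated domain matches the From domain.
function checkAlignment(fromHeader, authResults) {
  const m = fromHeader.match(/@([a-z0-9.-]+)/i);
  const fromOrg = m ? orgDomain(m[1]) : "";
  const aligned = { spf: false, dkim: false };
  for (const r of parseAuthResults(authResults)) {
    if (r.result !== "pass") continue;
    if (r.method !== "spf" && r.method !== "dkim") continue;
    const id = r.props[r.method === "dkim" ? "header.d" : "smtp.mailfrom"];
    if (id && fromOrg && orgDomain(id.split("@").pop()) === fromOrg) {
      aligned[r.method] = true;
    }
  }
  return { fromOrg, ...aligned, authenticatedAsSender: aligned.spf || aligned.dkim };
}

// Constructed header values: both mechanisms pass, but for an unrelated domain.
const SPOOF_FROM = '"PayPal" <service@paypal.com>';
const SPOOF_AUTH = "mx.example.net; dkim=pass header.d=random-domain.xyz;" +
  " spf=pass smtp.mailfrom=bounce@random-domain.xyz";
```

checkAlignment(SPOOF_FROM, SPOOF_AUTH) reports authenticatedAsSender as false even though both results say pass, because neither authenticated domain matches the From domain.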

Act immediately: change passwords for any accounts accessed after clicking. Enable two-factor authentication. Run a malware scan. If you entered financial information, contact your bank. Report to your IT team if this was a work device. Use our phishing link checker to verify the URL, and our email header analyzer for deeper investigation.

Prevent Domain Spoofing with DMARC Enforcement


Phishing emails impersonating your domain damage your brand and deceive your customers. PowerDMARC enforces DMARC, SPF, and DKIM to block spoofed email at source.