🔐 SPF Verification
Sender Policy Framework checks whether the sending mail server is authorized by the domain's DNS. A failed SPF is a strong phishing indicator. We parse the Authentication-Results header to extract the SPF verdict and explain what it means.
🖊️ DKIM Signature
DomainKeys Identified Mail verifies the email body and headers haven't been tampered with in transit. A missing or failed DKIM signature on a sensitive email is a serious red flag. We surface the DKIM domain, selector, and verdict.
📋 DMARC Policy
DMARC ties SPF and DKIM together with a published policy. We parse the DMARC result and explain whether the sender's domain enforces reject, quarantine, or none policies — critical for evaluating spoofing risk.
📡 Routing Hop Analysis
Every mail server the message passed through leaves a Received: header. We parse all hops, extract IPs and hostnames, calculate the delay between each, and flag anomalies like unexpected geographic jumps.
🌍 IP Geolocation
We extract the originating IP address from the first untrusted Received: header and geolocate it — showing country, city, ISP, and flags for known proxy or hosting infrastructure.
⚠️ Phishing Risk Score
Combining SPF/DKIM/DMARC failures, mismatched From/Reply-To addresses, suspicious X-Mailer strings, and routing anomalies, we generate a 0–100 phishing risk score with an explanation of each contributing factor.
FAQ — Email Header Analyzer
How do I find the raw email headers? ▼
In Gmail: open the email → click the three-dot menu → "Show original". In Outlook: File → Properties → Internet Headers. In Apple Mail: View → Message → All Headers. In Thunderbird: View → Headers → All. Copy the entire block of text above the email body and paste it here.
What does a failed SPF result mean? ▼
SPF fail means the sending server's IP address is not listed in the domain's published SPF DNS record. This is a strong indicator of spoofing or phishing — the email may be pretending to come from a domain it isn't authorized to send from. Combined with DKIM failure, it's near-certain the email is not legitimate.
What is the difference between SPF, DKIM, and DMARC? ▼
SPF verifies the sending server IP is authorized by the domain owner. DKIM adds a cryptographic signature to the message that proves it hasn't been modified in transit. DMARC is a policy layer that tells receiving servers what to do when SPF or DKIM fail — reject, quarantine, or deliver anyway. All three passing is the gold standard for legitimate email.
What is the "originating IP" and why does it matter? ▼
The originating IP is the first external mail server that injected the email into the mail delivery system — typically the attacker's server or a compromised relay. By geolocating this IP you can see the country, ISP, and whether it's a known datacenter, VPN, or proxy, which provides strong context for assessing legitimacy.
Is my email data safe? Can you read my emails? ▼
All header parsing happens entirely in your browser using JavaScript. No email content, headers, or any personal data is ever uploaded to PhishPin servers. The only external request made is an IP geolocation lookup via ip-api.com, which receives only the extracted IP address — never any email content.
What are X-Headers and why do they matter? ▼
X-Headers are non-standard headers added by mail clients, servers, or spam filters. They can reveal the email client used (X-Mailer), spam scores (X-Spam-Score), marketing software (X-Mailer: Mailchimp), or other metadata. Attackers sometimes use unusual X-Headers to fingerprint bulk phishing infrastructure.