Email Header Spoof Inspector
Security ToolsReview raw email headers locally for From, Reply-To, and Return-Path mismatches, plus pasted authentication results and spoofing clues when needed.
- Paste a suspicious link, sender, domain, raw header, or copied message text.
- The tool automatically detects the input type and runs local checks.
- No URL is fetched, opened, or rendered as a clickable result.
Inspect suspicious content
Runs in your browser. Your pasted content is not sent to a server.
Not sure? Just paste it above. We will detect it automatically.
Safe example gallery
How to use the Email Header Spoof Inspector
Paste raw headers to compare the sender path, reply path, and return path locally. This is useful when you need a fast spoofing check without opening the message in a mail client.
What it does
- Parses From, Reply-To, Return-Path, Sender, and Authentication-Results fields.
- Flags sender mismatches that often show up in spoofed email.
- Keeps all header analysis in your browser only.
When to use it
- A message header needs a quick spoofing review before escalation.
- The email body looks normal but the header paths disagree.
- You want to compare a pasted header block with a trusted sender domain.
How to use it
- Paste the raw email headers into the input.
- Optionally compare the message against a trusted domain.
- Run Analyze locally and review the Email header findings panel.
- Copy the Markdown report if you need to share evidence.
FAQ
- Does this tool fetch suspicious links? No. All analysis runs locally in your browser and the tool does not open or fetch pasted URLs.
- Can I paste raw email headers? Yes. Paste raw headers and the inspector checks From, Reply-To, Return-Path, Authentication-Results, and related spoofing indicators locally.
- Does the inspector send my input to a server? No. Everything stays in your browser. Nothing you paste is sent to a server or third-party API.
- What kinds of spoofing does it look for? It looks for invisible characters, bidi controls, mixed scripts, confusable domains, Punycode hostnames, misleading subdomains, credential-in-URL tricks, and sender mismatches.
- Can it compare a suspicious value against a trusted domain? Yes. You can enter an optional trusted domain so the inspector can compare the pasted content against a known-good brand or host locally.
Related guides
Low risk
0/100
No obvious spoofing indicators were found.
Recommended action
Entities detected
Input kind
Entities
Findings
Network access