Did you get an email that looks like it’s from your bank, PayPal, Amazon, or a delivery company — but something feels off? Scammers can make the sender name say anything they want. The one thing they can’t easily fake is the email header: the hidden technical record of where the message really came from.
Paste your email’s raw header into the free tool below. It checks the message’s authentication (SPF, DKIM, DMARC), compares the visible sender against the real sending domain, and flags the classic tricks used in phishing and spoofing — all privately, right in your browser. Nothing you paste is uploaded anywhere.
100% private · nothing leaves your device
Disclaimer & Terms of Use
This tool provides an automated risk assessment for informational purposes only and is not legal, financial, or security advice. It cannot detect every scam or spoofed email, and a low score does not guarantee an email is genuine. You are solely responsible for any decisions you make. whatsappstatusline.com accepts no liability for any loss or damage arising from use of, or reliance on, this tool. By using the tool you confirm that you have read, understood, and agreed to this disclaimer. If you do not agree, do not use the tool.
How to find your email’s header
The header is easy to grab once you know where to look:
- Gmail (desktop): open the email, click the three-dot menu (⋮) at top right, then choose Show original. Copy everything on that page.
- Gmail (app): the full header isn’t available in the app — open the message in a browser and use Show original.
- Outlook (desktop): open the email, go to File → Properties, and copy the text in the Internet headers box.
- Outlook.com / Hotmail: open the email, click the three-dot menu, then View → View message source.
- Apple Mail: select the email, then View → Message → All Headers (or Raw Source).
- Yahoo Mail: open the email, click More (the three dots), then View raw message.
What the analyzer looks for
A genuine email from a real company almost always passes a set of behind-the-scenes security checks. A spoofed one usually trips at least one of them. Here’s what each signal means:
- SPF (Sender Policy Framework) — confirms the server that sent the mail is actually allowed to send on behalf of that domain. An SPF fail is a strong sign the sender is forged.
- DKIM (DomainKeys Identified Mail) — a cryptographic signature proving the message wasn’t altered in transit. A DKIM fail suggests tampering or impersonation.
- DMARC — the domain owner’s policy that ties SPF and DKIM together. A DMARC fail means the email broke the brand’s own anti-spoofing rules.
- From vs. Return-Path mismatch — the address you see isn’t always the address that really sent the mail. When they don’t match, it’s a classic spoofing move.
- Reply-To redirection — some scams display a real-looking sender but quietly route your reply to a different inbox they control.
- Brand name on a free email — “PayPal Security” sending from a random gmail.com or .xyz address is a giveaway. Real companies use their own domain.
If an email looks fake, what should you do?
Don’t click any links and don’t download attachments. Don’t reply, even to “unsubscribe.” If the message claims to be from a company you use, open a new browser tab and type the company’s real website address yourself, or call the number on the back of your card — never the number in the suspicious email. Then delete the message.
Leave a Comment