OSINT · Email Intelligence
SOC-grade email header analysis. Composite authentication scoring, BEC indicator detection, hop-by-hop delay anomaly analysis, IP enrichment with RBL checks, and Microsoft Exchange header intelligence — analyzed server-side and never stored.
Paste raw email headers
In Outlook: File → Properties → Internet headers. In Gmail: ⋮ → Show original → Copy to clipboard.
SPF, DKIM, and DMARC results are parsed and scored into a 0–100 composite trust score. Detects alignment bypasses where SPF passes but the envelope domain doesn't match the From: header — a classic BEC indicator.
Flags Reply-To redirection to a different domain, Return-Path envelope mismatches, display name spoofing where the visible name implies a different sender, and lookalike domain similarity scoring.
Each Received: hop is timestamped and visualized chronologically. Delays > 60 minutes flag potential hold-and-release delivery (a spam evasion technique). Forged Date headers and out-of-order hop sequences are also caught.
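The hop-delay check described above, as an added example (not this tool's own code): it orders the `Received:` timestamps oldest-first and labels each transition using the 60-minute threshold. The sample headers are constructed, and the 5-minute clock-skew tolerance and the function names are assumptions.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_DELAY = 60 * 60  # the page's threshold: flag hops slower than 60 minutes
SKEW = 5 * 60        # assumed clock-skew tolerance (not from the page)

# Constructed sample headers using documentation domains and IP ranges.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby inbox.example.org; Tue, 05 Mar 2024 12:47:10 +0000
Received: from relay.example.net (relay.example.net [198.51.100.20])
\tby mx.example.org; Tue, 05 Mar 2024 12:45:02 +0000
Received: from mail.example.net (mail.example.net [198.51.100.9])
\tby relay.example.net; Tue, 05 Mar 2024 04:50:30 -0500
Received: from [192.0.2.44] by mail.example.net; Tue, 05 Mar 2024 10:16:00 +0000
From: sender@example.net
Subject: constructed sample

"""

def hop_times(raw):
    """Return Received timestamps oldest-first; unparseable hops become None."""
    times = []
    # Each relay prepends its header, so the oldest hop is the last one listed.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        stamp = value.rsplit(";", 1)[-1].strip()  # date follows the final ';'
        try:
            dt = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            times.append(None)
            continue
        # A "-0000" zone parses as naive; treat it as UTC so subtraction works.
        times.append(dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc))
    return times

def analyze_hops(raw):
    """Return (hop_number, delta_seconds, label) for each hop transition."""
    times, findings = hop_times(raw), []
    for i in range(1, len(times)):
        prev, cur = times[i - 1], times[i]
        if prev is None or cur is None:
            findings.append((i, None, "unparsed"))
            continue
        delta = (cur - prev).total_seconds()
        label = "delay" if delta > MAX_DELAY else "out-of-order" if delta < -SKEW else "ok"
        findings.append((i, delta, label))
    return findings
```

A negative delta inside the skew tolerance is treated as ordinary clock drift between relays rather than an out-of-order hop.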
Sending IPs are geolocated with ASN and hosting provider classification (cloud VPS vs. residential ISP vs. corporate). Real-time blocklist checks run across 5 major RBLs via DNS-over-HTTPS — no API keys required.
Parses X-MS-Exchange-Organization-SCL/PCL/BCL (Spam, Phishing, Bulk Confidence Levels), X-Forefront-Antispam-Report category codes, X-Originating-IP leaks, and X-PHP-Originating-Script indicators — all surfaced in plain English.
One-click JSON export with all structured findings and IOCs, ready for import into any SIEM or ticket system. Copy a pre-formatted Markdown incident summary for pasting directly into Sentinel alerts, Jira, or team channels.
Privacy & Responsible Use: Raw email headers are transmitted over HTTPS to TheAdminStack servers for analysis. Headers are processed in memory and discarded immediately after the response — no header content, sender addresses, or IP addresses are logged or stored. IP geolocation and blocklist checks (RBLs) are performed directly from your browser via ipapi.co and Cloudflare DNS-over-HTTPS. Use this tool only on email you have lawful authority to analyze.