Email Header Analyzer Calculator

Decode sender paths, trust checks, and relay anomalies. Turn raw headers into actionable security insights. Review results faster with clean scoring, exports, and guidance.

Analyze Raw Email Headers

Paste the original raw header block from your mail client or gateway.

Example Data Table

| Scenario | SPF | DKIM | DMARC | Alignment | Hops | Risk Score | Verdict |
|---|---|---|---|---|---|---|---|
| Corporate newsletter from aligned infrastructure | PASS | PASS | PASS | Strong | 4 | 9 | Low |
| Marketing relay with missing DKIM and extra hops | PASS | NOT FOUND | NONE | Partial | 8 | 44 | Elevated |
| Brand spoof with auth failures and domain mismatch | FAIL | FAIL | FAIL | Weak | 2 | 86 | Critical |

Formula Used

Risk Score = clamp(0, 100, (Auth Points + Alignment Points + Routing Points + Anomaly Points − Bonus Points) × Sensitivity Multiplier)

Auth points come from SPF, DKIM, and DMARC outcomes. Alignment points reflect sender-domain consistency across From, Reply-To, Return-Path, and Message-ID. Routing points measure relay-path complexity and missing transport evidence. Anomaly points cover missing headers, private or reserved IP exposure, and weak observability signals.

The calculator converts the weighted total into a 0 to 100 risk score. Lower scores suggest healthier trust signals. Higher scores indicate stronger spoofing, routing, or authenticity concerns that deserve manual review.
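One way to compute the Risk Score formula from raw headers with Python's standard `email` module. This is an added example, not the calculator's own code: the weights in `W`, the half-weight cost for inconclusive results, the relaxed subdomain match, and the `authserv_id` filter are assumptions, and the sample headers are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed weights; the page does not publish the calculator's defaults.
W = {"auth": 20, "align": 10, "hop": 3, "anomaly": 5, "bonus": 10}

def domain(value):  # lower-cased domain of an address-like header value
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw, authserv_id, hop_threshold=5, sensitivity=1.0):
    msg = message_from_string(raw)
    # Trust only results stamped by our own gateway; upstream copies can be forged.
    trusted = " ".join(r for r in msg.get_all("Authentication-Results", [])
                       if r.strip().lower().startswith(authserv_id.lower()))
    auth = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", trusted, re.I)
        auth[mech] = m.group(1).lower() if m else "not found"
    # pass costs nothing, fail the full weight, anything else half of it
    auth_pts = sum(W["auth"] * {"pass": 0, "fail": 1}.get(v, 0.5) for v in auth.values())
    from_dom = domain(msg.get("From"))
    others = [domain(msg[h]) for h in ("Reply-To", "Return-Path", "Message-ID") if msg[h]]
    # Relaxed match: the same domain as From, or a subdomain of it
    mismatches = [d for d in others if d != from_dom and not d.endswith("." + from_dom)]
    hops = len(msg.get_all("Received", []))
    missing = [h for h in ("From", "Date", "Message-ID") if not msg[h]]
    bonus = W["bonus"] if set(auth.values()) == {"pass"} and not mismatches else 0
    total = (auth_pts + W["align"] * len(mismatches)
             + W["hop"] * max(0, hops - hop_threshold)
             + W["anomaly"] * len(missing) - bonus) * sensitivity
    return {"auth": auth, "mismatches": mismatches, "hops": hops,
            "missing": missing, "score": round(min(100, max(0, total)))}

# Constructed sample headers (not real traffic)
ALIGNED = (
    "Return-Path: <news@bounce.example.com>\n"
    "Received: from out.example.com by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\n"
    "From: News <news@example.com>\n"
    "Date: Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Message-ID: <42@example.com>\n"
)
SPOOFED = (
    "Return-Path: <bounce@mailer.invalid>\n"
    "Authentication-Results: mx.example.org; spf=fail; dkim=fail; dmarc=fail\n"
    "From: Billing <billing@example.com>\n"
    "Reply-To: help@mailer.invalid\n"
)
```

Calling `analyze(ALIGNED, "mx.other.example")` shows why the filter matters: the same headers score 30 instead of 0 because the `pass` results were not stamped by the gateway named as trusted.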

How to Use This Calculator

  1. Copy the raw email headers from your email client, secure gateway, or mailbox trace view.
  2. Paste the entire header block into the raw headers field.
  3. Select a sensitivity profile that matches your review environment.
  4. Adjust the scoring weights if your team values certain signals more heavily.
  5. Set the hop threshold for normal routing in your environment.
  6. Press Analyze Headers to calculate the score and review the breakdown.
  7. Export the results to CSV or PDF for case notes, handoffs, or audit records.

FAQs

1. What does this analyzer measure?

It measures authentication status, sender alignment, route visibility, and notable anomalies in raw email headers. The score helps prioritize suspicious messages for manual review.

2. Is a low score always safe?

No. A low score means the supplied headers look more consistent. Content, links, attachments, and user context can still make a message risky.

3. Why can a legitimate email still score high?

Forwarding services, broken sender policies, legacy relays, or missing gateway headers can raise the score. Always combine header analysis with delivery context.

4. What is domain alignment here?

Domain alignment compares the visible sender with Reply-To, Return-Path, and Message-ID domains. Strong alignment generally improves authenticity confidence.

5. Why are private IP addresses flagged?

Private or reserved IPs may appear in internal relays or redacted traces. They are not automatically malicious, but they reduce route transparency.

6. Can I use custom weights?

Yes. The calculator lets you change authentication, alignment, routing, and anomaly weights so the scoring fits your environment or playbook.

7. Does the calculator replace analyst judgment?

No. It is a decision-support tool. Investigators should still validate content, infrastructure reputation, user reports, and mailbox telemetry.

8. What headers should I paste?

Paste the original raw headers, including Received, Authentication-Results, Received-SPF, From, Reply-To, Return-Path, Date, and Message-ID whenever available.


Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.