Email phishing scanner·AI-powered

Show us anythingfrom the email.

Sender, subject, body — or just a screenshot. Our AI reads everything you give it and runs ten parallel reputation checks in the background. One paste, one verdict, in seconds.

Address never storedVision OCR on screenshotsFree for everyone
address · Gmail line · raw headers
Paste whatever you see — bare address, Gmail's "via X" line, or raw headers. If you upload a screenshot we'll OCR the sender from there too.
0 / 998
Helps the AI weigh the threat — urgency, brand impersonation, or scam-pattern phrasing in the subject line are strong signals.
0 / 32,000
Required unless a screenshot is uploaded below.
The new pasteable scanner

Give it as much — or as little — as you have.

The only hard rule is body OR screenshot. Sender and subject are optional. The AI sees every field you provide and cross-checks them against the reputation engine in parallel.

Optional
01

Sender

address · Gmail line · raw headers

  • Brand impersonation
  • Domain age
  • Via-domain analysis
  • Auth (SPF/DKIM/DMARC)
Optional
02

Subject

the line that lands in your inbox

  • Urgency cues
  • Brand mimicry
  • Scam-pattern phrasing
One required
03

Body

the message text itself

  • Phishing language
  • Credential prompts
  • Embedded URLs
  • AI red flags
One required
04

Screenshot

what you actually see in your inbox

  • OCR'd From line
  • Visible URLs
  • Brand logos
  • Visual deception
Inputs in parallelAI analyst weighs everythingOne verdict
Six independent signals

Why this scanner sees what others miss.

Most “email validators” stop at MX records. We bolt on the detectors that actually catch modern phishing — display-name impersonation, throwaway via-domains, and a vision model that reads your screenshot the way you do.

Display-name impersonation

Catches "PayPal Support" sending from xyz.us — names that claim a brand the sender domain isn't authorised for.

Via-domain forensics

High-entropy throwaway relays vs known ESPs vs aligned senders. The shape of the path matters as much as the address.

Brand-lookalike radar

Typosquats (paypa1.com), homoglyphs (Cyrillic 'а' for Latin 'a'), Levenshtein-1 mimics of the top 50 phished brands.

Breach + reputation

HIBP, DNSBL, RDAP age, MX/SMTP — the structural infrastructure picture that tells you if mail to this address is even real.

Vision OCR

A multimodal analyst reads your screenshot — extracts the From line, body text, visible URLs, and rates visual phishing tells.

AI analyst verdict

Reasoning model weighs every signal above against the message material and produces phishing likelihood + recommendation.

Privacy by design

We never store the raw address.

Every address is SHA-256 hashed before it reaches the database. The report URL /email-scan/<64-hex> IS the hash. We keep the local-part and domain separately so the report can display them — the original raw input is never written. Screenshots are decoded once for the vision pass and discarded; the bytes never touch persistent storage.

Frequently asked

Common questions

What's the minimum I need to paste?

Either the message body OR a screenshot. Everything else — sender, subject — is optional. The AI does the heavy lifting with whatever you give it. If you just have a screenshot, drop it in; vision OCR will read the From line, subject, and body for you.

Do you store the email address I check?

No. We hash every address with SHA-256 before it touches the database. The report URL IS the hash — `/email-scan/<64-hex>`. We keep the local part and domain separately so the report can display them, but the original raw input (including any display name) is never written anywhere.

What does the screenshot upload give me that pasting text doesn't?

Phishing emails often LOOK identical to legitimate ones. Vision OCR catches things text alone can't: a fake Microsoft logo that's just a lookalike PNG, a Reply button that goes to a different colour scheme, a footer address that's a known scam template. It also extracts URLs that wouldn't appear in pasted text (image-mapped buttons, etc.).

Will my check trigger an alert at the email provider?

The MX / RDAP / DNSBL / HIBP checks are passive lookups — the recipient never knows. The optional SMTP probe opens a TCP connection to their mail server, says 'would you accept mail for X?' and disconnects without sending anything. Most large providers (Gmail, Outlook) accept all probes regardless to defeat enumeration, so the probe usually returns 'unknown' for those.

What's the difference between 'safe' and 'inconclusive'?

'Safe' means we ran the checks and they all came back clean. 'Inconclusive' means too many checks failed or were skipped to give a confident answer (e.g. RDAP blocked, DNSBL timed out). When you see 'inconclusive', look at the individual check cards — they'll tell you what we couldn't see.

Got another suspicious email?

Free for everyone. No account required. Sign in with your forum account to unlock 100 scans per hour and a personal scan history.