Paste the raw headers of any email and instantly see whether it passed SPF, DKIM and DMARC, whether the visible sender matches the real one, and the path it actually travelled to reach you.
| # | From server | Received by | Delay |
|---|
Headers can't catch a convincing scam written on a clean domain. The Phixo extension scans the sender, links, and the actual language of every email you open in Gmail or Outlook — automatically.
From, Reply-To and Return-Path, the oldest trick in invoice fraud.Honest limits: header analysis proves where an email came from — not whether its content is a scam. A phisher on a freshly registered domain can pass all three checks. And servers below the first trusted hop can forge earlier Received lines. Treat a failure as a strong warning; treat a pass as one good sign, not a verdict. And if you’ve already clicked a link in the email you’re checking, start with our step-by-step guide on what to do if you clicked a phishing link.
No. This tool is plain JavaScript running in your browser — nothing you paste is sent anywhere, stored, or logged. You can verify it yourself: open your browser's developer tools, watch the network tab, and click Analyze. No request fires.
Not necessarily. Passing means the email genuinely came from the domain it claims — but scammers register their own domains with perfect authentication. A pass on paypa1-secure.com proves only that the scammer controls paypa1-secure.com. Always read the domain itself.
Usually forwarding: when a mail server forwards an email, the forwarding server isn't in the original domain's SPF record. That's exactly the problem DKIM survives (the signature travels with the message), and why DMARC accepts either one passing.
This tool inspects one email's envelope, manually, when you think to check. The Phixo extension checks authentication automatically on every email you open — plus the things headers can't show: the links, the language, brand impersonation, and known-phishing intelligence.