Email Phishing Checker

Forward a suspicious email — or paste the raw headers — and Mythos verifies SPF, DKIM, DMARC, checks the brand against impersonation patterns, scores the URLs and attachments, and returns a verdict in seconds.

Email is still the highest-volume entry vector for fraud: business email compromise (BEC), invoice redirect, fake bank alerts, fake courier (DHL, UPS, La Poste, Swiss Post) lockouts, fake HR documents, fake tax refund notices. The Email Phishing Checker handles the boring-but-essential parts of email forensics that browsers and standard email clients hide: full header chain decoding, authentication record verification (SPF + DKIM + DMARC), display-name vs. envelope-sender mismatch detection, URL deobfuscation through redirect chains, and attachment static analysis.

We support two modes. Forward the suspicious email to a unique inbox we provision (your account inbox is hash-prefixed for privacy), and we return the verdict by reply within ~60 seconds. Or paste the raw .eml / .msg source directly into the chat. Both modes produce the same forensic verdict: GREEN / AMBER / RED with the specific reasons (e.g., 'DKIM failed for cited brand domain', 'envelope-sender belongs to a free Gmail mailbox while display name impersonates UBS', 'attached PDF contains launch action').

How it works

  1. Forward the email or paste the source

    Forward the suspicious email to the address Mythos assigns to your account (e.g., yourhash@scan.legalaudit.ch), or open the email in your client → View source / Show original → copy/paste the full text into Mythos.

  2. Wait ~20 seconds for the verdict

    Mythos runs the full header chain, authenticates against the cited brand domains, scores every URL, and statically analyzes attachments without executing them.

  3. Read the structured verdict

    You get GREEN / AMBER / RED with the specific reasons (e.g., 'DKIM=fail for ubs.com', 'attached PDF contains JavaScript launch action'), the decoded URL destinations, and a recommendation (delete / report-to-IT / safe-with-caveats).

  4. Generate the dossier (optional)

    For incident response, regulatory filing (under DORA / NIS-2), or internal escalation, generate the forensic dossier — full header chain as exhibit, SHA-256 of every attachment, methodology citation.

What we detect

  • SPF / DKIM / DMARC verification against the cited brand
  • Display-name vs envelope-sender impersonation
  • Reply-To header divergence (classic BEC marker)
  • URL deobfuscation through redirect chains
  • URL similarity to legitimate brand domains (typosquat)
  • Attached PDF / DOCX / XLSM static analysis
  • Embedded image-only-text obfuscation (anti-spam-filter trick)
  • International punycode domain detection (IDN homograph)
  • X-Originating-IP geolocation and reputation
  • Cross-reference with 388-entry international scam corpus

Frequently asked questions

Do you store the emails I forward?

The decoded forensic analysis is stored if you generate the dossier (otherwise the email is hashed and discarded within 24h). For the in-memory triage mode, no email body is persisted beyond the verdict. Attachments are SHA-256'd; the binary itself is purged after analysis unless you explicitly choose to keep it as a dossier exhibit. Full data flow: legalaudit.ch/en/trust/data-flow.

What if SPF / DKIM / DMARC all pass — does that mean the email is safe?

No. Authentication passing only means the email was technically sent by the domain it claims (or by an authorized sender for that domain). It says nothing about content intent. A scammer who registered legitimate-looking-bank-name.com can pass SPF / DKIM / DMARC trivially. Our verdict combines authentication checks with brand impersonation analysis (was the cited brand actually the legitimate brand the message implies?) and content analysis (typical phishing call-to-action patterns), which is where most pure-authentication tools fail.
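The point above, as an added example (not Mythos's own code): a constructed message that passes SPF, DKIM and DMARC for its own lookalike domain is still flagged by a display-name check and a Reply-To divergence check. The `BRANDS` map, the `triage` function and all `.example` domains are assumptions made for illustration; the display name is compared against the From address domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny brand -> legitimate domain map; a real checker needs a maintained list.
BRANDS = {"ubs": "ubs.com"}

# Constructed sample: authentication passes for the sender's own lookalike domain.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ubs-alerts.example; dkim=pass header.d=ubs-alerts.example; dmarc=pass header.from=ubs-alerts.example
From: "UBS Security Team" <notice@ubs-alerts.example>
Reply-To: helpdesk@mailbox.example
To: victim@example.org
Subject: Account locked

Please confirm your details.
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def same_org(domain, legit):
    return domain == legit or domain.endswith("." + legit)

def auth_results(msg):
    """Parse spf/dkim/dmarc results. Only trust headers added by your own receiving MTA."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";")[1:]:
            tokens = part.split()
            if tokens and "=" in tokens[0]:
                method, result = tokens[0].split("=", 1)
                out.setdefault(method.lower(), result.lower())
    return out

def triage(raw):
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    auth = auth_results(msg)
    # Any method that is missing or not "pass" becomes a reason.
    reasons = [f"{m}={auth.get(m, 'none')}" for m in ("spf", "dkim", "dmarc")
               if auth.get(m) != "pass"]
    for brand, legit in BRANDS.items():
        if brand in name.lower().split() and not same_org(from_dom, legit):
            reasons.append(f"display name cites {brand} but sender domain is {from_dom}")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return auth, reasons
```
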

Can I forward the email from a forwarder / alias?

Yes, but the analysis quality drops if your forwarder modifies headers. Best signal comes from the original .eml source — most email clients have a 'View source' / 'Show original' option. Gmail: three-dot menu → Show original → Copy to clipboard → paste into Mythos. Outlook: File → Properties → Internet headers. The forensic dossier explicitly notes whether the analysis was on the original or on a forwarded copy.

Ready to start?

Open Mythos, describe the situation, upload the evidence. Free triage, court-grade dossier from CHF 29/month.


Encrypted. No training on your files. WORM audit chain. Trust hub.