Paste raw email headers to check SPF, DKIM, DMARC, sender mismatches, and routing clues that can expose spoofed mail.
Use the original header data from your mail client so ScamKit can inspect authentication results, relay path, and signs of sender spoofing.
Best for suspicious invoices, fake account alerts, and emails that look real but still feel off. Paste headers, not just the body text.
ScamKit reads the raw email headers and checks SPF, DKIM, and DMARC — the authentication records that show whether the mail really came from the domain it claims. A failing or misaligned result is the strongest technical sign of a spoofed sender.
Reviewed by Isaiah Shawver · Last updated June 2026 · See the ScamKit methodology.
Check the raw headers for SPF, DKIM, and DMARC results. If the visible From address claims a brand but those checks fail or point at an unrelated domain, the sender is likely spoofed.
SPF verifies the sending server is authorized, DKIM verifies the message was signed and unaltered, and DMARC verifies the From address aligns with both. Legitimate brand email normally passes all three.
Yes. Scammers can pass authentication with their own lookalike domains, so a pass only proves which domain sent it. Check the domain itself, and treat urgent payment or login requests with suspicion — the phishing patterns guide shows real examples.
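The checks described above, as an added example that is not ScamKit's own code: it reads the Authentication-Results header from raw headers and flags results that did not pass, plus SPF or DKIM domains unrelated to the visible From domain. The sample headers and every domain in them are constructed, and the subdomain comparison is a simplification of real alignment rules.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; every domain here is a placeholder.
SPOOFED = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=bounce@mailer-example.net;\n"
    " dkim=pass header.d=mailer-example.net;\n"
    " dmarc=fail header.from=brand.example\n"
    'From: "Brand Billing" <billing@brand.example>\n'
    "Subject: Invoice overdue\n\n"
)
LEGIT = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=bounce@mail.brand.example;\n"
    " dkim=pass header.d=brand.example;\n"
    " dmarc=pass header.from=brand.example\n"
    'From: "Brand Billing" <billing@brand.example>\n'
    "Subject: Your receipt\n\n"
)

def domain_of(value):
    """Lowercased domain part of an address or a bare domain."""
    return value.rsplit("@", 1)[-1].strip("<>. ").lower()

def related(a, b):
    """Approximate relaxed alignment: same domain or parent/subdomain.
    (A real checker compares organizational domains via the Public Suffix List.)"""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_headers(raw):
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Use only the first (topmost) Authentication-Results header: ones further
    # down may have been added before the message reached your receiver.
    ar = msg.get("Authentication-Results", "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    findings = []
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech}={results.get(mech, 'missing')}")
    for label, prop in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.d")):
        m = re.search(prop + r"=([^;\s]+)", ar)
        if m and not related(from_domain, domain_of(m.group(1))):
            findings.append(f"{label} domain {domain_of(m.group(1))} "
                            f"unrelated to From domain {from_domain}")
    return {"from": from_domain, "results": results, "findings": findings}
```

An empty findings list only shows that the From domain authenticated; whether that domain is the real brand or a lookalike still has to be checked separately.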