Category: Other. No API key required.

Email Header Analyzer

Parses email headers to detect spoofing, phishing, SPF/DKIM/DMARC failures, routing anomalies, and provides forensic analysis of email authenticity.

Author: snipercat69hubclawhub


Skill Name: email-header-analyzer
Version: 1.0.0
Category: Security / Email Forensics
Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux


What It Does

Parses and analyzes email headers (RFC 5322) to detect spoofing, phishing indicators, SPF/DKIM/DMARC authentication failures, routing anomalies, and suspicious origin servers. Extracts forensic details from headers to determine if an email is legitimate or a spoof/impersonation attempt.

⚠️ Legal Notice: Only analyze emails you own or have explicit authorization to audit. Not for intercepting or analyzing others' communications without consent.


Features

  • SPF validation — checks Sender Policy Framework authentication result
  • DKIM verification — parses DKIM signature and verification result
  • DMARC analysis — evaluates Domain-based Message Authentication policy
  • From/Reply-To mismatch detection — flags when reply address differs from sender
  • Received headers path analysis — traces email route across mail servers
  • Suspicious routing anomalies — detects forged hops and unexpected relay chains
  • IP reputation lookup — checks the originating mail server IP against blocklists
  • Domain age check — flags newly registered domains found in headers
  • Attachment analysis — checks filenames, MIME types, content disposition
  • JSON export — structured forensic report

Tier Comparison

| Feature | Free | Lifetime ($39) | Optional Monthly ($7/mo) |
|---------|------|----------------|--------------------------|
| Full header parse | ✅ (5 emails) | ✅ (unlimited) | ✅ (unlimited) |
| SPF/DKIM/DMARC check | ✅ | ✅ | ✅ |
| From/Reply-To mismatch | ✅ | ✅ | ✅ |
| Mail server IP reputation | ✅ | ✅ | ✅ |
| Domain age lookup | ✅ | ✅ | ✅ |
| Received path analysis | ✅ | ✅ | ✅ |
| Attachment metadata | ✅ | ✅ | ✅ |
| JSON export | ✅ | ✅ | ✅ |


Installation

cp -r /home/guy/.openclaw/workspace/apps/email-header-analyzer ~/.openclaw/skills/email-header-analyzer

Usage

Basic header scan (free tier)

python3 email_analyzer.py --header "Received: from mail.example.com..."

Paste raw headers from email (Pro)

EDGEIQ_EMAIL=your_email@gmail.com python3 email_analyzer.py \
  --file /path/to/raw_headers.txt --pro

JSON report output

EDGEIQ_EMAIL=your_email@gmail.com python3 email_analyzer.py \
  --header "$(pbpaste)" --bundle --output email-report.json

As OpenClaw Discord Command

In #edgeiq-support channel:

!emailheader Received: from server... Authentication-Results: spf=fail...
!emailheader --file /path/to/headers.txt --pro

Parameters

| Flag | Type | Default | Description |
|------|------|---------|-------------|
| --header | string | — | Raw email headers (single line or multi-line) |
| --file | string | — | Path to text file containing raw headers |
| --pro | flag | False | Enable Pro features |
| --bundle | flag | False | Enable Bundle features |
| --output | string | — | Write JSON report to file |


Output Example

=== Email Header Analyzer ===
Analyzing headers for: phishing-suspicion@attacker.com

  🔴 SPF FAIL — sender IP not authorized
    SPF Result: fail
    From domain: company.com
    Sender IP: 203.0.113.45 (not in SPF allow list)
    Recommendation: Block or mark as suspicious

  🟡 DKIM: NONE (no signature found)
    Risk: Email has no cryptographic authentication

  🔴 DMARC POLICY FAIL
    Policy: reject
    Alignment: relaxed
    Result: SPF fail + DKIM none = DMARC fail

  🟡 FROM/REPLY-TO MISMATCH
    From:  legitimate@company.com
    Reply-To: refund@attacker-domain.com
    Risk: Likely phishing or business email compromise

  ✔ Received path looks normal (3 hops)
    Hop 1: mail.attacker.com [203.0.113.45]
    Hop 2: relay.example.net [198.51.100.23]
    Hop 3: mail.company.com [203.0.113.1]

  Threat Level: HIGH — Multiple authentication failures + Reply-To mismatch

Authentication Results Explained

| Result | Meaning |
|--------|---------|
| SPF pass | Sender IP is authorized by the domain's SPF record |
| SPF fail | Sender IP is NOT authorized — likely spoofing |
| DKIM pass | Email digitally signed, signature valid |
| DKIM fail | Signature tampered or invalid |
| DMARC pass | Both SPF and DKIM aligned and passing |
| DMARC fail | Alignment failed — domain claimed but auth didn't match |
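The checks listed under Features and the verdicts in the table above can be reproduced with nothing but the Python standard library. The block below is an added example written for this page; it is not the product's own email_analyzer.py. It parses raw RFC 5322 headers with email.parser, reads the spf/dkim/dmarc verdicts and the published DMARC policy from the receiving server's Authentication-Results header, flags a From/Reply-To domain mismatch, and lists the Received hops in delivery order. The two header samples are constructed for the example (the hostnames and IPs mirror the Output Example above and are not real mail), and the HIGH/MEDIUM/LOW scoring thresholds are an assumption of this example, not the product's.

```python
"""Pure-stdlib triage of raw RFC 5322 headers (added example, not the product's code)."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample, not a real message; values mirror the Output Example above.
SUSPICIOUS = """\
Received: from mail.company.com (mail.company.com [203.0.113.1])
\tby mx.recipient.example with ESMTP id 3; Tue, 5 Mar 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.23])
\tby mail.company.com with ESMTP id 2; Tue, 5 Mar 2024 10:00:02 +0000
Received: from mail.attacker.com (mail.attacker.com [203.0.113.45])
\tby relay.example.net with ESMTP id 1; Tue, 5 Mar 2024 10:00:01 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail (sender IP is 203.0.113.45) smtp.mailfrom=company.com;
\tdkim=none (message not signed);
\tdmarc=fail (p=reject dis=none) header.from=company.com
From: Accounts <legitimate@company.com>
Reply-To: refund@attacker-domain.com
Subject: Invoice overdue
"""

# Constructed legitimate counterpart: aligned, signed, no Reply-To redirection.
LEGIT = """\
Received: from mail.company.com (mail.company.com [203.0.113.1])
\tby mx.recipient.example with ESMTP id 9; Tue, 5 Mar 2024 11:00:00 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=company.com;
\tdkim=pass header.d=company.com;
\tdmarc=pass (p=reject dis=none) header.from=company.com
From: Accounts <billing@company.com>
Subject: Invoice
"""

# "from <host> (<rdns> [<ip>])" as written by most MTAs; the parenthesised part is optional.
HOP_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s+\([^)]*?\[(?P<ip>[0-9.]+)\]\))?")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Each relay prepends its Received header, so reverse to get delivery order."""
    hops = []
    for raw in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(" ".join(raw.split()))  # collapse folded whitespace
        if m:
            hops.append((m.group("host"), m.group("ip") or "?"))
    return hops


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts and the DMARC policy (p=) the receiver recorded."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none", "policy": None}
    for raw in msg.get_all("Authentication-Results") or []:
        flat = " ".join(raw.split())
        for mech, verdict in AUTH_RE.findall(flat):
            results[mech] = verdict.lower()
        pol = re.search(r"\bp=(\w+)", flat)
        if pol:
            results["policy"] = pol.group(1).lower()
    return results


def analyze(raw_headers):
    """Return verdicts, hop chain, findings and an assumed HIGH/MEDIUM/LOW threat level."""
    msg = HeaderParser().parsestr(raw_headers)
    auth = auth_results(msg)
    findings = []
    if auth["spf"] == "fail":
        findings.append("SPF FAIL: sender IP not authorized for the MAIL FROM domain")
    if auth["dkim"] != "pass":
        findings.append(f"DKIM {auth['dkim'].upper()}: no valid cryptographic signature")
    if auth["dmarc"] == "fail":
        findings.append(f"DMARC FAIL (policy {auth['policy']})")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"FROM/REPLY-TO MISMATCH: {from_dom} vs {reply_dom}")
    # Threshold is this example's assumption: three or more independent failures is HIGH.
    level = "HIGH" if len(findings) >= 3 else "MEDIUM" if findings else "LOW"
    return {"auth": auth, "hops": received_hops(msg), "findings": findings, "threat_level": level}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        report = analyze(sample)
        print(f"== {label}: {report['threat_level']} ==")
        for host, ip in report["hops"]:
            print(f"  hop {host} [{ip}]")
        for finding in report["findings"]:
            print("  -", finding)
```

Two caveats a practitioner should keep in mind: the verdicts come from whatever Authentication-Results header the receiving MTA stamped, so the script trusts the last hop's evaluation rather than re-validating SPF or DKIM itself, and any Received or Authentication-Results line added before the message reached your own server can be forged. Only the headers written by infrastructure you control are authoritative.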


Pro Upgrade

Full forensic analysis + IP reputation + domain age + path analysis:

👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo


Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com


🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →