Email Reputation Checker — Domain & Sender Threat Brief

True email reputation analysis combines header authentication results, body phishing models, attachment sandboxing, and historical sender volume. Our checker provides infrastructure-oriented signals — whether the sender domain shows phishing hostname patterns, appears on URI blocklists, publishes SPF and DMARC, and whether resolved hosting IPs carry malware DNSBL hits.

Use email-header-analyzer on raw headers for SPF DKIM alignment detail. Use this page when you already extracted a domain or egress IP and need threat context fast.

emailAuth summarizes SPF and DMARC presence from live DNS TXT lookups during the threat-intel domain brief. Missing DMARC on a domain that sends bulk mail increases spoofing risk. SPF absence does not prove malicious intent — many small senders misconfigure — but combined with high phishing riskScore and DNSBL listing, authentication gaps strengthen escalation.

Pair with spf-dkim-dmarc-checker for full record syntax validation beyond boolean presence flags.

phishing object returns riskScore, riskLevel, and signals from hostname heuristics — punycode, suspicious keywords, risky TLDs. dnsbl array shows DBL URIBL ZRD listing status for the domain label itself. Listed sender domains in active campaigns often appear on URI blocklists before mail filters catch volume.

Clean DNSBL does not prove benign mail — compromised legitimate domains send malware until takedown.

When you paste mail egress or relay IPv4, IP brief merges fraudScore, VPN proxy hosting botnet detection cards, and Spamhaus zen zone results. Mail operators investigate when outbound IP lands on zen SBL — often compromised account or open relay before content filters trigger.

Cross-link spamhaus-lookup for per-zone delisting detail after remediation.

Sender domains in phishing mail often resolve to bulletproof or freshly registered hosting. ipThreat embeds malware IP checker output for first A record IPv4 — malwareListHits, hosting, vpn, proxy flags. CDN-fronted corporate mail may show edge IP context unrelated to origin abuse — prefer direct egress IP when known from logs.

Both pages call action threat-intel with identical JSON — type, summary, nested phishing, dnsbl, emailAuth, reputation, spamhaus objects. threat-intelligence-lookup uses general threat intel SEO; email-reputation-checker targets operators searching email reputation terminology from deliverability and abuse desk workflows.

API consumers use threat-intel with query parameter interchangeably.

Run email-deliverability-checker on your own sending domain for MX SPF DKIM DMARC syntax. Run email reputation checker on suspicious inbound sender domains or unknown relay IPs from bounce diagnostics.

Document signal combinations in tickets — high phishing plus DNSBL plus missing DMARC warrants block; medium phishing on aged corporate domain may need header alignment review first.

GET /ip-tools/api/extended?action=threat-intel&query=example.com or query=203.0.113.10. Parse type, summary, emailAuth, phishing, dnsbl, ipThreat, reputation, spamhaus. Server-side request — not browser-local analysis.

Rate limits apply for automated polling — stagger bulk sender domain scans.

Queries for sender domains and IPs are processed server-side to fetch public DNS and threat APIs. Use for authorized mail abuse investigation — not for harassing legitimate senders based on heuristic flags alone.

We do not permanently store your searches — each lookup is request-scoped.