Phishing Email Analyzer — Domain Link Risk Score
Hostname phishing heuristics for domains extracted from reported email links and spoofed senders
How to Use This Tool
- Extract the domain from the suspicious email link or sender hostname.
- Paste into the domain field — URLs strip to hostname automatically.
- Server runs punycode, keyword, TLD, hyphen, digit, depth, and length heuristics.
- riskScore maps to riskLevel low, medium, or high with signals explaining each hit.
- Optional HTTPS HEAD reports reachable when domain validates.
- Document signals in tickets before blocklist or filter rule changes.
About This Tool
Users forward suspicious emails with opaque URLs — analysts need fast hostname triage on linked domains without detonating malware in a sandbox first. VSPIC phishing email analyzer calls the phishing-domain action with the domain field — paste the hostname or URL from the email link, Reply-To domain, or Return-Path anomaly — and receives riskScore, riskLevel, signals array, punycode flag, hyphen and digit counts, optional reachable HEAD status, and summary text from weighted heuristics.
Server-side analysis queries public HTTPS for optional reachability and evaluates hostname patterns — not email body NLP or attachment scanning. Core scoring matches phishing-domain-checker. Strip paths and paste bare domains when possible. High scores flag common phishing patterns; human review remains essential before user-wide blocks.
Common use cases
- •Check if a VPN or proxy is detected on your connection
- •Validate SSL certificates before launch
- •Scan for email addresses in known breaches
Why use VSPIC for ?
- Phishing email workflow framing on phishing-domain heuristics.
- Punycode homograph detection for IDN impersonation links.
- Transparent signals array for SOC ticket documentation.
- riskScore thresholds for SOAR automation cutoffs.
- No full page fetch — safer first pass than sandbox detonation.
- Free instant hostname analysis — no account required.
Phishing email analysis workflow
Typical triage extracts three hostnames — link href domain, visible From domain, and Return-Path bounce domain — which often differ in sophisticated spoofing. Run this analyzer on each extracted hostname separately. Mismatch between From and link domain without aligned authentication in headers strengthens phishing verdict when combined with high riskScore.
Use email-header-analyzer on full raw headers for SPF DKIM DMARC alignment before relying on hostname score alone.
phishing-domain action and result fields
Backend action phishing-domain returns suspicious boolean, riskScore, riskLevel, signals string array, punycode, hyphenCount, digitCount, reachable, and summary. Each signal documents a heuristic hit — Suspicious keyword: login, Punycode IDN detected, Risky TLD, and similar entries.
Server-side handler — your domain input is processed on our infrastructure to run heuristics and optional HEAD probe.
Punycode links in email HTML
HTML emails hide homograph domains behind friendly anchor text — users see Trusted Bank while href points to xn-- branded homograph. punycode true triggers strong penalty regardless of anchor text display.
Train users to hover and inspect hostname before click — this tool automates the hostname inspection step for analysts.
Keyword and TLD signals in campaign URLs
Bulk phishing registers secure-login-verify-label.example.tk patterns. Keyword hits add twelve points each; risky TLD adds twenty. signals array lists matched tokens for filter rule authoring.
Avoid automatic org-wide blocks on keyword alone — marketing uses verify and account legitimately.
reachable HEAD probe caveats
reachable true means HTTPS responded — phishing pages routinely return 200. reachable false does not mean benign — geo-fencing and bot detection block probes. Core riskScore is hostname-derived independent of HTTP status.
Relationship to phishing-domain-checker
Identical phishing-domain API and JSON. phishing-domain-checker uses general phishing domain SEO; phishing-email-analyzer targets analysts processing user-reported email links.
GET /ip-tools/api/extended?action=phishing-domain&domain=example.com
Pairing with threat-intelligence-lookup
After high riskScore here, run threat-intelligence-lookup on same domain for DNSBL listing, resolved ipThreat, and emailAuth context. Composite evidence strengthens block decisions.
Low heuristic score with DNSBL hit still warrants investigation — campaigns reuse aged domains with clean hostname patterns.
Privacy and responsible triage
Submit only domains from authorized abuse reports — user forwards, SOC tickets, or internal test campaigns. HEAD probe briefly contacts public HTTPS endpoints.
Heuristic flags are investigative signals — not public accusations without review.
What this does not analyze
Attachment hashes, macro documents, QR codes, and tel: links require separate pipelines. Body social engineering tone is out of scope. This tool answers whether the linked hostname looks like known phishing registration patterns.
Important notes & limitations
- Server-side API — domain submitted to our phishing-domain handler.
- Does not parse full email MIME, headers, or attachments.
- Heuristic patterns only — legitimate marketing domains may score medium.
- Clean score does not prove link safety — verify through official channels.
- Does not detect credential form content on landing pages.
Frequently Asked Questions
Yes. VSPIC offers this phishing email analyzer at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. You manually paste the domain or URL extracted from a suspicious email. Server-side phishing-domain analysis runs on that input only.
Yes. Scheme and path strip to hostname before heuristics run.
No. Clean heuristics do not prove safety. Verify through official channels and header authentication.
Same phishing-domain API. This page emphasizes email link triage workflows and reported-phishing vocabulary.
Server-side. phishing-domain action runs heuristics and optional HEAD probe on our extended API.
phishing-domain with the domain parameter.
Next step for your check
Continue with phishing domain checker on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
Phishing Domain Checker
Heuristic phishing risk — punycode, keywords, TLD abuse, hostname patterns
Use Free →Email Header Analyzer
Parse email headers to trace sender route and authentication
Use Free →Threat Intelligence Lookup
Aggregate IP or domain threat brief — reputation, Spamhaus, phishing, DNSBL
Use Free →Malware URL Scanner
URL reputation scan — single or batch, phishing & malware signals
Use Free →SSL Checker
Validate SSL/TLS certificates and expiration dates
Use Free →Blacklist Checker
Check if an IP is listed on spam and abuse blacklists
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS