Problem
Header forensics shouldn’t be a debate club. But in real life, teams burn time arguing from screenshots and gut feel.
Why it matters
If you can’t extract signal fast, you either overreact (noise) or underreact (miss the real campaign). Both are expensive.
What it does
- Parses saved email headers (text)
- Surfaces authentication cues (SPF/DKIM/DMARC-related signals) and routing oddities
- Highlights obvious spoof patterns and “looks wrong” indicators
- Outputs a readable summary you can drop into triage notes
Use cases that triggered it
- “Is this a spoof or just a vendor with a messy mail setup?” — answer in minutes.
- Security mailbox triage: reduce noise, focus on the real threats.
- Teach juniors to read headers without hand-holding.
How to run
- Save headers into a
.txtfile (body not needed). - Run locally and point the script at the file.
Safe use & controls
- Treat headers as Confidential metadata (infra details leak easily).
- Sanitize domains/IPs before sharing outside your team.
- Keep outputs in restricted storage if used in incident artifacts.
Limitations
- Headers vary across gateways and clients; edge cases exist.
- This is triage tooling — not a full forensic pipeline.