Most people know a phishing email “feels off,” but a defender needs a repeatable way to confirm it. This checklist turns a gut feeling into a decision you can document and act on — all without clicking anything dangerous.
1. Read the message headers first
The visible From name is trivial to fake. The headers tell the real story: the sending IP, the return path, and the authentication results. Look for a mismatch between the display domain and the actual sending domain, and note whether the message travelled through servers that have nothing to do with the claimed sender.
2. Check SPF, DKIM, and DMARC
These three tell you whether the sending server was authorized and whether the message was altered in transit. SPF checks the sending IP against the domain’s allowed senders. DKIM verifies a cryptographic signature. DMARC ties them together and states what to do on failure. A legitimate message from a well-run domain usually passes all three; repeated failures on a “bank” or “IT department” email are a strong red flag.
3. Inspect links without visiting them
Hover to reveal the true destination, and compare it to the anchor text. Watch for lookalike domains that swap characters or add a subdomain to impersonate a brand. Never open a suspicious link in your normal browser session — inspect the URL as text, and if you must resolve it, use an isolated environment or a URL analysis tool.
4. Weigh the pressure tactics
Phishing leans on urgency, authority, and fear: an account will close, a payment failed, a manager needs a gift card “right now.” Legitimate senders rarely combine urgency with a request for credentials, payment, or one-time codes. When those signals stack up, treat it as hostile until proven otherwise.
5. Decide and record
Once you have the evidence, make a call: report, quarantine, or release. Preserve the original message and headers so your team can build detections from it. If the email impersonated your own organization, that is a signal to review your DMARC policy and staff awareness.
This workflow is for analyzing messages sent to you or to systems you are authorized to defend. Do not use it to target, probe, or investigate accounts you do not own.