{
  "slug": "phishing-header-inspector",
  "name": "gizza-ai/phishing-header-inspector",
  "version": "0.1.0",
  "title": "Phishing Header Inspector — Check Email Headers | gizza.ai",
  "description": "Paste raw email headers to flag From/Return-Path mismatches, Reply-To detours, failed SPF/DKIM/DMARC, and suspicious Received hops locally.",
  "tags": [
    "email header analyzer",
    "phishing header checker",
    "spoofing detector",
    "spf dkim dmarc",
    "return path mismatch",
    "received headers",
    "email security"
  ],
  "category": "network",
  "urls": {
    "page": "https://gizza.ai/tools/phishing-header-inspector/",
    "markdown": "https://gizza.ai/tools/phishing-header-inspector/index.md",
    "descriptor": "https://gizza.ai/tools/phishing-header-inspector/tool.json",
    "deep_link_example": "https://gizza.ai/tools/phishing-header-inspector/?headers=From%3A%20Alerts%20%3Calerts%40example.com%3E%0AReturn-Path%3A%20%3Cbounce%40example.com%3E%0AAuthentication-Results%3A%20mx.example%3B%20spf%3Dpass%3B%20dkim%3Dpass%3B%20dmarc%3Dpass%0AReceived%3A%20from%20mail.example.com%20by%20mx.example&report_mode=detailed&check_received=true"
  },
  "cli": "gizza tool phishing-header-inspector \"From: Alerts <alerts@example.com>\nReturn-Path: <bounce@example.com>\nAuthentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass\nReceived: from mail.example.com by mx.example\"",
  "tool": {
    "description": "Inspect pasted raw email headers for offline phishing and spoofing indicators. The tool compares From, Return-Path, Reply-To, display-name, Message-ID, SPF, DKIM, DMARC, and Received-hop evidence; highlights mismatched sender domains, failed or missing authentication results, suspicious reply paths, short or missing Received chains, and private/internal relay references; and returns a deterministic MINIMAL/LOW/MEDIUM/HIGH/CRITICAL risk score. It never performs DNS, reputation, HTTP, SMTP, or mailbox lookups, so it is safe for private browser-local triage but not a final deliverability verdict.",
    "parameters": {
      "additionalProperties": false,
      "properties": {
        "check_received": {
          "default": true,
          "description": "Whether to inspect the Received header chain for missing/short relay paths and private/internal IP references. Disable for copied header snippets that intentionally omit Received lines.",
          "type": "boolean"
        },
        "headers": {
          "description": "Raw RFC 5322 email headers to inspect. Paste the header block including fields such as From, Return-Path, Authentication-Results, Received, Reply-To, DKIM-Signature, and Message-ID. The message body is ignored after the first blank line.",
          "type": "string"
        },
        "report_mode": {
          "default": "detailed",
          "description": "How much text to return: 'detailed' includes every finding and recommended checks; 'summary' returns identity/authentication fields plus the top findings.",
          "enum": [
            "detailed",
            "summary"
          ],
          "type": "string"
        }
      },
      "required": [
        "headers"
      ],
      "type": "object"
    }
  }
}