
Email Forensics

Forensic analysis of email headers to trace routing paths, verify SPF/DKIM/DMARC authentication, detect spoofing attempts, and analyze sender IP reputation. Paste full email headers below.

About Email Header Forensics for Investigations

Email header forensics is a vital technique for investigating phishing attacks, business email compromise (BEC), spam campaigns, and email spoofing. Every email message contains headers that record the complete delivery path from sender to recipient, including each mail server hop, timestamps, authentication results, and routing decisions. The Sherlock OSINT Email Forensics tool parses these headers to provide a clear visualization of the email's journey and verify its authenticity.

The analysis includes verification of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records, which are the primary email authentication mechanisms used to prevent spoofing and phishing. By examining the originating IP address, delivery delays, and authentication chain, investigators can determine whether an email is legitimate or has been forged. This tool is essential for incident response teams, SOC analysts, and digital forensic investigators handling email-based threats.
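As an added example (not the Sherlock OSINT tool's own code), the Python below rebuilds the hop sequence from `Received` headers, computes per-hop delivery delay, and reads the SPF/DKIM/DMARC verdicts from `Authentication-Results`. The sample headers, hostnames and IP addresses are constructed, and the function names `trace_hops` and `auth_verdicts` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (documentation domains and IP ranges only).
SAMPLE = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk.example;
 dkim=fail header.d=bank.example; dmarc=fail header.from=bank.example
Received: from relay.bulk.example (relay.bulk.example [198.51.100.7])
 by mx.recipient.example with ESMTPS; Tue, 05 Mar 2024 10:15:42 +0000
Received: from workstation (unknown [203.0.113.45])
 by relay.bulk.example with ESMTP; Tue, 05 Mar 2024 10:02:10 +0000
From: "Bank Support" <support@bank.example>
Subject: Action required

body
"""

def trace_hops(raw):
    """Return hops oldest-first with connecting IP, receiving host and delay."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received header, so reverse for chronology.
    # Only hops added by servers you trust are reliable; lower ones can be forged.
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info)  # IPv4 literal only
        by = re.search(r"\bby\s+(\S+)", info)
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            when = None  # missing or malformed timestamp
        hops.append({"ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None, "time": when})
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"]:
            cur["delay_s"] = (cur["time"] - prev["time"]).total_seconds()
    return hops

def auth_verdicts(raw):
    """Extract spf/dkim/dmarc results; trust only your own receiver's header."""
    msg = message_from_string(raw)
    value = " ".join(msg.get_all("Authentication-Results", []))
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)
    return {mech.lower(): result.lower() for mech, result in found}

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    print(auth_verdicts(SAMPLE))
```

In the sample, SPF passes for the envelope domain `bulk.example` while DMARC fails for the visible `From` domain `bank.example`, the pattern to look for when a message spoofs a display sender.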