/ AI phishing analysis

Not sure that email is real? Get a verdict.

Drop in a suspicious email and this tool inspects what senders can't fake — SPF, DKIM, and DMARC authentication — checks every link against threat-intelligence databases, then has an AI read the content for social-engineering patterns. Verdict in about ten seconds.

The email you submit is processed by AWS and analyzed by Anthropic's Claude. Don't submit messages containing passwords, financial details, or personal data you wouldn't share with a cloud service. Results are advisory — when real money or credentials are at stake, verify with the sender through a channel you already trust.

~10s typical time to verdict
3 threat-intel feeds: VirusTotal, urlscan.io, PhishTank
2 AI models — fast first pass, stronger second opinion
50 automated tests behind every deploy

/ Coverage

Three layers of inspection, one verdict

Deterministic checks establish the facts. Threat intelligence corroborates them. AI reads for intent. No single layer decides alone.

/ Headers

Authentication analysis

SPF, DKIM, and DMARC results, weighted the way mail servers actually trust them: DMARC is the senior signal, and a DKIM failure on legitimately forwarded mail won't trigger a false alarm.

/ Links

URL & domain reputation

Every URL is extracted — including ones hidden in HTML — and checked for shorteners, IP-literal hosts, anchor-text bait, homoglyph lookalikes of major brands, and known-malicious reputation in VirusTotal, urlscan.io, and PhishTank.
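
Three of the link checks named above (IP-literal hosts, shorteners, and anchor text that shows a different domain than the href) are illustrated here on anchors pulled out of an HTML body. This is an added example, not the tool's own code; the `SHORTENERS` list, the flag names, and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # assumed sample list
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SAMPLE = (  # constructed body; 203.0.113.7 is a documentation-range address
    '<a href="http://203.0.113.7/login">https://www.example.com/login</a>'
    '<a href="https://bit.ly/x1">Track your parcel</a>'
    '<a href="https://mail.example.com/inbox">example.com</a>')

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_flags(href, text):
    host = (urlsplit(href).hostname or "").lower().removeprefix("www.")
    flags = []
    try:  # ip_address() raises ValueError for anything that is not an IP
        ipaddress.ip_address(host)
        flags.append("ip_literal_host")
    except ValueError:
        pass
    if host in SHORTENERS:
        flags.append("shortener")
    shown = DOMAIN_RE.search(text)  # does the visible text name a domain?
    if shown:
        d = shown.group(1).lower().removeprefix("www.")
        if host != d and not host.endswith("." + d):  # subdomains of d are fine
            flags.append("anchor_text_mismatch")
    return flags

def scan_html(html):
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, link_flags(href, text)) for href, text in parser.links]
```

`scan_html(SAMPLE)` flags the first link for both the IP-literal host and the text/href mismatch, the second as a shortener, and leaves the third clean. `urlsplit` raises `ValueError` on malformed bracketed hosts, so a scanner fed hostile mail should catch that and treat the link as suspicious rather than crash.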

/ Content

AI intent review

An AI model reads the message for the patterns humans fall for: manufactured urgency, authority impersonation, credential prompts, and payment redirection — grounded in the header facts, not overruled by them.

/ Pipeline

How a verdict gets made

Serverless end to end: your email enters via SES or this page's upload, and one Lambda function runs the whole pipeline.

Ingest

Email arrives via SES or the web upload. Rate limits and loop protection run before anything else touches it.

Parse

Headers, body, and every URL are extracted — from plain text and from HTML anchor tags where phishing kits hide targets.

Enrich

SPF/DKIM/DMARC weighting, sender-alignment checks, lookalike-domain detection, and threat-intel lookups produce hard signals.

Analyze

Claude Haiku reads content against the hard signals; uncertain verdicts escalate to Claude Sonnet for a second opinion.

Verdict

A structured verdict — tier, confidence, indicators, recommendation — returns by email reply or right here as JSON.

SES → S3 → Lambda (Python 3.13) → header analysis + URL reputation + Claude Haiku 4.5 / Sonnet → verdict → reply / JSON → CloudWatch telemetry

Trust your inbox again.

Check it here, or forward the suspicious email as an attachment to check@fredsprivacy.com.
