What is the Forensic view?
Every message you open in Mbox Viewer has three tabs in the top right: Preview, Raw and Forensic. The first two show the email as you would normally read it, or as plain source text. The Forensic tab does something different: it unpacks the hidden technical layer behind the email and tells you, in plain language, whether the message is probably genuine or whether something does not add up.
Most phishing emails look perfectly fine at a glance. They use your bank's logo, a tidy signature and a sender name you trust. What they cannot hide is the technical trail every email carries with it: which server sent it, whether the sender was actually allowed to send on behalf of that domain, and which route it travelled to reach you. That is exactly what the Forensic view makes readable.
Everything stays on your own device
Mbox Viewer runs 100% locally and offline. The forensic analysis happens entirely inside your own browser. No email, header or IP address is ever sent to a server or the cloud. Your data lives in a local database (IndexedDB) on your device and you can wipe it anytime via Settings, Clear database. Learn more about the extension at https://mbox-viewer.online.
The suspicion score (0 to 100)
At the top of the Forensic tab you will see a suspicion score between 0 and 100. This is a quick summary: the higher the number, the more warning signals Mbox Viewer found in the email. A score near 0 means everything the extension could check looks fine. A high score means you should be careful.
The score is a tool, not a verdict. It adds up the individual signals explained below. Use it to quickly spot which messages deserve a closer look, then read the details to understand why a message is suspicious.
Always start at the score, finish at the details
The score tells you where to look. The sections beneath it tell you why. A message scoring 70 only because it contains external images is very different from a 70 caused by name spoofing plus a mismatched Reply-To. So always read on.
SPF, DKIM and DMARC: is this sender allowed?
In the Authentication block you will see three abbreviations, each with a result. Usually that is pass or fail; results such as none or neutral mean the check could not be completed, for example because the domain publishes no SPF record. Together they answer one question: was this email really sent on behalf of the domain shown at the top, or is someone pretending?
- SPF checks whether the server that handed the mail over was allowed to send for the sender's domain. Every domain publishes a short list of approved servers in DNS. If the sending server is not on that list, SPF fails, which is a strong sign someone is impersonating the domain. Note that SPF is evaluated against the bounce address (Return-Path), which is not always the address you see in From.
- DKIM is a digital signature the sending domain places on selected headers and the body. The receiving server verifies it with a public key the signing domain publishes in DNS; if the signed parts were altered in transit, the signature no longer verifies. DKIM pass means the signing domain (the d= value in the signature) vouches for the message and the signed content was not tampered with along the way. That signing domain can be a mailing-list or newsletter provider rather than the domain in From.
- DMARC ties the other two to the visible sender. It passes only when SPF or DKIM passed for a domain that matches the From domain you see in your inbox (called alignment), and it publishes the domain owner's policy for what receivers should do when that is not the case. DMARC pass is the strongest sign the visible sender is genuine.
In short: three passes is reassuring. One or more fails, or a pass for a domain other than the one shown in From, on a message that appears to come from an important organisation (a bank, a government body, your employer) is a serious red flag.
Pass means genuine, not safe
SPF, DKIM and DMARC only prove that an email genuinely comes from a particular domain. They say nothing about intent. A scammer can register their own domain, including a lookalike such as bank-secure.example instead of bank.example, and set it up so it passes all three cleanly. So always read the other phishing signals too, and never trust a pass on its own.
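How a receiving server's verdict is read and how alignment with the visible From domain is checked, as an added example in JavaScript (not Mbox Viewer's own code; the From and Authentication-Results header values are constructed, and the organisational-domain comparison is simplified to the last two labels):

```javascript
// Added example, not Mbox Viewer's own code: read the results a receiving
// server recorded in its Authentication-Results header and check whether a
// pass is actually for the domain shown in From: (DMARC alignment).
// All header values below are constructed for this example.

// Domain part of an address header such as 'Your Bank <alerts@bank.example>'.
function addressDomain(headerValue) {
  const m = headerValue.match(/<([^>]+)>/) || headerValue.match(/[^\s<>]+@[^\s<>]+/);
  const addr = (m ? (m[1] || m[0]) : headerValue).trim();
  const at = addr.lastIndexOf('@');
  return at === -1 ? '' : addr.slice(at + 1).toLowerCase();
}

// Organisational domain for "relaxed" alignment: mail.bank.example aligns with
// bank.example. Simplified to the last two labels; a real implementation
// consults the Public Suffix List (co.uk and friends).
function orgDomain(domain) {
  return domain.split('.').slice(-2).join('.');
}

// Parse 'mx.receiver.example; spf=pass smtp.mailfrom=...; dkim=pass header.d=...; dmarc=...'
function parseAuthResults(value) {
  const out = { spf: null, dkim: null, dmarc: null };
  for (const clause of value.split(';').slice(1)) {   // clause 0 is the authserv-id
    const m = clause.trim().match(/^(spf|dkim|dmarc)=(\w+)\s*(.*)$/i);
    if (!m) continue;
    const props = {};
    for (const p of m[3].split(/\s+/).filter(Boolean)) {
      const eq = p.indexOf('=');
      if (eq > 0) props[p.slice(0, eq).toLowerCase()] = p.slice(eq + 1).toLowerCase();
    }
    out[m[1].toLowerCase()] = { result: m[2].toLowerCase(), ...props };
  }
  return out;
}

function assessAuthentication(fromHeader, authResultsHeader) {
  const fromDomain = addressDomain(fromHeader);
  const r = parseAuthResults(authResultsHeader);
  // SPF is evaluated for the bounce address (smtp.mailfrom), DKIM for the
  // signing domain (header.d). Either only vouches for the visible sender
  // when it aligns with the From: domain.
  const spfAligned = !!r.spf && r.spf.result === 'pass' &&
    orgDomain(r.spf['smtp.mailfrom'] || '') === orgDomain(fromDomain);
  const dkimAligned = !!r.dkim && r.dkim.result === 'pass' &&
    orgDomain(r.dkim['header.d'] || '') === orgDomain(fromDomain);
  return {
    fromDomain,
    spf: r.spf ? r.spf.result : 'none',
    dkim: r.dkim ? r.dkim.result : 'none',
    dmarc: r.dmarc ? r.dmarc.result : 'none',
    alignedPass: spfAligned || dkimAligned,
  };
}

// Constructed sample 1: everything passes for the domain shown in From.
const GENUINE = assessAuthentication(
  'Your Bank <alerts@bank.example>',
  'mx.receiver.example; spf=pass smtp.mailfrom=bounce.bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example'
);

// Constructed sample 2: SPF and DKIM both say "pass", but for the attacker's
// own sending domain. The visible From is spoofed, so nothing aligns and DMARC fails.
const SPOOFED = assessAuthentication(
  'Your Bank <alerts@bank.example>',
  'mx.receiver.example; spf=pass smtp.mailfrom=news.cheap-host.example; dkim=pass header.d=cheap-host.example; dmarc=fail header.from=bank.example'
);
```

The second sample is the case the "pass means genuine, not safe" warning is about: two green ticks that belong to a domain you never saw. Reading the smtp.mailfrom and header.d values next to the result is what turns a bare pass into a meaningful one.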
The transport chain: the journey the email took
Every server that touches an email along the way adds a Received line at the top. Together these lines form the transport chain: a kind of stamp book of the path the mail travelled, from the sender to your mailbox. You read it from bottom to top; the first server is at the bottom, the last one at the top. Keep in mind that only the lines added by your own provider's servers (the topmost ones) are trustworthy: everything below them was written by other parties, and a sender can fabricate lines to make a fake route look plausible.
For each step (hop) the Forensic tab shows the server's IP address, the time and whether the connection used TLS (encryption). This is useful for two reasons. First, the hop at which your provider accepted the mail tells you which server really handed it over, regardless of the sender name shown in the message. Second, an odd route stands out: a mail supposedly from a local bank that arrived through an unknown server in a faraway country deserves extra suspicion.
Timestamps: do the clocks match?
An email has a Date field (the time the sender's software claimed) and Received times (when servers actually passed it on). Normally these are within minutes of each other; small differences are just clock drift or time-zone conversions. A gap of hours or days between the stated Date and the real delivery time can mean the date was forged or the message was backdated. The Forensic tab places both side by side so you can spot the difference at a glance.
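Reading the transport chain and the Date gap described in the two sections above, as an added example in JavaScript (not Mbox Viewer's own code; the three Received headers and the Date value are constructed, with the Date deliberately backdated by a week):

```javascript
// Added example, not Mbox Viewer's own code: walk the Received: headers from
// the bottom (first hop) to the top (final hop), extract the time, connecting
// IP and TLS use of each hop, and measure the gap between the Date: the sender
// claimed and the time the final hop actually accepted the message.
// The headers below are constructed for this example.

// Received: headers in message order, i.e. the final hop first.
const RECEIVED = [
  'from mx1.receiver.example (mx1.receiver.example [198.51.100.7]) by mailbox.receiver.example with ESMTPS id abc123 (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384); Mon, 3 Jun 2024 10:15:22 +0000',
  'from mail.sender.example ([203.0.113.45]) by mx1.receiver.example with ESMTP id def456; Mon, 3 Jun 2024 10:15:20 +0000',
  'from [192.0.2.10] (unknown [192.0.2.10]) by mail.sender.example with ESMTPSA id ghi789; Mon, 3 Jun 2024 10:15:18 +0000',
];
const DATE_HEADER = 'Mon, 27 May 2024 09:00:00 +0000';   // what the sender claimed

function parseReceived(value) {
  // RFC 5322: the timestamp follows the last semicolon of the header.
  const semi = value.lastIndexOf(';');
  const when = semi === -1 ? null : new Date(value.slice(semi + 1).trim());
  const ip = value.match(/\[(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f:]+)\]/i);
  const proto = value.match(/\bwith\s+(\S+)/i);
  const protoName = proto ? proto[1].toUpperCase() : '';
  return {
    ip: ip ? ip[1] : null,
    time: when && !isNaN(when) ? when : null,
    // ESMTPS / ESMTPSA mean the SMTP session ran under STARTTLS; some servers
    // instead record the negotiated version in a comment such as version=TLS1.3.
    tls: protoName.startsWith('ESMTPS') || /version=TLS/i.test(value),
  };
}

// Hops in travel order: hops[0] is the first server that handled the mail.
function transportChain(receivedHeaders) {
  return receivedHeaders.slice().reverse().map(parseReceived);
}

// Positive = the mail was accepted after its claimed Date. A few minutes is
// normal clock drift; days means a backdated or forged Date.
function dateGapMinutes(dateHeader, receivedHeaders) {
  const claimed = new Date(dateHeader);
  const finalHop = parseReceived(receivedHeaders[0]);   // topmost = last hop
  if (isNaN(claimed) || !finalHop.time) return null;
  return Math.round((finalHop.time - claimed) / 60000);
}

// Hops whose timestamp goes backwards relative to the previous hop: another
// sign of a fabricated header (or badly skewed clocks), worth a closer look.
function outOfOrderHops(receivedHeaders) {
  const hops = transportChain(receivedHeaders);
  const bad = [];
  for (let i = 1; i < hops.length; i++) {
    if (hops[i].time && hops[i - 1].time && hops[i].time < hops[i - 1].time) bad.push(i);
  }
  return bad;
}
```

On the constructed chain the middle hop ran without TLS and the message was accepted about a week after its claimed Date; the first (bottom) hop is the one a sender controls and could have written themselves, so its IP deserves the least trust.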
Hashes: is an attachment unchanged?
For every attachment Mbox Viewer calculates hashes: SHA-256, SHA-1 and MD5. A hash is a kind of unique fingerprint of a file. Change even a single bit in the file and the whole fingerprint changes. This helps in two ways: you can show an attachment was not altered since you recorded its fingerprint (the fingerprint stays the same), and you can look up a suspicious attachment in public databases of known malicious files without having to share the file itself. Use SHA-256 for anything that matters: MD5 and SHA-1 are no longer collision-resistant, so two different files can be crafted to share one of those fingerprints, and they are mainly useful because older databases still index by them.
Geolocation of IP addresses
For the servers in the transport chain, the tab shows roughly where the IP addresses are located. This tells you in plain terms whether the route makes sense. If a supposedly local message arrives through a country where the sender has no business being, that is another piece of the puzzle pointing towards phishing. Treat it as a hint rather than proof: many legitimate organisations send through cloud or mailing providers hosted abroad, and IP geolocation databases are only approximate.
The phishing signals Mbox Viewer recognises
Beyond the score and authentication, the Forensic view actively looks for known scam tricks. These are the signals it flags:
- Name spoofing: the displayed sender name (for example "Your Bank") does not match the real email address behind it.
- Mismatched Reply-To: your reply would go to a completely different address than the sender. A classic trick to quietly redirect your response.
- Punycode domains: an internationalised domain name, shown as xn-- in the raw source, that uses special characters to resemble a well-known brand (for example a character that looks like an ordinary letter but is not).
- Failed authentication: SPF, DKIM or DMARC fails, as explained above.
- Date difference: the stated send date differs sharply from the real delivery time.
- Missing Message-ID: legitimate mail servers give every message a unique identifier. If it is missing, that is unusual.
- Suspicious TLD: the domain ends in an extension often linked to abuse, such as .tk, .ml or .ga.
- Tracking pixel: an invisible, tiny image that tells the sender you opened the mail. Mbox Viewer blocks external images by default precisely to prevent this.
- Link mismatch: the text of a link promises one address, but the link actually goes somewhere else. One of the most common phishing tricks.
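The header and body checks listed above, and the way individual hits add up to one score as described at the top of the page, as an added example in JavaScript (not Mbox Viewer's own code or its real scoring; the weights are invented for illustration, both messages are constructed, and the xn-- label is a made-up punycode domain):

```javascript
// Added example, not Mbox Viewer's own code: a small scanner that runs the
// checks listed above over a raw message and adds the hits up into a score.
// Weights are invented; both messages are constructed for this example.
const PHISHING_MESSAGE = [
  'From: "Your Bank <alerts@bank.example>" <noreply@xn--bnk-2na.tk>',
  'Reply-To: support@collect-mail.example',
  'Subject: Urgent: verify your account',
  'Content-Type: text/html; charset=utf-8',
  '',
  '<p>Please sign in at <a href="http://login.collect-mail.example/verify">https://www.bank.example/login</a></p>',
  '<img src="http://t.collect-mail.example/open.gif?id=42" width="1" height="1">',
].join('\r\n');

const GENUINE_MESSAGE = [
  'From: Your Bank <alerts@bank.example>',
  'Subject: Your monthly statement',
  'Message-ID: <20240603101518.1234@bank.example>',
  'Content-Type: text/html; charset=utf-8',
  '',
  '<p>Your statement is ready at <a href="https://www.bank.example/statements">https://www.bank.example/statements</a>.</p>',
].join('\r\n');

const SUSPICIOUS_TLDS = new Set(['tk', 'ml', 'ga']);   // the extensions named above

// Split a raw message into unfolded headers and body (single-part only).
function parseMessage(raw) {
  const sep = raw.search(/\r?\n\r?\n/);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep).replace(/^\r?\n\r?\n/, '');
  const headers = {};
  for (const line of head.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon > 0) headers[line.slice(0, colon).toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { headers, body };
}

// 'Display Name <user@domain>' (name may be quoted) or a bare address.
function parseAddress(value) {
  const m = value.match(/^\s*(?:"([^"]*)"|([^<]*?))\s*<([^>]+)>\s*$/);
  if (m) return { name: (m[1] !== undefined ? m[1] : m[2] || '').trim(), address: m[3].trim().toLowerCase() };
  return { name: '', address: value.trim().toLowerCase() };
}

function domainOf(address) {
  const at = address.lastIndexOf('@');
  return at === -1 ? '' : address.slice(at + 1);
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function phishingSignals(raw) {
  const { headers, body } = parseMessage(raw);
  const signals = [];
  const from = parseAddress(headers['from'] || '');
  const fromDomain = domainOf(from.address);
  const labels = fromDomain.split('.');

  // Name spoofing: the display name itself carries an address for another domain.
  const shown = from.name.match(/[\w.+-]+@[\w.-]+/);
  if (shown && domainOf(shown[0].toLowerCase()) !== fromDomain) {
    signals.push({ id: 'name-spoofing', weight: 20, detail: `name shows ${shown[0]}, address is ${from.address}` });
  }
  // Mismatched Reply-To: replies leave the sender's domain.
  const replyTo = parseAddress(headers['reply-to'] || '');
  if (replyTo.address && domainOf(replyTo.address) !== fromDomain) {
    signals.push({ id: 'reply-to-mismatch', weight: 15, detail: `replies go to ${replyTo.address}` });
  }
  // Punycode: an internationalised label appears as xn-- in the raw source.
  if (labels.some((l) => l.startsWith('xn--'))) {
    signals.push({ id: 'punycode-domain', weight: 15, detail: fromDomain });
  }
  if (!headers['message-id']) {
    signals.push({ id: 'missing-message-id', weight: 10, detail: 'no Message-ID header' });
  }
  if (SUSPICIOUS_TLDS.has(labels[labels.length - 1])) {
    signals.push({ id: 'suspicious-tld', weight: 10, detail: '.' + labels[labels.length - 1] });
  }
  // Link mismatch: anchor text that looks like a URL but points at another host.
  for (const m of body.matchAll(/<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)<\/a>/gi)) {
    const hrefHost = hostOf(m[1]);
    const textHost = hostOf(m[2].trim());
    if (hrefHost && textHost && hrefHost !== textHost) {
      signals.push({ id: 'link-mismatch', weight: 20, detail: `text says ${textHost}, link goes to ${hrefHost}` });
    }
  }
  // Tracking pixel: a remote 1x1 image.
  if (/<img\s[^>]*src="https?:\/\/[^"]*"[^>]*width="1"[^>]*height="1"/i.test(body)) {
    signals.push({ id: 'tracking-pixel', weight: 5, detail: 'remote 1x1 image' });
  }
  return { score: Math.min(100, signals.reduce((sum, s) => sum + s.weight, 0)), signals };
}
```

The constructed phishing message trips every check and lands at 95, while the genuine one scores 0; the point of returning the individual signals alongside the total is the one made at the top of the page: the score says where to look, the signal list says why.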
Checking a suspicious message step by step
Assess an email forensically
- Open your email file by dragging it onto the Mbox Viewer window (drag and drop). Supported formats include .mbox, .eml, .emlx, .msg and Maildir folders.
- In the list on the left, click the message you want to investigate.
- Click the Forensic tab in the top right.
- First read the suspicion score at the top for a quick overall picture.
- Check the Authentication block: are SPF, DKIM and DMARC pass or fail?
- Work through the transport chain: do the countries and the route make sense, and did the traffic use TLS?
- Compare the timestamps: is the stated Date close to the real delivery time?
- Read through the list of phishing signals and see which ones are flagged.
- Still unsure? Open the Raw tab to read the full source text yourself.
Recording a case as evidence
Want to keep your findings, for example to file a report or inform a colleague? Select the message (press x) and export a Forensic case file. That is a ZIP containing the emails themselves, forensic PDF reports, the hashes and a manifest. You can optionally encrypt it with a password (AES-256). This gives you a complete, verifiable dossier, without anything ever needing to travel over the internet.
Handy shortcuts while investigating
Use j and k to move through the list, Enter to open a message, x to select, Shift+A to select all, and / to search. With the search operator is:suspicious you can filter in one go for messages the extension marked as suspicious.
Does a high score prove it is definitely phishing?
No. The suspicion score is a sum of signals meant to guide your attention. A high score can also come from harmless things, such as a message with many external images. So always read the individual sections, like the authentication result and the phishing signals, to understand why the score is what it is.
If SPF, DKIM and DMARC all pass, is it safe?
Then it is established that the email genuinely comes from the domain shown in From and that the signed content was not altered in transit. That says nothing about the sender's intent, though. A scammer can make their own domain, or a lookalike of the real one, pass cleanly. So judge the other signals too, such as a mismatched Reply-To or a link mismatch.
Are my emails or IP details sent anywhere for this analysis?
No. The entire forensic analysis runs locally inside your own browser. There are no uploads, no servers and no telemetry. Your data stays in a local database on your device and can be wiped via Settings, Clear database.
Why can I not see images in a suspicious mail?
Mbox Viewer blocks external images by default to protect your privacy and stop tracking pixels. You can still load them per message with a button, but do so deliberately, because with a phishing mail this may tell the sender that you opened it.
What is a transport chain again, in plain words?
It is the list of servers the email touched along the way, from sender to your mailbox. Each server added a stamp with the time, IP address and whether the connection was encrypted. You read it from bottom to top and use it to see where the mail truly came from, trusting the stamps added by your own provider most, since the earlier ones could have been fabricated by the sender.
Can I record my findings as evidence?
Yes. Select the messages and export a Forensic case file: a ZIP with the emails, forensic PDFs, hashes and a manifest, optionally protected with an AES-256 password. Everything is assembled locally, with no internet connection.