Related explainers
Understand the signal.
Do you understand your domain’s email authenticity surface?
When a suspicious email, invoice request or impersonation attempt appears, the first question is often simple: what can be observed about the domain?
ThreatScope Check Email Surface reads public email-authentication signals and separates observed evidence from unavailable context, bounded interpretation and suggested next actions.
No login. No email sent. No inbox testing.
It does not prove protection or predict delivery. It helps make the visible email-authentication surface easier to inspect, explain and review.
①
Observe
Read publicly avalable email-authentication signals.
→
②
Interpret
Translate the signals into a reviewable interpretation.
→
③
Limit
Show what email-authentication signals can and cannot prove.
→
✔
Act
Export the evidence along with a staged sequence of next actions to support sender‑validation planning and enforcement decisions.
Privacy-safe by design.
Everything happens on your device. It runs in your browser, uses DNS‑over‑HTTPS, and never sends an email. No login, no tracking, no data leaving your hands.
Impersonation scenario
The impersonation scenario adds context to the bounded interpretation using the same observed DNS evidence. It does not run extra checks, send email, perform an attack, or test inbox delivery.
Enter a domain like example.com.au.
Do not include https://, paths, or query strings.
Checks run live.
Do not include https://, paths, or query strings.
Checks run live.
Adds scenario context to the bounded interpretation. No extra lookup is run.
1 · Observed signals
Advanced observed evidence
3 · Bounded interpretation
Interpretation boundaries
4 · Suggested next actions
Rollout caution
5 · Evidence export
Evidence export
Export the raw DNS queries and responses used for this posture check.
How the Email-authenticity surface check works
1) Observe signals
We read public DMARC, SPF, DKIM selector, MTA-STS and TLS-RPT signals using DNS-over-HTTPS.
The result is a live view of observable email-authentication posture, with no login, no tracking and no email sent.
2) Bound interpretation
We separate what is observed from what remains unavailable, then provide a bounded, standards-informed interpretation.
This is not inbox deliverability testing and does not predict mailbox placement.
3) Evidence and next actions
For each observed gap or unavailable context item, the surface provides:
- staged suggested next actions,
- standards references, and
- a downloadable evidence bundle for review.
ThreatScope Check
The Email Surface focuses on observable email-authentication signals for one domain. The main ThreatScope Check Domain Trust Check looks across the broader visible trust surface of a domain, including DNS, mail, web delivery, registration and certificate signals where available.
Use the Email Surface when you want to inspect mail-authentication posture in more detail. Use the Domain Trust Check when you want a wider view of what the domain exposes publicly at the time of inspection.
Both views are evidence surfaces, not assurance statements. They help separate observed signals from unavailable context, interpretation limits and suggested next actions.