top of page

5 Rules for Phishing Reporter Analysis: How to scan emails for phishing or malicious content?

Review the Email Header

In Outlook, select "View message details" to see the raw email. In Gmail, select "Show original" to see the raw email.

Review the header to make sure it follows the rules below, if it breaks one or more of these rules the message could be a phishing message.

Rule 1: If the domains in the fields below do not match, it could be a phish.

  • smtp.mailfrom

  • Return-Path

  • From:

  • Reply-to/Bounces-to

Rule 2: If the email travel path is less than 2 it could be a phish. An email should travel through at least two email servers, the "sending" server and the "receiving" server. See the "Received" items in the header to review the email server travel path.

The "Received" item should be consistent with the origin country of the message. If you see China or Russia in the originating "Received" item it could be a phish.

Rule 3: If the email does not pass the DKIM or SPF check, it could be a phish. The email header should show the following:

  • spf=pass

  • dkim=pass

Review the Attachments

Rule 4: If the attachment has one of the following extensions, it could be a phish. Please use an email security scanning tool or private cloud sandbox to scan the attachment. Do not download the file onto your machine locally.

  • .html

  • .zip

  • .bat

  • .exe

  • .xls

  • .doc

  • .rtf

  • .pdf

  • .img

  • .iso

Review the Links

Rule 5: Hover over the link. If the displayed link does not match the linked URL, it could be a phish. If the linked URL does not match the context of the email, it could be a phish.

Final Thoughts

These are the five basic rules for analyzing phishing emails that are sent via the HacWare Reporter Tool.

We highly recommend investing in an email security tool and gateway that will quarantine suspicious emails and attachments. Or hire an expert managed service provider (MSP) to manage your information security needs.

If you have any questions or need a recommendation for an MSP please reach out to us at


Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing email by 60%. Let us educate your end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to keep user attention and improve learning outcomes.

Learn more about our partner program and how we can support your MSP's growth!

bottom of page