How to Tell If an Email Is Fake or a Scam
To tell if an email is fake or a scam, check three things in order: the real sender address (not the display name), the message header for failed SPF/DKIM/DMARC checks, and the domain it claims to come from. If the display name says "PayPal" but the address ends in a lookalike or random domain, and authentication fails, it is almost certainly phishing.
Scammers win by rushing you. A legitimate company rarely demands that you confirm a password, pay a fee, or click within minutes. The fastest defense is to slow down for sixty seconds and read the email like an investigator instead of a reader — the signals are usually right there in plain sight.
This guide walks through the exact checks a fraud analyst runs: reading the From line, inspecting headers, verifying domain reputation, and confirming an address before you trust anything attached to it.
What a scam sender typically looks like once these checks are run:
- Display name: "Account Security Team"
- Real address: support@suspicious-s•••.com
- Domain age: registered 6 days ago
- SPF / DMARC: both failed
- Seen in breach data: no legitimate footprint
Key takeaways
- The display name lies, the address doesn't. Always expand the real From address before reacting to who an email claims to be from.
- Headers don't lie either. A failed SPF, DKIM, or DMARC result is a strong phishing signal you can read for free.
- Lookalike domains are the #1 trick. Watch for swapped letters, extra words, and free-mail addresses pretending to be a brand.
- Urgency plus a link equals risk. "Act now or lose access" is engineered to stop you from checking.
- Verify out-of-band. Confirm the sender through a channel you already trust — never the contact details inside the suspicious email.
How do you read the real sender address?
The single most common mistake is trusting the display name. Email lets anyone set that name to whatever they want — "Apple Support," "HR Department," your bank — while the actual address behind it is something else entirely. Tap or hover on the sender to expand the full address before you read another word.
Once you see the real address, ask one question: does the part after the @ belong to the company it claims to be? A message from a global brand will not arrive from a free Gmail or Outlook account, and it will not come from a domain stuffed with extra words like secure-login-verify.com. When in doubt, a quick reverse email lookup tells you whether that address has any legitimate history at all.
- Display name vs. address mismatch: the name says a brand, the address doesn't match it.
- Free-mail impersonation: a "company" writing from @gmail.com or @outlook.com.
- Reply-To swap: the visible sender looks fine but replies route to a different, unrelated address.
What does the email header tell you?
Every email carries a header — a hidden block of routing data most people never open. It records which servers the message passed through and, crucially, whether the sending domain passed authentication. Three checks matter: SPF (was the sending server authorized by the domain's published list of permitted senders?), DKIM (did a valid signature from the domain prove the message was not altered in transit?), and DMARC (does the From address line up with a passing SPF or DKIM result, and what does the domain owner's policy say to do when it doesn't?).
You can view the header in most clients under "Show original," "View source," or "Message details." Look for the authentication-results line. If you see SPF or DKIM marked as fail while the email claims to be from a major brand, that is one of the clearest fake-email signals available — and it costs nothing to read.
- spf=fail or dkim=fail on a message claiming to be from a big company.
- Originating server in a region that makes no sense for the supposed sender.
- A long chain of unfamiliar relay servers before delivery.
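The From-line and header checks above, as an added Python example that is not part of the original article: it parses a constructed sample message (not a real capture), compares the display name, real address and Reply-To, and reads the SPF/DKIM/DMARC verdicts from the receiver's Authentication-Results header. The brand-to-domain map and free-mail list are hypothetical and would be replaced with your own.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real capture): brand display name, lookalike
# domain, swapped Reply-To, and receiver-recorded SPF/DKIM/DMARC verdicts.
RAW_MESSAGE = b"""\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=paypal-security-center.com;
 dkim=none header.d=none;
 dmarc=fail (p=REJECT) header.from=paypal-security-center.com
From: "PayPal Account Security Team" <alerts@paypal-security-center.com>
Reply-To: recover-account@mail-box-free.example
"""

# Hypothetical brand -> genuine domain map and free-mail list; extend as needed.
BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def sender_findings(raw):
    """Apply the From-line and header checks; return a list of finding strings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = addr.rpartition("@")[2].lower()
    findings = []
    for brand, real_dom in BRAND_DOMAINS.items():
        claims_brand = brand in name.lower()
        if claims_brand and from_dom != real_dom and not from_dom.endswith("." + real_dom):
            findings.append(f"display name claims {brand} but address is @{from_dom}")
        if claims_brand and from_dom in FREE_MAIL:
            findings.append(f"brand name sent from free-mail domain {from_dom}")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_dom:
        findings.append(f"Reply-To routes to {reply_to}, not the From domain")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":  # fail, softfail, none, temperror: all deserve a look
            findings.append(f"{method}={verdict}")
    return findings
```

Run `sender_findings(RAW_MESSAGE)` to get one line per signal; a clean message from the genuine domain with all three verdicts at pass returns an empty list.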
How do you verify the domain's reputation?
The domain after the @ is the heart of the scam. Attackers register lookalike domains that read correctly at a glance but differ by a swapped letter, an added word, or a different ending. A brand-new domain registered days before it emails you is a major red flag — legitimate companies almost never message customers from a domain with no history.
Beyond age, reputation matters. Check whether the domain has a real website, valid contact records, and a footprint that matches the brand it claims to be. When the story doesn't add up, it helps to investigate the domain itself: who registered it, when, and whether security feeds have already flagged it for abuse.
- Character swaps: rnicrosoft.com (r-n) reading as "microsoft," or a zero standing in for an O.
- Bolt-on words: paypal-security-center.com instead of the plain brand domain.
- Fresh registration: a domain only days or weeks old that already wants your credentials.
- Wrong ending: a known brand suddenly writing from an unusual top-level domain.
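The lookalike patterns listed above, as an added Python example that is not from the original article: it reduces each domain label to the shape a reader perceives (folding r-n into m, zero into o, stripping accents) and then looks for a brand name in any label or hyphenated part. The allow-list of genuine brand domains is a hypothetical stand-in for your own.

```python
import unicodedata

# Hypothetical allow-list of genuine brand domains; a real deployment loads
# its own list of the brands it cares about.
BRAND_DOMAINS = {"microsoft.com", "paypal.com", "apple.com"}

# Letter pairs that imitate another letter, then digits that imitate letters.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label):
    """Reduce a domain label to what a reader perceives: lowercase, strip
    accents, fold look-alike digits and letter pairs."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        label = label.replace(pair, single)
    return label


def lookalike_of(domain):
    """Return the genuine brand domain that `domain` imitates, or None.
    Catches character swaps (rnicrosoft.com), bolt-on words
    (paypal-security-center.com), wrong endings (paypal.net) and a brand
    name buried in a subdomain; the real domain and its subdomains pass."""
    domain = domain.lower().strip(".")
    for brand in BRAND_DOMAINS:
        if domain == brand or domain.endswith("." + brand):
            return None
    labels = domain.split(".")
    parts = []  # every hyphen-separated piece of every label except the TLD
    for label in labels[:-1]:
        parts.extend(skeleton(label).split("-"))
    for brand in BRAND_DOMAINS:
        if skeleton(brand.rsplit(".", 1)[0]) in parts:
            return brand
    return None
```

Exact-match on the folded brand name keeps unrelated domains such as appleseed.com out; a bolt-on written without a hyphen (paypalsecurity.com) would need a looser rule than this one.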
What are the classic phishing red flags?
Beyond the technical signals, scam emails share a behavioral fingerprint. They manufacture urgency, dangle a reward or a threat, and push you toward a single action: click this link, open this attachment, or reply with sensitive information. Recognizing the pattern is often faster than any header analysis.
Generic greetings ("Dear Customer"), small grammar slips, and links whose visible text doesn't match their real destination are all giveaways. Hover over any link — without clicking — and read the address it actually points to. If the visible label and the real URL disagree, treat the whole message as hostile.
- Artificial urgency: "Your account will be suspended in 24 hours."
- Unexpected attachments: invoices, shipping labels, or "documents" you never requested.
- Credential or payment requests: any email asking you to confirm a password or pay a fee by link.
- Mismatched links: the button says one site, the hover preview shows another.
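The mismatched-link check described above, as an added Python example that is not from the original article: it walks the anchors in a constructed HTML body (not a real message) and reports every link whose visible label names one host while its href goes to another, the same comparison a hover preview lets you make by eye.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body (not a real capture): the first link's visible label
# and its href point at different hosts, the classic mismatched link.
SAMPLE_HTML = """
<a href="http://203.0.113.7/login">https://www.paypal.com/signin</a>
<a href="https://paypal-security-center.com/verify">Verify now</a>
<a href="https://www.example.org/help">www.example.org/help</a>
"""
# Link text that itself names a host, e.g. "www.bank.example/login".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Pair each <a href> with the text rendered inside it."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercased host named by a URL or bare 'host/path' string."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def mismatched_links(html):
    """Return (visible_text, real_host) for each link whose label names a
    host different from the one the href actually goes to."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
            out.append((text, host_of(href)))
    return out
```

Labels such as "Verify now" name no host, so they are left to the domain checks; only labels that themselves look like an address are compared.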
How should you verify before you trust an email?
When something feels off, verify out-of-band — through a channel you already trust, never the contact details inside the suspicious message. Open the company's website by typing the address yourself, log in directly, and check for the alert there. Or call the number printed on your card or a past statement, not the one in the email.
For a faster read, run the sender address through a checker that pulls domain reputation, header signals, and breach history at once. A legitimate address tends to have a consistent footprint; a throwaway scam address usually has none. Pairing that with a habit of checking whether your data has leaked helps you understand how the scammer got your address in the first place.
- Type the official URL yourself instead of clicking the email's link.
- Call a number you already have, not one provided by the message.
- Cross-check the sender address against domain and breach data before replying.
Frequently Asked Questions
How can I tell if an email is fake in just a few seconds?
Expand the real sender address and look at the part after the @. If it isn't the company's genuine domain — or it's a free Gmail or Outlook account claiming to be a brand — that's your fastest signal it's fake. Add a quick scan for urgency and link mismatches and you can triage most scams in under a minute.
Can a scam email come from a real, legitimate address?
Yes. Attackers sometimes send from genuine accounts that were hijacked through stolen passwords, so authentication may even pass. That's why behavior still matters: an unexpected payment request, a strange link, or an out-of-character tone from a known contact warrants a direct, out-of-band confirmation before you act.
What is the difference between a fake email and a phishing email?
"Fake" usually means the email is forged or impersonating someone it isn't. "Phishing" describes the goal: tricking you into handing over credentials, money, or data. Most phishing emails are fake in some way, but the defining feature of phishing is that it's trying to extract something valuable from you.
Is it safe to open a suspicious email to check it?
Opening an email to read it is generally low-risk on modern clients, especially with images blocked. The danger is in acting — clicking links, opening attachments, or enabling content. Read the message and headers, but don't interact with anything inside until you've verified the sender through a separate, trusted channel.
What should I do after I confirm an email is a scam?
Don't click, reply, or download anything. Report it as phishing in your email client so the provider can act, then delete it. If you already clicked or entered credentials, change that password immediately, enable two-factor authentication, and check whether the affected account or address shows up in known data breaches.
Conclusion
Telling a fake or scam email from a real one comes down to a repeatable habit: read the true sender address, check the header for failed authentication, verify the domain, and confirm anything important through a channel you already trust. None of it requires special tools — only the discipline to slow down before you click. Next time a message pressures you to act fast, run the sender through a quick email reputation check first and let the signals decide for you.