How to Check if an Email Is Legitimate (5-Step Verification)
A well-crafted phishing email is nearly impossible to distinguish from a real one just by looking at it. The logo is right, the language is professional, and the sender name looks familiar. But something feels off, and you are not sure whether to trust it.
Rather than guessing, you can verify an email's legitimacy in five concrete steps. Each step catches a different type of deception, and together they cover the vast majority of phishing and scam techniques in use today.
Step 1: Check the actual sender address
The display name in your inbox ("PayPal Security Team") is cosmetic. Anyone can set it to anything. The part that matters is the email address itself.
What to look for:
- Domain mismatch — An email claiming to be from PayPal should come from
@paypal.com, not@paypa1-secure.comor@paypal.notifications-center.com. Look at the part after the @ sign carefully. - Subdomain tricks — Attackers use subdomains to hide the real domain:
paypal.com.malicious-site.netlooks like PayPal but the actual domain ismalicious-site.net. Read the domain right-to-left from the @ sign. - Character substitution — The letter "l" replaced with "1", "rn" that looks like "m", or international characters that look identical to Latin letters. Zoom in or copy-paste the address into a text editor to spot these.
How to see the full sender address:
| Email client | How to reveal the address |
|---|---|
| Gmail (web) | Click the small arrow next to "to me" below the sender name |
| Outlook (web) | Click the sender name to expand the full address |
| Apple Mail | Hover over the sender name to see the full address |
| iPhone Mail | Tap the sender name, then tap again to see the address |
| Thunderbird | Full address is shown by default next to the sender name |
Step 2: Hover over every link before clicking
Phishing emails work by directing you to a fake website. The link text might say "Verify your account" but the actual URL could point anywhere. Always check where a link goes before clicking it.
On desktop: Hover your mouse over the link without clicking. The actual URL appears in the bottom-left corner of your browser or email client. Compare the domain in the URL to the expected domain (e.g., paypal.com for PayPal).
On mobile: Long-press (tap and hold) the link. A preview will show the full URL. Do not tap the link directly.
Red flags in URLs:
- The domain does not match the sender (email from "Netflix" but link goes to
netflix-verify.site) - IP addresses instead of domain names (
http://192.168.1.100/login) - Unusual top-level domains (
.xyz,.top,.buzz) for a company that should use.com - Extra subdomains designed to mislead (
secure-login.bank.malicious.com) - URL shorteners (bit.ly, tinyurl) in emails from companies that own their own domain
Step 3: Evaluate the content and context
Phishing emails create urgency to bypass your judgment. Before responding to any email that asks you to take action, pause and consider:
| Warning sign | What it might mean |
|---|---|
| Urgency pressure ("Your account will be closed in 24 hours") | Legitimate companies rarely threaten immediate account closure via email |
| Unexpected attachment (invoice, document, shipping label) | If you did not expect it, do not open it — especially .exe, .zip, or macro-enabled Office files |
| Request for credentials ("Confirm your password") | No legitimate company asks for your password via email. Ever. |
| Generic greeting ("Dear Customer" instead of your name) | Companies you have an account with usually know your name |
| Payment redirect ("Our bank details have changed") | Classic invoice fraud technique. Always verify payment changes by phone. |
| Too good to be true (prize, refund, inheritance) | You did not win a contest you never entered |
The phone test: If the email asks you to take an important action (change a password, send money, download something), call the supposed sender using a phone number you find independently (not the one in the email). This single step prevents most phishing attacks.
Step 4: Check the email headers
For emails that pass the first three checks but still feel suspicious, the headers contain the technical truth. Headers show where the email actually came from and whether it passed authentication checks.
How to view headers:
- Gmail: Three dots menu → "Show original"
- Outlook: Three dots → "View message source" or "View message details"
- Apple Mail: View → Message → All Headers
- Thunderbird: View → Message Source (Ctrl+U)
What to look for in headers:
Authentication results
Look for the Authentication-Results header. It shows whether the email passed SPF, DKIM, and DMARC:
Authentication-Results: mx.google.com;
spf=pass smtp.mailfrom=paypal.com;
dkim=pass header.d=paypal.com;
dmarc=pass
All three should show "pass" for a legitimate email from a major company. If any show "fail" or "none," the email may not be from who it claims to be.
Return-Path
The Return-Path header shows the actual sending address. Compare it to the From address. A mismatch (From says support@paypal.com but Return-Path says bounce@mass-mailer.net) is suspicious, though some legitimate email services do use different return paths for bounce handling.
Received headers
Read the Received headers from bottom to top — they trace the email's path from sender to you. The last server before your provider should be a server associated with the claimed sender. If it originates from an unrelated server in an unexpected country, that is a strong red flag.
For a detailed guide on reading email headers, see Understanding Email Headers: A Complete Guide.
Step 5: Verify through external sources
When you are still unsure after the first four steps, use external verification:
- Search the sender's email address — Paste the exact From address into Google. Known phishing addresses often appear in scam reports and security forums.
- Check the URL on VirusTotal — If the email contains a suspicious link, paste the URL (not the email) into
virustotal.com. It checks the URL against 70+ security services. - Look up the domain — Use a WHOIS lookup to check when the domain was registered. A brand-new domain (registered days ago) impersonating a major company is almost certainly malicious.
- Contact the company directly — Go to the company's website by typing the URL yourself (not from the email) and contact their support team. Ask if they sent the email.
Quick reference: the 5-step checklist
| Step | Check | Time needed |
|---|---|---|
| 1 | Verify the sender's actual email address (not just display name) | 5 seconds |
| 2 | Hover over all links to check destinations | 10 seconds |
| 3 | Evaluate urgency, context, and requests | 15 seconds |
| 4 | Check headers for authentication results (if still unsure) | 1 minute |
| 5 | Verify via external sources (VirusTotal, phone call, website) | 2 minutes |
Steps 1 through 3 take less than 30 seconds and catch the vast majority of phishing emails. Steps 4 and 5 are for when something still feels wrong after the quick checks.
What Cleanbox does automatically
Cleanbox runs these verification steps automatically on every incoming email. Authentication is checked before the email reaches your inbox. Sender reputation is evaluated against multiple blocklists and behavioral signals. The X-Cleanbox-Explanation header on every delivered email shows exactly what was checked and what the results were — so you can verify at a glance whether an email passed or failed, without digging through raw headers yourself.
For emails that score near the spam threshold, Cleanbox quarantines them for your review rather than delivering or deleting them silently. This means suspicious emails that might be legitimate are not lost — they wait for your decision.
Ready to take control of your inbox?
Start protecting your email with Cleanbox — free plan available, no credit card required.
Get started free