Cleanbox
Features Blog Pricing Developers
Sign in Start free trial
security phishing how-to

How to Check if an Email Is Legitimate (5-Step Verification)

How to Check if an Email Is Legitimate (5-Step Verification)

A well-crafted phishing email is nearly impossible to distinguish from a real one just by looking at it. The logo is right, the language is professional, and the sender name looks familiar. But something feels off, and you are not sure whether to trust it.

Rather than guessing, you can verify an email's legitimacy in five concrete steps. Each step catches a different type of deception, and together they cover the vast majority of phishing and scam techniques in use today.

Step 1: Check the actual sender address

The display name in your inbox ("PayPal Security Team") is cosmetic. Anyone can set it to anything. The part that matters is the email address itself.

What to look for:

  • Domain mismatch — An email claiming to be from PayPal should come from @paypal.com, not @paypa1-secure.com or @paypal.notifications-center.com. Look at the part after the @ sign carefully.
  • Subdomain tricks — Attackers use subdomains to hide the real domain: paypal.com.malicious-site.net looks like PayPal but the actual domain is malicious-site.net. Read the domain right-to-left from the @ sign.
  • Character substitution — The letter "l" replaced with "1", "rn" that looks like "m", or international characters that look identical to Latin letters. Zoom in or copy-paste the address into a text editor to spot these.

How to see the full sender address:

Email clientHow to reveal the address
Gmail (web)Click the small arrow next to "to me" below the sender name
Outlook (web)Click the sender name to expand the full address
Apple MailHover over the sender name to see the full address
iPhone MailTap the sender name, then tap again to see the address
ThunderbirdFull address is shown by default next to the sender name

Step 2: Hover over every link before clicking

Phishing emails work by directing you to a fake website. The link text might say "Verify your account" but the actual URL could point anywhere. Always check where a link goes before clicking it.

On desktop: Hover your mouse over the link without clicking. The actual URL appears in the bottom-left corner of your browser or email client. Compare the domain in the URL to the expected domain (e.g., paypal.com for PayPal).

On mobile: Long-press (tap and hold) the link. A preview will show the full URL. Do not tap the link directly.

Red flags in URLs:

  • The domain does not match the sender (email from "Netflix" but link goes to netflix-verify.site)
  • IP addresses instead of domain names (http://192.168.1.100/login)
  • Unusual top-level domains (.xyz, .top, .buzz) for a company that should use .com
  • Extra subdomains designed to mislead (secure-login.bank.malicious.com)
  • URL shorteners (bit.ly, tinyurl) in emails from companies that own their own domain

Step 3: Evaluate the content and context

Phishing emails create urgency to bypass your judgment. Before responding to any email that asks you to take action, pause and consider:

Warning signWhat it might mean
Urgency pressure ("Your account will be closed in 24 hours")Legitimate companies rarely threaten immediate account closure via email
Unexpected attachment (invoice, document, shipping label)If you did not expect it, do not open it — especially .exe, .zip, or macro-enabled Office files
Request for credentials ("Confirm your password")No legitimate company asks for your password via email. Ever.
Generic greeting ("Dear Customer" instead of your name)Companies you have an account with usually know your name
Payment redirect ("Our bank details have changed")Classic invoice fraud technique. Always verify payment changes by phone.
Too good to be true (prize, refund, inheritance)You did not win a contest you never entered

The phone test: If the email asks you to take an important action (change a password, send money, download something), call the supposed sender using a phone number you find independently (not the one in the email). This single step prevents most phishing attacks.

Step 4: Check the email headers

For emails that pass the first three checks but still feel suspicious, the headers contain the technical truth. Headers show where the email actually came from and whether it passed authentication checks.

How to view headers:

  • Gmail: Three dots menu → "Show original"
  • Outlook: Three dots → "View message source" or "View message details"
  • Apple Mail: View → Message → All Headers
  • Thunderbird: View → Message Source (Ctrl+U)

What to look for in headers:

Authentication results

Look for the Authentication-Results header. It shows whether the email passed SPF, DKIM, and DMARC:

Authentication-Results: mx.google.com;
    spf=pass smtp.mailfrom=paypal.com;
    dkim=pass header.d=paypal.com;
    dmarc=pass

All three should show "pass" for a legitimate email from a major company. If any show "fail" or "none," the email may not be from who it claims to be.

Return-Path

The Return-Path header shows the actual sending address. Compare it to the From address. A mismatch (From says support@paypal.com but Return-Path says bounce@mass-mailer.net) is suspicious, though some legitimate email services do use different return paths for bounce handling.

Received headers

Read the Received headers from bottom to top — they trace the email's path from sender to you. The last server before your provider should be a server associated with the claimed sender. If it originates from an unrelated server in an unexpected country, that is a strong red flag.

For a detailed guide on reading email headers, see Understanding Email Headers: A Complete Guide.

Step 5: Verify through external sources

When you are still unsure after the first four steps, use external verification:

  • Search the sender's email address — Paste the exact From address into Google. Known phishing addresses often appear in scam reports and security forums.
  • Check the URL on VirusTotal — If the email contains a suspicious link, paste the URL (not the email) into virustotal.com. It checks the URL against 70+ security services.
  • Look up the domain — Use a WHOIS lookup to check when the domain was registered. A brand-new domain (registered days ago) impersonating a major company is almost certainly malicious.
  • Contact the company directly — Go to the company's website by typing the URL yourself (not from the email) and contact their support team. Ask if they sent the email.

Quick reference: the 5-step checklist

StepCheckTime needed
1Verify the sender's actual email address (not just display name)5 seconds
2Hover over all links to check destinations10 seconds
3Evaluate urgency, context, and requests15 seconds
4Check headers for authentication results (if still unsure)1 minute
5Verify via external sources (VirusTotal, phone call, website)2 minutes

Steps 1 through 3 take less than 30 seconds and catch the vast majority of phishing emails. Steps 4 and 5 are for when something still feels wrong after the quick checks.

What Cleanbox does automatically

Cleanbox runs these verification steps automatically on every incoming email. Authentication is checked before the email reaches your inbox. Sender reputation is evaluated against multiple blocklists and behavioral signals. The X-Cleanbox-Explanation header on every delivered email shows exactly what was checked and what the results were — so you can verify at a glance whether an email passed or failed, without digging through raw headers yourself.

For emails that score near the spam threshold, Cleanbox quarantines them for your review rather than delivering or deleting them silently. This means suspicious emails that might be legitimate are not lost — they wait for your decision.

Ready to take control of your inbox?

Start protecting your email with Cleanbox — free plan available, no credit card required.

Get started free