Free scam email checkers combine domain reputation lookups (Spamhaus, URLhaus), URL scanning (VirusTotal, urlscan.io), and phishing databases (PhishTank, APWG) to flag malicious senders. For sender-side investigation of impersonation or spoofing, use MXToolbox blacklist check, VirusTotal domain lookup, and DMARC report analysis together.
Free Scam Email Checkers: Tools to Use
Senders end up checking suspicious emails for two main reasons: someone is impersonating your brand and you need to confirm the source, or you are auditing a vendor (list provider, ESP, outreach tool) that may be selling or sending fraudulent traffic. Either way, the toolchain is mostly the same and most of it is free.
This guide focuses on what's actually useful from a sender-side perspective — not consumer "is this email a scam?" content. For consumer guidance, the FTC and major ISP help centers are better resources.
What "scam email" means in practice
Three overlapping categories show up in sender investigations:
- Phishing — fraudulent messages designed to steal credentials or financial info, often spoofing legitimate brands
- Malware delivery — messages with malicious attachments or links to drive-by-download URLs
- Spam and abuse — bulk unsolicited mail from compromised or malicious infrastructure
The detection toolchain overlaps because the indicators overlap: bad sending IPs, bad URLs, bad domain reputations, missing or fraudulent authentication.
The free stack
Blacklist and reputation checks
MXToolbox Blacklist Check — queries 100+ DNSBLs (Spamhaus, Barracuda, SORBS, etc.) for an IP or domain. Free for individual lookups. Useful first stop for any suspicious sender.
Spamhaus Domain Block List (DBL) and IP lookups — directly query Spamhaus for the most authoritative reputation data. The DBL covers domains used in spam, phishing, and malware campaigns.
URLhaus by abuse.ch — community database of URLs used to deliver malware. Searchable for any URL or domain. Free API.
URL and content scanning
VirusTotal — scans URLs and domains against 70+ antivirus engines and reputation databases. Free for non-commercial use. Returns engine-by-engine verdicts.
urlscan.io — visits the URL in a sandboxed browser and records the full page load, screenshots, DOM, and network requests. Free public scans are visible to all users (use private scans for sensitive investigations on a paid tier).
PhishTank — community-submitted phishing URL database. Free API. Submission lag means recent campaigns may not yet be listed.
Authentication and spoofing detection
MXToolbox SPF, DKIM, DMARC checks — verify a domain's published authentication records. If an email claims to come from paypal.com but the sending IP is not in PayPal's SPF and the message fails DKIM, it is almost certainly spoofed.
DMARC report aggregators (Postmark DMARC Digests, Dmarcian free tier, Mailhardener) — if you own the domain being impersonated, DMARC reports show who is sending mail claiming to be you. See our DMARC setup guide.
Practitioner note: When a client gets reports of phishing using their brand, the first three things I check are: their DMARC policy (is it actually p=reject?), their DMARC aggregate reports for the past 30 days (where is the spoofing originating?), and their own domain in Spamhaus DBL (have they been compromised?). The answer to "who is impersonating us?" usually emerges from DMARC data within an hour.
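To show what "where is the spoofing originating?" looks like in the data, here is an added example (not code from this guide or from any of the tools named) that totals the messages per source IP that failed both DKIM and SPF in an RFC 7489 aggregate report. The report is constructed sample data with documentation addresses, and it assumes the report XML carries no namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 layout), trimmed to the fields used.
REPORT = """<feedback>
  <policy_published><domain>brand.example</domain><p>none</p></policy_published>
  <record><row><source_ip>198.51.100.7</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.45</source_ip><count>340</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.45</source_ip><count>60</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    """Return (published policy, [(source_ip, failed_count), ...])."""
    # Reports come from third parties; for untrusted files a hardened
    # parser such as defusedxml is the safer choice.
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    failing = Counter()
    for rec in root.iter("record"):
        verdict = rec.find("row/policy_evaluated")
        # A message fails DMARC only when DKIM and SPF both fail alignment.
        if verdict.findtext("dkim") == "fail" and verdict.findtext("spf") == "fail":
            failing[rec.findtext("row/source_ip")] += int(rec.findtext("row/count"))
    return policy, failing.most_common()

if __name__ == "__main__":
    policy, sources = summarize(REPORT)
    print("published policy:", policy)
    for ip, count in sources:
        print(f"{ip}\t{count} messages failed DMARC")
```

The record with DKIM pass and SPF fail is left out on purpose: it still passes DMARC, which is the usual pattern for legitimate forwarded mail.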
A workflow for investigating a suspicious sender
When a suspicious message lands and you need to know what you're dealing with:
1. Pull full headers from the message
2. Extract: sending IP, From domain, Return-Path, DKIM-Signature d=
3. Check sending IP in MXToolbox blacklist check
4. Check From domain in Spamhaus DBL
5. Scan any URLs in VirusTotal and urlscan.io
6. Verify SPF/DKIM/DMARC alignment for From domain
7. If domain is yours and DMARC failed, check DMARC reports
This takes about 10 minutes per message and produces a defensible verdict.
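Steps 1 to 4 and 6 of the workflow above, as an added example that is not part of the original guide: it pulls the four identifiers out of raw headers, builds the Spamhaus DNS query names for the IP and From domain, and checks relaxed identifier alignment. The message is constructed, and the two-label organizational-domain rule and IPv4-only handling are simplifying assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers, not a real message. Domains and the
# 203.0.113.45 address are documentation placeholders.
RAW = (
    "Received: from mail.example.net (mail.example.net [203.0.113.45])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 4 May 2026 10:00:00 +0000\n"
    "Return-Path: <bounce@mailer.example.net>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel1;\n"
    "\th=from:subject; bh=AAAA; b=BBBB\n"
    'From: "Brand Support" <service@brand.example>\n'
    "Subject: Action required\n\nbody\n"
)

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def org_domain(domain):
    # Assumption: last two labels. Production code needs the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def extract(raw):
    msg = email.message_from_string(raw)
    # The top Received header was added by your own receiving server, so it
    # is the hop to trust; headers below it can be forged by the sender.
    received = msg.get_all("Received") or [""]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    dkim = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return {
        "ip": ip.group(1) if ip else None,
        "from": domain_of(msg.get("From", "")),
        "return_path": domain_of(msg.get("Return-Path", "")),
        "dkim_d": dkim.group(1).lower() if dkim else None,
    }

def dnsbl_names(fields):
    # DNS names to resolve for steps 3 and 4 (IPv4 only in this sketch).
    rev = ".".join(reversed(fields["ip"].split(".")))
    return [f"{rev}.zen.spamhaus.org", f"{fields['from']}.dbl.spamhaus.org"]

def alignment(fields):
    # Relaxed alignment of identifiers only; each mechanism must also pass.
    base = org_domain(fields["from"])
    return {
        "spf": org_domain(fields["return_path"]) == base,
        "dkim": bool(fields["dkim_d"]) and org_domain(fields["dkim_d"]) == base,
    }
```

On the sample, neither the Return-Path nor the DKIM d= domain shares an organizational domain with the From address, so the message cannot pass DMARC for brand.example regardless of the raw SPF and DKIM results.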
When the free tools aren't enough
Free tools are triage. For systematic protection, senders need:
- DMARC with aggregate reporting at rua= to a dashboard you actually read
- BIMI to give legitimate mail visual confirmation in supporting inboxes
- Brand monitoring (paid services like Memcyco, Bolster, RedMarlin) for typo-squatting and domain registration alerts
- Takedown services if you experience repeated phishing campaigns
For the foundational layer, see our guides on DMARC, BIMI, and email authentication.
What scam checkers cannot tell you
Practitioner note: A clean reputation lookup does not mean a domain is safe. New phishing domains are registered daily and may not appear in any blocklist for hours or days. URL scanners can be evaded by URLs that serve benign content to scanner IPs and phishing content to real users. Use behavioral signals (urgency, unusual sender, mismatched display name) alongside automated checks.
The most sophisticated phishing operations rotate infrastructure, use legitimate compromised servers, and serve scanner-evading content. No free tool will catch all of these. Defense in depth matters: authentication, monitoring, user training, and incident response.
Self-checks for senders
Run these monthly against your own domain to catch problems before customers report them:
| Check | Tool | What it tells you |
|---|---|---|
| Spamhaus DBL | spamhaus.org | Your domain on a major blocklist |
| MXToolbox blacklist | mxtoolbox.com | Sending IPs on any DNSBL |
| Google Postmaster Tools | gmail.com/postmaster | Gmail-side reputation |
| DMARC reports | rua= aggregator | Who is sending as you |
| URLhaus | urlhaus.abuse.ch | Your domain hosting malware (if compromised) |
If any of these light up, you have a problem worth solving immediately. See our blacklist removal guide and email blacklists guide for remediation.
If you need help investigating brand impersonation, setting up DMARC monitoring, or auditing whether your domain has been compromised, book a consultation. I run authentication and reputation audits for senders dealing with active phishing campaigns.
Sources
- Spamhaus: Domain Block List Documentation
- URLhaus by abuse.ch
- VirusTotal API Documentation
- urlscan.io API
- RFC 7489 — DMARC
- Anti-Phishing Working Group (APWG)
v1.0 · May 2026
Frequently Asked Questions
How can I check if an email is a scam for free?
Check the sender domain against Spamhaus, SURBL, and URLhaus blocklists via MXToolbox or domaintools.com. Scan any embedded links with VirusTotal or urlscan.io. Verify the sending domain's SPF, DKIM, and DMARC alignment to detect spoofing of legitimate brands.
What is the best free email scam checker?
No single tool catches everything. The strongest free stack is MXToolbox blacklist check (sender reputation), VirusTotal (URL and domain scanning), urlscan.io (live URL behavior), and PhishTank (community-reported phishing). Use all three when investigating a suspicious message.
Why would a sender need a scam email checker?
Senders use these tools when investigating impersonation of their own brand, when receiving abuse complaints, or when auditing list providers for risky sources. Checking your own domain in these databases confirms you have not been compromised or spoofed.
Can I check if my domain is being spoofed?
Yes. Deploy DMARC with reporting enabled and analyze the XML reports to see who is sending mail claiming to be from your domain. Combine with reverse lookups on suspicious IPs. See our DMARC setup guide for full workflow.
Are free scam email checkers reliable?
Reliable enough for triage but not authoritative. Community databases (PhishTank) have submission lag. Reputation lists (Spamhaus) can have false positives. Combine multiple sources and treat a single hit as a flag, not a verdict.