Under the hood

How It Works

Drop an email file. Get a verdict in under 60 seconds.
Here's exactly what happens, and what we never do.

01

You drop an .eml file

Export any suspicious email from Gmail, Outlook, Apple Mail, or Thunderbird as an .eml file and drop it on the scan page. MailArgus validates the file before anything leaves your device. A file in the wrong format or over 5 MB is rejected immediately.

02

We parse the email & identify the key link

The file is parsed entirely in server memory: sender identity, SPF/DKIM/DMARC authentication, the full mail server routing chain, body text, all URLs, and attachment hashes. Then Claude Haiku reads the link list and identifies the 1–3 most likely call-to-action URLs (e.g. "Verify your account") so you can confirm which link to scan before anything is submitted to external services. The raw file is never written to disk or stored.
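The in-memory parsing step described above, as an added example that is not MailArgus's own code: it uses Python's standard `email` package on a constructed sample message and reduces attachments to their SHA-256 digest. The names `parse_eml`, `SAMPLE_EML`, `URL_RE` and `AUTH_RE` are assumptions made for this illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample .eml (not a real message); hosts and IPs use reserved example ranges.
SAMPLE_EML = b"\r\n".join([
    b"Received: from mx.example.net ([203.0.113.7]) by mail.example.org; Mon, 1 Jan 2024 10:00:00 +0000",
    b"Received: from localhost ([198.51.100.9]) by mx.example.net; Mon, 1 Jan 2024 09:59:58 +0000",
    b"Authentication-Results: mail.example.org; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail",
    b'From: "Account Team" <security@example.com>',
    b"Subject: Verify your account",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"", b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"", b"Verify your account: https://login.example.test/verify?id=1",
    b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="invoice.bin"',
    b"Content-Transfer-Encoding: base64",
    b"", b"aGVsbG8=", b"--b1--", b"",
])

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def parse_eml(raw: bytes) -> dict:
    """Parse an .eml held in memory; nothing is written to disk."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Only the Authentication-Results header added by your own receiving server is
    # trustworthy; this example reads the topmost one and assumes it is that header.
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", "")).lower()))
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            # Keep only the digest: a hash lookup needs this, never the file bytes.
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return {"from": parseaddr(str(msg.get("From", "")))[1], "auth": auth,
            "hops": [str(h) for h in msg.get_all("Received", [])],
            "urls": list(dict.fromkeys(urls)), "attachments": attachments}
```

The `Received` hops are returned newest first, which is the order they appear in the file; reverse the list to read the routing chain from origin to destination.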

03

Four threat intel checks run in parallel

Once you confirm the link, four enrichment checks fire concurrently so nothing blocks anything else:

urlscan.io

A real headless browser loads the link, follows all redirects, and captures the final destination, domain, IP, and any phishing infrastructure. Submitted as unlisted. Your scan never appears in public results.

VirusTotal · Domain

The final destination domain (after all redirects) is checked against VirusTotal's database of 90+ security vendors. Catches malicious domains even when the original link looks innocent.

VirusTotal · Attachments

SHA-256 hashes of any attachments are checked against 90+ antivirus engines. No file bytes are ever transmitted. Only the hash.

Google Safe Browsing

The final destination URL is checked directly against Google's Safe Browsing API, the same database Chrome uses to warn users about dangerous sites.

04

Claude reasons over every signal

All extracted signals (headers, authentication, routing, body, URLs, and all threat intel results) are passed to Claude Sonnet. Claude weighs them in priority order: authentication failures first, then sender identity spoofing, then external URL and domain verdicts, then content signals like urgency language. A Phishing verdict requires at least two corroborating signals. Claude won't flag a legitimate email on urgency language alone.

05

You get a verdict

Results come back as one of three verdicts with a plain-language summary, key findings, and immediate advice. The Stats for Nerds panel shows the full technical breakdown: authentication badges, urlscan report, VirusTotal domain and attachment results, Google Safe Browsing status, signal-by-signal analysis, and AI confidence.

Safe

No meaningful red flags. Authentication passes, sender checks out, no malicious URLs, domain, or attachments.

Suspicious

Something is off but evidence is incomplete. One strong signal without corroboration. Treat with caution and verify through official channels.

Phishing

Strong corroborating evidence of malicious intent. Multiple signals confirm it. Do not click any links. Delete immediately.

What we never do

Your email file is processed in memory and discarded. No email content, addresses, or URLs are logged. Your IP is HMAC-hashed before rate-limit storage. The raw IP is never saved. Attachments never leave our server as bytes. Only their SHA-256 hash is sent to VirusTotal. External scans use unlisted visibility. We store no accounts and no email data. Ever.

MailArgus is a research tool. AI-generated verdicts may be incorrect. Always apply your own judgment. Not a substitute for professional security advice.