ZeroTrace OSINT
Email Analysis
Parse, validate, and reputation-score an email — with SPF / DMARC verdict, Gravatar, role-account flag, and breach-domain check.
The email analyzer takes an email address and returns everything publicly knowable about it without sending a single byte to the inbox: address parts, validity, MX records, disposable-provider check, free-mail-provider flag, role-account flag, deliverability score, Gravatar, and breach-domain check.
It is the right first tool when an email lands in your investigation and you need to know whether it belongs to a real person or is a role, disposable, corporate, or personal address.
What you get
| Field | What it tells you |
|---|---|
| Local part | The part before @ |
| Domain | The part after @ |
| MX records | Mail exchangers that accept mail for the domain |
| Disposable flag | Whether the domain is a known disposable / temp-mail service (Mailinator, 10MinuteMail, etc.) |
| Free-provider flag | Whether the domain is a major free-mail provider (Gmail, Outlook, ProtonMail, etc.) |
| Role-account flag | Whether the local part is a role address (info@, admin@, abuse@, noreply@, etc.) |
| Catch-all flag | Whether the domain accepts any local part (DNS-only check, no SMTP probing) |
| SPF record | Sender Policy Framework record, with strict-mode flag |
| DMARC record | Domain-based Message Authentication, with policy (p=) |
| DKIM presence | Whether the domain publishes a DKIM key |
| Deliverability score | Composite 0-100 based on SPF strict, DMARC reject, DKIM present, free-provider, role-account |
| Gravatar | Avatar URL + size variants (the email's MD5 hash, against gravatar.com) |
| Breach-domain hint | Whether the domain appears in the public list of breached domains |
Disposable vs. free-mail vs. role
These three flags categorise most emails into one of:
- Personal email at a free provider — Gmail, Outlook, ProtonMail, Yahoo. Probably a real person; one of many possible aliases for them.
- Personal email at a paid provider or vanity domain — anything not on the free-provider list. Often higher signal of a real, identifiable person.
- Role address — `info@`, `support@`, `admin@`. Probably an organisation, not a person.
- Disposable — single-use, will not exist in a few hours. Often a signal of throwaway intent.
For triaging "is this a real lead worth following up?" the four-way classification is most of the answer.
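The four-way classification as an added example (not the tool's own code), with per-class counts for a pasted list. The three sets are constructed stand-ins for the bundled lists, and the precedence order and the `+tag` handling are assumptions made for this sketch.

```python
from collections import Counter

# Constructed stand-ins for the bundled lists; real lists are far longer.
DISPOSABLE = {"mailinator.com", "10minutemail.com"}
FREE = {"gmail.com", "outlook.com", "protonmail.com", "yahoo.com"}
ROLE = {"info", "support", "admin", "abuse", "noreply"}

def split_address(address):
    """Return (local, domain), or None when the address is not usable."""
    text = address.strip()
    local, sep, domain = text.rpartition("@")  # split on the last @
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain or any(c.isspace() for c in text):
        return None
    return local, domain

def classify(address):
    parts = split_address(address)
    if parts is None:
        return "invalid"
    local, domain = parts
    # Assumption: drop a +tag so "support+billing" still counts as a role.
    base = local.lower().split("+", 1)[0]
    # Assumed precedence: disposable wins, then role, then free provider.
    if domain in DISPOSABLE:
        return "disposable"
    if base in ROLE:
        return "role"
    if domain in FREE:
        return "personal-free"
    return "personal-paid-or-vanity"

def triage(addresses):
    """Bulk view: (address, class) rows plus a count per class."""
    rows = [(a.strip(), classify(a)) for a in addresses]
    return rows, Counter(label for _, label in rows)

# Constructed sample input.
SAMPLE = ["Jane.Doe@Gmail.com", "support+billing@example.org",
          "x9f2@mailinator.com", "jane@doe.example", "not-an-address",
          "info@gmail.com"]

if __name__ == "__main__":
    rows, counts = triage(SAMPLE)
    for address, label in rows:
        print(f"{label:24} {address}")
    print(dict(counts))
```

Note that `info@gmail.com` comes out as a role address: the role check runs before the free-provider check, so the local part decides.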
Catch-all detection
A "catch-all" domain accepts mail at any local part. From an OSINT standpoint, a catch-all means "the existence of a particular local part at this domain proves nothing" — every local part exists by definition.
The tool detects catch-alls by issuing a DNS-only MX probe against a random-UUID local part. No SMTP traffic is generated; the existence check is purely DNS-based. A wildcard-shaped MX response indicates catch-all.
Catch-all detection is critical when checking "does name@domain.com exist?" — for catch-all domains, the existence check is meaningless. Any local part exists by domain configuration.
Deliverability score
A 0-100 composite of:
- SPF presence and strictness (`-all` strict, `~all` soft, missing).
- DMARC policy strength (`reject` strong, `quarantine` medium, `none` weak, missing).
- DKIM presence.
- Whether the domain is on the free-mail-provider list (slightly downweights deliverability — many free providers are aggressive about spam filtering).
- Whether the local part is a role account (slightly downweights — role addresses are often forwarded or filtered).
The score is a heuristic for whether mail to this address is likely to land in the inbox. It is not a vouch for the address being real.
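A sketch of how such a composite can be computed from raw TXT records, added here as an example and not the tool's own scoring. The point weights, the `weak` bucket for `?all`, `+all`, or a record with no `all` term, and the sample records are all assumptions.

```python
# Assumed weights: the page names the inputs but not their values.
SPF_POINTS = {"strict": 30, "soft": 15, "weak": 0, "missing": 0}
DMARC_POINTS = {"reject": 40, "quarantine": 25, "none": 10, "missing": 0}
DKIM_POINTS = 30
PENALTY = 5  # applied once each for free-provider and role-account

def spf_strength(txt):
    """Grade an SPF record by the qualifier on its `all` mechanism."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return "missing"
    if "-all" in terms:
        return "strict"
    if "~all" in terms:
        return "soft"
    return "weak"  # ?all, +all, redirect-only, or no `all` term

def dmarc_policy(txt):
    """Return the p= value of a DMARC record, or "missing"."""
    tags = {}
    for part in (txt or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return "missing"
    policy = tags.get("p")
    return policy if policy in ("reject", "quarantine", "none") else "missing"

def deliverability(spf_txt, dmarc_txt, has_dkim,
                   free_provider=False, role_account=False):
    score = SPF_POINTS[spf_strength(spf_txt)]
    score += DMARC_POINTS[dmarc_policy(dmarc_txt)]
    score += DKIM_POINTS if has_dkim else 0
    score -= PENALTY if free_provider else 0
    score -= PENALTY if role_account else 0
    return max(0, min(100, score))  # clamp to the 0-100 range

if __name__ == "__main__":
    # Constructed records for illustration.
    print(deliverability("v=spf1 include:_spf.example.net -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@example.net", True))
    print(deliverability("v=spf1 mx ~all", "v=DMARC1; p=none", False,
                         role_account=True))
```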
Gravatar
Gravatar identifies users by the MD5 hash of their email address. The tool computes the hash and constructs the gravatar URL. If a Gravatar exists, the avatar is a strong identity signal — the same email has been used to register on Gravatar-aware services.
The tool surfaces:
- The Gravatar URL.
- A small thumbnail preview.
- Size-variant URLs (32, 64, 128, 256, 512 px).
A pivot from the Gravatar feeds directly into the reverse image composer — same workflow as profile-photo cross-platform matching.
Breach-domain hint
The tool checks whether the email's domain appears in HIBP's public list of breached domains. A "yes" tells you the domain has been the source of a known breach; for a more specific check on the email itself, use the breach lookup tool.
Pivots
| Click on... | Pivot to |
|---|---|
| Domain | DNS lookup, WHOIS, certificate transparency, site analysis |
| MX hostname | DNS lookup |
| Local part | Username search (treat the local part as a handle) |
| Email | Breach lookup, person investigation composer |
| Gravatar URL | Reverse image composer |
Bulk email analysis
Bulk paste accepts many emails and runs the full analysis against each. The aggregate table shows the four-way classification, deliverability score, and breach-domain hint per email — fast triage of a list dropped from a CRM, a marketing leak, or a phishing report.
Sources
- DNS resolution against the system resolver for MX, SPF, DMARC, DKIM, catch-all probe.
- Bundled lists of disposable providers, free-mail providers, role-account local parts.
- The HIBP public breached-domains list.
- Direct construction of the Gravatar URL (no fetch — the URL is the artefact).