Frequently asked questions
Common questions about forwarding emails, how data is stored, what the results mean, and how to use Rubiscout's features.
Forwarding emails
Why does my forwarded email show no SPF, DKIM, or DMARC results?
When you forward an email using your client's standard "Forward" button, your mail server creates a brand-new outbound message. The original authentication headers are gone — any SPF, DKIM, or DMARC results now reflect your forwarding server, not the original sender.
To get full authentication results, forward the email as an attachment instead. This sends the original message as an .eml file with all headers intact:
• Gmail: open the email → ⋮ (More) → "Forward as attachment"
• Outlook (desktop): Ctrl+Alt+F
• Apple Mail: Option+Cmd+F (or Message → Forward as Attachment)
• Yahoo Mail: ⋯ (More) → "Forward as attachment"
Rubiscout will show a green banner when it successfully extracted the original headers from an attachment.
Why does the Routing tab show no hops for my forwarded email?
Same root cause as above. The original Received: headers that record each mail server the message passed through are replaced by your forwarding server's headers when you forward inline. Forward as an attachment to preserve the full routing chain.
I forwarded a spam email but the analysis seems incomplete. Why?
You most likely used inline forwarding (the default "Forward" button). Rubiscout detects inline-forwarded emails and analyzes the embedded header block from the body text, but inline forwarding strips authentication and routing data.
For a complete analysis, forward the email as an attachment. If you've already forwarded it inline, you can still get partial results — Rubiscout will show an amber banner explaining what data is limited and why.
How do I get the most complete analysis when forwarding?
Forward the email as an attachment (message/rfc822) rather than inline. This preserves the full original header — routing chain, SPF/DKIM/DMARC results, ARC chain, and all.
Per-client steps:
• Gmail: ⋮ (More) → "Forward as attachment"
• Outlook (desktop): Ctrl+Alt+F
• Outlook 365 (web): More actions → "Forward as attachment"
• Apple Mail: Option+Cmd+F
• Yahoo Mail: ⋯ (More) → "Forward as attachment"
• Thunderbird, ProtonMail, Fastmail: look in the "More" or "Options" menu
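The difference between the two forwarding modes described above is easiest to see in code. The following is an added example, not part of the FAQ and not Rubiscout's own extraction logic: it builds a constructed original message with two Received: hops and an Authentication-Results: header, forwards it once as a message/rfc822 attachment and once inline (quoting only From/Date/Subject/To under a Gmail-style "Forwarded message" marker), and then shows which original headers each form lets the receiving analyzer recover. The marker strings, addresses and hop data are assumptions made for the illustration.

```python
import email
import email.policy
from email.message import EmailMessage

# Constructed sample original message (not a real email). It carries two
# Received: hops and an Authentication-Results: header, the data that only
# survives when the message is forwarded as an attachment.
ORIGINAL_RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
    by inbound.example.org with ESMTPS id abc123; Tue, 01 Jan 2030 10:00:00 +0000
Received: from sender.example.net ([198.51.100.7])
    by mx.example.net with ESMTP id xyz789; Tue, 01 Jan 2030 09:59:58 +0000
Authentication-Results: inbound.example.org;
    spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net;
    dmarc=pass header.from=example.net
From: Alice <alice@example.net>
To: bob@example.org
Subject: Quarterly invoice
Date: Tue, 01 Jan 2030 09:59:57 +0000
Message-ID: <orig-1@example.net>

Please find the invoice attached.
"""

# Conventional marker lines that clients put above an inline-forwarded block
# (Gmail and Outlook styles). This detector is an illustration, not Rubiscout's.
FORWARD_MARKERS = (
    "---------- Forwarded message ---------",
    "-----Original Message-----",
)


def load_original() -> EmailMessage:
    return email.message_from_string(ORIGINAL_RAW, policy=email.policy.default)


def forward_as_attachment(original: EmailMessage) -> EmailMessage:
    """Wrap the untouched original as a message/rfc822 attachment."""
    fwd = EmailMessage()
    fwd["From"] = "bob@example.org"
    fwd["To"] = "analyze@rubiscout.com"
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content("Forwarding this for analysis.")
    fwd.add_attachment(original)  # becomes a message/rfc822 part
    return fwd


def forward_inline(original: EmailMessage) -> EmailMessage:
    """Mimic the standard Forward button: only a few headers are quoted in the body."""
    quoted = "\n".join(f"{name}: {original[name]}" for name in ("From", "Date", "Subject", "To"))
    fwd = EmailMessage()
    fwd["From"] = "bob@example.org"
    fwd["To"] = "analyze@rubiscout.com"
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content(f"FYI\n\n{FORWARD_MARKERS[0]}\n{quoted}\n\n{original.get_content()}")
    return fwd


def receive(msg: EmailMessage) -> EmailMessage:
    """Serialize and re-parse, as the message would arrive at the analyzer."""
    return email.message_from_string(msg.as_string(), policy=email.policy.default)


def extract_original_headers(msg: EmailMessage):
    """Return ("attachment" | "inline" | "none", {header_name: [values]})."""
    # Preferred path: a message/rfc822 part holds the original with every header.
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            return "attachment", {k: [str(v) for v in inner.get_all(k)] for k in inner.keys()}

    # Fallback: recover the quoted header block an inline forward leaves in the body.
    # Received: and Authentication-Results: are never part of that block.
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().splitlines() if body is not None else []
    for i, line in enumerate(lines):
        if line.strip() in FORWARD_MARKERS:
            headers = {}
            for raw in lines[i + 1:]:
                if not raw.strip():
                    break
                name, _, value = raw.partition(":")
                headers.setdefault(name.strip(), []).append(value.strip())
            return "inline", headers
    return "none", {}


if __name__ == "__main__":
    original = load_original()
    for build in (forward_as_attachment, forward_inline):
        mode, headers = extract_original_headers(receive(build(original)))
        print(f"{mode}: {len(headers.get('Received', []))} Received hop(s), "
              f"Authentication-Results present: {'Authentication-Results' in headers}")
```

Running it shows the attachment path yielding both Received: hops plus the Authentication-Results: header, while the inline path yields only the four quoted display headers, which is exactly why the Routing and authentication tabs come up empty for inline forwards.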
What email clients does the forward-to-analyze feature support?
Attachment forwarding (recommended) works with any client that supports "Forward as attachment" — which includes Gmail, Outlook, Apple Mail, Yahoo, Thunderbird, ProtonMail, Fastmail, and most others.
Inline forward detection works automatically with Gmail, Outlook (desktop / 365 / mobile), Apple Mail, Yahoo, Thunderbird, ProtonMail, Fastmail, HEY, AOL, and Hotmail. Rubiscout detects the forwarded block by its formatting markers — it does not rely solely on "Fwd:" in the subject line.
Privacy & data
Is my email stored? What data do you keep?
Rubiscout stores email headers only — never the email body. The recipient address (To:, Delivered-To:) is redacted before anything is written to the database.
What is stored: sender address and domain, subject line, authentication results (SPF/DKIM/DMARC), routing hops, originating IP, live DNS records captured at analysis time, and the AI-generated analysis output. Analyses are accessible via their permanent shareable link.
Does Rubiscout store the body of my email?
No. When you forward an email to analyze@rubiscout.com, the body is stripped before any data is stored or sent for analysis. When you paste headers directly on the site, only what you paste is processed — the email body is never uploaded or involved.
Who can see my analysis? Is the link public?
Analysis links are unlisted — not indexed by search engines, not listed anywhere on Rubiscout, and not discoverable through the site. Anyone who has the URL can view the analysis. If you need to keep an analysis private, do not share the URL.
How long are my analyses stored?
We are establishing a formal retention policy and will update this page when it is finalized. Currently, analyses persist indefinitely via their shareable link.
Understanding results
What do the risk levels — Critical, High, Medium, Low — mean?
• Critical: A clear attack. Phishing, spoofing, or malware delivery. Do not interact with the email, click any links, or open attachments. Report to your IT team immediately.
• High: Strong indicators of malicious intent or significant authentication failure. Treat with high suspicion. Verify through a separate channel before taking any action.
• Medium: Some concerning signals, but not conclusive. Verify the sender through a separate channel before acting — do not reply to the email itself.
• Low: Passed authentication checks and shows no significant red flags. Normal caution applies.
Each risk score includes 2–4 specific signals that drove it, so you can see exactly what Rubiscout found.
What are SPF, DKIM, and DMARC?
These are three email authentication standards that let receiving mail servers verify an email was genuinely sent from where it claims:
• SPF (Sender Policy Framework): checks whether the sending IP address is on the list of servers authorized to send email for that domain. A domain publishes its authorized senders as a DNS TXT record.
• DKIM (DomainKeys Identified Mail): checks a cryptographic signature added to the email headers. If the signature is valid, the message has not been tampered with since it left the sender's server.
• DMARC (Domain-based Message Authentication, Reporting, and Conformance): checks that SPF or DKIM passes AND that the authenticated domain matches the From: address. DMARC also lets the domain owner specify what happens to mail that fails — none (monitor only), quarantine (send to spam), or reject (block delivery).
All three must be properly configured for an email to pass full authentication.
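To make the DMARC rule concrete ("SPF or DKIM passes AND the authenticated domain matches the From: address"), here is an added worked example, not part of the FAQ and not Rubiscout's code. It parses a _dmarc TXT record, applies identifier alignment in relaxed or strict mode, and reports the policy action the domain owner requested. The handful of public suffixes and the sample domains are constructed assumptions; a real evaluator loads the full Public Suffix List and also handles the sp and pct tags, which are left out here.

```python
from dataclasses import dataclass
from typing import Optional

# Tiny stand-in for the Public Suffix List, enough for the sample domains used
# here. A real evaluator loads the full list; this subset is an assumption.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# What the p= tag asks receivers to do with mail that fails DMARC.
POLICY_ACTIONS = {
    "none": "deliver and report (monitor only)",
    "quarantine": "send to spam",
    "reject": "block delivery",
}


@dataclass
class AuthInputs:
    """Results a receiving server already has when it evaluates DMARC."""
    from_domain: str   # domain in the visible From: header (RFC5322.From)
    spf_result: str    # pass / fail / softfail / neutral / none
    spf_domain: str    # domain SPF was checked against (envelope MAIL FROM)
    dkim_result: str   # pass / fail / none
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def organizational_domain(domain: str) -> str:
    """Reduce to the registrable domain, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ("s") needs an exact match,
    relaxed ("r") only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value list of a _dmarc TXT record into a dict."""
    tags = {}
    for item in txt.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(inputs: AuthInputs, record: Optional[str]) -> dict:
    """Return the DMARC result and the action the domain owner requested."""
    tags = parse_dmarc_record(record) if record else {}
    if tags.get("v") != "DMARC1":
        # No usable record: DMARC cannot be evaluated, mail is delivered as-is.
        return {"result": "none", "policy": None, "action": "deliver (no DMARC record)"}
    spf_ok = inputs.spf_result == "pass" and aligned(
        inputs.spf_domain, inputs.from_domain, tags.get("aspf", "r"))
    dkim_ok = inputs.dkim_result == "pass" and aligned(
        inputs.dkim_domain, inputs.from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok          # either aligned mechanism is enough
    policy = tags.get("p", "none")
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "policy": policy,
        "action": "deliver" if passed else POLICY_ACTIONS.get(policy, "deliver"),
    }


if __name__ == "__main__":
    # Constructed case: SPF passed for an unrelated domain, DKIM signed by that
    # same unrelated domain, so neither identifier aligns with the From: domain.
    lookalike = AuthInputs("example.com", "pass", "attacker.example.net",
                           "pass", "attacker.example.net")
    print(evaluate_dmarc(lookalike, "v=DMARC1; p=reject"))
```

Note the case where SPF passes but for a domain that does not align with From: it counts for nothing under DMARC, which is the situation a lot of spoofed mail is in. A record with p=none still produces "fail" but asks receivers to deliver anyway, which is why that policy shows up as a weak signal rather than a block.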
Why do legitimate emails sometimes get flagged?
A few common reasons:
• Weak infrastructure: many legitimate companies have misconfigured email — SPF softfail, no DMARC record, or a DMARC policy of "none" (monitoring only) is common even among real senders.
• Marketing emails: bulk emails sent through ESPs like SendGrid or Mailchimp often show unusual routing patterns and SRS-encoded bounce addresses that can look suspicious.
• Forwarding: inline-forwarded emails lose authentication data, which can lower the score for a legitimate email.
Rubiscout's verdict explains which specific signals drove the score. If the reasoning says "DMARC policy is none — domain not enforcing authentication" rather than "SPF hard fail from known phishing IP," use your judgement about the actual risk.
Features & how-to
How do I find the email headers in Gmail, Outlook, or Apple Mail?
On the main Rubiscout page, click "How to find headers" for step-by-step instructions covering Gmail, Outlook (desktop), Outlook Web, Apple Mail, and Yahoo Mail.
The easiest approach for most people is to skip header extraction entirely — just forward the email as an attachment to analyze@rubiscout.com and get a full analysis reply within seconds.
Can I share my analysis with my IT team?
Yes. Every analysis has a permanent URL (e.g., rubiscout.com/analysis/abc123). The full analysis — verdict, auth results, routing, DNS checks, IP reputation, raw header, and AI bench — is available to anyone with the link. No login required. Copy the URL from your browser's address bar on the analysis page.
How do I get a PDF of the analysis?
On any analysis page, click "Print Report." This opens a professional printable incident report covering verdict, risk score, authentication results, sender details, routing path, and recommendations — suitable for forwarding to IT, HR, or law enforcement.
In the browser print dialog, choose "Save as PDF" instead of a physical printer.
API & automation
How do I get an API key?
Sign up for a free account at rubiscout.com/dashboard. Once logged in, click "Create Key" — you can hold up to 5 active keys at a time. The full key is shown once at creation; copy it immediately and store it somewhere secure (a password manager or secrets vault).
Keys authenticate with the Authorization: Bearer <key> header on both /api/v1/analyze and /api/v1/investigate. Free keys allow 50 requests per day. Full endpoint docs are at rubiscout.com/api-reference.
What is the Investigative Bench, and how does the agentic mode work?
The Investigative Bench is an AI chat panel on every analysis page. It loads the full email context — headers, routing, auth results, and body — so you can ask follow-up questions without re-pasting anything. Four tailored prompts are generated for each analysis based on the specific signals found.
The streaming investigation API (POST /api/v1/investigate) is the programmatic version. It runs an autonomous agent (Claude Opus) that executes five live tools in sequence:
• DNS record lookup — SPF, DMARC, MX, TXT records for the sender domain
• DNSBL reputation check — tests the originating IP against Spamhaus, SpamCop, and others
• URL reputation scan — checks any URLs found in the email body
• IP geolocation — country, ASN, and ISP for the sending IP
• Domain WHOIS — registration age, registrar, and abuse contacts
The agent synthesizes the tool results into a structured threat report with IOCs, TTPs, MITRE ATT&CK technique IDs, and SOC workflow recommendations. Results stream over SSE in real time as each tool completes, so you see progress live rather than waiting for a single response.
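Consuming a stream that reports tool results as they complete means parsing the text/event-stream framing correctly, including multi-line data fields. The following is an added example written for this page, not Rubiscout's client code: it implements the standard SSE line rules (comment lines, event/data/id fields, blank-line dispatch) and a small consumer that tracks tool progress. The event names and JSON fields in the constructed sample stream are placeholders chosen for the illustration, not the documented schema of /api/v1/investigate; a real client would feed the body of an HTTP response sent with the Authorization: Bearer header into parse_sse instead of the embedded string.

```python
import json
from typing import Iterator

# Constructed sample stream. Event names and JSON fields are placeholders for
# this illustration, not Rubiscout's documented schema; only the wire framing
# (event:/data:/id: lines, blank-line delimiters, ':' comments) is standard.
SAMPLE_STREAM = """\
: keep-alive
event: tool_start
data: {"tool": "dns_lookup", "target": "example.net"}

event: tool_result
id: 1
data: {"tool": "dns_lookup",
data:  "spf": "v=spf1 ip4:198.51.100.0/24 -all", "dmarc": "v=DMARC1; p=reject"}

event: tool_result
id: 2
data: {"tool": "dnsbl", "ip": "198.51.100.7", "listed": false}

event: report
data: {"iocs": ["198.51.100.7"], "techniques": ["T1566"]}

"""


def parse_sse(stream: str) -> Iterator[dict]:
    """Yield one dict per event following the text/event-stream rules:
    lines starting with ':' are comments, each field is 'name: value' with one
    optional leading space stripped from the value, consecutive 'data:' lines
    are joined with newlines, and an empty line dispatches the event.
    The last seen id persists across events, as the spec requires."""
    event, data, last_id = "message", [], None
    for line in stream.splitlines():
        if not line:
            if data:
                yield {"event": event, "id": last_id, "data": "\n".join(data)}
            event, data = "message", []
            continue
        if line.startswith(":"):
            continue
        field, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if field == "event":
            event = value
        elif field == "data":
            data.append(value)
        elif field == "id":
            last_id = value
        # "retry" and unknown fields are ignored by this consumer
    if data:  # flush an event the stream ended without a blank line after
        yield {"event": event, "id": last_id, "data": "\n".join(data)}


def collect_investigation(stream: str) -> dict:
    """Track which tools have started and finished, and capture the final report."""
    progress = {"started": [], "completed": [], "report": None}
    for ev in parse_sse(stream):
        payload = json.loads(ev["data"])
        if ev["event"] == "tool_start":
            progress["started"].append(payload["tool"])
        elif ev["event"] == "tool_result":
            progress["completed"].append(payload["tool"])
        elif ev["event"] == "report":
            progress["report"] = payload
    return progress


if __name__ == "__main__":
    for ev in parse_sse(SAMPLE_STREAM):
        print(ev["event"], ev["id"], ev["data"][:60])
    print(collect_investigation(SAMPLE_STREAM))
```

Joining multi-line data with a newline is what lets the second event's JSON parse cleanly; a consumer that only reads the first data: line of an event would truncate it.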
How do I use the Rubiscout CLI?
Install the CLI globally and configure your API key:
npm install -g rubiscout
rubiscout config set-key YOUR_API_KEY
Key commands:
• rubiscout analyze email.eml — analyze a .eml file (or pipe raw headers via stdin)
• rubiscout list — list your recent analyses with IDs, dates, and risk levels
• rubiscout get <id> — fetch a specific analysis as JSON
All commands support --json for machine-readable output suited to shell pipelines or SIEM ingestion. Full setup instructions including MCP server configuration and Python streaming examples are in the docs at rubiscout.com/docs.