Security teams are drowning in phishing emails. If you're building security automation or managing an email security pipeline, you already know that manual phishing analysis doesn't scale — and that a reliable phishing email analysis API is the missing piece between a flooded inbox and an automated, repeatable triage workflow.
This article walks through what a phishing analysis API should actually do, how to get started with the DFIR Lab phishing API, and how to integrate it into your existing SOAR playbooks, SIEM pipelines, or email gateways.
The Problem: Manual Phishing Triage Doesn't Scale
The average enterprise SOC receives hundreds to thousands of user-reported phishing emails per week. Each one requires inspection of email headers, URLs, attachments, and sender authentication records before a verdict can be issued. Done manually, a single analyst might triage 20–30 emails per hour — under pressure, with inconsistent results.
Automation is the only answer. But building your own phishing detection logic from scratch is a substantial engineering investment: parsing raw .eml files, implementing SPF, DKIM, and DMARC validation, detonating URLs safely, decoding QR codes, catching homoglyph attacks, and layering an AI verdict on top. Most teams don't have months to build and maintain that stack.
A well-designed phishing detection API lets you skip straight to integration.
What a Phishing Analysis API Should Do
Not all email security APIs are equal. A production-grade API to detect phishing emails needs to cover the full analysis surface — not just check a URL against a blocklist. Here's what to look for:
Email authentication validation The API should validate SPF, DKIM, DMARC, and ARC records, and surface failures clearly. A DMARC pass doesn't mean an email is safe, but a DMARC fail is a strong signal.
Header analysis
Spoofed display names, mismatched Reply-To and From addresses, suspicious Received chain hops, and forged X-Mailer headers are all indicators of compromise that should be parsed and flagged automatically.
URL and link analysis Every URL in the body and headers should be extracted, expanded (following redirects), and checked against reputation feeds. The API should also detect link-display mismatches — where the visible text says one domain but the href points to another.
Homoglyph and domain impersonation detection
Attackers register domains like microsоft.com (with a Cyrillic о) that are visually identical to legitimate domains. A proper phishing analysis API performs Unicode normalization and similarity scoring against known brand domains.
QR code decoding QR code phishing (quishing) has exploded as a technique to bypass link-scanning gateways. The API should extract and decode QR codes from image attachments, then analyze the embedded URL.
Attachment inspection Malicious macro-enabled Office documents, PDFs with embedded JavaScript, and archive files containing executables are common delivery vectors. The API should identify file types, extract metadata, and flag suspicious characteristics.
AI-powered verdict scoring Individual signals can be ambiguous. An AI layer that synthesizes all module outputs into a single verdict and confidence score is what makes the difference between a list of flags and an actionable triage decision.
Getting Started with the DFIR Platform Phishing API
Step 1: Sign Up (Free, No Credit Card)
Create a free account at platform.dfir-lab.ch. The free tier gives you 100 credits per month with no credit card required — enough to analyze a meaningful volume of emails and validate your integration before committing to a paid plan.
Step 2: Get Your API Key
Once logged in, navigate to the API Keys section of your dashboard. Generate a new key and store it securely — treat it like a password. You'll pass it as a Bearer token in every request.
Step 3: Make Your First API Call
The base URL is api.dfir-lab.ch/v1 and the phishing analysis endpoint accepts POST requests to /phishing/analyze.
curl example:
curl -X POST https://api.dfir-lab.ch/v1/phishing/analyze \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: multipart/form-data" \ -F "file=@suspicious_email.eml"The endpoint accepts .eml files (the standard format exported by most email clients and gateways) as well as raw email headers if you want a lighter-weight check. The full API reference is at platform.dfir-lab.ch/docs/phishing.
Code Examples
Python (requests library)
import requests API_KEY = "your_api_key_here"API_URL = "https://api.dfir-lab.ch/v1/phishing/analyze" def analyze_email(eml_path: str) -> dict: headers = { "Authorization": f"Bearer {API_KEY}" } with open(eml_path, "rb") as f: files = {"file": (eml_path, f, "message/rfc822")} response = requests.post(API_URL, headers=headers, files=files) response.raise_for_status() return response.json() result = analyze_email("suspicious.eml")print(result)This function opens a local .eml file, sends it to the API with your Bearer token, and returns the parsed JSON response. Add your own error handling and logging before using in production.
What the response contains:
The JSON response includes a top-level verdict field (clean, suspicious, or phishing) along with a confidence score between 0 and 1. Below that, a modules object contains per-module results — each module returns its own status, findings, and any extracted indicators. The response also includes an iocs array listing all extracted indicators of compromise (URLs, domains, file hashes, IPs), and a credits_used field so you can track consumption.
curl with raw headers
If you only have access to email headers rather than the full .eml, you can POST the raw header block as plain text:
curl -X POST https://api.dfir-lab.ch/v1/phishing/analyze \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: text/plain" \ --data-binary @headers.txtHeader-only analysis runs a subset of modules (authentication checks, header anomaly detection, display name spoofing) and consumes fewer credits than a full .eml analysis.
CLI Alternative
If you prefer a command-line workflow without writing API code directly, the DFIR CLI wraps the same endpoint:
dfir-cli phishing analyze email.emlThe CLI handles authentication from your local config, formats the output for terminal readability, and supports --json for piping into other tools. Install and configure it via the platform dashboard.
Integrating into Your Workflow
SOAR Playbook Integration
A SOAR platform is the natural home for phishing analysis automation. The typical playbook pattern is:
- Trigger on a new phishing report ticket or email forwarded to an abuse mailbox.
- Extract the
.emlattachment. - Call
POST /phishing/analyzeand await the response. - Branch on
verdict: auto-close ifcleanwith confidence > 0.95; escalate to analyst ifsuspicious; auto-block sender/domain and notify user ifphishing. - Write the full
iocsarray back to the ticket and to your threat intelligence platform.
Most SOAR platforms (Palo Alto XSOAR, Splunk SOAR, Tines, Torq) support custom HTTP integrations or have a generic REST action you can configure against the DFIR Lab API endpoint.
SIEM Alert Enrichment
When a SIEM fires an alert on an inbound email event (from an email gateway log source), you can enrich the alert with phishing analysis results in near real-time. Feed the raw headers from the SIEM event into the API and attach the verdict and IOCs to the alert before it reaches an analyst.
This turns a low-fidelity "suspicious email received" alert into a structured event with authentication failures, flagged URLs, extracted domains, and a machine-generated verdict — dramatically reducing alert triage time.
Email Gateway Automation
If your email gateway supports webhook callbacks or API-driven policy enforcement (common in platforms like Proofpoint TAP, Mimecast, or custom gateway builds), you can insert the DFIR Lab API as a pre-delivery analysis step. Emails scoring above a verdict threshold can be quarantined, re-routed to a sandbox, or tagged with a warning banner before they reach the recipient.
API Capabilities: 26+ Analysis Modules
The DFIR Lab phishing analysis engine runs over 26 specialized modules on each submission. Key capabilities include:
- SPF validation — checks whether the sending IP is authorized by the domain's SPF record
- DKIM validation — verifies the cryptographic signature against the public key in DNS
- DMARC validation — evaluates alignment between SPF/DKIM results and the From domain, per the domain's DMARC policy
- ARC chain validation — inspects Authenticated Received Chain headers for forwarded mail
- Homoglyph detection — Unicode normalization and visual similarity scoring against brand domain lists
- QR code decoding — extracts and analyzes URLs embedded in QR code images in the email body or attachments
- URL reputation — checks extracted URLs against multiple threat intelligence feeds
- Link-display mismatch detection — flags cases where anchor text and href point to different domains
- Redirect chain following — unrolls URL shorteners and multi-hop redirects to expose the final destination
- Attachment type identification — detects disguised file types regardless of extension
- Office macro detection — flags macro-enabled Office documents (
.docm,.xlsm, etc.) - PDF structure analysis — identifies embedded JavaScript, launch actions, and URI objects in PDFs
- Display name spoofing — compares the From display name against known impersonation targets
- Reply-To divergence — flags cases where
Reply-Todiffers fromFrom, a common credential-harvesting signal - Received header anomaly detection — analyzes the SMTP relay chain for inconsistencies
- AI-powered verdict — synthesizes all module outputs into a final verdict with a calibrated confidence score
Pricing
| Plan | Price | Credits/Month | Notes |
|---|---|---|---|
| Free | $0 | 100 | No credit card required |
| Starter | $29/mo | 1,000 | Full API access |
| Professional | $99/mo | 5,000 | Priority processing, SLA |
Credit costs:
- Basic analysis (headers, authentication, URL extraction): 1 credit
- Full
.emlanalysis with all modules: varies by modules triggered - AI-powered verdict: 10 credits
For teams evaluating a paid plan, use code LAUNCH50 for 50% off your first month.
Credit costs are designed so that the free tier covers meaningful development and testing volume. A typical integration test suite or low-volume production deployment (under 10 emails/day) fits comfortably within 100 credits/month.
Conclusion
A purpose-built phishing email analysis API is the fastest path from a flooded abuse mailbox to a structured, automated triage pipeline. Instead of maintaining your own parser stack, you get 26+ analysis modules — from SPF/DKIM/DMARC validation to AI-powered verdicts — behind a single REST endpoint.
The DFIR Lab API is designed for the security engineers and DevSecOps teams who need reliable, structured results they can act on programmatically: clean JSON responses, per-module findings, extracted IOCs, and a confidence-weighted verdict ready to feed into your SOAR playbook or SIEM enrichment workflow.
Get started in minutes:
- Create a free account at platform.dfir-lab.ch — no credit card required
- Generate an API key from the dashboard
- Read the full reference at platform.dfir-lab.ch/docs/phishing
- Use code LAUNCH50 for 50% off your first paid month
If you have questions or want to discuss a high-volume or enterprise deployment, reach out through the platform dashboard.