If you work in a SOC or manage email infrastructure, you've almost certainly used MxToolbox. It's fast, free for basic use, and covers the essentials — paste a header, get a structured breakdown, check a domain against blacklists. For a quick sanity check, it's hard to beat.
But security workflows have changed. Phishing attacks now routinely embed QR codes, use homoglyph domains, attach malicious files, and chain multiple redirects through legitimate services. When your analysis starts at the raw header and stops there, you're leaving most of the attack surface uninspected.
This article compares MxToolbox and DFIR Platform honestly — what each does well, where each falls short, and how to decide which tool fits which part of your workflow.
What MxToolbox Does Well
MxToolbox has been around long enough to earn genuine trust in the industry. Its strengths are real:
Header parsing. Paste any raw email header and MxToolbox produces a structured, readable breakdown of the routing hops, timestamps, and authentication results. It's accurate, fast, and requires no account for basic use. For email header analysis, it remains one of the quickest free options available.
Blacklist monitoring. MxToolbox checks domains and IPs against over 100 DNS-based blacklists simultaneously. For mail administrators watching sender reputation, this is genuinely useful. The Pro plan ($129/month) adds continuous monitoring and alerting.
DNS and SMTP diagnostics. MxToolbox's DNS lookup, MX record checker, and SMTP diagnostics tools are solid utilities for mail server configuration and troubleshooting. If you're setting up SPF, DKIM, or DMARC records and want to validate them quickly, MxToolbox covers the basics.
Free web access and brand recognition. No registration required for most features. It's a tool you can share with a colleague or reference in a runbook without any friction.
These are real strengths, and nothing in this article is meant to dismiss them.
Where MxToolbox Stops
MxToolbox is built around DNS tooling and header inspection. That scope is intentional — and it means there are entire categories of phishing analysis it simply doesn't address.
No full .eml file analysis. MxToolbox accepts pasted header text. It does not process a complete .eml file. That distinction matters: the full email file contains the MIME structure, body content, and attachments — all of which are relevant in a forensic investigation.
No attachment inspection. If a phishing email carries a malicious PDF, a weaponized Office document, or an HTML smuggling attachment, MxToolbox won't examine it. You'd need a separate sandbox or analysis tool for that step.
No QR code decoding. QR code phishing (also called "quishing") has grown significantly as a way to bypass email security gateways. Attackers embed QR codes in image attachments or inline images. MxToolbox has no capability to detect or decode them.
No AI-assisted verdict. MxToolbox presents data — it doesn't interpret it. For analysts handling high volumes of suspicious emails, the absence of any triage scoring or verdict means every alert still requires manual review.
No IOC extraction. Indicators of Compromise — URLs, domains, IPs, file hashes — are not automatically extracted and structured for downstream use. You'd need to parse them manually or pipe to another tool.
Limited API for phishing-specific workflows. MxToolbox does offer API access, but it's oriented toward DNS lookups and blacklist checks. There is no API endpoint designed for submitting a full email and receiving a structured phishing analysis in return.
What DFIR Platform Adds
DFIR Platform is built specifically for email forensics and phishing triage. The scope is different from MxToolbox by design.
Full .eml File Analysis
You submit a complete .eml file — not just the header. The platform processes the entire message: MIME structure, body, inline images, and attachments. This gives you a complete picture of what the email actually contained, not just how it was routed.
26+ Analysis Modules
A single email submission runs through more than 26 individual analysis checks, including:
- Authentication chain: SPF, DKIM, DMARC, and ARC validation with detailed pass/fail reasoning
- Homoglyph detection: Unicode character substitution in domains and display names — a common technique to impersonate trusted brands
- QR code extraction and decoding: Images in the email are scanned for QR codes; detected codes are decoded and the resulting URLs are analyzed
- URL reputation: Extracted links are checked against threat intelligence feeds
- Attachment analysis: File types are identified and flagged
- AI verdict: The platform produces a structured triage verdict — clean, suspicious, or malicious — with supporting reasoning
This isn't a list of aspirational features. Each module runs automatically on every submission.
IOC Extraction
After analysis, all identified Indicators of Compromise are available in structured form: domains, IPs, URLs, file hashes. These can be exported or consumed via API for direct integration into your SIEM, ticketing system, or threat intelligence platform.
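To illustrate what a full .eml pass covers beyond the header (the MIME walk from "Full .eml File Analysis", the homoglyph check, and structured IOC output), here is an added Python example that is not DFIR Platform's code and not from the original article. It parses a constructed sample message, extracts URLs and domains from text parts, flags mixed-script domains as likely homoglyphs, and hashes attachments; the sample message and the mixed-script heuristic are this example's own assumptions, not the platform's modules.

```python
import email, hashlib, re, unicodedata
from email import policy

# Constructed sample .eml (not a real message): an HTML body linking to a
# Cyrillic-a homoglyph of paypal.com, plus one small PDF attachment.
SAMPLE_EML = """From: Billing <billing@example.com>
Subject: Invoice
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<p>Review at <a href="https://p\u0430ypal.com/login">PayPal</a>
or https://example.com/docs</p>
--B1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B1--
""".encode("utf-8")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def scripts_in(domain):
    """Unicode scripts of the letters in a domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c).split()[0] for c in domain if c.isalpha()}

def analyze_eml(raw):
    """Walk every MIME part: URLs and domains from text parts, hashes of attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"urls": set(), "domains": set(), "homoglyph_domains": set(), "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # base64 decoded to raw bytes
            report["attachments"].append({"filename": part.get_filename(),
                                          "size": len(data),
                                          "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                domain = url.split("/")[2].split(":")[0].lower()
                report["urls"].add(url)
                report["domains"].add(domain)
                if len(scripts_in(domain)) > 1:  # mixed scripts: likely homoglyph
                    report["homoglyph_domains"].add(domain)
    return report
```

The mixed-script test is a deliberately narrow heuristic; a production check would also compare the domain's confusable skeleton against a list of protected brands.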
API-First with CLI
The DFIR Platform API is designed specifically for email analysis workflows. You can submit .eml files programmatically, retrieve structured JSON results, and integrate the output into automated pipelines. A CLI client is available for teams that prefer command-line workflows or need to script bulk submissions.
Part of a Broader Toolkit
DFIR Platform is one component of a broader suite that includes IOC enrichment and exposure scanning. For SOC teams running investigations that extend beyond a single email — tracing infrastructure, pivoting on domains, checking for organizational exposure — the interconnected tooling reduces the need to context-switch between unrelated platforms.
Side-by-Side Comparison
| Feature | MxToolbox | DFIR Platform |
|---|---|---|
| Email header parsing | Yes | Yes |
| Full .eml file analysis | No | Yes |
| Attachment inspection | No | Yes |
| QR code detection | No | Yes |
| Homoglyph detection | No | Yes |
| SPF / DKIM / DMARC / ARC | Basic display | Full validation + reasoning |
| URL reputation check | No | Yes |
| IOC extraction | No | Yes (structured) |
| AI triage verdict | No | Yes |
| Blacklist monitoring | Yes (100+ lists) | No |
| DNS / SMTP diagnostics | Yes | No |
| API for phishing analysis | No | Yes |
| CLI client | No | Yes |
| Free tier | Yes (web, limited) | Yes (100 credits/month) |
| Paid plans | From $129/month | From $29/month (Starter) |
When to Use MxToolbox
MxToolbox is the right tool when:
- You need a fast, free header check and don't want to create an account
- You're validating DNS records — MX, SPF, DKIM, DMARC — during email server setup or troubleshooting (see DNS Security)
- You want to check a domain or IP against blacklists quickly
- You need SMTP diagnostics to test mail server connectivity
- You're working a one-off question, not a repeatable workflow
For these use cases, MxToolbox is genuinely good and there's no reason to replace it.
When to Use DFIR Platform
DFIR Platform is the right tool when:
- You're triaging suspected phishing emails and need more than header data
- You want to submit a full .eml file and get a complete forensic breakdown automatically
- You're building an automated phishing analysis pipeline via API
- Your threat actors are using QR codes, homoglyph domains, or HTML attachments
- You need structured IOC output for downstream consumption
- You're running volume — the free tier provides 100 credits per month, and the CLI supports scripted bulk submissions
For teams handling more than a handful of suspicious emails per day, manual header-paste workflows don't scale. API-driven analysis with structured output does.
Using Both Together
These tools are not mutually exclusive. Many security teams run them in parallel against different parts of their workflow.
A practical split: use MxToolbox for DNS lookups, blacklist checks, and quick sender reputation checks as part of your initial triage signal. Use DFIR Platform for full email forensics — processing the .eml file, running all analysis modules, and extracting IOCs for your investigation.
MxToolbox answers "is this sender domain on a blacklist and are the DNS records configured correctly?" DFIR Platform answers "what did this email actually contain, is it malicious, and what infrastructure is behind it?"
Both questions matter. They just require different tools.
Run a real email through the analysis endpoint. The DFIR API Playground takes a raw .eml and returns headers, SPF/DKIM/DMARC verdicts, URL reputation, and an AI verdict in a single JSON response — the layer MxToolbox stops short of. 10 free calls per week, no signup, so you can judge whether content-level analysis adds enough to complement your existing DNS tooling.
Conclusion
MxToolbox is a well-established, genuinely useful tool for DNS-based email security checks. If your workflow is built around blacklist monitoring, header parsing, and DNS validation, it serves those needs well.
If your workflow involves phishing analysis — processing full email files, detecting QR code attacks, extracting IOCs, or running automated triage at scale — DFIR Platform covers ground that MxToolbox was never designed to handle.
Try DFIR Platform free. No credit card required — start with 100 credits per month at dfir-lab.ch/phishing-check. Full API documentation is at platform.dfir-lab.ch/docs/phishing. Use code LAUNCH50 for 50% off your first paid month.