Phishing Email Evidence: How to Collect and Preserve It Properly
Introduction: Preserving a Phishing Email as Evidence
When a malicious message lands in an inbox, the first instinct is usually to delete it — or to snap a quick screenshot and move on. For an IT or security professional, both reactions destroy value. Whether you are running an incident response, building an HR case against an internal sender, or filing a complaint with a bank or the authorities, the email itself is the evidence, and how you collect it decides whether anyone can rely on it later. This guide walks through preserving phishing email evidence the right way: keeping the original message, capturing the full headers, and locking each artifact with a cryptographic hash and an integrity certificate using e-Dex (formerly Hash Calculator) — all offline, on your own machine.
Why a Screenshot Isn't Enough
A screenshot captures pixels, not the message. It shows the rendered subject and body, but it throws away everything an investigator actually needs: the full internet headers, the raw HTML source, the real destinations behind disguised links, and any embedded tracking content. You cannot trace a sender from a picture of an email, and you cannot prove the message was not edited before the screenshot was taken. The goal of evidence collection is to preserve the original message in a form a reviewer can re-open, re-parse, and re-verify — and that means saving it as a file, with its headers, not as an image.
How to Export the Original Without Altering It
The cardinal rule is: do not forward the message inline. Forwarding rewrites the headers, strips the original routing path, and re-encodes the body — you end up preserving your own mail server's handling instead of the attacker's. Leave the message in place and export it to disk instead. Most desktop mail clients offer a Save As or export option that writes the message out as a .eml file (a plain-text copy of the complete message source) or a .msg file. If you must move it between mailboxes, send it as an attachment rather than inline, so the original is wrapped untouched. Save the file to a clean working folder, give it a clear name with a date, and stop touching it from that point on.
Reading the Headers: Sender Path and Authentication Hints
The headers are the heart of a phishing investigation. Open the message source or "view internet headers" and save that text separately as well. Read the Received lines from the bottom up to reconstruct the path the message took across mail servers, and compare the originating address against the address the message claims to be from — a mismatch is a classic spoofing signal. Then look at the authentication results: SPF checks whether the sending server was authorised for the domain, DKIM checks a cryptographic signature on the message, and DMARC ties the two to the visible sender. A fail or none result on any of these, or a Reply-To that diverges from the From, is a strong indicator that the message is not what it pretends to be. Record what you observe, but preserve the raw headers verbatim — your notes are commentary, the headers are the evidence.
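As an added example (not code from the article or from e-Dex), the header reading described above, run on a constructed .eml whose hosts and addresses are reserved example values: it lists the Received hops origin-first, pulls the SPF, DKIM and DMARC verdicts out of Authentication-Results, and flags a Reply-To or Return-Path domain that differs from the From domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample for illustration only: hosts and addresses are reserved
# example values, not a real campaign. Header folding uses a leading tab.
SAMPLE_EML = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123; Mon, 3 Jun 2024 10:02:11 +0000
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 3 Jun 2024 10:02:09 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby mail.example.net with SMTP; Mon, 3 Jun 2024 10:02:05 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net;
\tdkim=none; dmarc=fail header.from=bank.example.com
Return-Path: <bounce@example.net>
From: "Example Bank" <security@bank.example.com>
Reply-To: <verify@example.net>
To: <victim@example.org>
Subject: Action required

Please confirm your account.
"""

def domain_of(header_value):
    """Lowercase domain of the first address in a header, or None if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def analyse_headers(raw):
    """Return the hop list (origin first), auth verdicts and spoofing flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Each relay prepends its own Received line, so the last one in the header
    # block is the earliest hop: reverse to read the path from origin to inbox.
    hops = [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    rpath_dom = domain_of(msg.get("Return-Path"))
    flags = [f"{m}={v}" for m, v in verdicts.items() if v in ("fail", "softfail", "none")]
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if rpath_dom and rpath_dom != from_dom:
        flags.append(f"Return-Path domain {rpath_dom} differs from From domain {from_dom}")
    return {"hops": hops, "auth": verdicts, "flags": flags}
```

Trust only the Authentication-Results line added by your own receiving server, since anything earlier in the chain could have been written by the sender; the raw header text still goes into the evidence bundle unchanged.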
Hash and Certify Each Artifact at Collection
Once you have the saved .eml or .msg file, the exported headers, and any extracted attachments, lock their state immediately. A cryptographic hash is a fixed-length fingerprint of a file's exact contents; change a single byte and the fingerprint changes completely. By computing hashes the moment you collect, you create a baseline that proves later that the artifacts have not drifted. e-Dex hashes each file with several algorithms — MD5, SHA-1, SHA-256, SHA-512 and BLAKE3 — and produces an incident response evidence certificate that lists every file with its hashes and a plain MATCH / MISMATCH verdict. Anyone who receives the bundle can re-hash the files months later and confirm they are bit-for-bit identical to what you collected.
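An added illustration, not e-Dex's own code, of the collect-then-verify baseline this section describes: it fingerprints each saved artifact with several hashlib algorithms, writes a timestamped manifest, and re-hashes the files later to give a MATCH or MISMATCH verdict per file. BLAKE3 is not in Python's standard library, so blake2b stands in for it here; the file names and contents in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256", "sha512", "blake2b")  # blake2b stands in for BLAKE3

def hash_bytes(data):
    """Fingerprint a byte string with every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}

def hash_file(path):
    # Hash a saved artifact (.eml, .msg, header dump or attachment) on disk.
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())

def write_manifest(paths, manifest_path):
    """Record every artifact's hashes and the collection time: the baseline."""
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "files": [{"file": os.path.basename(p), "hashes": hash_file(p)} for p in paths]}
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

def verify_manifest(manifest_path, directory):
    """Re-hash each listed file and give a MATCH / MISMATCH / MISSING verdict."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    verdicts = {}
    for entry in manifest["files"]:
        path = os.path.join(directory, entry["file"])
        verdicts[entry["file"]] = ("MISSING" if not os.path.exists(path) else
                                   "MATCH" if hash_file(path) == entry["hashes"] else "MISMATCH")
    return verdicts

def demo():
    # Collect two constructed artifacts, verify, alter one byte, verify again.
    with tempfile.TemporaryDirectory() as d:
        files = {"phish-2024-06-03.eml": b"From: sender@example.net\r\n\r\nconstructed body\r\n",
                 "phish-2024-06-03.headers.txt": b"Received: from mx.example.net by inbox.example.org\r\n"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = os.path.join(d, "manifest.json")
        write_manifest([os.path.join(d, n) for n in files], manifest)
        before = verify_manifest(manifest, d)
        with open(os.path.join(d, "phish-2024-06-03.eml"), "ab") as fh:
            fh.write(b" ")  # one appended byte is enough to change every hash
        after = verify_manifest(manifest, d)
    return before, after
```

Treat the MD5 and SHA-1 values as cross-references for older tooling only; collision attacks against both are practical, so the comparison a reviewer should rely on is SHA-256 or SHA-512.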
Reporting It
With the artifacts preserved and certified, hand the bundle to whoever needs it: your internal security or SOC team for an active incident, HR if the sender is an employee, or your bank, CERT-In or the local cyber-crime unit if it is fraud. Submit the saved .eml/.msg, the raw headers, the attachments, and the integrity certificate together, and keep your own copy. Because every file is hashed, the recipient can verify nothing changed in transit, and you retain a defensible record of exactly what you collected and when. This turns a vague "I got a suspicious email" report into a structured, verifiable evidence package.
Frequently Asked Questions
Why isn't a screenshot of a phishing email enough as evidence?
A screenshot only captures what the screen rendered. It loses the full message headers, the original HTML source, any hidden tracking links and the file-level data a reviewer needs to trace the sender and verify authenticity. To preserve phishing email evidence properly you must keep the original message as a file (.eml or .msg) together with its complete headers, not just an image of it.
How do I export a phishing email without altering it?
Do not forward the message inline, because that rewrites the headers. Instead use your mail client's Save As or export to save the email to disk as a .eml or .msg file, which keeps the full source intact. Also save the internet headers or message source separately. Then hash each saved file immediately so its state is locked at the moment of collection.
What can email headers tell me about a phishing message?
The headers record the path a message took across mail servers, the originating addresses, timestamps and the results of sender-authentication checks such as SPF, DKIM and DMARC. A failed or missing authentication result, or a sending path that does not match the claimed sender, is a strong indicator that the message was spoofed. The headers are often the single most useful artifact in a phishing investigation.
Why should I hash a phishing email at the moment of collection?
A cryptographic hash is a fixed-length fingerprint of a file. Computing it the moment you save the .eml, .msg and header files lets you prove later that the artifacts have not changed since collection. If a single byte is altered the hash changes, so a matching hash is defensible proof the evidence is unaltered. e-Dex records multiple algorithms per file and prints a MATCH or MISMATCH verdict.
Does e-Dex send my phishing email anywhere to certify it?
No. e-Dex runs fully offline on your own Windows machine. Hashing the saved email files and generating the integrity certificate happen locally, so the phishing message and any sensitive content never leave your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp.
Conclusion
A phishing email is only useful as evidence if it survives collection intact. Skip the screenshot, save the original message and its headers as files, and hash and certify every artifact the moment you collect it. Done this way, your report carries proof — not just a claim — that the evidence is exactly what arrived. See how the full workflow fits together on our incident response evidence page, and produce your own integrity-backed certificate offline, free, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite.