CheckThis — Tutorials
Written guides for every feature in CheckThis. Work through them in order for a complete introduction, or jump to any section using the contents list.
1 First Launch & Mail Extension Setup
What you'll learn: getting CheckThis running and enabling the Mail Extension so incoming messages are pre-screened automatically.
Steps
- Launch CheckThis. The Welcome screen explains what the app does and shows a one-time setup notice. Read the disclaimer — CheckThis is an analysis tool that helps you make better decisions, not a guarantee.
- Grant permissions if prompted. CheckThis needs Automation access to Apple Mail so it can read the email you drag in. When macOS shows the Automation permission dialog, click Allow. If you accidentally denied it, go to System Settings → Privacy & Security → Automation and enable CheckThis.
- Enable the Mail Extension. Open Settings → Extension inside CheckThis. Click "Open Mail Settings." In Apple Mail, go to Settings → Extensions. Find CheckThis in the list and tick its checkbox. Close Mail Settings.
- Return to CheckThis. The extension status in Settings → Extension should now show as active. From this point, incoming mail in Apple Mail is pre-screened and coloured dots appear on flagged messages before you open them — no manual step required.
2 Checking Your First Email
What you'll learn: the three ways to get an email into CheckThis.
Method A — Drag from Apple Mail
- Open Apple Mail alongside CheckThis.
- Find a message you want to check. Drag it from the Mail message list directly onto the CheckThis window. Drop it anywhere on the app — the drop zone accepts it.
- CheckThis extracts the full email source automatically. Analysis begins immediately.
Method B — Copy & Paste Raw Email Source
- In Apple Mail, select a message. Go to View → Message → Raw Source (⌥⌘U). The raw headers and body appear in a window.
- Select all (⌘A) and copy (⌘C).
- In CheckThis, paste (⌘V) into the drop zone. Analysis begins immediately.
Method C — Open an .eml File
- If you have a saved
.emlfile, drag it onto the CheckThis window, or use File → Open.
3 Reading the Verdict
What you'll learn: how to interpret the verdict banner and confidence indicator.
The verdict banner
After analysis, a large icon and verdict label appear at the top of the results view. There are four possible verdicts:
| Verdict | Meaning | What to do |
|---|---|---|
| Safe | No significant risk signals found. | Proceed normally. The email appears legitimate. |
| Likely OK | Minor anomalies — likely legitimate but worth a glance. | Check the signal list. Usually safe to act on. |
| Suspicious | Multiple concerning signals. Treat with caution. | Do not click links or open attachments until verified. |
| High Risk | Strong indicators of phishing, fraud, or impersonation. | Do not interact. Delete or report. Do not click anything. |
The "What to do" card
Below the banner, a plain-English card explains the verdict and gives specific guidance — including what makes this particular email suspicious (or safe). Read this card first before acting on any email flagged as Suspicious or High Risk.
Confidence
A confidence bar shows how certain the verdict is. High confidence means many consistent signals all pointing the same direction. Low confidence means the signals are mixed — treat the verdict as a starting point, not a definitive answer.
Action bar
At the bottom of the result view, up to four buttons appear:
- Check Another Email — resets the app for a new email.
- Forensic Details — opens the full raw-data view (see Tutorial 5).
- Add to Safe Senders — marks this sender's domain as trusted. Future emails from this domain skip to Safe immediately.
- Add to Block List — marks this sender's domain as blocked. Future emails from this domain immediately receive a High Risk verdict without analysis.
Once you add a sender to either list the corresponding button is replaced by a confirmation label and the other list button disappears.
4 Understanding the Signal List
What you'll learn: how to read the individual signals that drove the verdict.
Below the "What to do" card, the Signal List shows every factor CheckThis detected — both risk factors and trust factors. Each row shows:
- Signal name — what CheckThis detected (e.g., "Lookalike domain", "DMARC authenticated")
- Value — the specific data found (e.g., the domain name, the IP address)
- Explanation — plain English: why this signal matters and what it means in context
- Source badge — where the signal came from: Local (header analysis), DNS (domain lookup), AI (AI layer), or User (your Safe/Blocked lists)
Signal types you'll commonly see
| Signal | What it means |
|---|---|
| Reply-To mismatch | The Reply-To address differs from the From address — a classic phishing technique so your reply goes to the attacker's mailbox. |
| Lookalike domain | The sending domain closely resembles a well-known brand (e.g., paypa1.com vs paypal.com). |
| Domain age | The sending domain was registered recently — newly registered domains are disproportionately used for fraud. |
| DMARC authenticated | The email passed DMARC authentication — a strong positive signal. Legitimate senders like banks and major services almost always pass DMARC. |
| Urgency language | Phrases designed to pressure you into acting immediately without thinking ("Your account will be closed in 24 hours"). |
| Brand impersonation | The email mentions a well-known brand name (Apple, PayPal, etc.) but the sending domain does not match that brand's legitimate domain. |
| Marketing platform detected | The email was sent through a bulk mailing service (Mailchimp, HubSpot, etc.) — not inherently suspicious but reduces the weight of some other signals. |
| Routing anomaly | The email's path through mail servers is inconsistent with a legitimate sender. |
5 Forensic Details
What you'll learn: using the Forensic Details view to inspect raw headers, routing, and DNS data.
Tap Forensic Details in the result action bar to open the full raw-data inspector. This is for advanced users who want to verify CheckThis's conclusions or dig deeper into an anomaly.
Headers tab
Shows the complete raw email headers exactly as received — every Received, From, To, Reply-To, Return-Path, DKIM-Signature, and DMARC header. Search within the text to find any specific field.
Routing tab
Visualises the hop-by-hop path the email took through mail servers before arriving in your inbox. Each hop shows the server hostname, IP address, and timestamp. Geographic data is shown where available. Unexpected routing hops (e.g., an email from a US company that was relayed through servers in an unrelated country) are flagged here.
DNS / WHOIS tab
Shows the DNS analysis CheckThis performed on the sending domain:
- SPF record — whether the sender's domain authorises the sending IP
- DKIM signature — whether the message body was cryptographically signed by the sender
- DMARC policy — what the domain's policy says to do with failed authentication
- Domain registration date — how old the domain is
- MX records — whether the domain has mail exchange records (MX-only domains with no web presence are a warning sign)
6 Safe Senders & Blocked Senders
What you'll learn: managing your personal allow-list and block-list to refine verdicts for known contacts.
Safe Senders
Adding a domain to Safe Senders tells CheckThis that you trust all email from that domain. Any future email from a domain on this list instantly receives a Safe verdict — CheckThis skips all signal analysis and shows "This domain is on your Safe Senders list."
To add a domain:
- After analysing an email you trust, click "Add to Safe Senders" in the action bar. The sender's domain is added automatically.
- Or go to Settings → Senders and type any domain manually.
Blocked Senders
Adding a domain to Blocked Senders immediately flags any email from that domain as High Risk — regardless of what the signals say. This is a permanent manual override.
To block a domain:
- Go to Settings → Senders.
- Type the domain in the Blocked Senders field and press ↩.
Managing your lists
Both lists are editable in Settings → Senders. To remove a domain, click the × next to it. Changes take effect immediately — the next email from that domain will be treated according to the updated list.
7 AI Analysis Setup
What you'll learn: enabling the AI analysis layer, which detects social engineering and pressure tactics that rule-based analysis may miss.
CheckThis has two analysis modes: rule-based (always on) and AI (optional). The AI layer adds a second pass that looks for social engineering patterns — urgency, authority impersonation, fear tactics, and subtle manipulation — that don't always leave obvious technical traces.
Option A — Apple Intelligence (recommended)
- Apple Intelligence requires macOS 26 or later, Apple Silicon, and Apple Intelligence enabled in System Settings.
- In CheckThis, go to Settings → AI. Select Apple Intelligence.
- AI analysis is now active. No API key needed, no data leaves your Mac.
Option B — OpenRouter (any Mac)
- Create an account at openrouter.ai and generate an API key.
- In CheckThis, go to Settings → AI. Select OpenRouter.
- Paste your API key. Select a model from the dropdown (Claude or GPT-4o recommended).
- AI analysis is now active. Your email content is sent to OpenRouter's servers for analysis.
How AI results appear
When AI analysis is active, the signal list includes rows tagged with an AI source badge. These signals describe patterns the AI found — for example, "High-pressure deadline combined with authority impersonation" or "Text attempts to bypass critical thinking with fear of account loss." The AI result contributes to the overall verdict score.
8 History
What you'll learn: using the History panel to review past checks and find a previous result.
- On the home screen, a recent history strip shows your last three checked emails. Click any row to re-open that result immediately.
- To see all history, click the History button (clock-arrow icon) on the home screen. The full History panel opens.
- Every email you have checked is listed with sender, subject, date, and verdict. The most recent is at the top.
- Click any row to re-open that result. The full verdict, signal list, and forensic details are available exactly as they were when you originally checked it.
- Delete an entry by right-clicking it and selecting Remove, or by selecting it and pressing ⌫.
- Clear all history using the Clear All button at the top of the History panel.
9 Settings Reference
A complete guide to every setting in CheckThis.
Settings has six tabs: AI, Extension, Privacy, Safe Senders, Blocked, and Licence.
AI
- AI mode — choose between Apple Intelligence (on-device), OpenRouter (cloud, requires API key), or Rule-based only (no AI) to disable the AI layer entirely and rely solely on header and DNS analysis.
- Model — when using OpenRouter, select from available models. Claude Sonnet is the default.
- API Key — your OpenRouter API key. Stored securely in your Mac's Keychain.
- Test Connection — sends a test request to verify your key is working before analyzing a real email.
Extension
- Open Mail Settings — shortcut to Mail → Settings → Extensions so you can enable or disable the Mail Extension.
- Extension status — shows whether the extension is currently active in Mail.
- Indicator style — choose how the verdict appears in Mail's message list.
Privacy
- Privacy note — a summary of what data leaves your Mac (nothing, unless AI is configured with OpenRouter).
- Privacy Policy and Terms of Use links.
Safe Senders
- Domains that always receive a Safe verdict. Add, remove, or clear the list. Any future email from a listed domain skips all analysis.
Blocked
- Domains that always receive a High Risk verdict. Add, remove, or clear the list.
- Export Block List… — saves the blocked list as a text file for backup or sharing.
Licence
- View your licence status and activation code. Use this tab to enter a new licence key or transfer activation to another Mac.