CheckThis — Tutorials

Written guides for every feature in CheckThis. Work through them in order for a complete introduction, or jump to any section using the contents list.

1 First Launch & Mail Extension Setup

What you'll learn: getting CheckThis running and enabling the Mail Extension so incoming messages are pre-screened automatically.

Steps

  1. Launch CheckThis. The Welcome screen explains what the app does and shows a one-time setup notice. Read the disclaimer — CheckThis is an analysis tool that helps you make better decisions, not a guarantee.
  2. Grant permissions if prompted. CheckThis needs Automation access to Apple Mail so it can read the email you drag in. When macOS shows the Automation permission dialog, click Allow. If you accidentally denied it, go to System Settings → Privacy & Security → Automation and enable CheckThis.
  3. Enable the Mail Extension. Open Settings → Extension inside CheckThis. Click "Open Mail Settings." In Apple Mail, go to Settings → Extensions. Find CheckThis in the list and tick its checkbox. Close Mail Settings.
  4. Return to CheckThis. The extension status in Settings → Extension should now show as active. From this point, incoming mail in Apple Mail is pre-screened and coloured dots appear on flagged messages before you open them — no manual step required.
Note: The Mail Extension is optional. You can use CheckThis entirely by dragging emails manually — the extension just automates the process.

2 Checking Your First Email

What you'll learn: the three ways to get an email into CheckThis.

Method A — Drag from Apple Mail

  1. Open Apple Mail alongside CheckThis.
  2. Find a message you want to check. Drag it from the Mail message list directly onto the CheckThis window. Drop it anywhere on the app — the drop zone accepts it.
  3. CheckThis extracts the full email source automatically. Analysis begins immediately.

Method B — Copy & Paste Raw Email Source

  1. In Apple Mail, select a message. Go to View → Message → Raw Source (⌥⌘U). The raw headers and body appear in a window.
  2. Select all (⌘A) and copy (⌘C).
  3. In CheckThis, paste (⌘V) into the drop zone. Analysis begins immediately.

Method C — Open an .eml File

  1. If you have a saved .eml file, drag it onto the CheckThis window, or use File → Open.
What happens during analysis: CheckThis works through four stages shown in the status bar — Parsing headers → Looking up domain & origin → Extracting signals → Scoring. The full process typically takes 2–5 seconds.

3 Reading the Verdict

What you'll learn: how to interpret the verdict banner and confidence indicator.

The verdict banner

After analysis, a large icon and verdict label appear at the top of the results view. There are four possible verdicts:

VerdictMeaningWhat to do
SafeNo significant risk signals found.Proceed normally. The email appears legitimate.
Likely OKMinor anomalies — likely legitimate but worth a glance.Check the signal list. Usually safe to act on.
SuspiciousMultiple concerning signals. Treat with caution.Do not click links or open attachments until verified.
High RiskStrong indicators of phishing, fraud, or impersonation.Do not interact. Delete or report. Do not click anything.

The "What to do" card

Below the banner, a plain-English card explains the verdict and gives specific guidance — including what makes this particular email suspicious (or safe). Read this card first before acting on any email flagged as Suspicious or High Risk.

Confidence

A confidence bar shows how certain the verdict is. High confidence means many consistent signals all pointing the same direction. Low confidence means the signals are mixed — treat the verdict as a starting point, not a definitive answer.

Action bar

At the bottom of the result view, up to four buttons appear:

  • Check Another Email — resets the app for a new email.
  • Forensic Details — opens the full raw-data view (see Tutorial 5).
  • Add to Safe Senders — marks this sender's domain as trusted. Future emails from this domain skip to Safe immediately.
  • Add to Block List — marks this sender's domain as blocked. Future emails from this domain immediately receive a High Risk verdict without analysis.

Once you add a sender to either list the corresponding button is replaced by a confirmation label and the other list button disappears.

4 Understanding the Signal List

What you'll learn: how to read the individual signals that drove the verdict.

Below the "What to do" card, the Signal List shows every factor CheckThis detected — both risk factors and trust factors. Each row shows:

  • Signal name — what CheckThis detected (e.g., "Lookalike domain", "DMARC authenticated")
  • Value — the specific data found (e.g., the domain name, the IP address)
  • Explanation — plain English: why this signal matters and what it means in context
  • Source badge — where the signal came from: Local (header analysis), DNS (domain lookup), AI (AI layer), or User (your Safe/Blocked lists)

Signal types you'll commonly see

SignalWhat it means
Reply-To mismatchThe Reply-To address differs from the From address — a classic phishing technique so your reply goes to the attacker's mailbox.
Lookalike domainThe sending domain closely resembles a well-known brand (e.g., paypa1.com vs paypal.com).
Domain ageThe sending domain was registered recently — newly registered domains are disproportionately used for fraud.
DMARC authenticatedThe email passed DMARC authentication — a strong positive signal. Legitimate senders like banks and major services almost always pass DMARC.
Urgency languagePhrases designed to pressure you into acting immediately without thinking ("Your account will be closed in 24 hours").
Brand impersonationThe email mentions a well-known brand name (Apple, PayPal, etc.) but the sending domain does not match that brand's legitimate domain.
Marketing platform detectedThe email was sent through a bulk mailing service (Mailchimp, HubSpot, etc.) — not inherently suspicious but reduces the weight of some other signals.
Routing anomalyThe email's path through mail servers is inconsistent with a legitimate sender.
Green signals reduce risk; red signals increase it. CheckThis combines all signals using a weighted scoring model. A single red signal doesn't automatically mean fraud — it's the overall pattern that drives the verdict.

5 Forensic Details

What you'll learn: using the Forensic Details view to inspect raw headers, routing, and DNS data.

Tap Forensic Details in the result action bar to open the full raw-data inspector. This is for advanced users who want to verify CheckThis's conclusions or dig deeper into an anomaly.

Headers tab

Shows the complete raw email headers exactly as received — every Received, From, To, Reply-To, Return-Path, DKIM-Signature, and DMARC header. Search within the text to find any specific field.

Routing tab

Visualises the hop-by-hop path the email took through mail servers before arriving in your inbox. Each hop shows the server hostname, IP address, and timestamp. Geographic data is shown where available. Unexpected routing hops (e.g., an email from a US company that was relayed through servers in an unrelated country) are flagged here.

DNS / WHOIS tab

Shows the DNS analysis CheckThis performed on the sending domain:

  • SPF record — whether the sender's domain authorises the sending IP
  • DKIM signature — whether the message body was cryptographically signed by the sender
  • DMARC policy — what the domain's policy says to do with failed authentication
  • Domain registration date — how old the domain is
  • MX records — whether the domain has mail exchange records (MX-only domains with no web presence are a warning sign)
Forensic Details is read-only. Nothing you do here affects the verdict or your Safe/Blocked lists. It is purely for inspection.

6 Safe Senders & Blocked Senders

What you'll learn: managing your personal allow-list and block-list to refine verdicts for known contacts.

Safe Senders

Adding a domain to Safe Senders tells CheckThis that you trust all email from that domain. Any future email from a domain on this list instantly receives a Safe verdict — CheckThis skips all signal analysis and shows "This domain is on your Safe Senders list."

To add a domain:

  1. After analysing an email you trust, click "Add to Safe Senders" in the action bar. The sender's domain is added automatically.
  2. Or go to Settings → Senders and type any domain manually.
Use Safe Senders for high-volume trusted senders — your bank, your employer's domain, newsletters you've subscribed to. Don't add domains you don't recognise just because an email looked legitimate once.

Blocked Senders

Adding a domain to Blocked Senders immediately flags any email from that domain as High Risk — regardless of what the signals say. This is a permanent manual override.

To block a domain:

  1. Go to Settings → Senders.
  2. Type the domain in the Blocked Senders field and press ↩.

Managing your lists

Both lists are editable in Settings → Senders. To remove a domain, click the × next to it. Changes take effect immediately — the next email from that domain will be treated according to the updated list.

7 AI Analysis Setup

What you'll learn: enabling the AI analysis layer, which detects social engineering and pressure tactics that rule-based analysis may miss.

CheckThis has two analysis modes: rule-based (always on) and AI (optional). The AI layer adds a second pass that looks for social engineering patterns — urgency, authority impersonation, fear tactics, and subtle manipulation — that don't always leave obvious technical traces.

Option A — Apple Intelligence (recommended)

  1. Apple Intelligence requires macOS 26 or later, Apple Silicon, and Apple Intelligence enabled in System Settings.
  2. In CheckThis, go to Settings → AI. Select Apple Intelligence.
  3. AI analysis is now active. No API key needed, no data leaves your Mac.

Option B — OpenRouter (any Mac)

  1. Create an account at openrouter.ai and generate an API key.
  2. In CheckThis, go to Settings → AI. Select OpenRouter.
  3. Paste your API key. Select a model from the dropdown (Claude or GPT-4o recommended).
  4. AI analysis is now active. Your email content is sent to OpenRouter's servers for analysis.

How AI results appear

When AI analysis is active, the signal list includes rows tagged with an AI source badge. These signals describe patterns the AI found — for example, "High-pressure deadline combined with authority impersonation" or "Text attempts to bypass critical thinking with fear of account loss." The AI result contributes to the overall verdict score.

AI is off by default. Rule-based analysis catches the vast majority of phishing attacks without AI. The AI layer adds depth for sophisticated social engineering attacks that are harder to detect technically.

8 History

What you'll learn: using the History panel to review past checks and find a previous result.

  1. On the home screen, a recent history strip shows your last three checked emails. Click any row to re-open that result immediately.
  2. To see all history, click the History button (clock-arrow icon) on the home screen. The full History panel opens.
  3. Every email you have checked is listed with sender, subject, date, and verdict. The most recent is at the top.
  4. Click any row to re-open that result. The full verdict, signal list, and forensic details are available exactly as they were when you originally checked it.
  5. Delete an entry by right-clicking it and selecting Remove, or by selecting it and pressing ⌫.
  6. Clear all history using the Clear All button at the top of the History panel.
History is stored locally on your Mac — it is never uploaded or shared. Clearing history is permanent and cannot be undone.

9 Settings Reference

A complete guide to every setting in CheckThis.

Settings has six tabs: AI, Extension, Privacy, Safe Senders, Blocked, and Licence.

AI

  • AI mode — choose between Apple Intelligence (on-device), OpenRouter (cloud, requires API key), or Rule-based only (no AI) to disable the AI layer entirely and rely solely on header and DNS analysis.
  • Model — when using OpenRouter, select from available models. Claude Sonnet is the default.
  • API Key — your OpenRouter API key. Stored securely in your Mac's Keychain.
  • Test Connection — sends a test request to verify your key is working before analyzing a real email.

Extension

  • Open Mail Settings — shortcut to Mail → Settings → Extensions so you can enable or disable the Mail Extension.
  • Extension status — shows whether the extension is currently active in Mail.
  • Indicator style — choose how the verdict appears in Mail's message list.

Privacy

  • Privacy note — a summary of what data leaves your Mac (nothing, unless AI is configured with OpenRouter).
  • Privacy Policy and Terms of Use links.

Safe Senders

  • Domains that always receive a Safe verdict. Add, remove, or clear the list. Any future email from a listed domain skips all analysis.

Blocked

  • Domains that always receive a High Risk verdict. Add, remove, or clear the list.
  • Export Block List… — saves the blocked list as a text file for backup or sharing.

Licence

  • View your licence status and activation code. Use this tab to enter a new licence key or transfer activation to another Mac.