The TRACE Field Guide

Phishing Forensics quick reference. Print this page for a quick reference at your desk.


Section 1: TRACE 5-Step Summary

| Step | What to Do |
| --- | --- |
| T | Take a snapshot. Preserve evidence — screenshot + forward-as-attachment. Don't delete. |
| R | Reveal the real. Find the "View Original" button. Three lines tell you what you need. |
| A | Authenticate the sender. SPF/DKIM/DMARC as one question — pass, fail, or missing? |
| C | Check the landing. Where does the link really go? Hover, copy, unshorten, sandbox. Never click. |
| E | Escalate. Report to IT / APWG / brand / law enforcement depending on the message type. |

Section 2: "View Original" Shortcut Reference

| Client | How to Get the Raw Source |
| --- | --- |
| Gmail (web) | Open message → three-dot menu on the message → "Show original" |
| Outlook (web / M365) | Open message → three-dot menu → "View" → "View message source" |
| Apple Mail (macOS) | Message → View → Message → "All Headers" OR "Raw Source" |
| Thunderbird | View → Message Source (Ctrl+U / Cmd+U) |

Section 3: Three-Line Decoder

From:

What the sender wants you to see. Trivially spoofable.

Return-Path:

Where bounces go. Harder to fake. This is the real envelope sender.

Authentication-Results:

The receiving server's verdict on SPF, DKIM, DMARC.


Section 4: Authentication Quick Table

| Protocol | Pass | Fail | Missing |
| --- | --- | --- | --- |
| SPF | Authorized sending server. | Not authorized. Very suspicious. | No SPF record — domain hasn't set it up. |
| DKIM | Content intact, legit signature. | Signature broken or invalid. | Message wasn't signed. |
| DMARC | Policy accepts this message. | Policy rejects this message. | No policy published. |
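
The Section 3 three-line decoder and the Section 4 table, applied to pasted raw source, as an added example that is not part of the original guide. The sample message and its domains are constructed, and `decode`, `domain` and `auth_verdicts` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample source (not a real message); all domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=fail header.d=example.com;
 dmarc=fail header.from=example.com
From: "Example Bank" <security@example.com>
Subject: Verify your account

Body text.
"""

def domain(header_value):
    """Lowercased domain of an address header, or '' if absent or empty (<>)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_verdicts(msg):
    """Reduce SPF/DKIM/DMARC results to the table's pass / fail / missing."""
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    # Assumption: the topmost Authentication-Results header is the one your own
    # receiving server added; lower copies may have been supplied by the sender.
    header = msg.get("Authentication-Results", "")
    for proto, result in re.findall(r"(?<![\w.-])(spf|dkim|dmarc)=(\w+)", header, re.I):
        proto, result = proto.lower(), result.lower()
        if result == "none" or verdicts[proto] == "pass":
            continue  # "none" = nothing to evaluate; one passing DKIM signature is enough
        # Simplification: any other non-pass result (softfail, permerror, ...) counts as fail.
        verdicts[proto] = "pass" if result == "pass" else "fail"
    return verdicts

def decode(raw_source):
    """Pull the three lines out of raw message source and summarise them."""
    msg = message_from_string(raw_source)
    from_dom, rp_dom = domain(msg.get("From")), domain(msg.get("Return-Path"))
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # Exact comparison: a mismatch is a signal to look closer, not a verdict,
        # since mailing services often use their own bounce domain.
        "domains_match": bool(from_dom) and from_dom == rp_dom,
        "auth": auth_verdicts(msg),
    }

if __name__ == "__main__":
    print(decode(SAMPLE))
```

Pass the text from "Show original" or "View message source" to `decode()`.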

Section 5: URL Safety Checklist

  1. Hover — desktop shows the real URL in the status bar. Don't trust it alone — it can lie.
  2. Copy — right-click → Copy link (desktop) / long-press → Copy (mobile). No navigation.
  3. Unshorten — paste into unshorten.it / checkshorturl.com / wheregoes.com to see the final destination.
  4. Sandbox — urlscan.io / any.run lets a robot click for you in an isolated browser.

Section 6: Reporting Decision Tree

Work email

IT/security team first. Use the "Report Phishing" button if available, or forward-as-attachment.

Personal email impersonating a brand

phishing@[brand].com + reportphishing@apwg.org.

Financial impact / you clicked

Call your bank using the number on your card. File at ic3.gov and reportfraud.ftc.gov.

Government impersonation

Agency IG office (e.g., phishing@irs.gov).