Breach-Safe Email Checker

Size up an email address in your browser, score the risk, check the domain records, hash it locally and get a clear action plan.

This breach-safe email checker sizes up an address right in your browser, so it never gets handed to a breach database first. Most exposure tools make you submit the address before they answer, which is a privacy problem on its own. This one runs locally instead. It confirms the address is real, scores how much of a target the account is, and flags the role mailboxes and plus-aliases attackers go after. When you allow it, the tool reads the domain's public mail records (MX, SPF and DMARC) without ever sending the full address, and it builds a local SHA-256 fingerprint for your notes. It never calls a breach API, so it will not label the address breached or clean. Instead it hands you a plain action plan (rotate the password, switch on 2FA, recheck recovery) plus an incident timeline, and none of it touches a server.

100% in your browser. Nothing you type ever leaves this page.

Privacy-first email exposure review, domain signals and incident plan

Most "is my email breached?" tools have a tell. To answer, they make you hand the address over to someone else first. Weird, right? I wanted a step before that. So this one reads the address right here in your browser. It scores how much of a target the account is, flags a role mailbox or a plus-alias, and (if you let it) peeks at the domain's mail records. Need a fingerprint for your notes? It hashes the address locally. Then it hands you a plain plan: rotate the password, switch on 2FA, go re-check your recovery options before you forget.

No breached-account API gets called here. The only thing that may go out is a DNS query for the domain, never the full email address.

A breach checker shouldn't hand you a second privacy problem

So the usual move, when you want to know whether an address leaked, is to type it into yet another website. Sometimes that's genuinely fine. Reputable provider, you know why you're asking. But as a default for step one? It bugs me. Before I send an address anywhere, I want to know what I'm even holding. Is this a shared role mailbox or an admin login? Has it been scraped off some public page a hundred times already? Did I reuse it somewhere stupid? Is the domain's mail security just wide open?

That's the gap this fills. It confirms the address is real and scores how much attention the account deserves. It explains why role addresses and admin logins draw fire. When it can, it reads the domain's public mail records. Keep notes? It spins up a local SHA-256 fingerprint. And it gives you a plan you can actually follow. What it won't do is call the address "breached" or "clean." It never touches a breach database, so saying either would be a lie.
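A sketch of that local pass, added here as an illustration and not taken from the tool's own code: it flags a role mailbox or plus-alias, builds DNS questions from the domain alone, and grades SPF and DMARC TXT answers. The function names, the short role list and the finding texts are assumptions, and the sample records are constructed.

```javascript
// Role local parts named on this page; a fuller list is an assumption left out here.
const ROLE_LOCAL_PARTS = new Set(["admin", "support", "billing"]);

// Split an address and flag what can be judged with no network call at all.
function triageAddress(email) {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) throw new Error("not an email address");
  const local = email.slice(0, at).toLowerCase();
  const domain = email.slice(at + 1).toLowerCase();
  const plus = local.indexOf("+");
  const base = plus === -1 ? local : local.slice(0, plus);
  return {
    domain,
    roleMailbox: ROLE_LOCAL_PARTS.has(base),
    plusTag: plus === -1 ? null : local.slice(plus + 1),
    // Every DNS question is built from the domain alone; the local part stays here.
    dnsQuestions: [
      { name: domain, type: "MX" },
      { name: domain, type: "TXT" }, // SPF is published as a TXT record
      { name: `_dmarc.${domain}`, type: "TXT" }, // DMARC policy record
    ],
  };
}

// Grade TXT answers already fetched for <domain> and for _dmarc.<domain>.
function gradeMailRecords(domainTxt, dmarcTxt) {
  const spf = domainTxt.find((r) => /^v=spf1(\s|$)/i.test(r)) ?? null;
  const dmarc = dmarcTxt.find((r) => /^v=DMARC1\s*;/i.test(r)) ?? null;
  const m = dmarc && /;\s*p=(none|quarantine|reject)\b/i.exec(dmarc);
  const dmarcPolicy = m ? m[1].toLowerCase() : null;
  const findings = [];
  if (!spf) findings.push("no SPF record");
  else if (!/(^|\s)-all(\s|$)/i.test(spf)) findings.push("SPF does not hard-fail (-all)");
  if (!dmarc) findings.push("no DMARC record");
  else if (dmarcPolicy !== "quarantine" && dmarcPolicy !== "reject")
    findings.push("DMARC does not enforce (p=quarantine or p=reject missing)");
  return { dmarcPolicy, findings };
}

// Constructed sample input; these are not real records.
const sampleTriage = triageAddress("Admin+shop@Example.com");
const sampleGrade = gradeMailRecords(
  ["v=spf1 include:_spf.example.com ~all"],
  ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
);
console.log(sampleTriage, sampleGrade);
```

A softfail (`~all`) SPF record paired with an enforcing DMARC policy is a common and workable setup, so read the SPF finding as informational and the DMARC finding as the one that decides whether spoofed mail gets rejected.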

What to do if an address might be exposed

Hit the accounts that actually hurt to lose first. Mailbox, password manager, hosting, domain registrar, admin panels, cloud consoles, anything that takes a payment, plus the recovery accounts sitting behind all of them. Swap out reused passwords. Kill active sessions, switch on 2FA, and while you're in there, read your forwarding rules and double-check the recovery email and phone on file. Then keep half an eye on the login alerts for a few days. If this is a team address, write down what changed and whose job it is to follow up. "Someone" never does it.

  • Your inbox goes first. It's the master key. Almost everything else resets through it.
  • Role mailboxes like admin, support, billing? Basically guessable. Attackers don't need a leak to find them.
  • 2FA is your seatbelt for the day a password gets reused or phished, and that day comes.
  • DMARC, SPF and DKIM are the domain owner's job. They make spoofing your domain a lot harder.
  • Unique passwords beat changing one password in fifty places. Reuse is what turns a single leak into ten.

A few real situations, and what I'd actually do

Newsletter address catching phishing? Annoying. Don't lose sleep over it. Filter it, glance at it now and then, and spend your real energy on accounts that can actually hurt you. Admin address showing up in public? Now I'd think hard about an alias and tighter sign-in. Custom domain with no DMARC policy? That's an open door for anyone who wants to spoof you. Close it. And if you've been tagging signups with plus-aliases like me+shop@, well, when the spam lands you'll know exactly which site sold you out.

Frequently asked questions

Does this tell me whether an email is in a breach?

No. That's the whole point: it never makes that lookup. When you genuinely need a breach-database search, go straight to a service you trust and do it there. Think of this as the step you take first.

Why check DNS for the domain?

Because the MX, SPF and DMARC records show whether the domain has its basic mail-authentication act together. Totally different question from whether a mailbox was breached. DNS can't answer that one. Neither can I, sitting out here.

Should I paste a real work email?

You can. The analysis runs in your browser, and the DNS checks only ever touch the domain, never the full address. Still, if your security policy gets twitchy, just fake it. Same domain, similar local part, and you'll get the same read.

How does a breach check work without exposing my email?

The privacy-preserving ones hash your address and send only a short prefix of that hash. So the full thing never travels in the clear. The server matches on the prefix, then you compare the rest yourself, locally. Reputable services don't keep what you type either. Confirm that in the privacy policy before you trust any of them, though.
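The prefix exchange described above, as an added example with both sides simulated in memory; it is not this tool's code or any particular service's API. SHA-256, the 5-character prefix and the names `buildRangeServer` and `checkAddress` are assumptions, and the corpus is constructed.

```javascript
// Web Crypto is global in browsers and current Node; older Node exposes it via node:crypto.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Hex SHA-256 of the trimmed, lower-cased address, computed locally.
async function fingerprint(email) {
  const bytes = new TextEncoder().encode(email.trim().toLowerCase());
  const digest = new Uint8Array(await subtle.digest("SHA-256", bytes));
  return Array.from(digest, (b) => b.toString(16).padStart(2, "0")).join("");
}

const PREFIX_LEN = 5; // hex characters sent to the server (assumed length)

// Hypothetical server: indexes its corpus by prefix and returns only suffixes.
async function buildRangeServer(leakedAddresses) {
  const buckets = new Map();
  for (const addr of leakedAddresses) {
    const h = await fingerprint(addr);
    const key = h.slice(0, PREFIX_LEN);
    buckets.set(key, [...(buckets.get(key) ?? []), h.slice(PREFIX_LEN)]);
  }
  const seen = []; // everything the server ever receives from clients
  const range = (prefix) => {
    seen.push(prefix);
    return buckets.get(prefix) ?? [];
  };
  return { seen, range };
}

// Client: send the prefix, then match the remaining hex digits locally.
async function checkAddress(email, server) {
  const h = await fingerprint(email);
  const suffixes = server.range(h.slice(0, PREFIX_LEN));
  return suffixes.includes(h.slice(PREFIX_LEN));
}

// Constructed corpus and queries; none of these are real leaked addresses.
async function demo() {
  const server = await buildRangeServer(["alice@example.com", "bob@example.org"]);
  const hit = await checkAddress(" Alice@Example.com ", server);
  const miss = await checkAddress("carol@example.net", server);
  return { hit, miss, seen: server.seen };
}
```

A shorter prefix puts more hashes in each bucket, so the server learns less at the cost of a larger response. The hash is unsalted, so anyone who can guess the address can recompute it; treat it as an identifier, not as a way to hide the address.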

My email appeared in a breach. What should I do?

Change the password on that service first. Then everywhere you reused it, and be honest about how many places that actually is. More than you'd like, probably. Turn on two-factor. Move to unique passwords in a manager so this stops being a recurring fire drill. The leaked password is the dangerous part here, not the email sitting in some list.