Email Importance Content Analysis

Use a subject/title-first triage, then perform technical verification (headers/links/attachments) only when warranted, and only then validate with content analysis. Treat sender display name, badges, labels, and “From” appearance as untrusted.

Workflow (title → technical → content)

1) Title/subject + sender triage (cheap first-pass)

Use only: subject line + sender (display name + email address/domain as shown). Do not click anything.

Important: treat sender as weak signal (can be spoofed). Use it for triage only.

1A) Fast-drop rules (save time)

If the sender looks obviously sloppy/spoofed AND the email is not expected, classify as Likely scam/ads and stop (do not spend time on technical verification). Examples of fast-drop signals:

• Display name claims a bank/government/major brand but the address is from a free mailbox (gmail/outlook/163/qq) or unrelated domain
• Lookalike domains / typo-squatting: paypaI (I/l), micros0ft (0/O), extra -secure/-verify, weird punctuation
• Suspicious TLDs or brand stuffed into subdomain: brand.security-check.example.com
• Very unprofessional local-part patterns (random digits/strings) while claiming official identity
• Pure promo patterns (promo/marketing/news) + obvious sales subject ⇒ treat as ads

1B) Escalate rules (to technical verification)

Escalate for technical verification if subject OR sender implies any of:

• Money/settlement: 扣款/圈存/付款/退款/發票/帳單/對帳單/繳費
• Account/security: 登入/驗證/密碼重設/異常登入/停權/封鎖/安全警告
• Delivery/download: 文件下載/取件號碼/包裹/物流失敗
• Urgency/threat: 最後通知/24小時內/立即/否則將…
• Execution: 附件/請下載/請開啟/啟用巨集

If the subject is clearly marketing/newsletter and no action is implied ⇒ usually stop here (Low).

If it triggers the fast-drop rules, you may label it as:

• Importance: Low
• Risk: Medium–High (spoof attempt)
• Next step: Do not click; optionally mark as spam/block

2) Technical verification (only for emails that passed title triage)

Prefer evaluating raw email headers / “Show original” output (or via gog gmail get). Check:

• Authentication-Results: SPF / DKIM / DMARC results (pass|fail|neutral) and note which domain they authenticate
• Alignment: whether DKIM d= domain / SPF MAIL FROM / DMARC aligns with the visible From domain
• From vs Reply-To mismatch
• Links and attachments:
  • Expand the real target domain (hover/copy link) — don’t trust anchor text
  • Note risky attachments (e.g., .zip, .iso, .js, .vbs, .docm, password-protected archives)

If headers are not available, mark Technical verdict = Unknown and increase caution.

3) Extract the actionable claims (facts only) — only if technical verification passes

From the email body, list:

• What happened / what they claim happened
• What they want the recipient to do (and by when)
• What account/system/money is involved
• What evidence they provide (order id, invoice id, ticket id, last-4 digits, timestamps)

4) Classify the required action (drives importance)

Rank higher if it requires any of:

• Account access / authentication: login, password reset, 2FA codes, device approval
• Money movement: payment, wire, subscription renewal, invoice settlement, refunds
• Permissions / security posture: granting access, changing roles, API keys, OAuth consent
• Software execution: download/open an attachment, run a file, enable macros
• Data disclosure: personal/company info, documents, ID numbers

5) Content risk patterns (red flags)

Increase risk if the content shows:

• Urgency / threat: “within 24h”, “account will be closed”, “legal action”, “final notice”
• Secrecy / bypass: “don’t tell others”, “use personal email”, “avoid normal process”
• Mismatch / vagueness: generic greeting, unclear context, missing specifics the real sender would know
• Odd requests: asking for OTP, gift cards, crypto, remote access, or direct bank changes
• Link/attachment pressure: “click to verify”, “download to view”, “enable macros”

6) Choose safe verification (do not trust the email path)

Even if SPF/DKIM/DMARC pass, for sensitive actions recommend out-of-band verification:

• Navigate via known official entry points (typed URL, app, bookmark), not email links
• If it claims an account issue: check account status by logging in from official site/app
• If it’s a vendor/payment issue: verify using the invoice/order id inside the official portal
• If it’s workplace related: verify via internal chat/phone using known contacts

7) Output: priority + next action

Always provide:

• Title triage verdict: Escalate / Ignore
• Technical verdict: Pass / Fail / Unknown
• Importance level: Critical / High / Medium / Low
• Risk level: High (likely phishing) / Medium / Low
• Recommended next step: what to do now, what not to do, and how to verify

Decision Heuristics (quick)

• Technical FAIL (SPF/DKIM/DMARC fail or obvious mismatch) + any call-to-action ⇒ Risk: High (treat as phishing) regardless of “importance”.
• Critical: money/credentials/permissions + urgency OR any request for OTP/macro/remote access.
• High: requires action soon, could cause loss of access/service interruption, but can be verified safely via official channels.
• Medium: informational but relevant; no immediate sensitive action.
• Low: newsletters, marketing, generic updates with no action.

Response Template (use in replies)

• Title triage (why it escalates / why it can be ignored):
• Technical verification (SPF/DKIM/DMARC + alignment + From/Reply-To + link/attachment notes):
• Summary (1–2 lines):
• What it’s asking you to do:
• Why it may matter (impact if ignored):
• Red flags (if any):
• Safe verification path:
• Recommendation (do / don’t):