Prove an email is authentic — in one PDF
Upload an .eml or .msg and get a single evidence report: a SHA-256 fingerprint of the original file, the complete Received (hop) chain, the Message-ID and Return-Path, and the SPF/DKIM/DMARC results as recorded by the receiving server. No message body, no attachments — just the authenticity record.
- SHA-256 fingerprint of the exact original file
- Full Received chain + SPF/DKIM/DMARC results
- Optional PDF/A for long-term archiving
A forwarded screenshot is not evidence
Without a proper record
- A screenshot or a printed email proves nothing — anyone can edit it.
- The headers that actually prove authenticity (Received, SPF, DKIM) are hidden and get lost on print.
- There is no fingerprint linking the PDF back to the untouched original.
- A generic “email to PDF” renders the body but throws the authenticity layer away.
With an evidence report
- A SHA-256 hash anchors the report to the exact bytes of the source file.
- The full Received chain is captured in order, oldest to newest.
- SPF, DKIM and DMARC results are shown exactly as the receiving server stamped them.
- A clear disclaimer states what is reported versus independently verified — so the PDF holds up.
How it works
Email Authenticity Report
Generated by PDFen
Integrity
SHA-256
3a7bd3e2360a3d29eea436fcfb7e44c735d117c4...
Authentication (as reported)
Received chain
- mta1.sender.com
- relay.example.net
- mx.receiver.com
Values reported by the receiving server, not independently verified by PDFen.
Upload the original email
Drop the raw .eml or .msg file — the unmodified message you received, including its headers. Multiple files become one report each (a ZIP for several).
We read the headers and hash the file
PDFen computes a SHA-256 of the original, extracts the Received chain, Message-ID, Return-Path and the Authentication-Results, and normalises the SPF/DKIM/DMARC verdicts.
Download the evidence PDF
You get a one-page authenticity report — no body, no attachments. Optionally archived as PDF/A-2b for long-term retention.
What the report contains
Every field a reviewer needs to assess authenticity and integrity.
SHA-256 integrity fingerprint
A cryptographic hash of the original file, computed before any processing. Re-hash the source and compare — any change breaks the match.
Full Received (hop) chain
Every mail server the message passed through, in transport order, so the delivery path is on the record.
SPF / DKIM / DMARC results
The authentication verdicts as reported in the Authentication-Results header, labelled with the server that stamped them.
PDF/A archival output
Optionally export the report as PDF/A-2b — the ISO format for documents that must stay readable for years.
Who uses email evidence reports
Legal & disputes
Attach an authenticity record to correspondence used in a claim, contract dispute or e-discovery file.
HR & investigations
Preserve a tamper-evident copy of an email before it is forwarded, quoted or deleted.
Insurance & claims
Document the email that triggered or supports a claim, with its delivery path and authentication intact.
Compliance & audit
Keep a consistent, archivable evidence trail for emails that fall under retention or audit requirements.
Honest about what is — and isn’t — verified
The SHA-256 hash certifies the integrity of the source file as you supplied it. The SPF/DKIM/DMARC results and the Received chain are read from that file and shown exactly as the receiving mail server recorded them — they are not independently re-verified by PDFen, and the report says so plainly. That honesty is what gives the document its value: it never claims more than it can prove.
Frequently asked questions
What is in the evidence PDF?
A single page with the message details (From, To, Subject, Date, Message-ID, Return-Path, Reply-To), a SHA-256 hash of the original file with its size and the conversion timestamp, the SPF/DKIM/DMARC results, and the full Received chain — plus a disclaimer. The message body and attachments are deliberately not rendered.
How is this different from “Email to PDF”?
Email to PDF renders the message and its attachments as a readable document. This tool produces only the authenticity report — the forensic layer — without the body. If you want both, use Email to PDF and tick “Add evidence page”.
Does PDFen verify the DKIM signature itself?
No. The report shows the SPF/DKIM/DMARC results as recorded by the receiving server in the Authentication-Results header. It does not re-check the cryptographic DKIM signature against DNS — and it states this clearly, so the document never overclaims.
Which files can I upload?
Standard email files: .eml and .msg. Upload several at once and you get one evidence PDF per email (delivered as a ZIP when there are multiple).
Is the message body or attachment content stored or shown?
No. This tool reads only the headers and computes the hash; it does not render or include the body or attachments in the output.
What does it cost?
1 credit per email file. New accounts start with free credits, so you can try it right away.
Get a court-ready email evidence PDF
Upload your .eml or .msg — the authenticity report is ready in seconds.