Sherlock Forensics EML Viewer: Open EML Files Without an Email Client

Since 2006. CISSP certified. SHA256 verified. Read any RFC-822 .eml file with forensic-grade analysis.

Sherlock Forensics EML Viewer is a free Windows application that opens RFC-822 .eml email files with forensic analysis. It provides SMTP transport chain visualization, SPF/DKIM/DMARC authentication results, anomaly detection and SHA256 hash verification. Analyze single files or entire folders of EML exports from Thunderbird, Gmail Takeout or forensic tools. Forensic Edition at $67 adds attachment extraction and PDF reports.

Format

What Is an EML File

EML is the RFC-822 standard email format used by nearly every email system outside of Microsoft Outlook. Each .eml file is a plain-text document with MIME encoding that contains a single email message with full headers, body content and encoded attachments.

The format is human-readable at its core. Open any .eml file in a text editor and you will see the raw headers followed by the message body. MIME boundaries separate plain text from HTML content and base64-encoded attachments. This transparency makes EML the preferred format for forensic examination because nothing is hidden behind proprietary encoding.

EML files are produced by Thunderbird, Windows Mail, Gmail Takeout, forensic acquisition tools and email server exports. They are the most universal email format outside of Microsoft's ecosystem. Any tool that claims to handle email evidence must be able to parse EML correctly.

Sources

Where EML Files Come From

EML files appear in forensic casework and IT administration from a wide range of sources.

  • Mozilla Thunderbird — default export format when saving or dragging messages from the client
  • Google Takeout — Gmail export produces individual .eml files for every message in the archive
  • Forensic acquisition tools — X-Ways, Autopsy and FTK extract email artifacts as .eml files from disk images
  • IMAP client downloads — programmatic IMAP fetch operations save messages in EML format
  • Email server backups and migrations — Postfix, Dovecot and other MTAs store mail as individual EML files in Maildir format
  • Incident response evidence collection — suspicious emails forwarded as attachments arrive as .eml files
  • Court-ordered email productions — opposing counsel or service providers may produce email evidence in EML format

Analysis

Forensic Analysis of EML Files

Sherlock Forensics EML Viewer applies the same forensic rigor to .eml files that examiners expect from enterprise forensic suites. Every EML opened receives an automatic forensic readout alongside the standard message preview.

SMTP Transport Chain

Every Received: header in the EML file is parsed into a chronological hop-by-hop trail. Each entry shows the sending host, receiving host, IP address and protocol used. The viewer reconstructs the complete path from origin to destination, presenting a single-line summary that answers "where did this message actually come from" at a glance. Forged headers and inconsistent timestamps are visible immediately when the full chain is laid out in sequence.

Authentication Results

SPF, DKIM and DMARC verdicts are extracted from the Authentication-Results header and displayed with plain-English explanations. A passing SPF result means the sending IP was authorized by the domain owner. A valid DKIM signature confirms the message body was not altered in transit. DMARC alignment ties SPF and DKIM together under the sender's domain policy. When any of these checks fail, the viewer flags the result and explains what the failure means in practical terms.

Anomaly Detection

The viewer automatically flags suspicious patterns in every EML file. Missing sender addresses, authentication failures, Message-ID domains that do not match the From: domain, unusual header ordering and other indicators are surfaced without requiring the examiner to read raw headers manually. These flags serve as triage markers when processing large volumes of email evidence.
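
The checks described in this section (hop-by-hop Received: parsing, Authentication-Results extraction and anomaly flags) can be reproduced with Python's standard library when an examiner wants to verify a tool's readout independently. This is an added example, not Sherlock Forensics code; the sample message, function names and flag wording are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import mktime_tz, parseaddr, parsedate_tz
# Constructed sample (not real evidence); reserved example domains and IPs.
SAMPLE_EML = (
    b"Authentication-Results: inbound.example.org; spf=pass smtp.mailfrom=example.net;\r\n"
    b"\tdkim=fail header.d=example.net; dmarc=fail header.from=example.com\r\n"
    b"Received: from mx.example.net (mx.example.net [198.51.100.7])\r\n"
    b"\tby inbound.example.org with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000\r\n"
    b"Received: from laptop (unknown [203.0.113.9])\r\n"
    b"\tby mx.example.net with ESMTPA; Tue, 02 Jan 2024 10:00:01 +0000\r\n"
    b"From: Alice <alice@example.com>\r\n"
    b"Message-ID: <abc123@mail.example.net>\r\n\r\nbody\r\n"
)
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?by\s+(\S+).*?with\s+(\S+)", re.S)

def transport_chain(msg):
    """Hops oldest-first: each relay prepends its Received header, so reverse them."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text, _, date = str(raw).rpartition(";")   # timestamp follows the last ';'
        m = HOP_RE.search(text)
        tup = parsedate_tz(date.strip())           # None if the date is unparseable
        hops.append({"from": m and m.group(1), "ip": m and m.group(2), "by": m and m.group(3),
                     "with": m and m.group(4), "epoch": mktime_tz(tup) if tup else None})
    return hops

def auth_results(msg):
    """Verdicts as recorded in the topmost Authentication-Results header (not re-verified)."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))

def anomalies(msg):
    flags = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    mid_dom = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    if not from_dom:
        flags.append("missing sender address")
    elif mid_dom and mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        flags.append("Message-ID domain does not match From domain")
    flags += [f"{k}={v}" for k, v in auth_results(msg).items() if v != "pass"]
    times = [h["epoch"] for h in transport_chain(msg) if h["epoch"] is not None]
    if times != sorted(times):
        flags.append("Received timestamps out of order")
    return flags

def analyze(raw):
    msg = message_from_bytes(raw, policy=policy.default)  # hash covers raw bytes, not parsed form
    return {"sha256": hashlib.sha256(raw).hexdigest(), "chain": transport_chain(msg),
            "auth": auth_results(msg), "flags": anomalies(msg)}
```

An Authentication-Results header is only meaningful when it was added by the receiving system itself (its authserv-id is the first token); a copy supplied by the sender carries no evidentiary weight.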

Raw Headers

One click exposes the full RFC-822 headers for independent verification. Every header field is displayed exactly as stored in the .eml file with no parsing or reformatting applied. This allows examiners to verify the tool's automated analysis against the raw source data or to identify header fields that fall outside standard automated checks.

Batch Processing

Batch Analysis with Folder Mode

Point the viewer at a directory of EML files and every message becomes a browsable list. Folder mode supports optional recursive scanning for nested subdirectories, which is essential when processing forensic disk images or email server exports that organize messages in deep folder hierarchies.

Sort the loaded messages by sender, date, subject or anomaly flags. Check off messages that require further examination. The anomaly column provides immediate visual triage: messages with authentication failures or suspicious header patterns rise to the top without manual review of each file.

This capability is particularly valuable for Gmail Takeout archives. A single Google Takeout export can produce thousands of individual EML files spread across label-based folder structures. Folder mode with recursive scanning loads the entire export in one operation. The transport chain analysis on each message reveals whether forwarded emails were actually forwarded by Gmail's servers or fabricated after the fact.

Compare

Free vs Forensic Edition

Free Edition ($0)

Read any EML file or folder of EML files. View message body and attachments inline. Full forensic analysis including SMTP transport chain visualization, SPF/DKIM/DMARC authentication results and anomaly detection. SHA-256 hashing for every file opened. Chain of custody logging. No trial period. No feature expiry.

Forensic Edition ($67 USD)

Everything in the free edition plus byte-level attachment extraction with per-attachment SHA-256 hashing. Court-ready PDF forensic reports with per-message hash verification and sender IP attribution. Mbox export for archival. Priority email support. One-time payment with no subscription.

Use Cases

Gmail Takeout Analysis

Google Takeout exports produce EML files. Folder mode handles thousands of exported messages in a single load with recursive scanning across label-based directories. The transport chain reveals whether forwarded emails were actually forwarded by Gmail's infrastructure or fabricated after export. Essential for divorce proceedings and employment disputes where Gmail archives are produced as evidence.

Incident Response

Open a suspicious EML attachment from a phishing report. The SMTP transport chain and authentication results reveal the actual origin of the message in under 30 seconds. Anomaly flags highlight authentication failures and header inconsistencies that indicate spoofing. No email client installation required on analysis workstations, reducing the attack surface during incident triage.

Legal Discovery

Email productions in EML format from opposing counsel or service providers. Batch load entire productions using folder mode. Triage by anomaly flags to identify messages with authentication failures or header irregularities. Generate per-custodian forensic reports with SHA-256 hashing for court submission. Pairs with our expert witness services for testimony support.

Guide

How to Open and Analyze EML Files

  1. Download Sherlock Forensics EML Viewer: Download the free installer from this page. Under 5 MB. SHA256 verified for integrity.
  2. Install and Launch: Run the installer on Windows 10 or 11. No admin privileges required. Launch from the Start menu.
  3. Open an EML File or Folder: Click Open File to load a single .eml message. Use Folder Mode to load an entire directory of EML files with optional recursive scanning for nested subdirectories.
  4. Review Transport Chain and Authentication: Examine the SMTP transport chain showing every hop from sender to recipient. Check SPF, DKIM and DMARC authentication results. Review anomaly flags for suspicious patterns.
  5. Generate Forensic Report: Forensic Edition users can mark relevant messages and generate court-ready PDF reports with per-message SHA-256 hashing, sender IP attribution and chain of custody documentation.

Questions

EML Viewer FAQ

What is an EML file?
EML is the RFC-822 standard email format. It stores a single email message as plain text with MIME encoding. Used by Thunderbird, Gmail Takeout, forensic tools and most non-Outlook email systems.

Can I open EML files on Windows without an email client?
Yes. Sherlock Forensics PST Viewer reads EML files directly without any email client installed. Download the free edition, open any .eml file and view the full message with forensic analysis included.

Where do EML files come from?
Email clients (Thunderbird, Windows Mail), Google Takeout exports, forensic acquisition tools, email server backups, IMAP downloads and incident response evidence collection.

Can I analyze a folder of EML files at once?
Yes. Folder mode loads all EML files from a directory with optional recursive scanning for nested subdirectories. Sort by sender, date, subject or anomaly flags for rapid triage.

What is SMTP transport chain analysis?
The viewer parses every Received: header in the EML file to reconstruct the path the message traveled from sender to recipient. Each hop shows the sending host, receiving host, IP address and protocol used.

Get Started

Download Sherlock Forensics EML Viewer Today

Free for viewing, analysis and hash verification. Forensic Edition at $67 USD for attachment extraction, PDF reports and chain of custody logging. Built by the same team that delivers expert witness testimony and forensic investigations in Canadian courts. See also: PST Viewer, MSG Viewer and MSG + EML support in v0.1.6.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994

Sherlock Forensics EML Viewer is provided for lawful use. Terms of Service
