Privacy-first email exposure review, domain signals and incident plan
Most “is my email breached?” tools have a tell. To answer, they make you hand the address over to someone else first. Weird, right? I wanted a step before that. So this one reads the address right here in your browser. It scores how much of a target the account is, flags a role mailbox or a plus-alias, and (if you let it) peeks at the domain’s mail records. Need a fingerprint for your notes? It hashes the address locally. Then it hands you a plain plan: rotate the password, switch on 2FA, go re-check your recovery options before you forget.
No breached-account API gets called here. The only thing that may go out is a DNS query for the domain, never the full email address.
A breach checker shouldn’t hand you a second privacy problem
So the usual move, when you want to know whether an address leaked, is to type it into yet another website. Sometimes that’s genuinely fine. Reputable provider, you know why you’re asking. But as a default for step one? It bugs me. Before I send an address anywhere, I want to know what I’m even holding. Is this a shared role mailbox or an admin login? Has it been scraped off some public page a hundred times already? Did I reuse it somewhere stupid? Is the domain’s mail security just wide open?
That’s the gap this fills. It confirms the address is real and scores how much attention the account deserves. It explains why role addresses and admin logins draw fire. When it can, it reads the domain’s public mail records. Keep notes? It spins up a local SHA-256 fingerprint. And it gives you a plan you can actually follow. What it won’t do is call the address “breached” or “clean.” It never touches a breach database, so saying either would be a lie.
What to do if an address might be exposed
Hit the accounts that actually hurt to lose first. Mailbox, password manager, hosting, domain registrar, admin panels, cloud consoles, anything that takes a payment, plus the recovery accounts sitting behind all of them. Swap out reused passwords. Kill active sessions, switch on 2FA, and while you’re in there, read your forwarding rules and double-check the recovery email and phone on file. Then keep half an eye on the login alerts for a few days. If this is a team address, write down what changed and whose job it is to follow up. “Someone” never does it.
- Your inbox goes first. It’s the master key. Almost everything else resets through it.
- Role mailboxes like admin, support, billing? Basically guessable. Attackers don’t need a leak to find them.
- 2FA is your seatbelt for the day a password gets reused or phished, and that day comes.
- DMARC, SPF and DKIM are the domain owner’s job. They make spoofing your domain a lot harder.
- Unique passwords beat changing one password in fifty places. Reuse is what turns a single leak into ten.
A few real situations, and what I’d actually do
Newsletter address catching phishing? Annoying. Don’t lose sleep over it. Filter it, glance at it now and then, and spend your real energy on accounts that can actually hurt you. Admin address showing up in public? Now I’d think hard about an alias and tighter sign-in. Custom domain with no DMARC policy? That’s an open door for anyone who wants to spoof you. Close it. And if you’ve been tagging signups with plus-aliases like me+shop@, well, when the spam lands you’ll know exactly which site sold you out.
Common questions
Does this tell me whether an email is in a breach?
No. That’s the whole point, it never makes that lookup. When you genuinely need a breach-database search, go straight to a service you trust and do it there. Think of this as the step you take first.
Why check DNS for the domain?
Because the MX, SPF and DMARC records show whether the domain has its basic mail-authentication act together. Totally different question from “was this mailbox breached.” DNS can’t answer that one. Neither can I, sitting out here.
Should I paste a real work email?
You can. The analysis runs in your browser, and the DNS checks only ever touch the domain, never the full address. Still, if your security policy gets twitchy, just fake it. Same domain, similar local part, and you’ll get the same read.
How does a breach check work without exposing my email?
The privacy-preserving ones hash your address and send only a short prefix of that hash. So the full thing never travels in the clear. The server matches on the prefix, then you compare the rest yourself, locally. Reputable services don’t keep what you type either. Confirm that in the privacy policy before you trust any of them, though.
My email appeared in a breach. What should I do?
Change the password on that service first. Then everywhere you reused it, and be honest about how many places that actually is. More than you’d like, probably. Turn on two-factor. Move to unique passwords in a manager so this stops being a recurring fire drill. The leaked password is the dangerous part here, not the email sitting in some list.
Does a breach mean my account is hacked?
Not necessarily. It means your data ended up in a dataset that got dumped somewhere. The real risk is the fallout. Reused credentials get tried elsewhere, and phishing starts name-dropping your details to sound legit. Rotate the password that leaked. And stay sharp about any message that suddenly knows a little too much about you.
