How would you investigate this email?
You have one email address and a question — is this person real, who do they work for, are they who they say they are? A calm, repeatable five-layer playbook that fits in ten minutes by hand, or one minute with checkmate.bio: a free count-of-services scan, then a paid detailed report when you need the specifics.
Published 2026-05-02 · 7 min read · CheckMate Blog
Someone hands you an email address and a question — is this lead real, is this contractor who they say they are, is this person trying to scam my parent, is this match on a dating app a catfish? You are not a private investigator and you do not have hours. You have one email and a few minutes. This guide walks the same five layers a careful investigator would walk, twice — once by hand so you understand what each layer is actually telling you, and once through checkmate.bio. A note on the two checkmate.bio modes used throughout: the free scan returns category counts only — how many services the email is registered on, broken down by category. The paid detailed report unlocks the per-service rows: which exact services those are, with usernames, profile URLs, last-active dates, and confidence scores.
Investigations drift when the goal is fuzzy. Before you open a single tab, write one sentence: "I want to know whether X." Whether the person is real. Whether they work where they claim. Whether the email is associated with a scam pattern. Whether this is the same person you met five years ago. The right answer rarely needs a full dossier — it needs three or four facts that line up. The five layers below produce those facts. You can collect them by hand, or you can paste the email into checkmate.bio and let it collect them in parallel — the layers are the same, the speed is not.
Before any external lookup, read the address. The local part (the bit before the @) and the domain often carry signal:
- Domain shape: a corporate domain (acme.com) ties the person to an organisation; a free-mail domain (gmail.com, outlook.com, icloud.com) does not.
- Disposable / throwaway domains: mailinator, guerrillamail, tempmail, 10minutemail, and dozens of clones — a strong signal that the sender wanted to be unreachable.
- Look-alike domains: acmme.com, acme-support.com, acme.co — easy to miss in a busy inbox, and the single most common phishing tactic. Compare letter-by-letter against the legitimate domain.
- Local-part patterns: 'firstname.lastname', 'firstinitial+lastname', 'nickname123' — naming conventions are leaky. A corporate first.last@ tells you the company's email scheme; matching that scheme on LinkedIn confirms identity in seconds.
- Plus-tags (alice+netflix@gmail.com): Gmail and a few other providers route 'alice+anything@' to the same inbox. The tag often reveals which service the address was used to register on.
Or you can drop the email into checkmate.bio and skip the manual read — the disposable-domain list, look-alike heuristics, and plus-tag normalization are all applied internally before the sweep runs, so the address is normalized for you before the public-footprint count even starts. (This step happens automatically on the free scan; you do not need the paid report to benefit from it.)
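The manual read of the address described above, written out as code. This is an added example, not checkmate.bio's implementation: the function names, the edit-distance threshold of 2, and the short lists are assumptions, with the lists built only from the names this article mentions.

```python
import re

# Constructed sample lists taken from the names in the article; a real
# disposable-domain list is far longer and needs regular updates.
DISPOSABLE = {"mailinator", "guerrillamail", "tempmail", "10minutemail"}
FREE_MAIL = {"gmail.com", "outlook.com", "icloud.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def read_address(email, expected_domain=None):
    """Return the signals an address carries before any external lookup."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or "." not in domain:
        raise ValueError(f"not an email address: {email!r}")
    # Assumption: strip the plus-tag for every provider, although only
    # Gmail and a few others actually route it to the same inbox.
    base, _, tag = local.partition("+")
    name = domain.split(".")[0]  # first label; assumes no subdomain
    flags = []
    if name in DISPOSABLE:
        flags.append("disposable")
    elif domain in FREE_MAIL:
        flags.append("free-mail")
    if expected_domain and domain != expected_domain:
        expected_name = expected_domain.split(".")[0]
        # Look-alike: near-identical spelling, the brand plus an extra
        # word, or the same name under a different TLD.
        if (edit_distance(domain, expected_domain) <= 2
                or re.fullmatch(rf"{re.escape(expected_name)}[-.].+", domain)
                or name == expected_name):
            flags.append("look-alike")
    return {"normalized": f"{base}@{domain}", "plus_tag": tag or None,
            "domain": domain, "flags": flags}
```

A fixed edit-distance threshold over-flags very short domains, so treat a look-alike flag as a prompt for the letter-by-letter comparison rather than a verdict.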
An email address can look fine and still be dead on arrival. Two checks take ten seconds:
- MX records: a domain with no MX records cannot receive email at all. If you have terminal access, 'dig MX domain.com'. If not, any free MX-lookup tool online does the job.
- Domain age and ownership: a corporate domain registered last week and proxied through a privacy service is a different story than one registered in 2008. WHOIS lookups (who.is, viewdns.info) are free and immediate.
Or, again, checkmate.bio uses these signals internally as part of every scan — domain validity is checked before the sweep against 500+ services runs, so an email tied to a dead or look-alike domain gets flagged without you keeping a second tab open to a WHOIS tool. The flag is visible on both the free scan and the paid detailed report.
This is the layer most people skip and where most of the answer actually lives. By hand, you would search the email in Google with quotes, check whether it appears on a personal site, and click through any LinkedIn or GitHub hit. That works, but it caps out at the few services that index emails publicly — most do not.
Or you can drop the email into checkmate.bio and let it sweep 500+ services in a minute. The free scan returns the number of services the email is registered on, broken down by category — social, professional, dating, gaming, finance, adult, forums, shopping, crypto. It does not name the specific services on the free scan; that is what the paid detailed report unlocks. But the shape of those counts is already an answer:
- Zero matches across the board: either a brand-new email or a deliberately clean one. Both are notable for different reasons.
- Heavy professional + social, light everywhere else: a normal working adult who keeps a public LinkedIn and not much else. Reassuring baseline for B2B contexts.
- Heavy social + gaming + entertainment, light professional: typical consumer profile. Normal for personal contexts; suspicious for someone claiming to be a senior B2B contact.
- Concentrated in one suspicious category (e.g., adult-only or crypto-only with nothing else): worth a closer read in the detailed report.
Unlock the paid detailed report when the category counts raise a real question. The detailed view names the exact services behind each count and brings the per-service information from each one: usernames, display names, profile URLs, last-active dates, and confidence scores — the same fields you would have copied into a notebook one tab at a time, just collected in one place.
A list of accounts is data; the answer comes from how those accounts agree or disagree. The investigative move is cross-referencing — taking a fact from one place and confirming it in another. By hand, that means:
- Username pivot: spot a likely handle in one profile and search it across other services (Reddit, GitHub, Steam, Twitch, Mastodon, forums). The same handle in three places is a much stronger identity signal than three unrelated handles. There are dedicated username-search tools, but they're slow and noisy.
- Photo cross-check: if a profile has an avatar, reverse-image-search it on Google Images, TinEye, and Yandex. Stock photos and stolen photos surface immediately. So do photos that originally belonged to a different person — a hard catfish indicator.
- Timeline consistency: a LinkedIn says they joined Acme in 2022; their personal site says 2019; an old GitHub bio still says a previous employer. Inconsistencies are not always lies, but they are always worth a second look.
- Email-to-phone bridge: free reverse-lookup tools (Truecaller, sync-contact tricks, password-reset hints on common services) sometimes reveal a partial phone number associated with the email. Match against any phone number the person already gave you.
Or you can let checkmate.bio do the username pivot for you — it does not just search by email, it extracts handles from the email matches and re-runs the sweep against those usernames automatically. On the free scan, the username-pivot results are folded into the category counts (so the count is already higher than a simple by-email lookup would return). On the paid detailed report, you see the deduplicated per-service rows — exactly which Reddit, GitHub, Steam, Twitch, or forum accounts came from the email, the username pivot, or both, with confidence scores per match. The thing you would otherwise do by hand for fifteen minutes happens in the background of one scan.
Breach exposure is where most by-hand investigations stop short. Have I Been Pwned and similar services tell you whether the email appeared in known data breaches and which sites were involved. The 'which sites' is the useful part — it adds to the footprint picture (a breach mention of Adobe 2013 confirms a 2013-era account; a recent niche breach confirms a niche interest). Never look at leaked passwords, never attempt to use them — the legal and ethical line is sharp, and the investigative value is in the breach metadata, not the credentials.
Or you can let checkmate.bio cross-check breach exposure internally as part of the same scan. Breach-derived registrations on services that do not expose a public profile (forums, niche stores, shut-down platforms) are folded back into the footprint. On the free scan, those breach-derived accounts add to the category counts — so the count is more complete than a public-only search would return. On the paid detailed report, you see which exact services those are, including ones you would never have found through a search engine. Same discipline applies on the output side: checkmate.bio names the services the email appeared on, never the credentials.
After ten minutes by hand — or one minute through checkmate.bio — you usually land in one of three buckets:
- Green: corporate domain, MX records resolve, footprint matches the claimed identity, public profiles are consistent, breach exposure looks normal for someone of that age and tech adoption. Proceed with normal trust.
- Yellow: minor inconsistencies — a stale LinkedIn, a missing public profile, a free-mail address where you expected corporate, a recently registered domain. Not red flags individually; worth one clarifying question before committing.
- Red: disposable domain, no MX records, look-alike domain, zero footprint where you'd expect one, a profile photo that reverse-searches to a different person, claims that contradict timeline data. Stop, do not send money or sensitive information, and either disengage or escalate to a more thorough check.
Or you can use the checkmate.bio confidence scores directly. Confidence scores are part of the paid detailed report — they are not exposed on the free scan, which only shows the count. Once you have the detailed report: 80% and above means a match is essentially confirmed (treat as verified fact); 50–80% is a likely match (use as a lead, not a claim); below 50% is a low-confidence signal to investigate by hand if it matters. The traffic-light reading falls out of those scores without you having to weight five different sources by feel.
Whether you do this by hand or through checkmate.bio, an email investigation tells you about the public surface a person has chosen to leave. It does not — and should not — show you private messages, browsing history, real-time location, or anything they have actively kept off the open web. If your question requires that level of access, you are no longer doing a quick check; you are looking at a licensed investigator, a lawyer, or law enforcement, depending on the situation. The discipline is to know which question you are actually asking and to use the right tool for it.
An email investigation is not about collecting everything. It is about asking one specific question and finding three facts that agree on the answer — by hand if you have the time, by checkmate.bio's free count if you only need the shape, by the paid detailed report when you need the exact services and what they say.
CheckMate.bio groups findings into categories (social, gaming, dating, adult, finance, professional, and more) and attaches a confidence score to every match. A score of 80% or higher means the email is almost certainly linked to that service. A score between 50% and 80% is a likely match. Anything below 50% lands in the 'Possible matches' section and should be treated as a weak signal, not a verdict.
- Categories show the kind of accounts that exist — the shape of someone's online footprint.
- Per-service fields (usernames, display names, bio text, last active dates) help you confirm whether the match is really the person you care about.
- Confidence scores help you separate solid matches from noise. Treat low-confidence hits as leads to investigate, not as proof.
CheckMate.bio indexes public and breach-derived data. It does not grant access to private messages, passwords, or anything you wouldn't be able to find with enough patience and the right search queries. Use it for the same reasons you'd Google someone — safety, due diligence, re-connecting with people, or simply knowing what a public profile says about you. Be honest about your reasons, and respect the answer you get.