
Email Domain

Category: API Domains
Last Updated: Feb 5, 2026
Tags: api-domains, geospatial

Overview

An analyst investigating a business email compromise receives a forwarded phishing message. The sender address looks plausible, but a quick lookup reveals the domain was registered three days ago, the address appeared in two breach datasets last year, and the sending IP has a reputation score of 12 out of 100. That chain of findings, assembled in seconds, is what the Email domain provides: structured intelligence around email addresses to support fraud, phishing, and financial crime investigations.

Email addresses are a fundamental identifier in modern investigations. They appear in breached credential dumps, fraud reports, company registrations, and social media profiles. Building a coherent picture of an address across those sources, and linking it to known persons and organisations, is a recurring investigative task that the Email domain handles directly.

Key Features

  • Email address profiling and intelligence gathering
  • Breach exposure tracking across known credential databases
  • Sender reputation analysis and scoring
  • Email-to-person and email-to-organisation relationship mapping
  • Email domain association and analysis
  • Historical email activity tracking
  • Organisation-scoped email profile management
  • Integration with threat intelligence for email-based threats

Use Cases

  1. Profiling email addresses during phishing and fraud investigations, surfacing breach history and reputation signals
  2. Checking addresses against breach databases to assess credential exposure for financial crime cases
  3. Mapping email relationships to persons and organisations already recorded in an investigation
  4. Analysing email domains for threat intelligence correlation, such as linking multiple addresses back to a shared malicious hosting provider

Industry Context

Financial intelligence units track email addresses used in authorised push payment fraud and romance scam networks. Cybercrime teams at national police agencies correlate email identifiers across botnet operator profiles. Insurance fraud investigators map email addresses across multiple fraudulent claims to detect rings. Corporate security teams use email reputation data to assess vendor and counterparty risk before sensitive transactions.

Integration

The Email domain integrates with the domain profiling, person management, and threat intelligence domains, so an email profile can be linked to the domain, person, organisation, and indicator records those domains hold and queried together with them.

Open Standards

  • RFC 5322 (Internet Message Format): Email address syntax is parsed and validated against the RFC 5322 addr-spec grammar; the ingestion pipeline's entity extractor applies the same grammar when extracting email identifiers from unstructured text.
  • STIX 2.1 / OASIS (Cyber Observable email-addr): Email addresses are expressed as STIX 2.1 email-addr Cyber Observable Objects and matched with STIX Patterning (e.g. [email-addr:value = '...']) when profiles are correlated against threat intelligence indicators.
  • TAXII 2.1 / OASIS: The platform polls TAXII 2.1 collection endpoints to ingest STIX bundles; email-based indicators arriving via TAXII are correlated directly against stored email profiles.
  • TLP (Traffic Light Protocol) / FIRST: The sharing sensitivity of each email profile is controlled with TLP markings (TLP:WHITE, TLP:GREEN, TLP:AMBER, TLP:RED), embedded as STIX marking-definition identifiers and surfaced through the secrecy-level field. These are the TLP 1.0 labels; TLP 2.0 (FIRST, 2022) renames TLP:WHITE to TLP:CLEAR and adds TLP:AMBER+STRICT, so confirm which version a sharing partner expects before exchanging marked profiles.
  • SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489): The sender domain's authentication posture is checked during reputation analysis. SPF strictness (the qualifier on the all mechanism, e.g. -all versus ~all) and DMARC enforcement status (p=none, quarantine or reject, together with the pct sampling rate) are recorded alongside the email profile to support phishing and business email compromise investigations.
  • DNS MX record validation: Domain routability is assessed by querying the DNS MX records for the email's domain, producing an is_valid flag. The flag means the domain publishes a mail exchanger, not that the specific mailbox exists. Two edge cases matter when reading it: a domain with no MX record but an A or AAAA record is still routable under the implicit MX rule of RFC 5321, and a null MX record (RFC 7505, "0 .") is an explicit statement that the domain accepts no mail at all.
  • GraphQL (June 2018 specification): All create and query operations on email profiles are exposed through a typed GraphQL API, enabling composable cross-domain queries that join email data with person, organisation, and threat intelligence entities.
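
The RFC 5322 extraction, STIX 2.1 email-addr object construction and indicator correlation described in the first three items above, written out as an added Python example. This is not the platform's own code: the message text, domains, TAXII envelope and indicator ids are constructed for the example, only the dot-atom form of addr-spec is matched, and the pattern matcher handles just the single-comparison form shown in the list.

```python
import json
import re
import uuid
from typing import Optional

# --- RFC 5322 addr-spec extraction (dot-atom form only) ----------------------
# Quoted-string local parts ("john doe"@example.com) and domain literals
# (user@[192.0.2.1]) are valid RFC 5322 but rare in the wild; they are
# deliberately left unmatched, the usual production trade-off.
ATEXT_CHARS = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
DOT_ATOM = rf"[{ATEXT_CHARS}]+(?:\.[{ATEXT_CHARS}]+)*"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"  # RFC 1035 hostname label
ADDR_SPEC = re.compile(
    # lookbehind/lookahead keep the match from starting or ending inside a longer token
    rf"(?<![.{ATEXT_CHARS}])({DOT_ATOM})@({LABEL}(?:\.{LABEL})+)(?![A-Za-z0-9-])"
)


def extract_addr_specs(text: str) -> list[str]:
    """Unique addr-specs in free text, in order of first appearance.

    The domain is lower-cased (DNS names are case-insensitive); the local part is
    kept as written because RFC 5321 leaves its case to the receiving host.
    """
    found: list[str] = []
    for m in ADDR_SPEC.finditer(text):
        local, domain = m.group(1), m.group(2).lower()
        addr = f"{local}@{domain}"
        # RFC 5321 size limits: 64 octets for the local part, 254 for the address
        if len(local) <= 64 and len(addr) <= 254 and addr not in found:
            found.append(addr)
    return found


# --- STIX 2.1 email-addr Cyber Observable Objects ----------------------------
# STIX 2.1 gives SCOs deterministic ids: UUIDv5 over this fixed namespace and the
# JSON of the "ID contributing properties" (for email-addr, only "value"),
# serialised with sorted keys and no whitespace. Two producers that observe the
# same address therefore mint the same id, which is what makes correlation cheap.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def email_addr_sco(value: str) -> dict:
    contributing = json.dumps({"value": value}, sort_keys=True, separators=(",", ":"))
    return {
        "type": "email-addr",
        "spec_version": "2.1",
        "id": f"email-addr--{uuid.uuid5(STIX_SCO_NAMESPACE, contributing)}",
        "value": value,
    }


# Single-comparison STIX pattern of the form [email-addr:value = '...']. Compound
# patterns (AND/OR, MATCHES, qualifiers) need a real STIX Patterning parser.
EMAIL_PATTERN = re.compile(r"^\[\s*email-addr:value\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def email_from_pattern(pattern: str) -> Optional[str]:
    m = EMAIL_PATTERN.match(pattern)
    if not m:
        return None
    return re.sub(r"\\(['\\])", r"\1", m.group(1))  # undo STIX escaping of \' and \\


def correlate(text: str, objects: list[dict]) -> dict[str, list[str]]:
    """Map each addr-spec found in text to the ids of indicators that name it.

    `objects` is the object list of a TAXII 2.1 envelope; only STIX-pattern
    indicators are considered. Matching is case-insensitive on the whole address,
    a deliberate looseness for investigative (not delivery) use.
    """
    watch: dict[str, list[str]] = {}
    for obj in objects:
        if obj.get("type") == "indicator" and obj.get("pattern_type", "stix") == "stix":
            value = email_from_pattern(obj.get("pattern", ""))
            if value:
                watch.setdefault(value.lower(), []).append(obj["id"])
    return {a: watch[a.lower()] for a in extract_addr_specs(text) if a.lower() in watch}


# Constructed sample input: a forwarded message body and the envelope a GET on a
# TAXII 2.1 .../collections/{id}/objects/ endpoint returns. Domains, addresses
# and indicator ids are all made up for this example.
SAMPLE_TEXT = (
    "Forwarded: please pay the attached invoice today. Reply to "
    "billing@acme-invoices.example or Alice.Smith@Example.COM; questions to "
    "bob@example.com. Ignore root@localhost and the malformed a@@b.example entry."
)
SAMPLE_ENVELOPE = {
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--7b5d6a2e-3c1f-4d8e-9a0b-1c2d3e4f5a6b",
         "created": "2026-01-10T09:00:00.000Z", "modified": "2026-01-10T09:00:00.000Z",
         "valid_from": "2026-01-10T09:00:00Z", "pattern_type": "stix",
         "pattern": "[email-addr:value = 'billing@acme-invoices.example']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0c9e1f2a-5b4d-4c3e-8f7a-6b5c4d3e2f1a",
         "created": "2026-01-12T09:00:00.000Z", "modified": "2026-01-12T09:00:00.000Z",
         "valid_from": "2026-01-12T09:00:00Z", "pattern_type": "stix",
         "pattern": "[email-addr:value = 'nobody@example.net']"},
    ],
}

if __name__ == "__main__":
    for addr in extract_addr_specs(SAMPLE_TEXT):
        print(email_addr_sco(addr)["id"], addr)
    print(correlate(SAMPLE_TEXT, SAMPLE_ENVELOPE["objects"]))
```

Run against the constructed text, the extractor yields three addresses (root@localhost is dropped because a routable domain needs at least two labels, and a@@b.example never forms an addr-spec), and only billing@acme-invoices.example correlates with an indicator. Replacing SAMPLE_ENVELOPE with the JSON from a real TAXII poll is the only change needed to use it against a live collection; remember to follow the envelope's more/next fields to page through large collections.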
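
The SPF, DMARC and MX checks from the last items above, as an added Python example that is not the platform's own code. DNS answers are constructed in a dictionary so it runs offline; the three sender domains, their records, and the posture labels the functions return (hardfail, softfail, enforcing, monitoring, and so on) are this example's own choices, not the platform's field values. It also exercises the two MX edge cases named in the list, the RFC 5321 implicit MX and the RFC 7505 null MX.

```python
import re

# Constructed DNS answers for three made-up sender domains, keyed by
# (owner name, record type). Swap `lookup` for a real resolver (dnspython, for
# example) to run the same checks against live DNS.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ("example.com", "MX"): [(10, "mx1.example.com"), (20, "mx2.example.com")],
    ("acme-invoices.example", "TXT"): ["v=spf1 a mx include:_spf.mailer.example ~all"],
    ("_dmarc.acme-invoices.example", "TXT"): ["v=DMARC1; p=none; rua=mailto:rpt@acme-invoices.example"],
    ("acme-invoices.example", "A"): ["198.51.100.7"],   # no MX record at all
    ("nomail.example", "MX"): [(0, ".")],                # RFC 7505 null MX
}


def lookup(name: str, rtype: str) -> list:
    return DNS.get((name.lower(), rtype), [])


SPF_ALL_QUALIFIER = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:a|mx|ptr|exists|include)(?::|/|$)|^redirect=", re.I)


def spf_posture(domain: str) -> dict:
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return {"present": False, "strictness": "none", "lookups": 0}
    if len(records) > 1:   # RFC 7208 section 3.2: more than one record is a permerror
        return {"present": True, "strictness": "permerror", "lookups": 0}
    terms = records[0].split()[1:]
    # Counts top-level terms only; a full evaluator also recurses into include/redirect.
    lookups = sum(1 for t in terms if SPF_LOOKUP_TERM.match(t))
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if lookups > 10:       # RFC 7208 section 4.6.4 hard limit
        strictness = "permerror"
    elif all_term is None:
        strictness = "neutral"   # no `all` (and no redirect): evaluation defaults to neutral
    else:
        strictness = SPF_ALL_QUALIFIER[all_term[0] if all_term[0] in "+-~?" else "+"]
    return {"present": True, "strictness": strictness, "lookups": lookups}


def dmarc_posture(domain: str) -> dict:
    records = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.lower().startswith("v=dmarc1")]
    if not records:
        return {"present": False, "enforcement": "none"}
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    policy = tags.get("p", "none").lower()          # p is mandatory; treat a missing one as none
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy in ("quarantine", "reject") and pct == 100:
        enforcement = "enforcing"
    elif policy in ("quarantine", "reject"):
        enforcement = "partial"      # pct<100 applies the policy to a sample only (rollout phase)
    else:
        enforcement = "monitoring"   # p=none reports but never blocks
    return {"present": True, "p": policy, "sp": tags.get("sp", policy).lower(),
            "pct": pct, "rua": tags.get("rua"), "enforcement": enforcement}


def mx_posture(domain: str) -> dict:
    """Domain-level routability: what an is_valid flag can honestly claim."""
    mx = lookup(domain, "MX")
    if any(host == "." for _, host in mx):
        return {"is_valid": False, "reason": "null MX (RFC 7505): domain accepts no mail"}
    if mx:
        return {"is_valid": True, "reason": "MX present",
                "hosts": [host for _, host in sorted(mx)]}
    if lookup(domain, "A") or lookup(domain, "AAAA"):
        return {"is_valid": True, "reason": "implicit MX from A/AAAA (RFC 5321 section 5.1)"}
    return {"is_valid": False, "reason": "no MX, A or AAAA record"}


def sender_posture(address: str) -> dict:
    domain = address.rsplit("@", 1)[-1]
    return {"domain": domain.lower(), "spf": spf_posture(domain),
            "dmarc": dmarc_posture(domain), "mx": mx_posture(domain)}


if __name__ == "__main__":
    for addr in ("ceo@example.com", "billing@acme-invoices.example", "x@nomail.example"):
        print(sender_posture(addr))
```

The contrast between the two lookalike senders is the point: example.com publishes -all and p=reject, so a spoofed message claiming that domain should fail authentication at any compliant receiver, while acme-invoices.example sits at ~all and p=none, which lets spoofed mail through with at most a soft flag. Its is_valid is still true, via the implicit MX rule, which is exactly why the flag must not be read as proof that a mailbox exists.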

Last Reviewed: 2026-02-05
Last Updated: 2026-04-14
