Advanced Offline Email Forensics for macOS.
Parse raw RFC-5322 headers, trace transit routing paths geographically, and generate court-ready PDF evidence packages — 100% locally.
Watch a header confess.
Load a sample forensic header and watch HeaderLume reconstruct the message's transit path hop-by-hop — exactly as it runs on-device.
A full forensics lab. Zero network required.
Purpose-built for examiners, litigators, and incident responders who can't afford to leak evidence to the cloud.
Offline MIME Parser
Raw RFC-5322 header parsing executed fully on-device. No data ever leaves the examiner's machine.
3D Transit Route Mapping
Path-drawing geographic maps resolving IP hops and measuring relay delay anomalies.
Authentication Traffic Lights
Instant status auditing for SPF, DKIM, DMARC, and ARC security seals.
E-Discovery Load Files
Automatic generation of Concordance .DAT load-files and .OPT image logs for Relativity ingestion.
Memory-Efficient MBOX Streaming
Stream giant mailbox databases (10GB+) line-by-line asynchronously without out-of-memory crashes.
Absolute Zero Telemetry
App Sandbox-enforced offline isolation switch that instantly blocks all network sockets.
Built for the examiner's bench.
Native macOS, dark by default, engineered for long analysis sessions. Click through the workflow.
Manual header reading doesn't scale. Or hold up.
Anyone can squint at a Received chain. Producing defensible, repeatable findings is a different job.
| Task | Reading headers manually | Generic web checkers | HeaderLume |
|---|---|---|---|
| Parse a full Received chain | Minutes, error-prone | Partial | Instant, every hop |
| Relay delay anomaly detection | Manual math per hop | No | Automatic Δ-analysis |
| SPF / DKIM / DMARC / ARC audit | Requires CLI tooling | Basic | Traffic-light instant |
| Evidence confidentiality | Local | Uploads to third party | 100% on-device, sandboxed |
| 10GB+ MBOX archives | Impractical | Upload limits | Async streaming |
| Court-ready output | DIY formatting | Screenshots | PDF certificates + .DAT/.OPT |
Findings your opposing counsel can't wave away.
Every HeaderLume analysis certificate embeds examiner identity, timestamps, and SHA-256 evidence hashes — the metadata foundation for authenticating electronic records.
Because analysis never leaves the machine, your chain of custody stays intact: no third-party processor to subpoena, no cloud terms of service to explain to a judge.
Concordance .DAT and .OPT exports drop straight into Relativity and other review platforms your litigation-support team already runs.
Self-authenticating electronic records
Certified records generated by an electronic process, and data copied with digital identification (hashing), can be admitted without live foundation testimony. HeaderLume's certificates are built around exactly this framework.
Repeatable, documented process
Deterministic parsing of published standards (RFC 5322, RFC 7208, RFC 6376, RFC 7489) means another examiner can reproduce your findings step-for-step.
Examiners who stopped squinting at Received lines.
"The relay delay flags caught a spoofed chain our whole team had missed. The PDF certificate went into the exhibit binder the same afternoon."
"We handle privileged material. 'The evidence never touches a server' is the sentence that got this approved by our general counsel in one email."
"Streamed a 14GB custodian MBOX overnight and had .DAT load files in Relativity by morning. That used to be a vendor invoice."
Evidence-grade tooling, at every scale.
Start free. Upgrade when the caseload grows.
- Single EML parsing
- Raw header visualizer
- Local DNS checks
- Unlimited EML / MBOX parsing
- 3D transit mapping
- E-discovery load-file exports
- Court-ready PDF certificates
- Lifetime license, all future major upgrades
- Priority developer support
- Enterprise multi-seat deployment keys