How Email Scanning Tools Work Without Reading Your Emails

The phrase “email scanner” sounds uncomfortable. It makes you think of someone — or something — reading through your private messages line by line.

But that’s not how modern, privacy-first tools have to work. You can learn a lot just from email headers — without ever touching the actual content of your emails.

                Key idea: A tool can map your online accounts by looking only at
                who emailed you, when and with what subject line — without reading the body.
            

What Are Email Headers?

Every email has two main parts:

Headers: technical and routing information (who sent it, when, subject, etc.).
Body: the actual content (message text, attachments, formatting).

Typical header fields include:

From: sender address and sometimes name
To: recipient address
Subject: the subject line
Date: when the email was sent

Even without the message body, headers already tell you:

Which services email you
How often they contact you
Roughly what type of email it is (welcome, login, receipt, etc.)

How Account Discovery Works Using Headers

Tools like WhoHasMyEmail use a simple but powerful workflow:

Scan your inbox for emails related to registrations, logins and account notifications.
Read the From address and extract the domain (e.g. no-reply@spotify.com → spotify.com).
Look at the Subject and sender pattern to identify signup / verification / security emails.
Group all matches by domain to build a list of services tied to your email.

At no point does the tool need to read the actual message text — it doesn’t need to know what was written, only which service sent the email.

Why a Headers-Only Approach Is Better for Privacy

Focusing strictly on headers has clear privacy advantages:

Less sensitive: the body often contains personal conversations and details; headers are mostly technical.
Limited scope: the tool sees that Spotify emailed you, not what the email said.
Purpose-bound: headers are enough to build an account list, so there’s no reason to go deeper.

What WhoHasMyEmail Does (and Doesn’t) Do

We designed our scanner around strict boundaries:

We connect to Gmail via Google OAuth – you never share your password with us.
We request read-only access to your mailbox.
We fetch only metadata headers: From, Subject, Date.
We use those to detect which services have accounts tied to your email and how active they are.
We generate a PDF + Excel report for you to review and clean up your accounts.

We do not:

Read the body content of your emails.
Download or analyze attachments.
Send emails on your behalf.
Sell your data or use it for targeted advertising.

Can You Revoke Access After the Scan?

Yes — and you should know how to do it.

Go to Google Account > Security > Third-party access.
Find WhoHasMyEmail in the list.
Click it and choose Remove access.

This instantly blocks further access. Your generated report is yours to keep; we don’t need ongoing permissions.

Is a Header-Only Scanner Right for You?

If you want to understand where your email is used but care deeply about privacy, a header-only scan is a good balance:

You get a comprehensive list of accounts and services.
Your private conversations remain unread.
You stay in control and can revoke access at any time.

Run a Privacy-Friendly Gmail Scan

Map 200–800 accounts linked to your email using metadata headers only — no email body content, no attachments, no advertising use.

Start Your Scan

Headers only • Read-only access • One-time scan

Want to see the bigger picture first? Start with How to Find All Accounts Linked to Your Gmail.