Module 3: R + A — Reveal & Authenticate

What You’ll Learn

Module 3 is the technical heart of TRACE. Now that you’ve preserved the evidence (Module 2), it’s time to read what the evidence actually says:

• Find the “View Original” button — every major email client hides the real message behind a menu you’ve probably never opened, and we’ll show you where it lives in each one
• The three lines that matter — out of dozens of header lines, exactly three tell you who really sent the message and whether they’re allowed to claim that identity
• SPF, DKIM, and DMARC in one question — three acronyms that boil down to “did this actually come from who it claims?” — you’ll read the answer without touching DNS
• When authentication lies — the uncomfortable case where every check passes and the email is still phishing, and why forensics still matters anyway

Modern AI makes fakes look perfect on the surface. The headers don’t lie the way the body does — but they have their own blind spots, and this module is honest about both.

R and A, Combined

We bundle Reveal and Authenticate into one module because authentication only makes sense once you can reveal. You can’t judge the verdict if you don’t know where the receipt is printed. Lesson 3.1 shows you the button. Lesson 3.2 finds the three lines. Lessons 3.3 and 3.4 teach you what those lines mean — and where they stop meaning anything.