EMAIL VERIFICATION GUIDE

How to Tell if an Email is Really From PayPal, Apple, Disney+, Netflix, or Amazon (2026 Guide)

One page, every major brand. The verified 2026 sender domains for PayPal, Apple, Disney+, Hulu, Netflix, HBO Max, Spotify, Paramount+, Amazon, Microsoft, and DocuSign, plus a 30-second universal check that works on any brand.

SafeBrowz Team, Security Research. June 2, 2026. 10 min read.

Bottom Line First

To verify a brand email is real, read the full sender address (the part after the @ must match the brand's official domain like paypal.com, apple.com, or amazon.com), hover every link to confirm it points back to that same domain, and ignore countdown timers or "account locked" threats. If you are still unsure, open a fresh browser tab, type the brand's address yourself, and sign in. Any real alert will be waiting inside your account.

Why this matters in 2026

Phishing remains the largest entry point for financial fraud. The FBI Internet Crime Complaint Center 2024 Annual Report logged more than $16 billion in reported losses tied to internet-enabled crime, with business email compromise and impersonation phishing dominating the categories. Verizon's 2025 Data Breach Investigations Report again lists phishing among the leading initial access vectors. Proofpoint's State of the Phish 2025 reports DocuSign as the second most-clicked brand lure, behind Microsoft.

The reason brands like PayPal, Apple, Disney+, Netflix, and Amazon dominate the lures is simple. You have an account there with a payment method on file. A convincing "suspended subscription" or "unrecognized purchase" message is exactly what you would expect if something were wrong, which is why attackers send it. Cisco Talos' brand-impersonation research consistently shows that fewer than 25 brands account for the majority of phishing volume worldwide.

The 30-second universal check

Use this on any branded email, even ones you have never received before. It catches roughly 90 percent of phishing without you knowing a single sender domain.

  1. Inspect the full sender address. Tap or click the display name to expand the full address. The display name is free text that anyone can set; the domain after the @ is what the brand's DMARC policy protects, so an attacker has to substitute a lookalike. If "Apple Support" sits in front of noreply@security-apple-id.com, the email is fake.
  2. Hover every link and check the destination. On desktop, hover over the button or link without clicking. The destination appears in the bottom corner of your browser. On mobile, tap and hold for a preview. A real link's hostname ends in the brand's own registrable domain (the last part, like paypal.com or amazon.co.uk), never a hyphenated or stacked-subdomain variant of it.
  3. Note urgency markers. "Verify within 24 hours." "Account will be permanently closed." "Final notice." Real brands rarely put hard countdowns in emails. They send a calm notification and let you sign in to act.
  4. Sign in to the brand directly from a fresh tab. Open a new tab, type the brand's address yourself, and sign in. If a real alert exists, it will be on your account page. If nothing is there, the email was fake. Delete it.

That is the entire foundation. The brand-by-brand lists below are the cheat sheet.

PayPal: real vs fake email

Real PayPal sender domains

Every legitimate PayPal email arrives from one of these:

  • @paypal.com
  • @e.paypal.com
  • @e2.paypal.com
  • @notify.paypal.com
  • @email.paypal.com
  • @invoice.paypal.com

Notice the pattern. The registrable domain, the last two labels, is always paypal.com. A real subdomain sits to the left of it (notify, invoice, email); nothing legitimate ever sits to the right of it.

Lookalike senders attackers use

  • paypaI.com (capital I replacing lowercase l)
  • paypal-security.com (hyphenated lookalike)
  • paypal.com-verify.xyz (stacked subdomain trick)
  • service-paypal.net (real PayPal does not use .net)
  • paypal-invoice.top (cheap TLD impersonating the real @invoice.paypal.com)
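The universal check and the lookalike list above can be turned into code. The script below is an added example written for this guide, not SafeBrowz's engine or any vendor's code. It reduces a hostname to its registrable domain, then rates it as official, homoglyph (paypaI, Cyrillic letters, punycode), stacked subdomain (paypal.com-verify.xyz), hyphenated lookalike (paypal-security.com, service-paypal.net), or unrelated, and applies the same rating to the From address and every link in a message, together with the urgency-phrase check from step 3. The brand table, the confusable-character map, the country-code list and the sample message are all constructed for the example; a production checker would use the Public Suffix List instead of the short country-code list.

```python
"""Sender- and link-domain check: an added example, not SafeBrowz code."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand table: a subset of the official domains listed on this page.
OFFICIAL = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "itunes.com", "appleid.com"},
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.de", "amazon.co.jp"},
}

# Characters attackers substitute for ASCII letters: capital I and digit 1 for l,
# digit 0 for o, and a few Cyrillic letters whose glyphs match Latin ones.
# Applied before lowercasing, so "paypaI" folds to "paypal".
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

# Country-code second-level labels under which the registrable name sits one
# label deeper (amazon.co.uk). Constructed shortcut; use the Public Suffix List in production.
CC_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}

# Step 3 of the universal check: the pressure phrases this guide calls out.
URGENCY = re.compile(
    r"within \d+ hours|permanently closed|final notice|account (?:locked|limited|suspended)",
    re.I,
)


def registrable_domain(host: str) -> str:
    """'mail2.disneyplus.com' -> 'disneyplus.com'; 'a.amazon.co.uk' -> 'amazon.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host: str, brand: str) -> str:
    """Rate one hostname against one brand's official domains."""
    try:  # decode punycode so an xn-- host is judged by the Unicode it renders as
        host = host.encode("ascii").decode("idna")
    except ValueError:  # non-ASCII input or malformed punycode: judge it as given
        pass
    official = OFFICIAL[brand]
    reg = registrable_domain(host)
    if reg in official:
        return "official"
    if registrable_domain(host.translate(CONFUSABLES)) in official:
        return "homoglyph"  # paypaI.com, Cyrillic 'а' in paypal
    labels = host.lower().rstrip(".").split(".")
    subdomain_labels = labels[: len(labels) - len(reg.split("."))]
    if any(brand in label for label in subdomain_labels):
        return "stacked subdomain"  # paypal.com-verify.xyz, amazon.com.confirm-order.top
    if brand in reg:
        return "lookalike"  # paypal-security.com, service-paypal.net, paypal-invoice.top
    return "unrelated"


def check_email(raw_message: str, brand: str) -> dict:
    """Steps 1 to 3 of the universal check, run over a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    link_hosts = [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    report = {
        "display_name": display_name,
        "sender": (sender_host, classify(sender_host, brand)),
        "links": [(h, classify(h, brand)) for h in link_hosts],
        "urgency": URGENCY.findall(body),
    }
    all_official = report["sender"][1] == "official" and all(c == "official" for _, c in report["links"])
    if not all_official:
        report["verdict"] = "suspicious"
    elif report["urgency"]:
        report["verdict"] = "official domains, but urgent wording: sign in directly to confirm"
    else:
        report["verdict"] = "looks genuine"
    return report


# Constructed sample in the style of the 2026 PayPal lure described above.
SAMPLE = """\
From: "PayPal Service" <alerts@paypal.com-verify.xyz>
To: you@example.com
Subject: Your account has been limited
Content-Type: text/plain; charset=utf-8

Your account has been limited. Verify within 24 hours or it will be permanently closed.
Restore access: https://paypal.com-verify.xyz/login
Need help? https://www.paypal.com/help
"""

if __name__ == "__main__":
    for host in ["notify.paypal.com", "paypaI.com", "paypal-security.com", "paypal.com-verify.xyz"]:
        print(f"{host:28} {classify(host, 'paypal')}")
    print(check_email(SAMPLE, "paypal"))
```

Two limits worth knowing: a pure typosquat such as docusgin.net does not contain the brand string and comes back "unrelated", so a real checker adds an edit-distance test, and abbreviations like amzn-refund.xyz need their own aliases in the brand table. The sample message is rated suspicious because its From domain and first link are stacked-subdomain fakes even though the second link points to the real www.paypal.com, which is exactly how real lures mix genuine and hostile links.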

The most common 2026 PayPal lure is the fake invoice. The attacker creates a real PayPal invoice inside their own Business account and sends it through PayPal's legitimate system. The sender is real (@paypal.com) and the message authenticates cleanly, because PayPal really did send it; the fraud is in the content, where the invoice memo carries a fake "support" phone number that reaches a scammer. Treat any unexpected invoice as suspicious, even when the header is genuine, and check it only from your own PayPal dashboard.


Apple and iCloud: real vs fake email

Real Apple sender domains

  • @apple.com
  • @email.apple.com
  • @itunes.com (legacy receipts)
  • @me.com (iCloud system messages)
  • @noreply.apple.com
  • @privaterelay.appleid.com (Hide My Email forwarding)

Apple receipts for App Store, iTunes, or Apple Music purchases typically arrive from no_reply@email.apple.com or do_not_reply@itunes.com.

Lookalike senders attackers use

  • appleid-support.com
  • apple-account-locked.net
  • icloud-verify.app
  • apple-receipt-billing.xyz

Two rules catch almost every fake Apple email. First, Apple does not send unsolicited password-reset links; a real reset is something you start yourself on your device or at appleid.apple.com (which now redirects to account.apple.com). Second, every real Apple receipt has a "Report a Problem" link that opens reportaproblem.apple.com. Fakes point that link to a credential-harvesting page. Hover before you click.

Disney+ and streaming services: real vs fake

Real streaming sender domains

Disney+:

  • @disneyplus.com
  • @account.disneyplus.com
  • @mail2.disneyplus.com

Hulu:

  • @hulu.com
  • @messaging.hulu.com
  • accounts-noreply@messaging.hulu.com

Netflix:

  • @netflix.com
  • @account.netflix.com
  • info@account.netflix.com

HBO Max (branded Max from 2023 to 2025):

  • @max.com
  • noreply@max.com

Spotify:

  • @spotify.com
  • @e.spotify.com

Paramount+:

  • @paramountplus.com
  • noreply@paramountplus.com

Lookalike senders attackers use

  • disneyplus-billing.com
  • netflix-account-update.xyz
  • hulu-subscription.top
  • spotify-premium-renew.app

The streaming lure is nearly always the same: "Your payment failed, your subscription will be canceled today, update your card now." Real services do retry billing, but their dunning emails never include a countdown and the embedded link goes to the brand's own domain. When in doubt, open the app on your phone or TV. A real billing problem appears as a banner on the home screen.

Amazon: real vs fake email

Real Amazon sender domains

  • @amazon.com
  • @marketplace.amazon.com
  • @payments.amazon.com
  • @order-update.amazon.com
  • @shipment-tracking.amazon.com
  • auto-confirm@amazon.com
  • account-update@amazon.com

Regional Amazon storefronts use the same subdomain pattern on their country TLD. Legitimate examples include @amazon.co.uk, @amazon.de, @amazon.co.jp, @amazon.in, and @amazon.com.au. The format is always something@amazon.{country-tld}, never amazon-uk.com or amazon-de.net.

Lookalike senders attackers use

  • amazon-orders.com
  • amazon-security-alert.net
  • amzn-refund.xyz
  • amazon.com.confirm-order.top

The biggest Amazon scam right now is the "unauthorized purchase" email: a product you did not buy at a four-figure price, with a phone number to "cancel." That number reaches a scammer who walks you through "refunding" yourself, which actually pulls money out of your bank account. Real Amazon never includes a support phone number in an email. All support flows start at amazon.com/contact-us after sign-in. For deeper coverage see our Amazon order confirmation scam breakdown.

Microsoft and DocuSign: real vs fake email

Real Microsoft sender domains

  • @microsoft.com
  • @email.microsoft.com
  • @accountprotection.microsoft.com
  • @microsoftonline.com

Real DocuSign sender domains

  • @docusign.com
  • @docusign.net
  • @dse.docusign.net

Legitimate DocuSign envelopes commonly show a sender like "Sender Name via DocuSign" <dse@docusign.net>. The "via signing.docusign.com" header you sometimes see in Gmail is also legitimate; it is how DocuSign relays envelopes for paying customers. The signing link inside a real DocuSign email begins with https://na3.docusign.net, https://eu1.docusign.net, or another regional docusign.net subdomain (DocuSign's web application itself lives under docusign.com). A signing link on any other registrable domain is a phish.

Lookalike senders attackers use

  • docusign-secure-sign.com
  • docusgin.net (typosquat: i and g swapped)
  • microsoft365-support.xyz
  • outlook-secure-login.top

Proofpoint's 2025 telemetry puts DocuSign at #2 most-clicked for a reason: signing requests feel urgent and routine. If you receive an unexpected envelope, do not click "Review Document." Open docusign.com directly and check your dashboard; real pending envelopes appear there. For Microsoft specifically see our Microsoft phishing email guide.

If you already clicked the link

Clicking alone rarely causes damage. The harm starts when you type credentials or download a file. Work through these five steps in order.

  1. Stop entering anything. Close the tab. Do not type a password, do not type a card number, do not approve a 2FA prompt. If the page is asking for any of those, treat it as a phishing site.
  2. Sign in to the real account from a fresh browser tab. Type the brand's domain yourself: paypal.com, apple.com, amazon.com, disneyplus.com, netflix.com, microsoft.com, docusign.com. Check the account page for any actual alert. If none exists, the email was fake.
  3. Change your password if you entered it anywhere. Start with the brand whose login you typed into the phishing page. Then change the same password on every other site where you reused it. Use a unique password per account going forward.
  4. Enable two-factor authentication. Prefer authenticator apps or hardware security keys over SMS codes. Most brands offer this for free under "Security" in account settings.
  5. Report the phishing email to the brand. Each company runs an abuse inbox: PayPal at phishing@paypal.com, Apple at reportphishing@apple.com, Amazon at reportascam@amazon.com, Microsoft via the Outlook "Report Phishing" button, DocuSign at spam@docusign.com, Netflix at phishing@netflix.com. Forward the email with full headers when possible.

For a wider playbook on judging suspect pages, see how to tell if a website is a scam.

How SafeBrowz catches fake brand emails

SafeBrowz runs a 3-layer detection engine: Local + APIs + AI. The extension cannot read your inbox; it activates the moment you click a link in an email and a phishing page tries to load.

  • Layer 1 - Local detection: 60+ URL patterns + a 550+ brand-specific signature database (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches paypal-security.{tld}, apple-id-login.{tld}, netflix-billing-update.{tld}, and the docusgin.net typosquat family instantly.
  • Layer 2 - API checks: aggregates threat-intelligence APIs (Google Safe Browsing, PhishTank, URLhaus) plus 30+ scam-TLD heuristics for known malicious domains.
  • Layer 3 - AI deep scan (Premium): content analysis in 100+ languages catches novel variants in seconds, including freshly registered domains that have not yet appeared on any blocklist.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Frequently asked questions

Can a real brand email come from any domain other than the ones listed here?

Occasionally yes, for transactional services routed through a vendor (for example a logistics partner sending Amazon delivery updates from a courier domain). The reliable rule is that a real brand email never asks for a password or payment via a link that points outside the brand's own domain. If the sender is unfamiliar but the link goes back to amazon.com, paypal.com, apple.com, etc., it is usually safe. If the sender looks right but the link goes somewhere else, it is hostile.

Why does the phishing email's display name look correct?

Because display names are free text. Anyone can set "PayPal Service" or "Apple Support" as their From name; mail clients show it large and hide the real address. That is the entire reason this guide tells you to expand and read the full sender address, not just the display name. The domain after the @ is the part that DMARC ties to the authenticated sender, so it is the part an attacker has to fake with a lookalike instead of simply typing.

Does SPF, DKIM, or DMARC passing mean the email is safe?

No. SPF confirms that the sending server was authorized by the envelope sender's domain, DKIM confirms that the signing domain vouches for the message, and DMARC checks that one of those domains lines up with the domain in the From address. None of them says anything about whether that domain belongs to the brand. A phisher who registered paypal-security.net can pass all three for paypal-security.net because they own it and publish its SPF and DKIM records. Mail clients sometimes show this as a green check, which feels reassuring but only proves the attacker controls the lookalike domain. The sender address itself still has to be the brand's real domain for the email to be legitimate.
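The header that carries those results can be read directly. The script below is an added example for this guide, not SafeBrowz code, and the three Authentication-Results values it parses are constructed in the layout Gmail writes (RFC 8601 style). It pulls out the spf, dkim and dmarc verdicts and the domains they were evaluated for, then asks the question the green check skips: passing for which domain, and is that domain the brand's? The official domain set is taken from this page's PayPal list.

```python
"""Reading Authentication-Results: an added example, not SafeBrowz code."""
import re

# Constructed: the official PayPal registrable domain from this page's list.
PAYPAL_OFFICIAL = {"paypal.com"}

# method=result tokens (spf=pass, dkim=none, dmarc=fail ...)
RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I
)
# the domain each method was evaluated for
PROPERTY = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([A-Za-z0-9.@-]+)", re.I)


def parse_authentication_results(value: str) -> dict:
    """Map method names to results and property names to the domains they name."""
    parsed = {method.lower(): result.lower() for method, result in RESULT.findall(value)}
    for prop, val in PROPERTY.findall(value):
        parsed[prop.lower()] = val.lower().rpartition("@")[2]  # smtp.mailfrom may carry a local part
    return parsed


def belongs_to_brand(domain: str, official: set) -> bool:
    """True when domain is an official domain or a subdomain of one (notify.paypal.com)."""
    return any(domain == d or domain.endswith("." + d) for d in official)


def judge(auth_results: str, official: set) -> str:
    """Turn a pass/fail header into the verdict that matters: authenticated for whom?"""
    r = parse_authentication_results(auth_results)
    header_from = r.get("header.from", "")
    if r.get("dmarc") != "pass":
        return "dmarc not passing: From domain not proven, treat it as forged"
    if belongs_to_brand(header_from, official):
        return f"dmarc pass for {header_from}: genuinely sent by the brand's domain"
    return f"dmarc pass for {header_from}: authenticated, but for a lookalike domain"


# Constructed header values in the style Gmail writes them.
GENUINE = (
    "mx.google.com; spf=pass smtp.mailfrom=notify.paypal.com; "
    "dkim=pass header.i=@paypal.com header.d=paypal.com; "
    "dmarc=pass (p=REJECT sp=REJECT) header.from=paypal.com"
)
LOOKALIKE = (
    "mx.google.com; spf=pass smtp.mailfrom=paypal-security.net; "
    "dkim=pass header.i=@paypal-security.net header.d=paypal-security.net; "
    "dmarc=pass (p=NONE) header.from=paypal-security.net"
)
SPOOFED = (
    "mx.google.com; spf=fail smtp.mailfrom=paypal.com; dkim=none; "
    "dmarc=fail (p=REJECT) header.from=paypal.com"
)

if __name__ == "__main__":
    for label, header in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(f"{label:10} {judge(header, PAYPAL_OFFICIAL)}")
```

The middle case is the one this FAQ is about: every method passes, and the verdict is still "lookalike", because all that was proven is that paypal-security.net sent its own mail. The third case shows the other side of the same coin: a direct forgery of paypal.com fails DMARC under PayPal's reject policy, which is why attackers register lookalikes instead of spoofing the real domain.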

What if I am not sure after checking, should I forward to support?

Yes, but forward as an attachment when you can so the original headers survive. Most brands prefer reports at the addresses listed above (phishing@paypal.com, reportphishing@apple.com, reportascam@amazon.com, and so on). Do not reply to the original email; replies often bounce to the attacker. Forwarding helps the brand's security team take down the phishing infrastructure faster.

How does SafeBrowz catch fake brand emails?

SafeBrowz does not scan your inbox; it activates when you click a link. A 3-layer engine (Local URL patterns + threat-intel APIs + AI content analysis) checks the destination before the page can load and ask for credentials. The brand database covers 550+ companies including every name in this guide, plus their common homograph and typosquat variants. Free for any user on Chrome, Firefox, or Edge.

Are .com domains always safe and .xyz or .top always fake?

No. TLD is a weak signal on its own. Plenty of legitimate businesses use .xyz, .app, or .io, and plenty of phishing sites use .com. The reliable signal is whether the domain belongs to the brand: paypal.com is safe because PayPal owns it, paypal-secure.com is hostile because PayPal does not. That said, the cheapest TLDs (.top, .xyz, .icu, .cyou, .cfd) are over-represented in 2026 phishing campaigns simply because they cost a dollar to register, so treat them with extra suspicion.

Block fake brand emails before the page loads

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake login pages automatically. It recognizes 550+ brands including PayPal, Apple, Disney+, Hulu, Netflix, HBO Max, Spotify, Amazon, Microsoft, and DocuSign, all auto-blocked when a page tries to impersonate them. AI content analysis works in over 100 languages and catches new phishing domains the moment they go live, even ones that are not yet on any blocklist. Free forever, no account needed.
