Email Viewer

EML & MSG Viewer

Open email files in your browser

Read .eml, Outlook .msg, .mht and winmail.dat files locally — headers, body and attachments. HTML renders in a strict sandbox with every remote image, tracker and script blocked. Nothing is uploaded.

Safe by design

Read suspicious emails without being seen

Everything is parsed by JavaScript in your tab — the file never leaves your device. HTML bodies are rewritten before display: scripts, frames and every remote reference (including tracking pixels) are stripped and counted, then the result renders in a fully sandboxed frame under a default-src 'none' Content-Security-Policy. Opening a message here cannot notify the sender, load a tracker or run any code.

Which formats can it open?

.eml (standard MIME — Gmail, Thunderbird, Apple Mail exports), Outlook .msg (compound file / MAPI), .mht/.mhtml archives and winmail.dat (TNEF). Nested emails, embedded Outlook messages and winmail.dat attachments open in place — use the breadcrumb to step back.

How is the HTML preview kept safe?

Three layers: the HTML is rewritten first (scripts, frames, meta-refresh and all remote references removed and counted), then rendered in a sandboxed iframe — no script execution, isolated origin — under a default-src 'none' CSP. The page's own CSP forbids external connections as a final backstop. Inline cid: images are resolved locally from the email's own attachments.

Do I need Outlook for .msg files?

No. The MAPI property streams are parsed directly: subject, sender, recipients, date, bodies (plain text, HTML, compressed RTF — including RTF-encapsulated HTML) and attachments, with proper code-page handling for international text.

Which attachments preview inline?

Images render from local data, PDFs open in the browser's own viewer from a local blob, text shows as plain text, and HTML attachments pass through the same sandbox as the body. Anything else is download-only. Nothing is ever executed.

Can the sender tell I opened the email?

No. Read receipts and tracking pixels work by loading a remote image when you open a message — here every remote reference is stripped before rendering and the blocked count is shown. No request reaches the sender's server.

What is winmail.dat and how do I open it?

A winmail.dat is a TNEF container — a proprietary wrapper Outlook and Exchange sometimes put around a Rich Text message and its attachments. Clients other than Outlook can't open it, so you get one opaque file instead of the real documents. Drop the winmail.dat here — directly or nested inside an email — and this viewer unpacks it, giving the attachments back with their real names. To stop it at the source, the sender should compose in HTML or Plain Text instead of Rich Text.