TechLila

Bleeding Edge, Always

Share
Tweet
Share
Pin
Secure Wi Fi Network
Up Next

How to Secure Your WiFi Network

TechLila Security

How to Understand Email Header Information?

Avatar for Alexa Jackson
Last updated on:



Emails are the digital messages which can be sent over a network. There can be a sender and multiple receivers. Email use the store and forward model for sending packets. Certain protocols are followed while sending or receiving emails. SMTP is for sending an email and POP/IMAP is for receiving the emails. The mails can be accessed by mail clients or using web browser.

Email Header Information
Image Credit: e-mail symbol via Shutterstock.

Emails send from one computer to another is carried by MTA (Message Transfer Agent). Each time when mail is sent or forwarded the MTA attaches a timestamp along with date and time to the message. Mail server can receive, store, deliver and forward the messages.

See Also: Techniques and Tools for Forensic Investigation of Email

An email is composed of three components message envelope, message header and message body. Message Envelope is the wrapping around the Email content and is used for routing the packets. Message body contains the actual content of the mail and the attachments. Message header consists of information like sender, receiver, date, time, etc.


Explore Header Information

An Email header consists of vital information like sender, receiver, return path, subject, CC, date, Message-ID, Content-Type etc. Here is an example of email header with common attributes in it.

Return-Path: abc@xyz.in
Received: from abcabc (Unknown [192.168.2.67])
by email1.xyz.in with ESMTPA
; Mon, 13 Jul 2015 18:04:33 +0530
From: “ABC “<abc@xyz.in>
To: <eid1@xyz.in>,
<eid2@xyz.in>,
Cc: <ceid1@xyz.in>,
<ceid2@xyz.in>,
Subject: Schedule Sheet July 14 2015 Tuesday
Date: Mon, 13 Jul 2015 18:06:36 +0530
Message-ID: <00b401d0bd68$8f40ee30$adc2ca90$@xyz.in>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00B5_01D0BD96.A902C720"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdC9aHd9Jc+d/OIUTWOX3WVE85ug1w==
Content-Language: en-us

  • Return path: When final delivery of the message is done by the SMTP server this information is inserted at the top of the header message.
  • Received: This is the track record of the message inserted by the SMTP server and it is also in the top of the header part.
  • From: The email address and the name of the sender. The name is optional.
  • To: The recipients of the email along with their email addresses.
  • Cc (Carbon Copy): They are the secondary recipients of the email.
  • Subject: It is the brief description about the contents in the message.
  • Date: The local date and time at which the email was created by the sender.
  • Message-ID: This is an automatic generated code for preventing the multiple delivery of messages and is unique for every message.
  • MIME Version: The version of MIME used and here it is Version 1.0.
  • X-Mailer: The name along with the version of the mail client used for emailing. Here it is Microsoft Outlook 15.0.
  • Thread Index: This is an exclusive entry in email header by Microsoft Outlook to track the messages.
  • Content Language: The language used, here it is US English.

SEE ALSO: Outlook vs Gmail

These are the common attributes in an email header. Some more fields such as Message-ID, ENVID, List-ID, DKIM Signature, etc. can be found. The DKIM signature contained in the header holds all the header and key fetching data. It includes messages and domain signatures. The ENVID (Envelope Identifier) is the identifier to message content and transfer. Various identity fields are included in the email header which can serve the deep analysis of an email.

Reading Email header information from the bottom to up makes a clear idea about the email. The received field shows the name and IP address of the sender so that the complete details can be traced from IP. The tracking of email header can prevent Spam messages. Email Tracer tools are available to analyze the email header. The vivid information held by the email header makes it valuable for an email investigator.

Avatar for Alexa Jackson

Alexa Jackson

Alexa is a Digital Forensic Investigator who does forensics investigation in the global scale. She has extensive experience in Email analysis. She has been a trainer and researcher in the field of email forensics for many years. She is an expertise to analyze the forged email headers from the chunks of emails.

Category

Tags

Reader Interactions

What people are saying

  1. Hi,

    I have one question. If we send the mail, IP address and timestamp are sent via MTA (Message Transfer Agent), but there are some fake mail sender where IP is not sent how we can track them?

    Reply

    • The original sender IP is not required in mail headers. It is added by messaging softwares or MTAs. Making your own SMTP request will not include your IP.
      In my country, the main ISP (Orange) MTA add an X-Originating-IP in every mail sent. But this their MTA behavior, to avoid spammers.
      For this reason I never use their SMTP and prefer install my own dedicated postfix environment. Then my own IP is never shown, only my VPS outgoing IP, event if the mail was relayed 2-3-4-… times before by MX backups

      In addition, if you want to drop some headers on the fly by using a postfix relay on a VPS, you can use the postfix header checks directive to remove crap like :
      /^Received: from 127.0.0.1/ IGNORE
      /^Received: from localhost.localdomain/ IGNORE
      /^Received: from localhost/ IGNORE
      /^X-Originating-IP: / IGNORE
      /^X-Mailer: / IGNORE

      Reply

    • Hi,

      To track the emails sent by fake mailers, you need to dig in the message – id; an attribute that is available inside the email headers.

      Regards

      Reply

  2. Thanks for sharing. very informative.

    Reply

Add Your Comment

Your email address will not be published. Required fields are marked *