Email is a digital message sent over a network from one sender to one or more receivers. Email uses a store-and-forward model: each server along the path accepts the message, stores it and passes it on. Fixed protocols govern sending and receiving: SMTP is used to send mail, and POP or IMAP to retrieve it. Mail can be accessed with a mail client or through a web browser.
Mail travelling from one computer to another is carried by a Message Transfer Agent (MTA). Each time a message is sent or forwarded, the MTA stamps it with the date and time. A mail server can receive, store, deliver and forward messages.
An email has three components: the message envelope, the message header and the message body. The envelope wraps the email content and is used to route the message between servers. The body holds the actual content of the mail and any attachments. The header carries information such as the sender, the recipients, the date and the time.
Explore Header Information
An email header holds vital information such as the sender, the recipients, the return path, the subject, CC, the date, the Message-ID and the Content-Type. Here is an example header with the common fields in it.
Return-Path: email@example.com
Received: from abcabc (Unknown [192.168.2.67]) by email1.xyz.in with ESMTPA ; Mon, 13 Jul 2015 18:04:33 +0530
From: "ABC "<firstname.lastname@example.org>
To: <email@example.com>, <firstname.lastname@example.org>,
Cc: <email@example.com>, <firstname.lastname@example.org>,
Subject: Schedule Sheet July 14 2015 Tuesday
Date: Mon, 13 Jul 2015 18:06:36 +0530
Message-ID: <email@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00B5_01D0BD96.A902C720"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdC9aHd9Jc+d/OIUTWOX3WVE85ug1w==
Content-Language: en-us
- Return-Path: Inserted at the top of the header by the SMTP server that makes final delivery of the message.
- Received: A trace record inserted by each SMTP server that handles the message, also placed at the top of the header, so the newest hop is first and the sender's hop is last.
- From: The sender's email address and, optionally, the sender's name.
- To: The primary recipients of the email with their addresses.
- Cc (Carbon Copy): The secondary recipients of the email.
- Subject: A brief description of the message contents.
- Date: The local date and time at which the sender created the email.
- Message-ID: An automatically generated code, unique to every message, used to prevent duplicate delivery.
- MIME-Version: The MIME version in use; here it is 1.0.
- X-Mailer: The name and version of the mail client used to send the message; here it is Microsoft Outlook 15.0.
- Thread-Index: An entry specific to Microsoft Outlook, used to track messages belonging to a thread.
- Content-Language: The language of the message; here it is US English (en-us).
These are the common fields of an email header. Further fields such as ENVID, List-ID and DKIM-Signature may also be present. The DKIM-Signature field holds the signature over the message body and selected header fields, together with the data needed to verify it: which headers were signed and where to fetch the signing domain's public key. ENVID (Envelope Identifier) identifies the message content and its transfer. The various identity fields in a header support deep analysis of an email.
Reading the header from the bottom up gives a clear picture of the route an email took. The Received fields record the names and IP addresses of the hosts that handled the message, so the sender's details can be traced from the originating IP. Tracking header information in this way can help prevent spam. Email tracer tools are available to analyze headers. The rich information held in an email header makes it valuable to an email investigator.
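The bottom-up reading of Received lines described above, as an added example that is not part of the original article: it parses a constructed header modelled on the one shown earlier (hosts, addresses and IPs are placeholders), walks the relay hops from the sender outward and pulls out the fields an investigator reads first.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header shown above; hosts, addresses and IPs
# are placeholders. Each relay prepends its own Received line, so the sender's
# first hop is the LAST Received line and the trace is read bottom-up.
SAMPLE_HEADER = """\
Return-Path: <email@example.com>
Received: from email1.xyz.in (email1.xyz.in [203.0.113.7])
 by mx.example.com with ESMTPS; Mon, 13 Jul 2015 12:35:10 +0000
Received: from abcabc (Unknown [192.168.2.67])
 by email1.xyz.in with ESMTPA; Mon, 13 Jul 2015 18:04:33 +0530
From: "ABC" <firstname.lastname@example.org>
Subject: Schedule Sheet July 14 2015 Tuesday
Message-ID: <email@example.com>
X-Mailer: Microsoft Outlook 15.0

"""

# Received: from <helo> (<reverse-dns> [<ip>]) by <receiving host> ...; <date>
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]()]+)\s+"
                         r"\[(?P<ip>[^\]]+)\]\))?\s+by\s+(?P<by>\S+)")

def parse_hops(raw_header):
    """Return the Received hops oldest-first, each with helo/rdns/ip/by/time."""
    msg = message_from_string(raw_header, policy=default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom line = first hop
        value = str(value)  # policy=default unfolds the continuation lines
        m = RECEIVED_RE.search(value)
        if not m:  # non-standard relay syntax: keep the raw text for the report
            hops.append({"raw": value})
            continue
        hop = m.groupdict()
        hop["time"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append(hop)
    return hops

def summarize(raw_header):
    """Fields an investigator reads first, plus where the mail entered the system."""
    msg = message_from_string(raw_header, policy=default)
    hops = parse_hops(raw_header)
    origin_ip = hops[0].get("ip") if hops else None
    # A private origin (such as 192.168.x.x) means the sender sat inside the
    # first relay's own network; the earliest public IP is then the next hop.
    return {"message_id": str(msg["Message-ID"]), "x_mailer": str(msg["X-Mailer"]),
            "hop_count": len(hops), "origin_ip": origin_ip,
            "origin_is_private": bool(origin_ip) and ipaddress.ip_address(origin_ip).is_private}
```

Received lines written by other mail servers vary in syntax, so any hop the regex cannot parse is kept as raw text rather than silently dropped.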