Emails are the digital messages which can be sent over a network. There can be a sender and multiple receivers. Email use the store and forward model for sending packets. Certain protocols are followed while sending or receiving emails. SMTP is for sending an email and POP/IMAP is for receiving the emails. The mails can be accessed by mail clients or using web browser.
Emails send from one computer to another is carried by MTA (Message Transfer Agent). Each time when mail is sent or forwarded the MTA attaches a timestamp along with date and time to the message. Mail server can receive, store, deliver and forward the messages.
See Also: Techniques and Tools for Forensic Investigation of Email
An email is composed of three components message envelope, message header and message body. Message Envelope is the wrapping around the Email content and is used for routing the packets. Message body contains the actual content of the mail and the attachments. Message header consists of information like sender, receiver, date, time, etc.
Explore Header Information
An Email header consists of vital information like sender, receiver, return path, subject, CC, date, Message-ID, Content-Type etc. Here is an example of email header with common attributes in it.
Return-Path: [email protected] Received: from abcabc (Unknown [192.168.2.67]) by email1.xyz.in with ESMTPA ; Mon, 13 Jul 2015 18:04:33 +0530 From: “ABC “<[email protected]> To: <[email protected]>, <[email protected]>, Cc: <[email protected]>, <[email protected]>, Subject: Schedule Sheet July 14 2015 Tuesday Date: Mon, 13 Jul 2015 18:06:36 +0530 Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_00B5_01D0BD96.A902C720" X-Mailer: Microsoft Outlook 15.0 Thread-Index: AdC9aHd9Jc+d/OIUTWOX3WVE85ug1w== Content-Language: en-us
- Return path: When final delivery of the message is done by the SMTP server this information is inserted at the top of the header message.
- Received: This is the track record of the message inserted by the SMTP server and it is also in the top of the header part.
- From: The email address and the name of the sender. The name is optional.
- To: The recipients of the email along with their email addresses.
- Cc (Carbon Copy): They are the secondary recipients of the email.
- Subject: It is the brief description about the contents in the message.
- Date: The local date and time at which the email was created by the sender.
- Message-ID: This is an automatic generated code for preventing the multiple delivery of messages and is unique for every message.
- MIME Version: The version of MIME used and here it is Version 1.0.
- X-Mailer: The name along with the version of the mail client used for emailing. Here it is Microsoft Outlook 15.0.
- Thread Index: This is an exclusive entry in email header by Microsoft Outlook to track the messages.
- Content Language: The language used, here it is US English.
SEE ALSO: Outlook vs Gmail
These are the common attributes in an email header. Some more fields such as Message-ID, ENVID, List-ID, DKIM Signature, etc. can be found. The DKIM signature contained in the header holds all the header and key fetching data. It includes messages and domain signatures. The ENVID (Envelope Identifier) is the identifier to message content and transfer. Various identity fields are included in the email header which can serve the deep analysis of an email.
Reading Email header information from the bottom to up makes a clear idea about the email. The received field shows the name and IP address of the sender so that the complete details can be traced from IP. The tracking of email header can prevent Spam messages. Email Tracer tools are available to analyze the email header. The vivid information held by the email header makes it valuable for an email investigator.
Hi,
I have one question. If we send the mail, IP address and timestamp are sent via MTA (Message Transfer Agent), but there are some fake mail sender where IP is not sent how we can track them?
The original sender IP is not required in mail headers. It is added by messaging softwares or MTAs. Making your own SMTP request will not include your IP.
In my country, the main ISP (Orange) MTA add an X-Originating-IP in every mail sent. But this their MTA behavior, to avoid spammers.
For this reason I never use their SMTP and prefer install my own dedicated postfix environment. Then my own IP is never shown, only my VPS outgoing IP, event if the mail was relayed 2-3-4-… times before by MX backups
In addition, if you want to drop some headers on the fly by using a postfix relay on a VPS, you can use the postfix header checks directive to remove crap like :
/^Received: from 127.0.0.1/ IGNORE
/^Received: from localhost.localdomain/ IGNORE
/^Received: from localhost/ IGNORE
/^X-Originating-IP: / IGNORE
/^X-Mailer: / IGNORE
…
Hi,
To track the emails sent by fake mailers, you need to dig in the message – id; an attribute that is available inside the email headers.
Regards
Thanks for sharing. very informative.
My husband and I share an email address, I noticed that I was not getting some of the emails on my laptop that he gets on his phone, like local dating sites and other social media email.how and why would that be?
Might be he is deleting those emails immediately.