Have you ever received an email and questioned where it came from or who sent it? Surprisingly, most of the information may be acquired from the email header metadata.
The header is a section of every email that most recipients never view. It includes a plethora of data that seems to the typical user to be gibberish. Furthermore, most email programs conceal the information, making it harder to obtain.
Because there are so many email clients available, both desktop and web-based, demonstrating how to extract email headers might become a short book. As a result, we’ll concentrate on how to read the email header in Gmail and what you might glean from it.
An email header is the block of metadata that records how a message got to you. It may hold a wealth of information or only the essentials.
There is a standard for which fields a header must carry, but any server that handles the message may add fields of its own, so headers vary from one provider to the next.
If you are curious what those standards look like, RFC 5322 (Internet Message Format) defines the header fields themselves, and RFC 5321 (Simple Mail Transfer Protocol) describes how servers pass the message along. Both are heavy reading unless you actually need the detail.
When you have an email message open in Gmail, expand the More menu by clicking on the three-dot symbol in the top-right corner of the message. Click Show original to see the raw email message’s entire contents and header.
A new window or tab will appear, displaying a plain text version of your email, complete with the header. The header’s content will look something like this:
That’s nice, but what does it mean?
Knowing how the header is formed along the journey an email takes can give you a better understanding of what the data in a header signifies. Let’s have a look at the components as they are introduced and what the most significant components signify.
On the Sender’s Computer
When the sender composes the email, the first part of the header is created on their machine or in their mail client. This includes when the email was written, who wrote it, the subject line, and who it is addressed to.
This is the section of the header that you are most used to seeing as the Date:, From:, To:, and Subject: lines at the top of your email.
On the Sender’s Email Service
Once the email is sent, the sender's email provider adds more information to the header. Because the sender in this example uses a hosted email service, the IP address recorded here belongs to the provider's network, not to the sender's own machine.
A WHOIS lookup on that address therefore identifies the hosting company, not the person who wrote the message. A web search for the server name, tilos.inmoo.net in this case, and a lookup on bgp.tools tie the server name to its IP address and to the network that announces it.
A closer look at the IP address shows that the sender's mail was handed off from LeaseWeb, a Dutch cloud and hosting provider.
This part of the header therefore gives you the sending server's IP address, the time the sender's mail service accepted the message (Thu, 10 Feb 2022 14:58:13 -0800 (PST)), and the Message-ID that the mail service assigned to this specific message.
Along the Way to the Recipient’s Email Service
From there the email may pass through any number of servers before it reaches the recipient's email service. Each server that handles the message prepends a Received: line, so the header records how many "hops" it took to reach you.
Because each new Received: line is added above the previous ones, the hops read in reverse chronological order: the line at the top comes from the server that most recently handled the email, and the line at the bottom from the server that first handled it. In our example, the first hop carries the email from the sender's provider to Google, where it travels two more hops before reaching the recipient's mailbox.
Received: from tilos.inmoo.net (tilos.inmoo.net. [188.8.131.52])
        by mx.google.com with ESMTPS id nc18si9066695ejc.964.2022.02.10.14.58.13
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 10 Feb 2022 14:58:13 -0800 (PST)
Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 220.127.116.11 as permitted sender) client-ip=184.108.40.206;
Authentication-Results: mx.google.com;
       dkim=pass email@example.com header.s=ms header.b=frJ635H2;
       spf=pass (google.com: domain of firstname.lastname@example.org designates 18.104.22.168 as permitted sender) email@example.com
This is the hop between LeaseWeb's server and the recipient's email server. Because the message was received by mx.google.com, we can tell that the recipient uses Google for email.
Pay particular attention to the Received-SPF: line. SPF, the Sender Policy Framework, lets the owner of a domain publish in DNS which servers are allowed to send email on that domain's behalf. The receiving server looks up that record and checks whether the IP address that actually connected (the client-ip) is on the list.
The result here is pass, meaning the connecting IP address is authorized to send for the domain. A fail result means the domain's owner has explicitly said that this server may not send for it; Gmail treats that as a strong signal against the message, and what happens next (rejection, spam folder, or delivery) depends on the receiver's filters and on the domain's DMARC policy. A softfail result means the domain owner is not sure, so the message is normally accepted but regarded with suspicion.
One or more hops may precede the final one. Subtracting consecutive Received: time stamps shows how long the message sat at each server, which is mostly of interest when you are troubleshooting delivery delays. Be aware that the clocks on different servers are rarely in perfect sync, so small or even negative gaps are usually clock skew rather than anything meaningful.
The delays say little about how far apart the servers are; queueing and filtering at each hop dominate, not distance.
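The following script is an added example, not code from the original article: it reads a raw header block the way the preceding sections describe, walks the Received: lines from the earliest hop to the last, computes the gap between consecutive time stamps, and pulls the pass/fail results out of Received-SPF: and Authentication-Results:. The header it parses is constructed for this example; the host names, IP addresses (RFC 5737 documentation ranges), mailboxes and ids are all made up and are not from the message discussed above.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header, laid out the way Gmail's "Show original" view
# prints one. Every host name, IP address, mailbox and id below is made up
# for this example.
RAW_HEADERS = """\
Delivered-To: recipient@example.net
Return-Path: <sender@sender-example.org>
Received: from mail-hop2.example.net ([203.0.113.20])
        by mx.example.net with ESMTPS id abc123
        for <recipient@example.net>;
        Thu, 10 Feb 2022 14:58:15 -0800 (PST)
Received: from mail-hop1.example.net ([203.0.113.10])
        by mail-hop2.example.net with ESMTP id def456;
        Thu, 10 Feb 2022 14:58:14 -0800 (PST)
Received: from smtp.sender-example.org (smtp.sender-example.org. [198.51.100.5])
        by mail-hop1.example.net with ESMTPS id ghi789
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 10 Feb 2022 14:58:13 -0800 (PST)
Received-SPF: pass (example.net: domain of sender@sender-example.org designates 198.51.100.5 as permitted sender) client-ip=198.51.100.5;
Authentication-Results: mx.example.net;
       dkim=pass header.i=@sender-example.org header.s=ms header.b=frJ635H2;
       spf=pass (example.net: domain of sender@sender-example.org designates 198.51.100.5 as permitted sender) smtp.mailfrom=sender@sender-example.org
From: Sender Name <sender@sender-example.org>
To: recipient@example.net
Subject: Example message
Date: Thu, 10 Feb 2022 14:58:12 -0800
Message-ID: <20220210225812.1234@sender-example.org>

(body omitted)
"""


def parse_received(value):
    """Pull the announced sending host, the IP in brackets, the receiving host
    and the time stamp out of one Received: value (folding whitespace collapsed)."""
    text = " ".join(value.split())
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_ip = re.search(r"\[([0-9a-fA-F.:]+)\]", text)
    # The date is everything after the last ';' in the field.
    timestamp = None
    if ";" in text:
        try:
            timestamp = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        except ValueError:
            timestamp = None
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "time": timestamp,
    }


def hops_in_order(msg):
    """Received: lines are prepended as the message travels, so the topmost is
    the most recent. Reverse them to get chronological order, origin first."""
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def hop_delays(hops):
    """Seconds between consecutive Received: time stamps. Negative values
    usually mean clock skew between servers, not time travel."""
    delays = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"]:
            delays.append((cur["time"] - prev["time"]).total_seconds())
        else:
            delays.append(None)
    return delays


def auth_results(msg):
    """Collapse Received-SPF: and Authentication-Results: into {method: result}."""
    results = {}
    spf = msg.get("Received-SPF")
    if spf:
        results["received-spf"] = spf.split()[0].lower()
    for value in msg.get_all("Authentication-Results") or []:
        text = " ".join(value.split())
        for m in re.finditer(r"\b(dkim|spf|dmarc)=(\w+)", text):
            results[m.group(1)] = m.group(2).lower()
    return results


def analyze(raw):
    """Parse a raw message and summarize its trace and authentication headers."""
    msg = message_from_string(raw)
    hops = hops_in_order(msg)
    return {"hops": hops, "delays": hop_delays(hops), "auth": auth_results(msg)}


if __name__ == "__main__":
    report = analyze(RAW_HEADERS)
    first = report["hops"][0]
    print(f"origin: {first['from']} [{first['ip']}] handed to {first['by']}")
    for hop, delay in zip(report["hops"][1:], report["delays"]):
        print(f"  -> {hop['by']} after {delay:+.0f}s")
    print("auth:", report["auth"])
```

The first entry of the hop list is the server that originally handed the message over; for a hosted sender that is the provider's outbound server, not the user's computer, exactly as the article observes. Paste the output of Gmail's "Show original" in place of RAW_HEADERS to run it on a real message.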
At the Recipient’s Email Server
More information is added once the message reaches the recipient's email service: the date and time its servers received it, the server it was received from, the intended recipient's address (Delivered-To), the envelope sender or bounce address (Return-Path), and the address the sender asked replies to go to (Reply-To), if one was set.
Back in the final hop, we noticed that the recipient uses Google for email. Most importantly, the Return-Path is the envelope address that bounces go back to, and it is the address SPF was checked against; the From: line is what you see in your mail client. When the two use the same domain, the SPF pass actually vouches for the address displayed to you, which is a good sign that the message is what it claims to be. When they differ, the mail may still be legitimate (newsletters and ticketing systems routinely do this), but the SPF result no longer says anything about the visible sender.
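As an added example (not code from the original article), the check described in the paragraph above in a few lines of Python: compare the domains of Return-Path, From and Reply-To, and flag the two patterns worth a second look, a bounce address on an unrelated domain and a Reply-To that steers answers somewhere else. Both header sets are constructed for this example with made-up domains and mailboxes.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed header set: bounce address on a subdomain of the From domain,
# which is how many legitimate senders are set up.
ALIGNED_HEADERS = """\
Return-Path: <bounces@mail.sender-example.org>
From: Sender Name <sender@sender-example.org>
To: recipient@example.net
Subject: Your invoice

"""

# Constructed header set: same visible From domain, but the bounce address
# belongs to an unrelated relay and replies are steered to a third domain.
REDIRECTED_HEADERS = """\
Return-Path: <x7k2@bulk-relay.example>
From: "The CEO" <ceo@sender-example.org>
Reply-To: ceo.office@freemail.example
To: recipient@example.net
Subject: Urgent wire transfer

"""


def address_domain(header_value):
    """Lowercased domain of the first mailbox in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(" ".join(header_value.split()))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def aligned(a, b):
    """True when the domains are equal or one is a subdomain of the other.
    Approximation: DMARC's relaxed mode compares organizational domains using
    a public-suffix list, which this example deliberately does not ship."""
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def sender_alignment(raw):
    """Compare the envelope sender (Return-Path), the visible From: and any
    Reply-To:, the three addresses a reader might assume are 'the sender'."""
    msg = message_from_string(raw)
    from_dom = address_domain(msg.get("From"))
    rp_dom = address_domain(msg.get("Return-Path"))
    reply_dom = address_domain(msg.get("Reply-To"))
    return {
        "from": from_dom,
        "return_path": rp_dom,
        "reply_to": reply_dom,
        "return_path_aligned": aligned(from_dom, rp_dom),
        # A Reply-To on another domain is not proof of fraud (ticketing and
        # marketing systems do it), but it is the classic pattern when a spoofed
        # From is used to move the conversation to an attacker-controlled mailbox.
        "reply_to_redirects": reply_dom is not None and not aligned(from_dom, reply_dom),
    }


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_HEADERS), ("redirected", REDIRECTED_HEADERS)):
        print(label, sender_alignment(raw))
```

Treat the result as a prompt for closer inspection rather than a verdict: the second sample is suspicious because a passing SPF on bulk-relay.example says nothing about ceo@sender-example.org, and because any reply would leave the organization entirely.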
Because a hosted email provider is in use, the information in this header is limited. If the sender ran their own mail server, we might learn more.
We might be able to work out which mail client they use from an X-Mailer: or User-Agent: header, if the client adds one. We could also run WHOIS on the sender's IP address to get a rough idea of where the mail is hosted.
We might also run a basic online search on the sender’s domain to determine whether they have a website. We may be able to learn more about the sender by visiting that website.
You could run a google search on the email address, identify the individual, and start doxing them. However, we do not advise you to do so.
Decoding email headers based only on raw data might be intimidating. You can, thankfully, rely on internet tools to handle the hard job for you. Gmail also makes it simple to copy the whole header with the press of a button. Once you’ve seen the original message with all of its information (see above), click the Copy to Clipboard button and go to one of the sites listed below.
- Google Administrator Toolkit Messageheader: This website will go over the fundamentals as well as the journey the email went from sender to recipient.
- MX Toolbox: This examines the header in further depth, revealing delays, authentication concerns, and each hop the email took.
- WhatIsMyIP: If you’re wondering where the email originated from, head right here. This service searches the WHOIS database.
- Mail Header: With Mail Header, you’ll receive a full Message Transfer Agent (MTA) analysis, as well as a graphic depiction of the path your email went across the world, complete with hop and spam score information.
Every electronic communication leaves a trace. Some are bigger and simpler to follow than others. Some are hidden by web filters and proxy servers. In any case, what is left behind reveals something about the person who made them.
We may perform further investigations based on the metadata to learn more about the persons involved. Is it possible that they are concealing anything by utilizing a VPN? Are they really from a respectable company with a legitimate website? Is this truly the person I want to go on a date with? What can regular individuals, let alone the NSA, discover about me?
Examine your email headers to discover what they say about you. If you come across any strange header lines, ask Google to assist you interpret them.