Discovering Email Header Forensic Analysis!

Alessia Manon | Modified: August 17th, 2018 | Email Forensics

Investigators mostly focus on the electronic messages like emails when it comes to electronically stored information sources. These emails are potential evidences as it involves personal communications, critical business communications, business documents, agreements, professional discussions, corporate disclosures, etc. Culprits also try to manipulate the emails and forge the details so as to remove the evidences. Backdating, time-stamp changes, changing the senders or recipients, changing the message contents, etc. can be done by culprits. However, these details can be examined using examiners’ favorite field i.e. email headers. Email header forensic analysis can help investigators to reach to the limits where general investigation couldn’t have reached. Let us see how the email investigation on header part is done and what are the essential elements for header examination.

Relevance of Headers & Components

Email header forensics basically denotes the examination done on the email message body and the source and path followed by it. This also includes the identification of genuine sender, time, or recipient of the emails. The email header forensic analysis can bring out the candid evidences from various components included in the header part. Let us see which components are helpful for header forensics;


X-Apparently-To- It will reveal recipient’s email address while investigating. This can be the validation field for checking email service provider. Generally this field is referred to as “BCC, CC, or To” and is not restricted to “To”.

Delivery To: This shows the address of the auto-mailer.

Return-Path: This field is used for the bounces of email messages. In case the mail server is sending the message and it cannot be delivered.

Received-SPF: During email header forensics, this field shows the information of email service used for the sending of mails. It is also having an ID number which is important for log examination for determining the validity of an email. In case of unavailability of the ID, the email must have been spoofed.

Message ID: This is a globally used unique identification ID which refers to the genuine time of the emails and version of message. It is highly important to know if investigators want to know whether spoofing is done to the email or not.

MIME Version: It stands for Multipurpose Internet Mail Extensions and is an Internet Standard which extends format of message.

Content-type: This shows the type of content or format used for the message like; XLML, Text, or HTML.

X-Mailer: It displays the email client which is used for sending the message.

X-Originating-IP & Received: This is an important field for tracing the IP address used for sending the email. This is the most important message when it comes to the email header forensic analysis as it has to be examined where the mail arrived from.

DKIM- Signature: This field stores the signature of an email and all key-fetching information in simple “tag=value” syntax. It is a crucial field to validate the domain name and identity allied to the message via cryptographic authentication.

Scrutiny of the Email Headers

While performing the email header forensics, investigators usually start it from the headers as it is the critical source of evidences for any case or examination. Any type of server handling an email message adds information on top of header where investigators start the scrutiny. Any changes or manipulation done in information which might be caused because of SMTP servers can verify that the email message is forged. During email header forensic analysis, the behavior of servers can be analyzed through these fields available in the email headers. Amongst all the fields available, message ID plays and important role. Overall it is quite an impossible task whether the message is genuine or not but in some cases where hackers are not that intelligent, their mistakes can leave some trails in headers. So, right from the source where the email was generated, source IP address, STMP servers involved, time-stamps verification, etc. can present the loopholes of the case.