Email Header Forensics – Analysis of Email Artifacts

Published By Aswin Vijayan
Approved By Anuraag Singh
Published On October 4th, 2023
Category Email Forensics

Investigators mostly focus on electronic messages such as emails when it comes to sources of electronically stored information. These emails are potential evidence because they involve personal communications, critical business communications, business documents, agreements, professional discussions, corporate disclosures, etc. Culprits also try to manipulate emails and forge their details in order to remove the evidence. Backdating, time-stamp changes, changing the senders or recipients, changing the message contents, etc. can all be done by culprits. However, these details can be examined using the examiners’ favorite field, i.e. email headers. Email header forensic analysis can help investigators reach where a general investigation could not.

Email header forensics basically denotes the examination of the email message body and of the source and path it followed. This also includes identifying the genuine sender, time, or recipient of the emails. Email header forensic analysis can bring out candid evidence from the various components included in the header.

Components helpful for Email Header Forensics

X-Apparently-To: This reveals the recipient’s email address during the investigation. It can serve as a validation field for checking email service providers.

Delivery To: This shows the address of the auto-mailer.

Return-Path: This is used for bounced email messages, in case the mail server sends the message and its delivery fails.

Received-SPF: During email header forensics, this field shows information about the email service used to send the mail. It also has an ID number, which is important in log examination for determining the validity of an email.

Message ID: This is used as a globally unique identifier, which refers to the genuine time of the email and the version of the message.

MIME Version: It stands for Multipurpose Internet Mail Extensions and is an Internet Standard which extends the format of messages.

Content-type: This shows the type of content or format used for the message, such as XML, text, or HTML.

X-Originating-IP & Received: This is an important field for tracing the IP address used for sending the email. 

DKIM-Signature: This field stores the signature of an email and all key-fetching information in a simple “tag=value” syntax. It is a crucial field for validating the domain name and identity associated with the message via cryptographic authentication.
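As an added example (not part of the original article or of any tool it describes), the Python sketch below pulls several of the fields listed above out of a raw message, splits the DKIM-Signature into its “tag=value” pairs, and compares the signing domain with the From and Return-Path domains. The message, its domains and the helper names `parse_dkim_tags`, `domain_of` and `summarize` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, domain and value is made up.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: pass (constructed sample)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
 s=sel1; h=from:to:subject:date; bh=Q09OU1RSVUNURUQ=;
 b=U0FNUExF
From: "Accounts" <accounts@example.com>
To: user@example.org
Subject: Invoice
Message-ID: <1234@mailer.example.net>
Date: Wed, 04 Oct 2023 10:00:00 +0000

body
"""

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into a dict of its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            # Split on the first "=" only: base64 values may end in "=".
            name, _, val = part.partition("=")
            # Folded header lines leave whitespace inside values; drop it.
            tags[name.strip()] = "".join(val.split())
    return tags

def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower()

def summarize(raw):
    """Collect the identity-related header fields an examiner compares."""
    msg = message_from_string(raw)
    dkim = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    from_dom = domain_of(msg.get("From"))
    return {
        "from_domain": from_dom,
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "dkim_domain": dkim.get("d", "").lower(),
        "dkim_selector": dkim.get("s", ""),
        "signed_headers": dkim.get("h", "").split(":"),
        # Exact comparison only; a mismatch is a lead, not proof of forgery.
        "dkim_matches_from": dkim.get("d", "").lower() == from_dom,
    }
```

This only reads the fields; it does not fetch the public key or verify the signature cryptographically.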

A Professional Solution for Email Forensics Analysis

MailXaminer is an advanced software tool recommended by experts for Email Header Forensics. It is a widely acknowledged product that has all the tools needed for an investigation.

Several benefits of this tool are:

  • Case Management: The tool lets you work on multiple cases simultaneously, providing a separate working space for each case. This enables better organization and collaboration among team members in an Email Forensics environment.
  • Wide Range of File Format Support: Unlike other tools in the market, this tool supports various file formats such as mbox, pst, dd image files, dmg image files, and more. This flexibility allows you to import data files from a variety of mail platforms.
  • OCR Capabilities: The tool includes OCR functionality. This enables the analysis of keywords in image files and attachments.
  • Multiple Search Options: The application offers diverse search options including general search, proximity search, and fuzzy search. These options help you efficiently handle large volumes of evidence data and expedite Email Forensic Analysis.
  • Detailed Filtering Options: With standard filters, custodian filters, and keyword filters, the tool enhances selective search capabilities. This enables you to narrow down your search based on specific criteria, improving the accuracy and relevance of your results.
  • Powerful Analysis Features: The tool provides advanced analysis options such as link analysis, word cloud generation, and timeline analysis. These features enable you to visually represent forensic data in a mind-map-like format, facilitating better interpretation of the information.
  • Various Export/Extraction Formats: Once your investigation is complete, you can export the evidence in various formats such as eml, pst, dat, and more. The tool also supports dual file formats, such as PDF and CSV, for creating comprehensive reports.


Here is a simplified user guide for the tool:

1. Launch the tool and enter your user credentials. You can create a new case at this stage.

2. Add the relevant files required for analysis. Choose the desired email client and proceed with the import process to bring in the data.

3. Access the different options, such as analysis and custodian information, through the tab on the left-hand side of the tool’s interface.

4. After completing the Email Forensic analysis, you can export your findings in the form of a detailed report.

Overall, this tool is very user-friendly and intuitive.


While performing email header forensics, investigators usually start with the headers, as they are the critical source of evidence for any case or examination. Every server that handles an email message adds information at the top of the header, which is where investigators start their scrutiny. Any changes or manipulation in the information added by SMTP servers can help verify the forgery of email messages. Amongst all the fields available, the message ID plays an important role. Overall, it is quite an impossible task to determine whether the message is genuine or not, but in some cases where hackers are not that intelligent, their mistakes can leave some trails in the headers.
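Because each server adds its own line at the top, the Received headers can be read bottom-up as a timeline and compared with the Date header, which is how backdating tends to show up. The Python sketch below is an added example, not code from the original article; the sample message, its hosts and IDs, the 300-second tolerance and the helper names are assumptions made for illustration.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts, IDs and addresses are invented for illustration.
RAW = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
 by inbox.example.org with ESMTP id C3; Wed, 04 Oct 2023 10:00:09 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.example.org with ESMTP id B2; Wed, 04 Oct 2023 10:00:05 +0000
Received: from client.example.net ([192.0.2.10])
 by relay.example.net with ESMTP id A1; Wed, 04 Oct 2023 10:00:01 +0000
From: sender@example.net
To: user@example.org
Message-ID: <abc@example.net>
Date: Mon, 02 Oct 2023 09:00:00 +0000

body
"""

def parse_when(text):
    """Parse an RFC 5322 date string; return None if it cannot be parsed."""
    try:
        when = parsedate_to_datetime((text or "").strip())
    except (TypeError, ValueError):
        return None
    # "-0000" parses to a naive datetime; treat it as UTC so values compare.
    return when if when.tzinfo is not None else when.replace(tzinfo=timezone.utc)

def hops_oldest_first(msg):
    """Return (timestamp, flattened header) per Received line, oldest first."""
    # Each server prepends its own Received line, so the last is the oldest.
    return [(parse_when(v.rpartition(";")[2]), " ".join(v.split()))
            for v in reversed(msg.get_all("Received", []))]

def timeline_findings(raw, tolerance_s=300):
    """List timing inconsistencies worth following up in server logs."""
    msg = message_from_string(raw)
    hops = hops_oldest_first(msg)
    times = [t for t, _ in hops if t is not None]
    findings = []
    if len(times) < len(hops):
        findings.append("unparseable Received timestamp")
    if any((b - a).total_seconds() < -tolerance_s for a, b in zip(times, times[1:])):
        findings.append("Received timestamps run backwards")
    date = parse_when(msg["Date"])
    if date is not None and times and abs((times[0] - date).total_seconds()) > tolerance_s:
        findings.append("Date header differs from first Received hop")
    return findings
```

A finding here is a prompt to check the named servers' logs; clock drift and queued mail can also produce gaps.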