Email Analysis
Introduction
Emails are the most popular means of communication for businesses, so it is essential to understand how they work and how to investigate the metadata attached to them.
Objectives
Learn what an email header is
Learn what type of data is stored in the email header and how to utilise it
Learn how to use Email Header Analyzer to parse email headers
Reading Email Headers
When reading email headers, it is always advised to start from the bottom. Each mail server that handles the message prepends its own Received header above the existing ones, so the header nearest the bottom was written first and describes the message closest to its origin. One caveat: everything below the Received header added by the first server you trust (usually your own mail provider) was supplied by the sender and can be forged.
Starting at the bottom of the email source, let's dissect the data.
When we view an email normally, the visible metadata is limited to the sender's and recipients' addresses, the subject, and the date sent.
Analysing the raw headers reveals more. The Message-ID is a unique identifier assigned when the message is first submitted; it usually contains the domain of the originating mail system, and that provider can look it up in its own logs to identify the account and IP address that submitted the message. The related headers In-Reply-To and References carry the Message-IDs of earlier messages, which shows whether this email is a reply or part of an existing thread; a forwarded message is a new submission and gets a new Message-ID of its own.
Continuing up the source, the Received headers record each hop. The lowest Received header describes the first server that accepted the message and, where the server recorded it, the name and bracketed IP address of the host that connected to it. Each server above adds another Received header as the message is relayed, so the chain read bottom-up traces the delivery path and its timestamps.
The next headers are Received-SPF and DKIM-Signature, which support detection of spoofed and tampered emails. Received-SPF records the receiving server's SPF check of whether the connecting IP is authorised to send for the envelope sender's domain. DKIM-Signature is the signature the sending domain (the d= tag) placed over selected headers and the body; the signature itself does not say whether it verified, that result is recorded by the receiving server in the Authentication-Results header, and a mismatch between the d= domain and the From domain is a common sign of spoofing.
Scrolling up to the top of the source, we can also see the ARC headers (ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results). ARC works alongside SPF and DKIM: each forwarding server records the authentication results it saw and signs them, so the final recipient can tell whether the email passed authenticity checks even when forwarding or mailing-list handling has broken the original signature. X-Received is a non-standard, provider-specific header that shows the server that received the email, and Delivered-To shows the final mailbox address the message was delivered to; the time of delivery is in the topmost Received header.
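As an added example (not part of the original walkthrough), the script below does the bottom-up reading described above on a raw message: it reverses the Received chain so the oldest hop comes first, pulls out the host and IP recorded at each hop, checks that the hop timestamps never go backwards, summarises Received-SPF, DKIM-Signature and Authentication-Results, and reads Message-ID and In-Reply-To to tell a reply from a fresh message. The embedded message and every host name, address, IP and identifier in it are constructed for the example.

```python
import re
from email import message_from_bytes
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (added example; all hosts, addresses and IPs are made up).
# Three hops: sender's laptop -> sender's relay -> recipient's mail server.
RAW_MESSAGE = b"""\
Delivered-To: victim@example.test
Received: by mx.example.test with SMTP id abc123;
        Tue, 10 Jan 2023 10:05:00 +0000
ARC-Authentication-Results: i=1; mx.example.test; spf=pass smtp.mailfrom=sender.example;
        dkim=pass header.d=sender.example
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=sender.example;
        dkim=pass header.d=sender.example
Received-SPF: pass (mx.example.test: domain of news@sender.example designates
        203.0.113.25 as permitted sender) client-ip=203.0.113.25;
Received: from relay.sender.example (relay.sender.example [203.0.113.25])
        by mx.example.test with ESMTPS id xyz789;
        Tue, 10 Jan 2023 10:04:58 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel1;
        h=from:to:subject:date; bh=AAAA; b=BBBB
Received: from laptop.internal (unknown [192.0.2.7])
        by relay.sender.example with ESMTPA id def456;
        Tue, 10 Jan 2023 10:04:55 +0000
Message-ID: <20230110100455.1234@relay.sender.example>
In-Reply-To: <20230109.9999@example.test>
From: "News" <news@sender.example>
To: victim@example.test
Subject: Re: Invoice
Date: Tue, 10 Jan 2023 10:04:55 +0000

Please see the attached invoice.
"""

# "from <host> (<comment>) by <host>"; the from-part is absent on a hop that
# only records local handling, so it is optional.
RECEIVED_RE = re.compile(
    r"(?:from\s+(?P<from>\S+)\s+(?:\((?P<comment>[^)]*)\)\s+)?)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def flat(value: str) -> str:
    """Collapse folded header continuation lines into one line."""
    return re.sub(r"\s+", " ", value).strip()


def parse_message(raw: bytes) -> Message:
    return message_from_bytes(raw)


def received_chain(msg: Message) -> list:
    """Received hops oldest-first: each MTA prepends its header, so reversing
    header order yields the path the message actually took."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = flat(value)
        m = RECEIVED_RE.search(value)
        ip = IP_RE.search(value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def chronological(hops: list) -> bool:
    """False if a hop is stamped earlier than the hop below it: clock skew is
    common, but so are Received headers fabricated by the sender."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(a <= b for a, b in zip(times, times[1:]))


def likely_origin(hops: list):
    """Lowest hop that recorded a connecting IP: the best guess at the sender."""
    return next((h for h in hops if h["ip"]), None)


def auth_summary(msg: Message) -> dict:
    """What the receiving side recorded for SPF and DKIM, plus From alignment."""
    spf, dkim, ar = (msg.get(h) for h in ("Received-SPF", "DKIM-Signature", "Authentication-Results"))
    d = re.search(r"(?:^|;)\s*d=([^;\s]+)", flat(dkim)) if dkim else None
    dkim_domain = d.group(1) if d else None
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc|arc)=(\w+)", flat(ar or "")):
        results.setdefault(m.group(1), m.group(2))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "received_spf": flat(spf).split()[0].lower() if spf else None,
        "dkim_domain": dkim_domain,
        "authentication_results": results,
        "dkim_aligned_with_from": bool(dkim_domain) and dkim_domain.lower() == from_domain,
    }


def thread_info(msg: Message) -> dict:
    """Message-ID identifies this message; In-Reply-To/References tie it to a thread."""
    mid = flat(msg["Message-ID"]) if msg["Message-ID"] else None
    in_reply_to = msg.get("In-Reply-To")
    refs = flat(msg.get("References", "")).split()
    return {
        "message_id": mid,
        "message_id_domain": mid.rpartition("@")[2].rstrip(">") if mid else None,
        "in_reply_to": flat(in_reply_to) if in_reply_to else None,
        "is_reply": bool(in_reply_to or refs),
    }


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    hops = received_chain(msg)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']} at={hop['time']}")
    print("timestamps consistent:", chronological(hops))
    print("likely origin:", likely_origin(hops))
    print("auth:", auth_summary(msg))
    print("thread:", thread_info(msg))
```

To run it on a real message, save the email as raw source (.eml) and pass its bytes to parse_message instead of RAW_MESSAGE. Treat the lowest hop's IP as a lead, not a fact: only the hops added by servers you trust are beyond the sender's control.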