Email has become the dominant mode of information sharing, and millions of users worldwide rely on email services to keep their communication channels open. Gmail, one of the most widely used and reliable services, handles this communication efficiently and accurately. One important part of every Gmail message is its header: each email carries a hidden header that records tracking information for that message. An email header analyzer can therefore be used to carry out Gmail email forensics and extract this crucial information. The following sections discuss in detail how to view and analyze a Gmail message header.
How to Extract an Email Header from Gmail
Every email message carries header information that is not displayed when the message is viewed normally. Viewing a Gmail header is not difficult, however; the following steps let the user study the email header format:
1. Open the email message in Gmail.
2. Click the drop-down arrow located next to the Reply button.
3. Choose the Show Original option to read the Gmail header.
Understand Parameters of Gmail Header
Gmail headers play a significant role in tracking information about the sender and various network-related components, so a careful analysis of a Gmail header reveals sensitive details. When extracted, the Gmail header contains the following components:
Delivered-To: The Delivered-To field indicates the email address of the intended recipient, so it normally contains the same email ID as the mailbox whose Gmail header is being analyzed.
Significance: By reading the address in the Delivered-To field, a user can detect phishing activity. If the address does not correspond to your own email ID, some kind of manipulation has taken place and needs to be investigated.
Received By: The topmost Received header denotes information about the last SMTP server the message visited:
- the IP address of the server
- the SMTP ID assigned by that server
- the date and time at which the message was received by the SMTP server
X-Received: The server or mail agent adds the X-Received header field to carry non-standard header information. It indicates:
- the IP address of the server that received the message
- the SMTP ID for the server
- the specific date and time at which the email was received
Return-Path: The Return-Path field specifies the email address, or path, to which the message is bounced back in case of transmission failure. Thus, the failure notification for problems such as a wrong email address is delivered to the return path.
Received From: The subsequent Received header (the lowest one in the chain) carries information about the first SMTP server the email passed through. It shows the server-related information:
- the server's IP address
- the email address of the receiver
- encryption-related information
- the date and time for the received message
Received-SPF: The server adds a Received-SPF field to indicate whether the email message comes from a verified sender. It applies techniques to verify the sender's identity and only forwards the message if the sender is authenticated.
Significance: The SPF (Sender Policy Framework) check verifies whether the email is from a valid sender. It checks the identity against the domain's SPF record and adds the status of the check to the header field. The most commonly used result codes are:
| Result | Meaning |
|---|---|
| Pass | The email source is valid |
| Softfail | There is a possibility of a fake source |
| Fail | The email source is absolutely invalid |
| Neutral | Difficult to distinguish between a valid and an invalid source |
| None | No SPF record is found for the domain |
| Unknown | The SPF check cannot be performed |
| Error | An error occurred while performing the SPF check |
Authentication-Results: The Mail Transfer Agents perform several authentication checks on the message before processing it, and the results are added to the Authentication-Results header field. Because several authentication techniques may be applied, the individual results are separated by semicolons.
Significance: The following information can be extracted from the field:
- the first field signifies the ID of the server that performed the authentication
- the subsequent fields, separated by semicolons, indicate the applied authentication techniques and their results
DKIM-Signature: The DKIM-Signature header is the field that carries the digital signature embedded in the email. It is another authentication mechanism maintained by the mail server to share data in a secure form.
Significance: The DKIM (DomainKeys Identified Mail) signature contains the digital signature in a non-readable form. The tags located within the header field denote:
- v= the version (of DKIM) used
- a= the algorithm used to sign the message
- c= the list of canonicalization algorithms
- d= the signing domain, i.e. the domain for which the message is signed
- s= the selector
- h= the signed header fields
- bh= the body hash
- t= the timestamp of the signature
- x= the expiry time of the message signature
X-Google-DKIM-Signature: In addition to the other authentication fields, Google itself adds an X-Google-DKIM-Signature field to the email header to strengthen signature authentication. The tags within the field describe how the digital signature was encoded.
Significance: The parameters of the digital signature are specified as:
- v= the version used for the signature
- a= the signature algorithm used by Google
- c= the canonicalization algorithm used
- d= the signing domain
- h= the list of signed header fields
- bh= the body hash
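As an added example that is not part of the original article, the following Python script uses only the standard library to parse a constructed Gmail-style raw message and pull out the fields discussed above: the Delivered-To check, the Received chain, the Received-SPF result code, the Authentication-Results entries and the tag=value pairs of DKIM-Signature or X-Google-DKIM-Signature. The addresses, hostnames, IP address and signature values in the sample are made up for illustration.

```python
from email import message_from_string
# Constructed sample of a Gmail-style raw message (not a real message).
RAW_MESSAGE = """\
Delivered-To: alice@example.com
Received: by 2002:a05:6000:1234 with SMTP id x1csp123; Tue, 1 Mar 2022 10:00:05 -0800 (PST)
Received: from mail.sender.example (mail.sender.example. [203.0.113.5])
        by mx.google.com with ESMTPS id z3si789 for <alice@example.com>;
        Tue, 1 Mar 2022 10:00:03 -0800 (PST)
Received-SPF: pass (google.com: domain of bob@sender.example designates 203.0.113.5 as permitted sender) client-ip=203.0.113.5;
Authentication-Results: mx.google.com; dkim=pass header.i=@sender.example; spf=pass smtp.mailfrom=bob@sender.example; dmarc=pass (p=REJECT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example; s=mail2022;
        h=from:to:subject:date:message-id; bh=AAAA=; b=BBBB=
From: Bob <bob@sender.example>

body
"""

def parse(raw):
    return message_from_string(raw)  # header values keep their folding; helpers unfold them

def spf_result(msg):
    """First token of Received-SPF is the result code (pass, softfail, fail, ...); absent -> 'none'."""
    return msg.get("Received-SPF", "none").split()[0].lower()

def authentication_results(msg):
    """Split 'authserv-id; method=result ...; ...' into {'authserv_id': ..., method: result}."""
    parts = [p.strip() for p in msg.get("Authentication-Results", "").split(";") if p.strip()]
    results = {"authserv_id": parts[0] if parts else ""}
    for part in parts[1:]:
        method, _, rest = part.partition("=")
        results[method.strip()] = rest.split()[0]  # result code comes before any comment
    return results

def dkim_tags(msg, header="DKIM-Signature"):
    """tag=value pairs of DKIM-Signature or X-Google-DKIM-Signature (d=, s=, h=, bh=, ...)."""
    tags = {}
    for item in " ".join(msg.get(header, "").split()).split(";"):
        tag, sep, value = item.partition("=")
        if sep:
            tags[tag.strip()] = value.strip()
    return tags

def received_hops(msg):
    """Received lines top to bottom: the first is the last server, the last is the first hop."""
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]

def delivered_to_mismatch(msg, my_address):
    """True when Delivered-To is not the mailbox under analysis (possible manipulation)."""
    return msg.get("Delivered-To", "").strip().lower() != my_address.lower()
```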
MIME-Version: The MIME-Version (Multipurpose Internet Mail Extensions) field indicates that the Gmail message is MIME formatted, so it can carry multiple kinds of data including plain text, audio, video, application files, etc.
Reply-To: The Reply-To header field lists the email address at which the reply to the message is received. Generally it corresponds to the sender's address; however, the Reply-To address can be changed using manual settings.
X-Originating-IP: The X-Originating-IP header field in Gmail is a customized field that indicates the IP address of the sender. The field is usually missing if the message is sent from Gmail or Hotmail; however, if the email originates from other client applications, the IP address is included in the header field.
Message-ID: Each email message is assigned a unique Message-ID that distinguishes it from other emails. No two emails can have the same Message-ID, as it acts as the primary unique value for each message.
Date: The Date field in the header indicates the date and time at which the message was received at the destination.
Subject: The Subject field displays the main subject or purpose of the communication.
From: It indicates the email address of the sender.
To: This field represents the receiver's email address.
CC: It contains the list of all receivers who are intended to receive the message as a carbon copy.
Since email header analysis plays a crucial role in every email forensics investigation, we have covered in detail how to view and analyze a Gmail message header. Email search software also lets a forensic user find out any information from the emails. With this background, one can understand the significance of each parameter and detect manipulated emails.