
How to View and Analyze Gmail Message Header


Email remains one of the most widely used channels for exchanging information, and Gmail is among the most popular services for it. Beyond the visible message, every email carries a header block that records where the message came from, which servers relayed it and which authentication checks it passed. Because those fields are the primary evidence in an email forensics investigation, an email header analyzer is the tool of choice for extracting them. The following sections describe how to view and analyze a Gmail message header in detail.

How to Extract the Email Header from Gmail


Every email message carries header information that Gmail does not display in the normal reading view. Viewing it takes only a few clicks:

  • Open the email message in Gmail.
  • Click the three-dot (More) menu located next to the Reply button.
  • Choose Show original. The raw message opens in a new tab, with a summary of the SPF, DKIM and DMARC results at the top and the full header below it; the Download Original button on that page saves the message as an .eml file for offline analysis.


Understand Parameters of Gmail Header


Gmail headers record who sent a message, which systems relayed it and what authentication checks each relay performed, so a careful reading of the header reveals a great deal about a message's true origin. One rule applies throughout: the lines added by your own provider (Gmail) are trustworthy; everything below them was supplied by the sending side and can be forged. A Gmail header contains the following fields:


Delivered-To: Added by Gmail at final delivery, this field holds the mailbox address the message was actually delivered to. It therefore normally matches the account whose header is being analyzed.

Significance: If Delivered-To does not match your own address, the message reached you indirectly, for example through a forwarding rule, a group or alias address, or a Bcc. That is often legitimate, but when a message claims to have been sent to you directly it is the first thing to note, and it warrants a closer look at the rest of the header.

Received (by ...): Every mail server that handles the message prepends its own Received line, so the topmost Received line describes the last hop (the Gmail server closest to your mailbox) and the bottommost describes the first. Each line records:

  • the host name and IP address the message was received from, and the server that received it (the "from" and "by" clauses)
  • the protocol used (SMTP, ESMTP, ESMTPS when the connection was protected by TLS, ESMTPA when the sender authenticated) and the receiving server's own SMTP or queue id
  • the date and time at which that server received the message

X-Received: Header names beginning with "X-" are non-standard. Gmail adds X-Received lines when a message moves between Google's own servers; they carry the same kind of information as a Received line:

  • the internal server that received the message
  • the SMTP id assigned by that server
  • the date and time at which it was received

Return-Path: Added by the delivering server, this field records the envelope sender (the SMTP MAIL FROM address). Bounce notifications for a failed delivery, such as a non-existent recipient address, go to this address rather than to the From address, and it is the address against which the SPF check is evaluated. When a message is sent through a bulk mailer or a spoofing tool, the Return-Path domain often differs from the From domain.

Received (from ...): The lowest Received line describes the first hop, the point at which the sending client handed the message to the first mail server. It is the closest the header gets to the true origin, but it is also the easiest line to forge, since anything below your own provider's Received lines was written by the sending side. It typically shows:

  • the host name and IP address of the submitting client
  • the recipient address, in the "for" clause
  • the protocol and, for TLS connections, the TLS version and cipher suite
  • the date and time at which that server accepted the message

Received-SPF: Gmail adds a Received-SPF field recording the outcome of the Sender Policy Framework check: whether the IP address that delivered the message is authorized by the SPF record published in DNS for the Return-Path domain. The result is recorded for every message; whether a failing message is rejected, quarantined or merely labelled depends on the receiving policy and, together with DKIM, on the sender domain's DMARC policy.

Significance: SPF checks the domain of the Return-Path (envelope sender), not the domain shown in the From header, which is why a message can pass SPF and still spoof the visible sender. The result appears as the first word of the field, followed by an explanatory comment and the client IP. The result codes are:

CODE        INTERPRETATION
Pass        The sending IP is authorized by the domain's SPF record
Fail        The domain explicitly states that the IP is not authorized ("-all")
Softfail    The domain says the IP is probably not authorized ("~all"); treat the source as suspicious
Neutral     The domain makes no assertion about the IP ("?all")
None        No SPF record exists for the domain, or no domain could be determined
TempError   A transient error, usually in DNS, prevented the check; older implementations print this as "error"
PermError   The SPF record is malformed and could not be evaluated; older implementations print this as "unknown"

Authentication-Results: The receiving server performs several authentication checks (SPF, DKIM and DMARC) before accepting the message and records their outcomes in this field. Since several methods are reported in one field, the individual results are separated by semicolons.

Significance: The field is read as follows:

  • the first token is the identifier of the server that performed the checks (for Gmail, mx.google.com)
  • each following group, separated by semicolons, names a method and its result (such as dkim=pass, spf=pass, dmarc=pass) together with properties identifying what was checked: the signing domain and selector for DKIM (header.i, header.s), the envelope sender for SPF (smtp.mailfrom) and the From domain for DMARC (header.from)
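As an added example (not code from the original page or from Google), the following Python script parses the fields described above out of a constructed "Show original" dump: it orders the Received lines oldest-first, pulls the from/by/with/id/for clauses, the bracketed IP address and the TLS comment out of each, reads Received-SPF and Authentication-Results into structured results, and reports the checks an analyst would otherwise make by hand (Delivered-To against the expected mailbox, Return-Path and Reply-To domains against the From domain, any non-pass verdict, and a break in the by/from continuity of the hop chain). All host names, addresses and ids in the sample are made up, and the clause regexes are heuristics tuned to Gmail- and Postfix-style Received lines.

```python
"""Walk the Received chain and the authentication verdicts in a Gmail
"Show original" dump.  Added example for this article, not the page's or
Google's code.  The message below is constructed, not a real capture."""
import email
import email.utils
import re

# Constructed sample: a message claiming to be from example.org, relayed by
# mailer.example.net.  Top Received line = last hop (Gmail's own server),
# bottom Received line = first hop (the sending client).
RAW_MESSAGE = """\
Delivered-To: alice@example.com
Received: by 2002:a05:6a10:1234:0:0:0:0 with SMTP id abc123;
        Mon, 3 Jun 2024 09:15:02 -0700 (PDT)
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net. [203.0.113.10])
        by mx.google.com with ESMTPS id ghi789
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 03 Jun 2024 09:15:01 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning bounce@mailer.example.net
        does not designate 203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Authentication-Results: mx.google.com;
       dkim=none;
       spf=softfail (google.com: domain of transitioning bounce@mailer.example.net
       does not designate 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@mailer.example.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.org
Received: from [192.0.2.25] (unknown [192.0.2.25])
        by mx.example.net (Postfix) with ESMTPA id 4VzQ1k2Lm3z
        for <alice@example.com>; Mon, 3 Jun 2024 16:15:00 +0000 (UTC)
From: "Bob Example" <bob@example.org>
Reply-To: payments@mailer.example.net
To: alice@example.com
Subject: Invoice 4471
Date: Mon, 03 Jun 2024 16:14:55 +0000
Message-ID: <20240603161455.A1B2C3@mailer.example.net>

Please see the attached invoice.
"""

_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
_TLS_RE = re.compile(r"\(((?:version=|using )[^)]*)\)")


def parse_received(value):
    """Extract the from/by/with/id/for clauses, the bracketed IP and the TLS
    comment from one Received line (heuristic, Gmail/Postfix style)."""
    head, sep, date = " ".join(value.split()).rpartition(";")
    if not sep:                      # no ";" means no date part
        head, date = date, ""

    def clause(keyword, pattern=r"(\S+)"):
        m = re.search(r"(?:^|\s)" + keyword + r"\s+" + pattern, head)
        return m.group(1) if m else None

    ip, tls = _IP_RE.search(head), _TLS_RE.search(head)
    return {"from": clause("from"), "by": clause("by"), "with": clause("with"),
            "id": clause("id"), "for": clause("for", r"<?([^>\s]+)>?"),
            "ip": ip.group(1) if ip else None, "tls": tls.group(1) if tls else None,
            "date": date.strip()}


def chain_gaps(hops):
    """Indices i where hop i+1 does not claim to come from the host that hop i
    says received it.  Heuristic: names are self-reported, and only the lines
    added by your own provider can be trusted at all."""
    norm = lambda h: (h or "").lower().rstrip(".")
    return [i for i in range(len(hops) - 1)
            if hops[i]["by"] and hops[i + 1]["from"]
            and norm(hops[i]["by"]) != norm(hops[i + 1]["from"])]


def parse_authentication_results(value):
    """'authserv-id; method=result prop=val ...; ...' -> (authserv-id, dict)."""
    parts = [p.strip() for p in " ".join(value.split()).split(";") if p.strip()]
    if not parts:
        return "", {}
    results = {}
    for part in parts[1:]:
        tokens = re.sub(r"\([^)]*\)", "", part).split()      # drop (comments)
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:] if "=" in tok)
        results[method] = {"result": result, **props}
    return parts[0].split()[0], results


def parse_received_spf(value):
    """First word is the SPF result; key=value pairs outside the comment follow."""
    v = " ".join(value.split())
    props = dict(re.findall(r"([\w.-]+)=([^\s;]+)", re.sub(r"\([^)]*\)", "", v)))
    return (v.split()[0].rstrip(";").lower() if v else "none"), props


def _domain(header_value):
    return email.utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw, expected_mailbox):
    """Return parsed hops and verdicts plus the findings an analyst should chase."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]  # oldest first
    authserv, auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    findings, from_dom = {}, _domain(msg.get("From"))
    delivered = email.utils.parseaddr(msg.get("Delivered-To", ""))[1].lower()
    if delivered != expected_mailbox.lower():
        findings["delivered_to"] = f"delivered to {delivered!r}, not {expected_mailbox!r} (forwarding, alias or list?)"
    for name, field in (("return_path", "Return-Path"), ("reply_to", "Reply-To")):
        dom = _domain(msg.get(field))
        if dom and dom != from_dom:
            findings[name] = f"{field} domain {dom} differs from From domain {from_dom}"
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, {}).get("result", "none")
        if verdict != "pass":
            findings[method] = f"{method}={verdict} according to {authserv or 'no Authentication-Results'}"
    if chain_gaps(hops):
        findings["received_chain"] = f"by/from mismatch after hop(s) {chain_gaps(hops)}"
    return {"hops": hops, "spf": parse_received_spf(msg.get("Received-SPF", "")),
            "authserv_id": authserv, "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE, "alice@example.com")
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']} with={hop['with']} tls={hop['tls']}")
    for key, text in report["findings"].items():
        print(f"FINDING {key}: {text}")
```

Run against the sample, the script reports five findings: Return-Path and Reply-To both point at mailer.example.net while From claims example.org, and the SPF, DKIM and DMARC verdicts are softfail, none and fail. The hop chain itself is continuous, which is exactly what a relay used as a spoofing platform looks like: the forgery is in the sender identity, not in the transport.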

DKIM-Signature: This field carries the DomainKeys Identified Mail signature. The sending domain's mail server signs selected headers and a hash of the body with a private key; the matching public key is published in DNS as a TXT record at <selector>._domainkey.<domain>, so any receiver can verify that the signed parts were not altered in transit and that the signing domain really handled the message.

Significance: The signature itself (the b= tag) is a base64 blob and not readable, but the other tags in the field are informative:

  • v= version of the DKIM specification (always 1)
  • a= the signing and hashing algorithms, for example rsa-sha256
  • c= the header and body canonicalization algorithms, for example relaxed/relaxed
  • d= the signing domain
  • s= the selector, which names the DNS record holding the public key
  • h= the list of signed header fields (From must always be among them)
  • bh= the base64 hash of the canonicalized body
  • t= the signature timestamp, in seconds since the Unix epoch
  • x= the signature expiry time, after which verifiers should treat the signature as invalid
  • b= the signature value itself

X-Google-DKIM-Signature: In addition to the sender's DKIM signature, Google adds its own X-Google-DKIM-Signature field. It uses the same tag syntax, but it is signed with Google's own domain (d=1e100.net) rather than the sender's and is intended for Google's internal use; because the header name begins with X-, standard DKIM verifiers ignore it.

Significance: The tags have the same meaning as in DKIM-Signature:

  • v= signature version
  • a= the signature algorithm used by Google
  • c= canonicalization algorithms used
  • d= signing domain
  • h= list of signed header fields
  • bh= body hash
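As an added example (not code from the original page or from Google), this Python script parses the tags listed above out of a DKIM-Signature field, derives the DNS name where the signer's public key is published (<s>._domainkey.<d>), checks the x= expiry, and recomputes the bh= body hash using the simple and relaxed body canonicalizations of RFC 6376. The message is constructed, and its bh= value is generated inside the script; verifying the b= signature is not shown, since that needs the public key fetched from DNS.

```python
"""Parse the tags of a DKIM-Signature field and recompute its bh= body hash.
Added example for this article, not the page's or Google's code.  Verifying
the b= signature needs the signer's public key from DNS and is out of scope;
the sample message is constructed."""
import base64
import email
import hashlib
import re


def parse_dkim_tags(value):
    """'tag=value; tag=value' -> dict.  Whitespace inside values is header
    folding and is dropped, as RFC 6376 specifies for b= and bh=."""
    tags = {}
    for item in " ".join(value.split()).split(";"):
        key, _, val = item.strip().partition("=")   # partition: b= values contain '='
        if key:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, method="simple"):
    """RFC 6376 body canonicalization: 'simple' only strips trailing empty
    lines; 'relaxed' also collapses runs of spaces/tabs and strips trailing
    whitespace on every line.  Output uses CRLF line endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:   # empty body: simple hashes a single CRLF, relaxed hashes nothing
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, hash_name="sha256", method="simple"):
    digest = hashlib.new(hash_name, canonicalize_body(body, method).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def key_record_name(tags):
    """DNS name of the TXT record holding the public key (dig TXT <name>)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def is_expired(tags, now):
    """True when the signature carries an x= tag that lies in the past."""
    return "x" in tags and now > int(tags["x"])


def verify_body_hash(raw_message):
    """Recompute bh= from the message body and compare it with the signed value."""
    head, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    tags = parse_dkim_tags(email.message_from_string(head).get("DKIM-Signature", ""))
    if "bh" not in tags:
        return {"ok": False, "reason": "no DKIM-Signature or no bh= tag", "tags": tags}
    hash_name = tags.get("a", "rsa-sha256").split("-")[-1]   # rsa-sha256 -> sha256
    canon = tags.get("c", "simple/simple").split("/")        # header/body; body defaults to simple
    body_method = canon[1] if len(canon) > 1 else "simple"
    actual = body_hash(body, hash_name, body_method)
    return {"ok": actual == tags["bh"], "expected": tags["bh"], "actual": actual, "tags": tags}


# Constructed sample.  bh= is computed here only because the message is made up;
# in a real message the signer computed it, so any later change to the body
# breaks the match.  b= is a placeholder, not a real signature.
SAMPLE_BODY = "Hello Alice,\t \nAmount due: 4,471.00 EUR   \n\n\n"
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\n"
    "        t=1717431295; x=1718036095; h=from:to:subject:date:message-id;\n"
    "        bh=" + body_hash(SAMPLE_BODY, "sha256", "relaxed") + ";\n"
    "        b=cGxhY2Vob2xkZXI=\n"
    "From: Bob <bob@example.org>\n"
    "To: alice@example.com\n"
    "Subject: Invoice 4471\n"
    "Date: Mon, 03 Jun 2024 16:14:55 +0000\n"
    "Message-ID: <20240603161455.A1B2C3@example.org>\n"
    "\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    result = verify_body_hash(SAMPLE_MESSAGE)
    print("body hash ok:", result["ok"], "| key record:", key_record_name(result["tags"]))
    print("tampered body ok:", verify_body_hash(SAMPLE_MESSAGE.replace("4,471", "44,710"))["ok"])
```

A bh= mismatch proves the body was altered after signing (or that the wrong canonicalization was applied); a match says nothing on its own until b= is verified against the published key. An attacker who strips the DKIM-Signature header entirely leaves nothing to check, which is why the dkim= verdict in Authentication-Results, and the DMARC policy that demands a signature, matter more than the mere presence of the header.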


MIME-Version: The MIME-Version field (Multipurpose Internet Mail Extensions), always 1.0, indicates that the message is MIME formatted. MIME is what allows a message to carry more than plain ASCII text: non-ASCII character sets, HTML parts, attachments such as documents, audio or video, and multipart structures that combine them.

Reply-To: This optional field lists the address to which replies should be sent. When it is absent, replies go to the From address, which is the normal case. The sender can set it freely in the mail client, and a Reply-To in a different domain than the From address is a classic pattern in phishing and invoice fraud: the visible sender looks legitimate while the conversation is redirected to the attacker.

X-Originating-IP: This non-standard field, where present, carries the IP address of the client that submitted the message. It is usually missing for messages sent through the Gmail or Hotmail web interfaces, which do not add it. For messages submitted through other providers or client applications, the originating address may appear here or in the "from" clause of the lowest Received line.

Message-ID: Each message is assigned a globally unique identifier of the form <unique-string@domain> by the client or server that first handles it. Because it is meant to be unique, it is the key for correlating a message across mailboxes, server logs and replies (which quote it in their In-Reply-To and References fields). It is set by the sending side, however, so it can be forged; a Message-ID whose domain does not match the system that sent the message is worth noting.

Date: The Date field records the date and time at which the sender composed or submitted the message, as set by the sending client; it is not the time of receipt. Receipt times are recorded in the Received lines, and a large gap between Date and the first Received timestamp, or a Date in the future, points to a wrong clock or a forged header.

Subject: The subject line states the topic or purpose of the message.

From: The display name and email address of the sender, as written by the sender. Without a passing DKIM or DMARC check it can be set to anything.

To: The recipient's email address.

CC: The list of all recipients who receive the message as a carbon copy.

Conclusion


Since email header analysis plays a crucial role in every email forensics investigation, this page has covered in detail how to view and analyze a Gmail message header. Email Search Software is also offered, with which forensic investigators can locate any piece of information in a set of emails. With the significance of each field understood, manipulated emails can be detected with confidence.