Product Navigation

Detailed Study On Thunderbird Header Analysis

Since Thunderbird is one of the leading email client application used to share emails and sensitive information. It attempts to deliver email messages with reliability and efficiency. The email messages not only contain the embedded content and attachment but also carry basic information in email header. The Email Header Analysis Tool plays a very significant role in tracking detailed information for specific emails. In the following section, a complete guide is discussed to make the concept of Thunderbird header analysis clear.

Importance of Thunderbird Email Header

Whenever a message is sent through any email client, the server automatically adds a special field known as email header along with it. The email message header information contains the basic sending and receiving information about the email message. It carries complete information about the routing of email as well as other contact information in the hidden form. Thus, when an email is received in Thunderbird one can easily read Thunderbird email header to extract routing information for the message.

Thunderbird email header analysis can play a major role in understanding the route of email message and identify the email spoofing and spamming. This can be traced by checking the sender and receiver information and detecting the manipulations made in the header. Thus, any kind of manipulation or discrepancy in email message header is a clear indication of discrepancy email. Therefore, many forensics investigation teams also consider email header forensics to be the foremost artifact for investigating cyber crimes.

View Thunderbird Email Header Information

Thunderbird users can easily read email message header associated with the emails to get detailed information about the emails received at their end. Since the headers are hidden from actual email, one can open Thunderbird email header information in the following steps:

  • Open the message in Thunderbird, whose header needs to be viewed.
  • Once the email is opened, click on View from the menu bar.
  • Under the View tab, choose Message Source to open header information.

View Thunderbird Message Header

The procedure instantly opens the email message header for the particular email. You can read entire contents and extract the related information.

Thunderbird Email Header Analysis

When the header information for an email is opened, Thunderbird displays the information as:

View Thunderbird Email Header

Now, let us understand various parameters contained in the email header and their significance in email message authenticity.

From: The email message header from field represents the email id of a sender, who has delivered the email.

Significance: One can easily come to know the email address of the sender for future reference. However, many criminals attempt to manipulate the field using email forging technique. Thus, this field is less reliable to depend on critical email analysis.

Date: Studying Thunderbird email header date field helps to know the date and time at which message was composed of the sender's end.

Significance: This field helps you to evaluate the time and date according to local time zone. Generally, a message is received within a fraction of seconds. However, if you have received a message which does not correspond to time field or have many gap, then there is suspect of other disturbances through the network.

X-UIDL: This is the unique code entered by POP3 server to retrieve a message from the server. This id is generally incorporated into header between receiver's mail server and receiver's mail software.

Significance: Since, this is added at the receiver's server end. So, if you find UIDL field at the server location then it must be considered as a junk mail, which may be added by spammers.

X-Mozilla status: Thunderbird X-Mozilla status indicates the status of an incoming message. Each email is associated with a hexadecimal value depending on its status. Most commonly used X-Mozilla status codes include:

0001 The email has been read
0002 The reply has been sent to an email
0004 The email has been flagged by user
00010 The message has RE: field

Significance: While going through the status codes, the current status of an email message can be relatively determined.

Return Path: The Thunderbird return path header field indicates the email address where the bounce notifications for the message should be sent. In most of the cases, this is same as that of sender's email address.

Significance: When an email fails to deliver to the specified recipient, then the sender must be acknowledged about message failure. Thus, the sender can set his own address or other address to get notified about message bounce back.

Envelope-to: The SMTP server itself adds a field, Envelope-to, which represents the email address of the intended receiver's envelope.

Significance: Being more reliable field, it plays a crucial role to determine the actual address of the receiver group.

Delivery Date: The email message delivery date indicates the actual date on which message was sent from the sender's end. The exact time is also associated at the end of this field.

Significance: By analyzing and making a comparison with the delivery date and actual date of email, one can easily get to know about the time difference between message delivery.

Received: The received field denotes the trace information for the specific email. One can extract the unique IP address, host name, and other information related to the delivery path of email.

Significance: This field can be used to find the complete track of information including the IP address of the sender. It plays a major role for searching and locating the criminals or suspects.

Message ID: The email message ID is the universally unique key generated by the server while sending the message. Every email has a different message id so that it can be identified in a unique manner.

Significance: As the message id is the unique key, several spammers attempt to manipulate the id. So, the messages id algorithms can be sued to detect any kind of changes done with message id.

User Agent: The user agent field associated with emails can be used to identify the medium or email application that has been used to send the email message.

Significance: One can be notified about the email application or server by which the email has been sent by the sender.

MIME Version: The MIME Version indicates the MIME type supported by Thunderbird.

Significance: Thunderbird messages always contain MIME 1.0 as MIME Version. So, if any other MIME is found, the message may be corrupted or manipulated.

Content Type: The Thunderbird email content type represents the way or style in which emails are displayed in the application. Various varieties of content type denote the structure of messages.

Significance: Generally, the Thunderbird email client ignores the meta tags for displaying content. So, it relies on Content Type from email header to find out the way in which message should be displayed.

Content Transfer Encoding: While sending an email message over the network, an encryption is enabled to maintain email authentication. So, content transfer encoding field specifies the type of encryption performed on the content. Generally, Thunderbird messages come with 8 bit encryption applied on them.

X-Antivirus: The email header also represents the anti-virus application that has been used to scan the email message throughout its delivery.

Significance: If the receiver does not have any anti-virus installed on a system and the sender has anti-virus installed, then X-antivirus field represents the scan application used at sender end as Inbound Message. However, if anti-virus application is installed at receiver's end, then the application details are displayed as Outbound Message. If anti-virus application is absent at both sender and receiver end, then X-Antivirus field is missing from the header.

X-Antivirus status: Once an email is scanned by the anti-virus, this field represents the scan status of the email ie., whether it is clean or corrupted.

Significance: If the email is found to be corrupted during the scan, then a user can pay attention to use it after repair.


Email analysis being a crucial parameter during investigate should be carefully studied. It can prove to be a major turning point providing evidence and also provides advanced Email Search option of Thunderbird emails. In the above section, we have covered Thunderbird Header analysis to make the users understand header significance.