Product Navigation

Zimbra Email Header Analysis: Complete Study

Zimbra is an open source desktop-based email client that is the most wanted after email program by users worldwide. It is a database where to save or store the multiple files including contacts, emails, calendars etc, therefore, comes in data file category. It has a proprietary file format such as .zdb. It is widely used by home users as well as professionals. Moreover, it is compatible on cross-platforms like Apple's Mac and Linux operating system and Microsoft Windows. It works with multiple types of web based email programs to synchronize the data of emails, contacts, etc. with local data which is stored on the computer hard drive. It is compatible with in both POP and MAPI protocols that help to support email clients as Yahoo, MS Exchange, Gmail, etc.

As the number of Zimbra user's increases then, the number of cyber crimes also rises according to time. Thus, it becomes more necessary to investigate a specific crime including Zimbra Server. For a specific crime, to enable the forensic users to store the data files without any evidence needed. Trace Email Header by simple and easy analysis process.

Importance of Zimbra Email Header Analysis

The email header is necessary for each email client which comprises a lot of useful information for an investigator forensically. Hence, email header can be easily forged, make sure they should never be used like only the source of information. The email header information contains the basic send/ receives information about the email message. It holds entire information about the route of email and including other hidden contact information. Therefore, when an email is accepted in Zimbra mail one can easily view Zimbra Mail email header to extract the relevant information.

How to View Zimbra Email Headers

A users can easily view Zimbra Mail email header which is associated with the emails to get detailed information about the emails messages received at their end. Since the headers are hidden from actual email; one can view Zimbra email header in the following steps:

  • First, Login to Webmail and choose the mail.
  • Right-click on a message and choose Show Original option.
  • Next, this will open a new Window including source headers, select all and then, send a new message to particular email ID.

View Zimbra Message Header

The process instantly opens and views Zimbra Mail email header for the specific email. A user can read entire contents and extract the desired information.

Analysis of Zimbra Email Header

When the header information for an email is opened, Zimbra displays the information as:

Examine Zimbra Message Header

Now, let us consider various parameters contained in the email header and their significance in email message authenticity.

Delivered To: The email message header delivered to indicates the actual identity on which the message was sent to the sender's end.

As per forensic point of view, to analyze and making a comparison with a delivery message, one can easily get to know about the message comes from whom.

Received: The received field denotes the transparent information for the specific email. One can easily extract the unique IP address, host name, and other relevant information related to the delivery path of email.

Main purpose of this field it can be used to find complete track of information including the IP address of sender. It plays a major role for searching the criminals or crooks.

Return-path: The Zimbra return path header field indicates the email address where the notifications for the message should be sent back. In multiple cases, this happens same as that of sender's email address.

This field signifies when an email fails to deliver to the particular recipient, then the sender must be acknowledged about a failure of message. Thus, a sender can set his own address to get notified about message bounced back.

Authentication Result: This field wants to tell the authenticated receipts or output to the receiver at the time of the delivery message.

Received From: The received field deals to trace the information for the specific email from where the message has been sent. One can extract the unique IP address, host name, and other information from the delivery path of email

This field able to find out the entire track of information including the IP address of sender and helps to tell the message received from which ID.

DKIM Signature: In this field, the signature of an email is saved into DKIM signature header. In Zimbra an email, it is a technique to identify the accuracy of email message to detect email spoofing and spamming.

Investigate Zimbra Message Header

Date: This field holds the date and time when the email message is available for delivery.

As per forensic point of view, this header deals to specify a date during the message was composed and sent.

From: The Zimbra Mail email header from field represents the email identity of the sender, who has delivered the email.

Forensically, one can easily come to know the email address of the sender of the future result. However, many criminals attempt to manipulate the field by using email forging technique. Thus, this field is less reliable or efficient to depend on critical email analysis.

Message-ID: While sending the message, the email message ID is a unique key generated by the server. Every email has a different message identity proof so that it can be identified in a unique manner.

As the unique message id, several spammers attack to manipulate the id. So, the messages id rule can be used to detect any kind of changes done with message id.

Subject: A completely free-form field specified through the sender helps to tell the subject or topic of the message which is fully helpful for users.

MIME-Version: The MIME Version indicates the MIME type supported by Zimbra email client.

Zimbra messages always contain MIME 1.0 as MIME Version. So, if any other MIME is found, the message may get corrupted or manipulated.

Content Type: The Zimbra mail content type represents the way in which emails are displayed in the application. Various qualities of content type denote the structure of email messages.

Generally, the Zimbra email client helps to display the respective content. So, it relies on Content Type from email header to find out the way in which message should be displayed or viewed.

Content Transfer Encoding: While sending an email message over the Web, an encryption is enabled to maintain email authentication. Thus, content transfer encoding header field helps to specify the type of encryption performed on the content.


After considering the analysis of all mentioned components the following well-defined criteria and the vast use of Zimbra Desktop for email purpose help to investigate many cyber crimes. However, investigators must be aware of these misleading officials while investigating the several evidences and help to understand the significance of email header. Zimbra email header analysis tool offers Forensic Email Search option to find any evidence within the emails.