Get to Know About Zoho Mail Header In Detail With Its Analysis

Zoho mail is an enterprise email service, which fulfill the requirements of various type of organizations. It is a web-based mail application that comprises of a web word processor, a mail program, a calendar, list of contacts, and other business based applications. There are two editions of Zoho suite, one is free and another is paid. Depending upon needs of an enterprise user, one can go for any one of the two edition available in market.

Consider the following example to understand the need of performing Zoho Mail Header Analysis:

Suppose a forensic investigator wants to collect evidences from emails of a suspect person who is accessing Zoho account. Therefore, here a need occurs in which it is mandatory to have complete knowledge about Zoho mail email header.

In this blog of email header analysis, we are going to discuss about analysis of Zoho mail header.

Guidelines to Open Zoho Mail Header

1. Login into your Zoho account by entering id and password on official site of Zoho.

2. Click on the email which you want to analysis and then again click on the icon of Show Original from that mail.

3. Now a new browser window will get automatically open. This window comprises of the complete header portion of a Zoho Mail.

Description Each And Every Attribute of Zoho Mail Header

An email comprises of variety of technical aspects or attributes within it. These technicalities are proved to be very useful when someone is investigating an email. Therefore, following is the description of each Zoho mail email header attribute, which might contribute a lot while performing analysis of zoho mail header:

Note: Here, we will discuss name of each attribute and their respective values in each mail.

Delivered-To: This header name displays complete email id of the receiver.

Value: xyz123@zoho.com

Recieved-SPF: SPF stands for Sender Policy Framework, which is used prevent forgery of sender address. Received-SPF is a query that gives any one of the two value i.e., true and false. Whenever the value is 'fail', then it means that MTA should get discarded from the established connection. On the other hand, if the value is 'pass' then, MTA should add a header as reference to a message of the form 'Received-SPF: neutral/pass'

Value: pass (zoho.com: domain of info.adobesystems.com designates 192.243.232.145 as permitted sender) client-ip=192.243.232.145; envelope-from=camp@info.adobesystems.com; helo=r145.info.adobesystems.com;

Authentication-Results: This header name illustrates the authentication report to the receiver, after complete delivery of message. The importance of this value is at the time when server is checking and verifying value for Received-SPF

Value: mx.zoho.com; spf=pass (zoho.com: domain of info.adobesystems.com designates 192.243.232.145 as permitted sender) smtp.mailfrom=camp@info.adobesystems.com;

Return-Path: It demonstrates the email address where the notices for the emails need to be sent. However, the value of this attribute is same as that of sender's address

Value: camp@info.adobesystems.com

DKIM-Signature: The full form of DKIM is DomainKeys Identified Mxail, which enable senders to link a domain name with each email message. It will help in guaranteeing the domain authenticity. Well, DKIM-Signature is done by signing the email with a digital signature, which is a field that is added in header part of each message.

Value:v=1; a=rsa-sha256; c=relaxed/relaxed; s=neolane; d=info.adobesystems.com; h=domainkey-signature:from:date:subject:to:reply-to:mime-version:x-mailer:message-id:list-unsubscribe:x-csa-complaints:list-id:precedence:content-type:content-transfer-encoding;

bh=BirlU2cmv2v2K9I0LbMpYq567GPm6bHY6aUl1l1EAVU=;

b=s+CitPBS7oFuKuv2dOfGq11J1bXZ0RAzMGeujkX3Os32Ea2EK9tj0eE/ cp3vV2+fqpnzE2sjFyNfYSM6gd7eopn6wJ+oBEceA2+GY+AAkSkM0rkOnyHM4s39ypFoeocRwMBK8w/6m8aJwFdmb7I2qUV7KQ6K8cDh+p/nrOoxIL8=

DomainKey-Signature: It is a deprecated type of email authentication system for verifying the domain of an email sender as well as for maintaining data integrity.

Value: a=rsa-sha1; c=nofws; q=dns; s=neolane; d=info.adobesystems.com; h=From:Date:Subject:To:Reply-To:MIME-Version:X-mailer:Message-ID:List-Unsubscribe:X-CSA-Complaints:List-Id:Precedence:Content-Type:Content-Transfer-Encoding; b=LlnTzXxJv6lf89AG4FB1+AkAsHgZlEwvvWleOCCcMvU5ohlJQ/KuZs9n/orPQ+gd2GVvo4WKc0VpiS8L/ D3CR246dJHptLNzNI8y3XA4lLmvju6kj1Xcr7F0GAd1m+J+RTL2yOFFw7NPyFqAvFH37JYepDBkGJjn6VFpt1YT14M=

From: The field denotes the name of the sender, who had send the mail in your Zoho account and also displays the email id of the same entity.

Value: "Adobe Systems" mail@info.adobesystems.com

Date: This attribute of Zoho mail header will display date and time of the received email in standard format

Value: Mon, 07 Nov 2016 22:01:52 -0800

Subject: This will displays a line, which acts as means for a reason to open an email message. In Zoho mail email header, you will find value in combination of numeric and alphabetic. These can be understood by a person who is having very well knowledge about binary and hex-decimal values

Value: =?utf-8?B?T3VyIGxhdGVzdCBwaG90b2dyYXBoeSBhcHBzIOKAkyAyNCBobw==?=

To: The 'To' header field displays the mail id of receiver in its content-transfer-encoding

Value: = xyz123@zoho.com

Reply-To: The value of this field will be same as 'From' attribute, used to determine the mail id where you can give reply to sender. The significance of this attribute occurs when you click on Reply button of a mail

Value: "Adobe Systems" = mail@info.adobesystems.com

MIME-Version: This field defines the value of MIME version used in email id

Value: 1.0

X-mailer: It is a line in header of a message, which displays the software used to send a mail from sender's end.

Value: nlserver, Build 6.1.1.8692

Message-ID: This is the unique id of each mail used to identify emails, individually. It acts as a roll number for each message, which might be useful for internet service provider.

Value: NM63ACE113506A05FA8camp@info.adobesystems.com

List-Unsubscribe: It is an optional field of text, which email publishers or marketers uses in the header part of a message, while sending a mail.

Value: List-Unsubscribe: mailto: camp@info.adobesystems.com?subject=unsubscribe%3CNM63ACE113506A05FA8camp@info.adobesystems.com%3E

X-CSA-Complaints: The Certified Senders Alliance operates a list in email, which includes full headers to a whitelist-complaints

List-Id: The id of whitelist-complaints is displayed in this field

Value: 576534754.neolane.client.com

Conclusion

Apart from the discussed attributes, other header fields are required just for the service providers, not important for investigation. With help of the Forensic Email Search Tool, one can now easily perform deep searching on Zoho mail header either to collect some evidences or for any any other tasks.