The “ID Card” of Every Email

Every email carries an invisible technical record — the headers.
They contain detailed information about who sent the message, when, from which server, and how it reached its destination.

Headers are essential to verify the authenticity and path of a message and can help detect spoofing or phishing attempts. In cybersecurity and forensic analysis, reading headers is the first step to understanding what really happened.

What Headers Are and How to View Them

Headers are a block of text that precedes the message body. They include SMTP and MIME metadata describing the email’s journey through the network.

To view them:

  • Gmail: click the three dots → “Show original”
  • Outlook: File → Properties → “Internet headers”
  • Apple Mail: View → “All Headers”

Example of a shortened header:

Received: from mail.example.com (192.168.1.5)
    by smtp.gmail.com with ESMTPS id x7si234234qke.23.2025.10.31
    for <user@gmail.com>;
    Fri, 31 Oct 2025 11:12:45 +0100 (CET)
Message-ID: <A12345@example.com>
From: John Doe <john@example.com>
To: Maria Perez <maria@company.com>
Subject: Order confirmation
Date: Fri, 31 Oct 2025 11:12:43 +0100

The Most Important Fields (and What They Reveal)

From, To, Date, Subject

These are the most visible — and the easiest to forge. They should never be taken as conclusive proof of origin.

Received

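Each “Received” line records a hop between mail servers. Every server adds its line at the top of the block, so the chain reads from newest to oldest, top to bottom.
The last one in the chain (the oldest) usually indicates the real origin of the message, but any lines already present when the message reached the first server you trust were supplied by the sender and can be forged.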

Message-ID

A unique identifier assigned by the originating server. It can reveal the system or software that generated the email.

Return-Path / Reply-To

These fields define where bounces (Return-Path) and replies (Reply-To) are sent.
If these domains don’t match the “From” address, it may indicate a phishing attempt.

SPF / DKIM / DMARC

Show the results of email authentication checks.

Authentication-Results: spf=pass; dkim=pass; dmarc=pass

If any of these fail, the message may have come from an unauthorized server or been altered in transit.
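
The checks from this section applied to a raw header block, as an added example that is not part of the original article: it lists the Received hops oldest first, compares the Return-Path and Reply-To domains with the From domain, and extracts the SPF/DKIM/DMARC verdicts. The sample headers, the function names and the mx.company.com receiver are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from a real message); example.net is a
# deliberately mismatched bounce domain and mx.company.com an assumed receiver.
SAMPLE = """\
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=example.net;
    dkim=none; dmarc=fail header.from=example.com
Received: from relay.example.net (relay.example.net [203.0.113.7])
    by mx.company.com with ESMTPS; Fri, 31 Oct 2025 11:12:45 +0100
Received: from workstation (unknown [198.51.100.23])
    by relay.example.net with ESMTP; Fri, 31 Oct 2025 11:12:44 +0100
Return-Path: <bounce@example.net>
Reply-To: billing@example.org
Message-ID: <A12345@example.com>
From: John Doe <john@example.com>
To: Maria Perez <maria@company.com>
Subject: Order confirmation
Date: Fri, 31 Oct 2025 11:12:43 +0100

body
"""

def domain(value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    # Servers prepend Received lines, so reverse to read the oldest hop first.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    from_dom = domain(msg["From"])
    mismatches = {name: domain(msg[name]) for name in ("Return-Path", "Reply-To")
                  if msg[name] and domain(msg[name]) != from_dom}
    # Topmost Authentication-Results header wins (the most recently added one).
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar, re.I):
            auth.setdefault(method.lower(), result.lower())
    failed = sorted(m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass")
    return {"hops": hops, "from_domain": from_dom,
            "mismatches": mismatches, "auth": auth, "not_passing": failed}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

An Authentication-Results header is only meaningful when it was added by your own receiving server; one that arrived with the message can be sender-supplied, just like the lower Received lines.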

What Headers Can (and Cannot) Prove

Headers show the technical journey of an email, but they do not provide legal guarantees on their own:

  • They don’t prove that the content hasn’t been modified.
  • They don’t confirm that the recipient actually received or read the message.
  • They can be altered easily if not cryptographically protected.

In short, headers are a valuable technical tool — but not certified evidence by themselves.

Headers vs. Registered Email

A registered email uses the same technical data found in headers — routes, identifiers, SMTP logs — and incorporates it into a digitally signed evidence file to ensure authenticity and traceability.

Each registered email generates an evidence document (the eEvid) containing:

  • The original headers and full message body.
  • Cryptographic hashes of all content.
  • A digital signature to guarantee data integrity.

While headers tell the technical story of an email, a registered email turns that story into admissible, verifiable evidence — suitable for courts and compliance audits.


Conclusion

Headers are the DNA of every email: they reveal its route, origin, and authentication results.
However, their evidentiary value is limited unless they are preserved and certified.

The registered email service by eEvidence transforms that technical information into legally verifiable proof, ensuring authenticity, integrity, and traceability.
It turns the technical history of an email into a solid, court-ready piece of digital evidence.

