Interesting Email Metadata

on · · 3 comments · 600 words · read ~804 times.

For many years, my email footer said "Sent via my Casio cPhone" - my attempt to poke fun at the users who hadn't updated their iPhone's default email signature.

This leads to an interesting question:

Because 2016 is maximum news, I'm sure there are some interesting stories based on email releases which have been missed. Metadata tells stories.

So, what metadata can we pick up from an email?

In GMail, it's quite easy to see all the raw data sent with an email as it travels through the Internet.

show original in gmail

Let's take a look at some of the more interesting fields.

Here's an email that I've sent from my mobile - I've redacted some bits for my privacy.

Received: from [] ( [82.6.ZZZ.ZZZ])
 by with ESMTPSA id l6sm9069017wmg.11.2016.
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sat, 08 Oct 2016 09:37:58 -0700 (PDT)

Well, first off we can see the sender's internal IP address. That gives us a little insight into their network topology. Of more interest is the sender's external IP address.

This can leak all sorts of interesting information. Location, service provider, connection speed - even ISP contract details in some cases.

Let's suppose someone sends an email which says "Sorry, at home with the flu today." You check the IP address and find that they're connected to the WiFi at Disney World. Isn't that interesting...

A little further down the headers, we find (again, redacted)

Message-ID: <>

Oh ho! What do we have here? The Message-ID is a unique string. Most email clients will choose a unique suffix.

This means, if you received this message from me, you could tell which email program I used and (possibly) which device.

So if I send you an email saying "sorry, my phone is broken" - you'll be able to tell if that's a lie.

There's another leak of client information at the multipart boundary

Content-Type: multipart/alternative; boundary="--_com.syntomo.email_596674815977850"

Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64


Much more

This brief blog post only scratches the surface of what can be found - and what you could do with the information.

Other "interesting" metadata includes:

  • User's Timezone - not as accurate as an IP address, but if their phone says they're at GMT+2 but they claim to be at GMT-7, is that interesting?
  • Reply threading - was this email originally a reply?
  • What language their equipment is set to. Some email headers contain Accept-Language: and Content-Language: information. Why is your "Urgent email from the FBI" sent from computer that's set to Chinese?
  • Software versions - do the sender's servers have known vulnerabilities?
  • Operating System - is the sender's equipment up to date?

I'm sure there are several other pieces of information which could prove interesting.


This is not a cast iron investigative tool. It is possible for programs to mangle the metadata - either deliberately or not. Some people will take care to mask their email footprint, others will not.

Metadata is everywhere. While your emails are unlikely to get leaked to the press (I hope!) you should consider just how easy it is for a little white lie to be uncovered.

Sent from my iPhone.

Share this post on…

3 thoughts on “Interesting Email Metadata”

  1. mike says:

    Just after I clicked post on my previous comment it occurred to me in posting a comment I've probably just told you where I am right now. Still, you seem like a nice guy. I'm sure you won't use the information gleaned from people commenting on your blog for evil. 😉 Or inadvertently expose it all by leaving a copy on a train (probably one running late), or by being hacked…

  2. Alan Griggs says:

    For a while I had a signature on my emails like this:

    "This email was composed on my desktop PC, so please excoriate me for any typos."

    That was a sarcastic response to the sigs that say "This email was composed on my mobile, so please excuse any typos."

    Not many people got the sarcasm, so I took it off.


What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.