As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, e-discovery, and cybersecurity service provider.
The Vestige team that you know and trust will continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow us to serve you and your clients even better.

How can I track an email I received?

Senior Forensic Analyst
AS, BS, DFCA, GIME

To track an email you have received, first understand that what you see when you open a message in a common email client (Outlook, Gmail, Yahoo, etc.) is typically only the body of the email and any attachments. There is another, normally hidden, part of the email called the header. The header contains metadata about the email, including sender and recipient information, authentication results, a unique identifier for the email called the Message-ID, and more. The header can be viewed in these email clients; it is just hidden by default. Below are instructions for locating the header, and with it the Message-ID, in a few popular email clients.

Outlook:

  • Open the email of interest
  • Click on File and then select Properties
  • The header is displayed in the “Internet Headers” box

Gmail:

  • Open the email of interest
  • Click the three vertical dots in the top right corner
  • Select “Show Original”

Yahoo:

  • Open the email of interest
  • Click on More and select View Raw Message

Once you have access to the header, the important fields for tracking an email are “Received” and “Message-ID”. The “Received” fields (there can be several) lay out the path the email took before it was delivered, including the mail servers it passed through, timestamps, and IP addresses. The “Message-ID” field is a unique identifier for the message, generated by the mail server when the email is sent.

The Message-ID can be used to trace all emails in a conversation thread. The header also carries two related fields, “In-Reply-To” and “References”. The “In-Reply-To” field contains the Message-ID of the email that this email directly responds to. The “References” field contains the Message-IDs of all the earlier emails in the thread. This is how email clients group threads together, but a user can also check the headers and track the thread manually.

The example below shows the Message-ID, References and In-Reply-To fields in an email header:

This shows that the email is a direct reply to the email with Message-ID “DM4PR20MB5630F6CA5AF1736587008D66D5FA2@DM4PR20MB5630.namprd20.prod.outlook.com” and that there are three prior emails in this thread, not including the email whose header is being viewed.

Below is an example of the Received fields of an email header:

This shows the mail servers the email passed through on its way to being delivered. “outlook.com” in a server name indicates that it passed through a Microsoft server. You can also look up the IPv6 address in the header, “2603:10b6:208:3e5::10”; a lookup of this IP will show that it belongs to Microsoft. Typically, a review of these servers will also tell you the service providers of the sender and of the recipient. In the example above the email was sent from one Microsoft account to another Microsoft account, so both are Microsoft servers.

In the example below an email was sent from a Gmail account to a Microsoft account:

In these headers the oldest information is at the bottom and the newest at the top. The first server this email passed through was mail-ill-f181.google.com, which is consistent with the email being sent from a Gmail account. It was then received by Microsoft servers because the receiving account is a Microsoft account.

The Received fields will vary in length and in the number of servers passed through, depending on multiple factors. The fact that the Received chain of the email sent from the Gmail account to the Microsoft account is longer than that of the Microsoft-to-Microsoft email is not out of the ordinary.

The email header can contain the IP address of the computer used to send the email, but that is now rare. Most email providers, especially large, well-known providers such as Gmail, Microsoft, and Yahoo, do not include the IP address of the originating computer, for privacy and security reasons. This means that while you can trace the route of an email and its thread, you may not be able to trace it all the way back to the original sender.
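To make the header walk described above concrete, here is an added Python example (not code from the original post) that parses a constructed Gmail-to-Microsoft header, lists the Received hops oldest-first with the IP each relay recorded, and counts the prior thread messages from References. The hostnames and Message-IDs are placeholders; only the IPv6 address quoted earlier on this page is reused, and the last hop resolves to the Gmail relay rather than to the sender's own computer, as the paragraph above explains.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header block (not from the original page): a reply sent from a
# Gmail account to a Microsoft account. Hostnames and Message-IDs are placeholders.
RAW_HEADERS = """\
Received: from BN1PR.placeholder.prod.outlook.com (2603:10b6:208:3e5::10)
 by DM4PR.placeholder.prod.outlook.com with HTTPS; Mon, 3 Jun 2024 14:02:11 +0000
Received: from mail-il1-f181.google.com (209.85.166.181)
 by BN1PR.placeholder.prod.outlook.com with ESMTPS; Mon, 3 Jun 2024 14:02:09 +0000
Message-ID: <reply4@mail.gmail.com>
In-Reply-To: <msg3@DM4PR.placeholder.prod.outlook.com>
References: <msg1@DM4PR.placeholder.prod.outlook.com>
 <msg2@DM4PR.placeholder.prod.outlook.com> <msg3@DM4PR.placeholder.prod.outlook.com>
Subject: Re: example thread

"""

def parse_received(value):
    """Split one Received header into sending host, its IP, receiving host and timestamp."""
    text = " ".join(value.split())  # unfold the continuation lines
    sender = re.search(r"\bfrom\s+(\S+)", text)
    receiver = re.search(r"\bby\s+(\S+)", text)
    ip = None
    for token in re.findall(r"[\[(]([^\])\s]+)[\])]", text):
        try:  # only a bracketed token that is really an IP counts; hostnames are skipped
            ip = str(ipaddress.ip_address(token))
            break
        except ValueError:
            continue
    stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None
    return {"from": sender.group(1) if sender else None, "ip": ip,
            "by": receiver.group(1) if receiver else None, "time": stamp}

def delivery_path(msg):
    """Hops oldest-first: each server prepends its Received line, so the last one is the origin."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def thread_info(msg):
    """Identifiers that tie this message to its thread."""
    refs = msg.get("References", "").split()
    return {"message_id": msg.get("Message-ID", "").strip(),
            "in_reply_to": msg.get("In-Reply-To", "").strip(),
            "references": refs, "prior_messages": len(refs)}  # earlier messages, excluding this one

def analyze_sample():
    """Run both analyses over the constructed sample and return (hops, thread details)."""
    msg = message_from_string(RAW_HEADERS)
    return delivery_path(msg), thread_info(msg)
```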

If you want to learn more about email message ID tracking or need digital forensic experts to assist, CONTACT US today.