When dealing with problematic emails, it is vitally important to get a proper view of the message headers. Mail clients (such as the Google Mail client on the web) typically hide this view and only show the familiar headers such as “From”, “Subject”, “To”, etc.
However, the Google Mail client does allow the raw headers to be shown, by opting for the “Show original” command.
Firstly, when you are reading the mail in question, look at the “Reply” button at the top of the message. That button has a drop-down arrow next to it; selecting the arrow opens a menu.
The “Show original” option in that menu shows a very plain looking page containing just the raw text of the email, which may look something like :-
Delivered-To: firstname.lastname@example.org
Received: by 10.64.133.101 with SMTP id pb5csp2715007ieb; Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
X-Received: by 10.66.253.170 with SMTP id ab10mr70840708pad.135.1442485399205; Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Return-Path: <email@example.com>
Received: from quicvt.com ([220.127.116.11]) by mx.google.com with ESMTP id yo3si4299121pbb.127.2015.09.17.03.23.09 for <firstname.lastname@example.org>; Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Received-SPF: neutral (google.com: 18.104.22.168 is neither permitted nor denied by best guess record for domain of email@example.com) client-ip=22.214.171.124;
Authentication-Results: mx.google.com; spf=neutral (google.com: 126.96.36.199 is neither permitted nor denied by best guess record for domain of firstname.lastname@example.org) email@example.com
Message-ID: <2ED9BF882B94D9ACDC5E3863B7CEB321@quicvt.com>
From: =?utf-8?B?5r2Y5YWI55Sf?= <firstname.lastname@example.org>
To: <email@example.com>
Subject: =?utf-8?B?77yI6YKA6K+35Ye977yJ6IGM5Zy65r2c6KeE5YiZLS3kuK3lnZrlipvph4825aCC6K++?=
Date: Thu, 17 Sep 2015 18:23:03 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0B32_01510E77.1F352EB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

This is a multi-part message in MIME format.
(The raw view carries on into the message body at this point.)
This “original view” allows us to look more closely at where an email actually came from: each Received header records one hop, with the most recent hop at the top, and the Authentication-Results header records what the receiving server was able to verify about the sender.
The Authentication Check
When looking at the “original view”, there is one header whose contents are a good indicator of whether the email was really sent by someone using the sender’s account. This header is :-
Authentication-Results: mx.google.com; spf=pass (google.com: domain of firstname.lastname@example.org designates 2607:f8b0:400d:c04::229 as permitted sender) email@example.com; dkim=pass firstname.lastname@example.org
The significant parts of that header are its name (“Authentication-Results”) and the two verdicts it carries, spf=pass and dkim=pass. When both are present for the sender’s domain there is a reasonable degree of confidence that the mail was in fact sent using Craig Robson’s account.
If that mail was spam, there is a good chance that the account has been compromised. Bear in mind that SPF and DKIM vouch for the sending domain’s mail servers rather than for one particular mailbox, so this is strong evidence rather than proof. Conversely, spf=neutral or spf=fail, or no dkim result at all (as in the earlier example), means that nothing in the headers vouches for the sender.
But It Says “From …”
The “From” header in an email is just a label, and anyone who controls the mail software they use can put anything they like in it. Only the Authentication-Results verdicts, not the From line, tell you whether the sending domain’s infrastructure was actually involved.
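As an added example (not code from the original page), the following Python script automates the check described in “The Authentication Check” and makes the “From is just a label” point concrete: it parses the raw text that “Show original” displays, decodes the =?utf-8?B?...?= encoded From and Subject headers, lists the Received hops, reads the spf= and dkim= verdicts out of Authentication-Results, and checks that the domain those verdicts were evaluated for matches the domain in the From header. The two sample messages are constructed for this example, using reserved example.* domains and documentation IP ranges; the header layout mirrors what Gmail shows but every value is invented.

```python
"""Script the "original view" check from the page: parse the raw text that
Gmail's "Show original" displays, decode the From and Subject headers, list the
Received hops and read the spf=/dkim= verdicts out of Authentication-Results."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not real mail): example.* domains and
# documentation IP ranges; the header layout mirrors what Gmail shows.
RAW_AUTHENTICATED = """\
Delivered-To: someone@example.org
Received: from mail-a.example.com ([192.0.2.10]) by mx.example.org with ESMTPS id abc123
 for <someone@example.org>; Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Authentication-Results: mx.example.org;
 spf=pass (example.org: domain of craig@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=craig@example.com;
 dkim=pass header.i=@example.com
From: Craig <craig@example.com>
To: <someone@example.org>
Subject: =?utf-8?B?SGVsbG8gd29ybGQ=?=
Content-Type: text/plain

(body)
"""

# Same From address, but relayed by a host that is not authorised for example.com.
RAW_SPOOFED = """\
Delivered-To: someone@example.org
Received: from mail.example.net ([198.51.100.7]) by mx.example.org with ESMTP id def456
 for <someone@example.org>; Thu, 17 Sep 2015 03:25:01 -0700 (PDT)
Authentication-Results: mx.example.org;
 spf=neutral (example.org: 198.51.100.7 is neither permitted nor denied by best guess record for domain of craig@example.com) smtp.mailfrom=craig@example.com
From: =?utf-8?B?5r2Y5YWI55Sf?= <craig@example.com>
To: <someone@example.org>
Subject: invoice
Content-Type: text/plain

(body)
"""

AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)')
MAILFROM_RE = re.compile(r'smtp\.mailfrom=(?:[^@\s;]*@)?([^\s;]+)')
DKIM_DOMAIN_RE = re.compile(r'header\.(?:i=[^@\s;]*@|d=)([^\s;]+)')
RECEIVED_RE = re.compile(r'\bfrom\s+(\S+).*?\bby\s+(\S+)', re.S)


def _unfold(value):
    """Collapse a folded header (continuation lines) into a single line."""
    return re.sub(r'\s+', ' ', str(value)).strip()


def auth_results(msg):
    """Verdicts from Authentication-Results plus the domains they were evaluated for."""
    out = {'spf': None, 'dkim': None, 'dmarc': None, 'spf_domain': None, 'dkim_domain': None}
    for value in msg.get_all('Authentication-Results', []):
        text = _unfold(value)
        for method, verdict in AUTH_RE.findall(text):
            if out[method] is None:          # keep the receiving MX's (first) verdict
                out[method] = verdict.lower()
        m = MAILFROM_RE.search(text)
        if m and out['spf_domain'] is None:
            out['spf_domain'] = m.group(1).lower()
        m = DKIM_DOMAIN_RE.search(text)
        if m and out['dkim_domain'] is None:
            out['dkim_domain'] = m.group(1).lower()
    return out


def received_hops(msg):
    """(from, by) host pairs, one per Received header, last hop first as in the raw view."""
    hops = []
    for value in msg.get_all('Received', []):
        m = RECEIVED_RE.search(_unfold(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def _aligned(auth_domain, from_domain):
    """The authenticated domain must be the From domain or a subdomain of it."""
    return bool(auth_domain and from_domain) and (
        auth_domain == from_domain or auth_domain.endswith('.' + from_domain))


def triage(raw):
    msg = message_from_string(raw, policy=policy.default)  # default policy decodes =?utf-8?B?...?= words
    from_name, from_addr = parseaddr(str(msg['From'] or ''))
    from_domain = from_addr.rpartition('@')[2].lower()
    auth = auth_results(msg)
    spf_ok = auth['spf'] == 'pass' and _aligned(auth['spf_domain'], from_domain)
    dkim_ok = auth['dkim'] == 'pass' and _aligned(auth['dkim_domain'], from_domain)
    if spf_ok and dkim_ok:
        verdict = 'strong'   # sent through infrastructure authorised for the From domain
    elif spf_ok or dkim_ok:
        verdict = 'weak'
    else:
        verdict = 'none'     # nothing vouches for the From header: it is just a label
    return {'from_name': from_name, 'from_addr': from_addr, 'subject': str(msg['Subject'] or ''),
            'hops': received_hops(msg), **auth, 'verdict': verdict}


if __name__ == '__main__':
    print(triage(RAW_AUTHENTICATED)['verdict'], triage(RAW_SPOOFED)['verdict'])
```

Both samples carry the same From address; only the first gets a verdict of “strong”, because its spf=pass and dkim=pass were evaluated for example.com, the domain in the From header. The second is reported as “none”: spf=neutral and no dkim result at all, exactly the pattern in the raw headers shown earlier. To use it on a real message, paste the whole “Show original” text into a file and pass its contents to triage(); the alignment check is deliberately strict (exact domain or subdomain), which is tighter than DMARC’s relaxed mode.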