Determining original information (date sent, etc.) for a forwarded email.

John sends an email to himself, using the same account (Yahoo, if it matters) for both sending and receiving.

A few weeks later, John forwards that email to Sally.

Is there any way for Sally to confirm, from information in the email she receives, what date John originally sent the email to himself?

My guess is no, but I’m no expert with email headers, and stuff like that, so I thought I’d ask just in case.

The problem is any header can be spoofed.

So *if* Sally is convinced that John can/will never tell a lie, then John’s assertion in his body text of the original date is good enough. The headers would corroborate that, but since John is 100% trustworthy there is no point in verifying the date in them.

And conversely, if Sally thinks it’s possible John could lie, then both the body text and the headers are equally unreliable.

There is a small window where the headers might provide useful corroboration. … If John *might* be inclined to lie but is too technically unsophisticated to spoof the headers. And he’s too clueless to even think of the idea of doing so, much less Google for and download some app to do the detail work for him.

Since most users don’t know how to spoof a header, it would work in most cases.

If this were true, what would one look for in the header?

This is, as you might have guessed, not simply a hypothetical. I’m Sally in this situation, and my belief is that John has, in fact, changed the information in the body of the email, but is also not sophisticated enough to have messed with the headers.

When I look at the full headers, there’s a whole series of information, and it’s clear to me what some of it means, but not all. Is it as simple as looking for a date? Because I see a few dates in various places in the header, and none of them are anywhere near the date that John claims to have originally sent the email to himself.

I just sent myself an email, and then forwarded that email to myself, twice. One time I forwarded the email with the original body unmodified, and the second time, I changed the text of the body of the original email. I then right-clicked on those two emails and selected View Source. There was no way to tell from that source that I had changed the body of the original message.

I’m not a pro, so it’s possible there’s more information in the email than you see when selecting View Source.
This was in Outlook Version 14, from Office Professional Plus 2010.

After allowing for some variation in clock settings and in time zones, all the headers on one transmission of an email ought to be date/timed within an hour or so of each other from start to finish.

So for a forward you ought to see two sets of headers; the original group at around the time the mail was originally sent, and a second group at around the time it was forwarded.

Depending on which email services are used, the forward may not contain any headers at all from the original transmission.

So if you are seeing two sets of headers, AND the dates/times are scattered, AND you think John might have the chops to think of spoofing headers, but not the chops to pull it off correctly, THEN it seems pretty likely you’re looking at spoofed headers.

If the rest of the facts of the situation also lean in the direction of deception, all the more so.

The full header in the email you received will not have any information about the original email. Just the most recent transaction.

The body of this email might contain the full header of the original email but lots of email apps don’t do that anymore because it can be more messy than useful. If the body does contain the full header of the original email, it can be edited by the sender, just like anything else in the body.
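
The timing check described in the thread (all headers on one transmission dated within about an hour of each other), sketched in Python as an added example that is not part of any post above. The sample message, hosts and addresses are constructed, and `transit_timestamps` and `check_spread` are hypothetical helper names; the code reads headers only, so a date quoted in the forwarded body is never considered.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample of a forwarded message as the recipient would see it.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTP id abc123;
    Tue, 14 Mar 2023 09:15:42 -0700
Received: from sender.example.com (sender.example.com [198.51.100.7])
    by mx.example.net with ESMTP id def456;
    Tue, 14 Mar 2023 16:15:40 +0000
Date: Tue, 14 Mar 2023 12:15:38 -0400
From: John <john@example.com>
To: Sally <sally@example.org>
Subject: Fwd: note to self

---- Forwarded message ----
Date: Mon, 20 Feb 2023 08:00:00 -0500
"""

def _parse(text):
    """Parse an RFC 5322 date; return an aware datetime or None."""
    try:
        dt = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    # A "-0000" zone parses as naive; treat it as UTC so values compare.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def transit_timestamps(raw):
    """Collect timestamps from Received and Date headers (never the body)."""
    msg = message_from_string(raw)
    # Each relay puts its timestamp after the last ';' of its Received line.
    found = [_parse(v.rpartition(";")[2]) for v in msg.get_all("Received", [])]
    found.append(_parse(msg.get("Date", "")))
    return [dt for dt in found if dt is not None]

def check_spread(raw, tolerance=timedelta(hours=1)):
    """Report whether all header timestamps fall within the tolerance."""
    times = transit_timestamps(raw)
    spread = max(times) - min(times) if times else timedelta(0)
    return {"count": len(times), "earliest": min(times, default=None),
            "spread": spread, "consistent": spread <= tolerance}

if __name__ == "__main__":
    print(check_spread(SAMPLE))
```

A consistent result only shows the header timestamps agree with each other; it says nothing about the date of the original message, which this forward carries only in its editable body.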