
The subtle art of email forensics

The subtle hints and hardcoded clues to trace the history of every email message


A custom MacBook takes a circuitous journey, from its birth in Shenzhen, hop over the border to Hong Kong, trans-pacific flight to JFK, stop over at DHL’s Cincinnati hub before a final flight closer to its destination, to finally ride the last miles to your home in a yellow DHL van.

What matters is that your MacBook arrives in a timely manner. The hops, themselves, are irrelevant.

Same for a paper letter, with the posting location divulged by the stamp and cancellation, and with paper and ink hinting at the writing circumstances. Multiple shades of ink could be clues that the writer’s pen went dry, or that they started writing one day and finished on another. An assortment of Par Avion stickers and customs stamps might reveal the route the letter took.

Sherlock Holmes clues, all of them, inconsequential for most packages and posts, yet fascinating in a geeky way, a reminder of the infrastructure that unknowingly undergirds our lives, of the choices and decisions that go into every interaction. And every now and then, they do matter, as when a court case hinged on evidence being purportedly written in 2006, but typed in Calibri, a font that wasn’t widely released until 2007. For want of a time-period-specific font, the forgery unraveled.

Email apps leave similar clues behind, barely hidden, in every email message you receive. Sometimes they’re just-for-fun, when you’re curious which email app a friend uses, or how your favorite newsletter is sent. Other times they’re more serious; when an email seems to have been sent from one site or app but deeper clues reveal otherwise, it could be a fraudulent message.

With a bit of awareness, a bit of digging, you can trace almost any email back to where it first came to life in a Compose dialog.

Basic: Check for visual clues

The app-style icons and the Read in App button are Substack giveaways

Some clues aren’t even hiding. They’re right there in the signature, announcing which app sent an email.

From Hotmail’s classic “Get your free e-mail at Hotmail” signature in the ’90s and the iPhone’s “Sent from my iPhone” to Mailchimp’s monkey icon in the footer, Ghost’s “Powered by Ghost” tagline, and Buttondown’s “Brought to you by Buttondown” signature, it’s hard to mistake which app sent some emails.

Others are equally obvious, if you know what to look for. Emails sent from Substack often have a “Read in app” button in their header, along with buttons to like, comment, or share a post. Replies from Outlook may include a “You don’t often get emails from...” or “Do not click links or attachments...” bit in the quoted reply text. And an emoji-only reply will typically only come from Gmail.

A Gmail reaction emoji, or a Superhuman scheduling link, is a dead giveaway

Links are the next best clue for emails sent from newsletter services. Not all Substack emails include the app icons, but they do tend to include an unsubscribe link that contains substack.com. You’ll find similar links throughout the message: images typically load from the sending service’s URL, and inline links often get wrapped in similar URLs to track clicks.

You’ll start recognizing links from other apps over time; list-manage.com links are from MailChimp, createsend.com and cmail.com links come from Campaign Monitor, and so on. 

Typically, visiting the URL is enough to find out who’s behind the service. And every now and then, you’ll find links that indicate which app was used to send a personal email. A Gmail or Superhuman scheduling link likely indicates that the email was written inside those apps; an iCloud Mail Drop link to download a larger attachment, similarly, means Apple Mail on Mac or iOS was used to send the message.

A Gmail email in 11pt sans serif (Helvetica, on a Mac), versus an Outlook email in 11pt Calibri

Design clues offer another strong hint. Emails from Microsoft Outlook look a bit like other Office documents, with emails set in 11pt Calibri or Tahoma fonts. Gmail uses your computer’s default sans serif font at the same 11pt, while Apple Mail will use a slightly larger 12pt Helvetica. Default email templates from popular email newsletter services have similar tells.

So if you receive a message set in 11pt Calibri that says “Sent from my iPhone” in the footer, and the links in the message are wrapped in another sending service’s URL, your spidey senses should be tingling that the email may not be exactly what it’s claiming to be.

Advanced: Scan email headers

Email headers reveal that this newsletter was sent with Beehiiv

Which means it’s time to get down to code. For in your email’s raw source, especially in its headers, you’ll find clues both to which software was used to write the message and to the email provider or ESP (email service provider) used to deliver it.

To view an email’s raw source in Gmail, open an email, click the 3-dot menu in the top-right corner, and select View Original. In Outlook, right-click on a message and choose View Source. In Apple Mail, click Message -> Raw Source. Poke around in your favorite email app’s menus, and you’ll likely find a similar option there as well.

There, scan the headers. The simplest to look for is X-Mailer, a non-standard, “informational” email header mentioned as early as 1997 but never officially standardized as part of email. It’s inconsistently used, but there’s a fair chance you’ll see an email app listed there, something like X-Mailer: Apple Mail (2.3826.400.131.1.6) or Airmail Beta (146) for messages sent from that short-lived email app.

You might also see other app-specific headers. Gmail messages may include X-Google headers, Superhuman adds an X-Superhuman header, and X-MS-Office365 or X-MS-Exchange headers appear on emails sent from Outlook and Exchange. Watch for any unusual headers with names related to email software. You’ll discover some email history along the way; emails sent from Adobe Campaign, for instance, include an s=neolane selector in their DKIM header, named after the app that Adobe acquired to build their email sending service. But also watch out for headers your own email service adds on receipt; if you’re using Gmail, most emails will include an X-Google-Smtp-Source: header, regardless of which software sent the message.

Then, dig into the domain names listed in the DKIM signature, the Received path, the Return-Path used for bounced emails, and more. An email sent from Proton Mail might include a Received: from mail-24421.protonmail.ch line, say. Sometimes you’ll put multiple clues together that way; perhaps the Received line shows they used Proton Mail’s sending service, while the X-Mailer shows they used Outlook to type the message. You’ll start uncovering somewhat cryptic domains along the way: messagingengine.com for Fastmail, mtasv.net for Postmark, cmail2.com for Campaign Monitor, list-manage.com for MailChimp, and so on.

You might find out more than you expected. An unsubscribe-link domain and X-Mailer, say, show that an email was sent via Customer.io, while a DKIM header with mtasv.net means the email itself was delivered via Postmark. And so you deduce that the newsletter was sent with Customer.io’s software, using Postmark as the email service provider. Another email sent from Customer.io, meanwhile, was delivered with Mailgun, discovered thanks to the X-Mailgun-Variables headers in its source. And a Substack message that was redesigned to hide all the app buttons still included a Substack domain in its headers, along with Mailgun headers, hinting at their stack.
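Here’s the header-and-link triage above as a script, so you can run it over a saved .eml instead of eyeballing the raw source. It’s an added example written for this post, not Buttondown’s code or any ESP’s tooling. It pulls out the X-* headers, the DKIM d= (signing domain) and s= (selector), the hosts in each Received hop, the Return-Path domain, the unsubscribe-link host, and every host linked from the body, then reports whether the From domain shows up anywhere in that infrastructure. Both sample messages are constructed for the example; example.com, example.net and example-esp.net are placeholders, while protonmail.ch, mtasv.net and the Apple Mail X-Mailer value come from the post. The registered_domain helper is a deliberately crude “last two labels” reduction, not a Public Suffix List lookup.

```python
"""Extract sending-stack clues from a raw email: X-* headers, DKIM signing
domain and selector, Received hops, Return-Path, unsubscribe and body link hosts.
Added example; both sample messages below are constructed, not real mail."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

RECEIVED_FROM = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)
URL_IN_BODY = re.compile(r"""(?:href|src)=["']?(https?://[^"'\s>]+)""", re.I)
ANGLE_URL = re.compile(r"<(https?://[^>]+)>")

# Constructed newsletter: From says example.com, but every hop, signature and
# link points at third-party infrastructure (mtasv.net is the Postmark domain
# named in the post; the mta-out-1 hostname and example-esp.net are made up).
SAMPLE_NEWSLETTER = """\
Return-Path: <bounce-abc123@mtasv.net>
Received: from mta-out-1.mtasv.net (mta-out-1.mtasv.net [203.0.113.10])
    by mx.example.org with ESMTPS; Fri, 25 Jul 2025 10:00:00 +0000
Received: from [10.0.0.5] by mta-out-1.mtasv.net; Fri, 25 Jul 2025 09:59:58 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=mtasv.net; s=sel1; h=from:to:subject; bh=abc; b=def
From: Newsletter <news@example.com>
To: reader@example.org
Subject: Weekly update
List-Unsubscribe: <https://e.example-esp.net/u/xyz>, <mailto:unsub@example-esp.net>
X-Mailer: ExampleNewsletterApp/2.1
X-Mailgun-Variables: {"campaign": "weekly"}
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<a href="https://links.example-esp.net/c/xyz">Read more</a>
<img src="https://files.example-esp.net/logo.png"></body></html>
"""

# Constructed personal message: typed in Apple Mail, relayed through a Proton
# Mail host (from the post), with the From domain doing its own DKIM signing.
SAMPLE_PERSONAL = """\
Return-Path: <alice@example.net>
Received: from mail-24421.protonmail.ch (mail-24421.protonmail.ch [203.0.113.20])
    by mx.example.org with ESMTPS; Fri, 25 Jul 2025 11:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel2; h=from:to:subject; bh=abc; b=def
From: Alice <alice@example.net>
To: reader@example.org
Subject: Re: lunch
X-Mailer: Apple Mail (2.3826.400.131.1.6)
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""


def registered_domain(host: str) -> str:
    """Crude 'last two labels' reduction (assumption: no Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value: str) -> str:
    """Domain part of the first address in a From/Return-Path style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def dkim_tags(msg) -> dict:
    """Tag=value pairs of the first DKIM-Signature; d= signer, s= selector."""
    tags = {}
    for sig in msg.get_all("DKIM-Signature", [])[:1]:
        for tag in str(sig).split(";"):
            if "=" in tag:
                key, value = tag.strip().split("=", 1)
                tags[key.strip()] = value.strip()
    return tags


def sending_signals(raw: str) -> dict:
    """Collect the clues the post describes and compare them with the From domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    tags = dkim_tags(msg)
    # Relay hostnames, outermost hop first; bracketed IPs are skipped on purpose
    received = [m.group(1).lower() for r in msg.get_all("Received", [])
                for m in [RECEIVED_FROM.search(str(r))] if m]
    unsub = [urlparse(u).hostname for u in ANGLE_URL.findall(str(msg.get("List-Unsubscribe", "")))]
    body = msg.get_body(preferencelist=("html", "plain"))
    links = sorted({urlparse(u).hostname for u in URL_IN_BODY.findall(body.get_content())}) if body else []
    from_domain = addr_domain(str(msg.get("From", "")))
    return_path = addr_domain(str(msg.get("Return-Path", "")))
    # Every domain that handled, signed, or is linked from the message
    infra = {registered_domain(h) for h in [return_path, tags.get("d", "")] + received + unsub + links if h}
    return {
        "from_domain": from_domain,
        "x_mailer": str(msg.get("X-Mailer", "")),
        "app_headers": sorted(k for k, _ in msg.items() if k.lower().startswith("x-")),
        "dkim_domain": tags.get("d", ""),
        "dkim_selector": tags.get("s", ""),
        "return_path_domain": return_path,
        "received_hosts": received,
        "unsubscribe_hosts": unsub,
        "link_hosts": links,
        "infrastructure_domains": sorted(infra),
        "from_domain_in_infrastructure": from_domain in infra,
    }


if __name__ == "__main__":
    for name, raw in (("newsletter", SAMPLE_NEWSLETTER), ("personal", SAMPLE_PERSONAL)):
        print(name, sending_signals(raw))
```

On the newsletter sample the report lists mtasv.net and example-esp.net as the infrastructure and no sign of example.com anywhere but the From line, which is exactly the pattern the post describes for a newsletter sent through an ESP, and also exactly the pattern a lookalike message has. The script can’t tell those apart; it just puts the clues side by side so you can. To use it on real mail, save the message from View Original / View Source as a file and pass its contents to sending_signals.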

Buttondown? You’ll see our domain in the Return path, perhaps a mention or Buttondown link in the footer, and might find that your emails were sent by Postmark or another ESP in our stack.

ChatGPT is great at pattern recognition—the perfect skill to decipher how an email was sent

You can decipher the headers yourself, if you’d like, opening URLs and checking their Whois to see who’s behind the cryptic domains. Or, you could copy your email headers into ChatGPT or an app like LearnDMARC.com, which can decipher email headers and teach you more about who sent the message.

Odds are, you won’t make any groundbreaking discoveries this way. But if you’re insatiably curious about email and the stacks that power your favorite newsletters, or if you want a bit more confirmation of whether a message is what it claims to be, it’s a fun rabbit hole to explore. You’ll discover a bit about the infrastructure that got that message into your inbox along the way.

Image Credit: Postage photo by Gustavo Boaron via Unsplash

Published on July 25, 2025

Written by Matthew Guay

Matthew Guay is a writer, software director, and photographer.