
Difference between revisions of "Gmail Header Format"

From ForensicsWiki
Line 2: Line 2:
  
 
<pre>DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
 
<pre>DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
         d=gmail.com; s=beta;       h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;       b=OITvzFGKQQUjywUQB7U8dQypDAeOGqBIhfcb8VKioP2UU5P2aJL3l2adoyRqSp9h/Fo9A6wY5EIRsfaCWM9ge+EzCob/4p85jcEn3uW8dpRyBFQXMuK2q0RMIk3FznrXAM4W5FvoJIPP04qgXErar+/hZq03vEUIErV1v6p2Fy4=
+
         d=gmail.com; s=beta;
 +
        h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
 +
        b=OITvzFGKQQUjywUQB7U8dQypDAeOGqBIhfcb8VKioP2UU5P2aJL3l2adoyRqSp9h/Fo9A6wY5EIRsfaCWM9ge+EzCob/
 +
4p85jcEn3uW8dpRyBFQXMuK2q0RMIk3FznrXAM4W5FvoJIPP04qgXErar+/hZq03vEUIErV1v6p2Fy4=
 
DomainKey-Signature: a=rsa-sha1; c=nofws;
 
DomainKey-Signature: a=rsa-sha1; c=nofws;
 
         d=gmail.com; s=beta;
 
         d=gmail.com; s=beta;
         h=received:message-id:date:from:to:subject:mime-version:content-type;       b=oC+hlWhBboQ+RlsKCL4r2pQxpgKRM9iUgCBmw9wZqlEcxj+A3q+fJkDXgLKmI1twfvTHj7GQ3HDzSLzw982UD+CPh1bPQxkhNbylUBRtwpoFeixIk7OmR2YE1iYrYpQXf3dEcXNfKs7ffoeY18plJNJG0S8RRmXLaR6XqXFVUoo=
+
         h=received:message-id:date:from:to:subject:mime-version:content-type;
 +
        b=oC+hlWhBboQ+RlsKCL4r2pQxpgKRM9iUgCBmw9wZqlEcxj+A3q+fJkDXgLKmI1twfvTHj7GQ3HDzSLzw982UD
 +
+CPh1bPQxkhNbylUBRtwpoFeixIk7OmR2YE1iYrYpQXf3dEcXNfKs7ffoeY18plJNJG0S8RRmXLaR6XqXFVUoo=
 
</pre>
 
</pre>
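Review bot: the wrapped b= values now continue on lines that start in column 0 ("4p85jcEn3uW8..." and "+CPh1bPQxkhN..."), while the d=, h= and b= lines keep their indentation. A folded header continuation has to begin with whitespace, so a reader who copies the sample out of the pre block gets a line that a parser treats as a new, malformed header rather than as the rest of the signature; indent both continuation lines to match the lines above them. The DomainKey-Signature continuation also begins with "+", which belongs to the base64 value but is easy to mistake for a diff marker or to drop when copying, so break that value at a different character.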
  

Revision as of 05:16, 6 March 2007

Because Gmail is a web-based application and can be changed at any time, the information in this article may not reflect the current state of Gmail headers. In general, Gmail headers have a DomainKeys Identified Mail (DKIM) signature line that contains a signature for the message in question. These lines appear above the standard Message-ID fields. These signatures are of the format:

<pre>
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
        d=gmail.com; s=beta;
        h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
        b=OITvzFGKQQUjywUQB7U8dQypDAeOGqBIhfcb8VKioP2UU5P2aJL3l2adoyRqSp9h/Fo9A6wY5EIRsfaCWM9ge+EzCob/
4p85jcEn3uW8dpRyBFQXMuK2q0RMIk3FznrXAM4W5FvoJIPP04qgXErar+/hZq03vEUIErV1v6p2Fy4=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=beta;
        h=received:message-id:date:from:to:subject:mime-version:content-type;
        b=oC+hlWhBboQ+RlsKCL4r2pQxpgKRM9iUgCBmw9wZqlEcxj+A3q+fJkDXgLKmI1twfvTHj7GQ3HDzSLzw982UD
+CPh1bPQxkhNbylUBRtwpoFeixIk7OmR2YE1iYrYpQXf3dEcXNfKs7ffoeY18plJNJG0S8RRmXLaR6XqXFVUoo=
</pre>
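The following is an added example, not part of the original article: a small Python parser that splits the DKIM-Signature header shown above into its tags and reports the fields an examiner would typically record. The function names `parse_signature` and `summarize` are hypothetical, and the required-tag list is taken from RFC 6376 rather than from this page.

```python
import base64
import re

# DKIM-Signature sample copied from this page; the wrapped b= line is unindented there.
SAMPLE = """DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
        d=gmail.com; s=beta;
        h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
        b=OITvzFGKQQUjywUQB7U8dQypDAeOGqBIhfcb8VKioP2UU5P2aJL3l2adoyRqSp9h/Fo9A6wY5EIRsfaCWM9ge+EzCob/
4p85jcEn3uW8dpRyBFQXMuK2q0RMIk3FznrXAM4W5FvoJIPP04qgXErar+/hZq03vEUIErV1v6p2Fy4=
"""

# Assumption (not from the page): tags RFC 6376 requires in a DKIM-Signature header.
REQUIRED_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}

def parse_signature(raw):
    """Return (header name, {tag: value}) for one signature header (hypothetical helper)."""
    name, _, value = raw.partition(":")
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")  # split at the first "=" only
        if sep:
            tags[key.strip().lower()] = val.strip()
    # Whitespace inside b=, bh= and h= is line folding, not data.
    for key in ("b", "bh", "h"):
        if key in tags:
            tags[key] = re.sub(r"\s+", "", tags[key])
    return name.strip(), tags

def summarize(raw):
    """Collect the fields worth recording from the header (hypothetical helper)."""
    name, tags = parse_signature(raw)
    signature = base64.b64decode(tags.get("b", ""), validate=True)
    signed = [h for h in tags.get("h", "").lower().split(":") if h]
    is_dkim = name.lower() == "dkim-signature"
    return {
        "header": name,
        # DNS name of the TXT record that holds the signer's public key
        "key_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
        "algorithm": tags.get("a"),
        "signed_headers": signed,
        "from_signed": "from" in signed,
        # An RSA signature is as long as the key modulus.
        "signature_bits": len(signature) * 8,
        "missing_tags": sorted(REQUIRED_TAGS - tags.keys()) if is_dkim else [],
    }

if __name__ == "__main__":
    for field, value in summarize(SAMPLE).items():
        print(f"{field}: {value}")
```

For the sample on this page, `missing_tags` lists `bh` and `v`, which RFC 6376 requires; a verifier that follows that RFC would not accept a signature without them.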

Note that some of the Received lines will contain hosts with IP addresses like 10.x.x.x. These addresses are private (RFC 1918) and not routable on the public Internet, but they are part of the Gmail system. The remaining headers look like:

<pre>
Message-ID: <f6a363400703050910y7d591d42raf015fcef16f95ea@mail.gmail.com>
Date: Mon, 5 Mar 2007 09:10:41 -0800
From: UserName <address@gmail.com>
To: OtherUserName <address@system.com>
Subject: Subject Line
MIME-Version: 1.0
</pre>

The format of the Message-ID field is not known.
