Gmail Header Format

From ForensicsWiki
Revision as of 05:14, 6 March 2007 by Jessek (Talk | contribs)


Because Gmail is a web-based application and can be changed at any time, the information in this article may not reflect the current state of Gmail headers. In general, Gmail headers have a DomainKeys Identified Mail (DKIM) signature line that contains a signature for the message in question. These lines appear above the standard Message-ID fields. These signatures are of the format:

DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;; s=beta;
        h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type;
        b=OITvzFGKQQUjywUQB7U8dQypDAeOGqBIhfcb8VKioP2UU5P2aJL3l2adoyRqSp9h/Fo9A6wY5EIRsfaCWM9ge+EzCob/4p85jcEn3uW8dpRyBFQXMuK2q0RMIk3FznrXAM4W5FvoJIPP04qgXErar+/hZq03vEUIErV1v6p2Fy4=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=beta;
        h=received:message-id:date:from:to:subject:mime-version:content-type;
        b=oC+hlWhBboQ+RlsKCL4r2pQxpgKRM9iUgCBmw9wZqlEcxj+A3q+fJkDXgLKmI1twfvTHj7GQ3HDzSLzw982UD+CPh1bPQxkhNbylUBRtwpoFeixIk7OmR2YE1iYrYpQXf3dEcXNfKs7ffoeY18plJNJG0S8RRmXLaR6XqXFVUoo=

Note that some of the Received lines will contain hosts with IP addresses like 10.x.x.x. These addresses are non-routable but part of the Gmail system. The remaining headers look like:

Message-ID: <>
Date: Mon, 5 Mar 2007 09:10:41 -0800
From: UserName <>
To: OtherUserName <>
Subject: Subject Line
MIME-Version: 1.0

The format of the Message-ID field is not known.
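
The header layout described above can be checked mechanically during an examination. The following Python code is an added example, not part of the original wiki article: it unfolds the signature headers, splits their tag lists, lists Received hops in 10.0.0.0/8, and confirms that the signature lines sit above Message-ID. The sample message, the example.com/example.org names and the function names are constructed assumptions, and the code does not verify the signatures cryptographically.

```python
import email
import ipaddress
import re

# Constructed sample headers (not a real message); folded lines start with whitespace.
SAMPLE = """\
Received: by 10.0.0.5 with SMTP id example1; Mon, 5 Mar 2007 09:10:45 -0800 (PST)
Received: from mail.example.org (mail.example.org [192.0.2.10])
        by mx.example.com with ESMTP id example2; Mon, 5 Mar 2007 09:10:43 -0800 (PST)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=beta;
        h=domainkey-signature:received:message-id:date:from:to:subject;
        b=Q09OU1RSVUNURUQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=example.com; s=beta;
        h=received:message-id:date:from:to:subject;
        b=U0FNUExF
Message-ID: <constructed-id@mail.example.com>
Date: Mon, 5 Mar 2007 09:10:41 -0800
Subject: Subject Line
"""

SIG_HEADERS = {"dkim-signature", "domainkey-signature"}
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")  # the 10.x.x.x range the page mentions

def parse_tags(value):
    """Unfold a signature header and split 'k=v; k=v' into a dict (empty ';;' parts skipped)."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        key, sep, val = part.partition("=")  # first '=' only: b= may end in '='
        if sep:
            tags[key.strip()] = "".join(val.split()) if key.strip() == "b" else val.strip()
    return tags

def is_internal(ip):
    try:
        return ipaddress.ip_address(ip) in PRIVATE_10
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex below
        return False

def analyze(raw):
    headers = email.message_from_string(raw).items()  # keeps original header order
    names = [name.lower() for name, _ in headers]
    sigs = [(n, parse_tags(v)) for n, v in headers if n.lower() in SIG_HEADERS]
    hops = [ip for n, v in headers if n.lower() == "received"
            for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", v) if is_internal(ip)]
    mid = names.index("message-id") if "message-id" in names else len(names)
    above = all(i < mid for i, n in enumerate(names) if n in SIG_HEADERS)
    return {"signatures": sigs, "internal_hops": hops, "sigs_above_message_id": above}
```

A header whose tag list has an empty segment (such as the `;;` in the sample signatures above) parses without error; the missing tag is simply absent from the resulting dictionary.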

External Links