Hi,
I have an email that is supposedly sent from a Hotmail account to a 365 account, but the sending server reports it was sent from Google. Aside from altering the sender’s email address from a Gmail to a Hotmail account, would there be any other possible explanation for this?
The number of hops (below) is also very unusual and not as detailed as expected.
It is theoretically possible for the end-user to configure their email client to send emails using a different provider’s SMTP server than where their email is hosted. However, last time I checked, when one uses Gmail’s SMTP servers, the server made a couple of changes to the message:
X-Google-Original-From header was added to reflect the original From metadata.Perhaps a good starting point would be to research if this was in effect within the timeframe relevant to your email.
Hard to comment on the headers with such limited information—the ones you shared appear to have been parsed with some software. That said, I would expect there to be plenty of other data points (e.g., Message-ID, MIME boundaries, hidden timestamps, etc.) to corroborate. Also, since your hops reference a Gmail MTA, I would expect there to be DKIM signatures with gmail.com and/or 1e100.net signing domains.
Here is an example message from Gmail to M365 for comparison.
Received: from BN9PR18MB4377.namprd18.prod.outlook.com (2603:10b6:408:102::10)
by BYAPR18MB2774.namprd18.prod.outlook.com with HTTPS; Fri, 17 Feb 2023
17:55:29 +0000
Received: from DM6PR02CA0058.namprd02.prod.outlook.com (2603:10b6:5:177::35)
by BN9PR18MB4377.namprd18.prod.outlook.com (2603:10b6:408:102::10) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6111.15; Fri, 17 Feb
2023 17:55:27 +0000
Received: from DM3NAM02FT051.eop-nam02.prod.protection.outlook.com
(2603:10b6:5:177:cafe::30) by DM6PR02CA0058.outlook.office365.com
(2603:10b6:5:177::35) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6111.15 via Frontend
Transport; Fri, 17 Feb 2023 17:55:27 +0000
Authentication-Results: spf=pass (sender IP is 209.85.128.173)
smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass
reason=100
Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates
209.85.128.173 as permitted sender) receiver=protection.outlook.com;
client-ip=209.85.128.173; helo=mail-yw1-f173.google.com; pr=C
Received: from mail-yw1-f173.google.com (209.85.128.173) by
DM3NAM02FT051.mail.protection.outlook.com (10.13.4.91) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.6111.17 via Frontend Transport; Fri, 17 Feb 2023 17:55:27 +0000
Received: by mail-yw1-f173.google.com with SMTP id 00721157ae682-535a11239faso36055227b3.13
for <hello@metaspike.com>; Fri, 17 Feb 2023 09:55:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
:date:message-id:reply-to;
bh=FZ18fGFyypr8cudmeQwkEnN3pKgKbkiIF7oskhKnSh0=;
b=do3EkAWIP/LWRIX0KYzLeoxbYxPpwVYawpOt4VbUo9ELWPAHI0Gx3X2M9dTcGdr2yI
TjeizXDlyr9V3VXUj4+OIzLZUCssLCbMt4SG1bbbIeVwJz+hDBue3fv4RBBXtT79NGDL
ihedXQi/HAxEWBDRunBabrZ3x131Mm5KKRh2rB3W0luad8RKmLvjhvWB6oeFuBPZYm1J
ScHX4brH2+b0EK+N/cd5Qott4/deB5pCqWnFGKExICmBck9OFkfo4+2xNFcswmi8x6xJ
ue5MHmW2YAU64M8f3st2xm6gbbLvfR2BpZh1Hm6jDPE072pEVfGUrVcSbN32QvdXMFFV
EjNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=to:subject:message-id:date:from:mime-version:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=FZ18fGFyypr8cudmeQwkEnN3pKgKbkiIF7oskhKnSh0=;
b=OX76GIb6zLLS4CGwduc1wybrsrjEPeCxh4t090V9saJI39+J1eTJMUXcPj8m0aeFmT
+75s8S96sl2s03MBvgYFSJdIlkrPAd1X1PnOsxhcsH5abmF1Sg7+E5TmBa41o10xPdso
m7U6ji/TCDGLIgxxaczeZNcFL/mMWF2K3Q03YxpH5WcWaIPCXAKSdaN2iOsSult8w2J2
eA9zoNshmlDcYKwxEYLX150D/qOhjhxotUxg1g/+AeeKrgmbI3A5GwOXSwozNFidWZe9
r1m/D6unbQ1EaTYAQlEDxHbPOj42sMf1PtBy5+Ht4BNeLTv4pKoGByWANiRT9+1le35F
Dc6g==
X-Gm-Message-State: AO0yUKVzVzJ/Vo2AlqWrtdnxAM/n6ZVQ3EX35wgWvuXyKVJnHugN1gwP
F6bBFiFrittc1BH+U/nT7Xzo1wJswTTAH9RTU1goFnYd
X-Google-Smtp-Source: AK7set+1KK0V0zInlb6OT7qv26I5gRSvRcjafSh1EPPVYamH5wUhVLyk675TA1CsE2b5tyT0PrVBerXNoKIFCttNsdo=
X-Received: by 2002:a81:ac5f:0:b0:535:8cb8:6ae9 with SMTP id
z31-20020a81ac5f000000b005358cb86ae9mr320925ywj.4.1676656526779; Fri, 17 Feb
2023 09:55:26 -0800 (PST)
From: LMISF Test <lmisf01@gmail.com>
Date: Fri, 17 Feb 2023 09:55:02 -0800
Message-ID: <CAMvYnDMhCgmYBWjRP+7LwM8vBa1FMRhrDWYOBohVfQJANaMeuQ@mail.gmail.com>
Subject: Test Message
To: hello@metaspike.com
Content-Type: multipart/alternative; boundary="000000000000b069a405f4e90420"
Return-Path: lmisf01@gmail.com
X-MS-Exchange-Organization-ExpirationStartTime: 17 Feb 2023 17:55:27.5659
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
5da12e0c-1dd0-4cf2-6c8a-08db11102711
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: d103ed7b-e2f5-4931-8510-62614fb4f256:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DM3NAM02FT051:EE_|BN9PR18MB4377:EE_
X-MS-Exchange-Organization-AuthSource:
DM3NAM02FT051.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: 5da12e0c-1dd0-4cf2-6c8a-08db11102711
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
CIP:209.85.128.173;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-yw1-f173.google.com;PTR:mail-yw1-f173.google.com;CAT:NONE;SFS:(13230025)(451199018)(86362001)(55446002)(3480700007)(7596003)(356005)(7636003)(7116003)(19618925003)(5660300002)(1096003)(8676002)(15650500001)(34206002)(26005)(336012)(73392003)(83380400001)(33964004)(76482006)(42186006)(6666004)(82202003)(564344004)(67856001);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Feb 2023 17:55:27.5190
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 5da12e0c-1dd0-4cf2-6c8a-08db11102711
X-MS-Exchange-CrossTenant-Id: d103ed7b-e2f5-4931-8510-62614fb4f256
X-MS-Exchange-CrossTenant-AuthSource:
DM3NAM02FT051.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN9PR18MB4377
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.8715068
X-MS-Exchange-Processed-By-BccFoldering: 15.20.6111.013
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097);
X-Microsoft-Antispam-Message-Info:
=?utf-8?B?bGNFazZpSjRsM0dJNEV5NCt5SCtVMWZhdU42eE8xNWlwSit2ejBMOEduckt0?=
=?utf-8?B?NkJaZldiZkNXWjdjRTRjUGNvc1dNYTQ3RzVwL0ZuVG8wSGlGWlZrd1BwcXdF?=
=?utf-8?B?QVhUaFo3aTdTVFB2d2J1cFd4UXFONWt0QXpQZ25oQ2crZEs5LzJsV2NXdk9I?=
=?utf-8?B?dC94d2VoMXFiYVBDRGVVdEhrbndKOEhDZEx3M0d6NTV1UGd6dmlsRk12b2VB?=
=?utf-8?B?UXFoNUQwbG41MHlDcFNJbVpqTVZFekp6blVBVUNlMUdhRnVVd200ZzM3Z0FQ?=
=?utf-8?B?eGVONmRxeVhJSjlPK0lmVjNsYzJHS1hjRjhMRVJselZCQyszMzB5aE5UdkZt?=
=?utf-8?B?cjRlbmpjUEVjM0x6dk1YZFJRYTZqOEhwcktaa0R4U3hvVWVWUnlLcmZTek91?=
=?utf-8?B?RVppYVUzWDZYWmlGYno4UFZXbGpqSFNLT1M4M0JZUGtnSlRmRmdWWkNlSW5O?=
=?utf-8?B?UlR5SHRiY3p4WnR0cG0vbkJ4YytFNWVmbUNDMFl0eFd4YzVDS3JaVXEra2lY?=
=?utf-8?B?TGh6aFlFYWkvWDRnK0RtVlFwL0JLRUEydUpzWjFzMm1OdjhUNmVHUTExaHRr?=
=?utf-8?B?M05RSXFHK1lVRFVyaVR4eHlIUXEzNWxSOXdxVHgrTDg0bC9YRkMzSmtaN1RF?=
=?utf-8?B?TStRTDV0MHM0SE80V296M1pXSG9JbHY3UW95NW96cm82enF2NlJ0a0FHdndi?=
=?utf-8?B?c1hpaUpicWRMZTFiZ1F0WnZXb0VONC9JUnhPcWtVbDE2TlRXZFcwSStlOFc0?=
=?utf-8?B?a1VIM3ZVYmN2TXhQYzU3eDZiMVJPWkFGV3dXUkNuMkNqeS9adVRuK0c0dmp6?=
=?utf-8?B?dzZib1NtRU56QWRjNTFHYS9mazdRazZPVE1iTjhRc0hZaFVRR3ZQblFTU1lR?=
=?utf-8?B?RVQram0ydkwrSzJrM1dKdzhkZHRJSlh6am9YdnM2eGZGa0RKMzNxMjFPVnpt?=
=?utf-8?B?NlhJRXFyeE1zSDBhQXl5WGJwQlQ5NUZYVVMvMFFEektiVkxWSzVwK3ZkSG4z?=
=?utf-8?B?RXdVdjZxako1aUw0cGVoM0xDajE5Y3VaR3g5OElCTFB4cTAzN1U3KzdGbTNM?=
=?utf-8?B?N3lRUW1UL3hQMDNPTVhIM1VNejlMOWtSeVBqa2xQdXFEa1Q3cjNwMjV6SnN3?=
=?utf-8?B?MVM5T09ZUGZyVy9uQW1PS29URzZGZi90cXBBT3c4ZXpzMWtpN2hsbDRjUzhs?=
=?utf-8?B?bURMK2s3VldhZDNtVFM5WVdldHRUTTlSM21Zb1hCSkxWR2Ztamx1Q0x1OGN6?=
=?utf-8?B?Q241T3ZWZmpHbWJnZnNaWm9xV1lWUVAzRFJHaXV1SDJPbzQ2V1RNSkN6M2h1?=
=?utf-8?B?N2ZsL3JoMUNSbXY5NVJta2Mvc0hRNlVPVm1vd2VveGpUVkhvVWtJVDMwem82?=
=?utf-8?B?bFVjanZwc1lNYmptZzJzVHlSRWxab1gyMVlCMlMza3V4QzlyZ21KMnQyK1lv?=
=?utf-8?B?UTZjYjJzd3lCZEdDN0dnT1lqeDFPZ2xqNW5iUXh0OEJDMllabHNwa2JvYWcx?=
=?utf-8?B?MlVFQWV3M3p2MFpuUnhxSnc2V0x1cXdBeW9VamF1NU9BSGVPTkZDZEt1cjVT?=
=?utf-8?B?WnVZRGJvNU1CWlE4Y2h5aGljQTVjckphR2xWU2xOazNTN2JwSVgvblNZcm5C?=
=?utf-8?B?MXhrUjJHTm03WGcxM29BdkNSdWpsZWN2dkw2MDkrckY4LzBqc3pDdUErNXlw?=
=?utf-8?B?OWQvbzhTRitJdkdONFd5NWJwNmxFbVdGVVZFd3BYVWxvSnRETFZzcm9OVS9B?=
=?utf-8?B?N0l6R2RUV0M0Y2YvQ0NrN0o1WXZpY1JMdjdwRFhSenhjSU44SWE4UEFvTnJM?=
=?utf-8?B?Mm51M0FyVXpDdlVzKzl5OWJWcU02S0NhZUJpbG1LY3ZlNFU1TjVZamRhTUEv?=
=?utf-8?B?ckNneFFTQlRmUWhzNUwzN1BEZm1KMG1VclpXb1NPRmY1M3VJdTB3TTVHZmk0?=
=?utf-8?B?dGJCdnJGL0ZuT2RBTnN0bDc4ZktITjFQY3ZsMmNRR0xad3VBenlDME5NZ1A2?=
=?utf-8?B?V0ZSdzB5OXdlTFFJeHk2VmMxM0hZRWgyZjRlY2h2VkdHWmRxOWtwVWhQeE85?=
=?utf-8?B?YkVMaGlPcWM2SW1JOWtnUzI2b29qa256KzU1MzIyZmFHTEl1YmhmdytwU3dM?=
=?utf-8?B?ZjlUbE94QXJDSVhaSWRuNzhFeGl1dTVuV1lxRkRNWkJHQTZhVy8zcE1Wdmkw?=
=?utf-8?Q?a5CEme5rJo1jaqSZGDw1EZg=3D?=
MIME-Version: 1.0
--000000000000b069a405f4e90420
Content-Type: text/plain; charset="UTF-8"
Message body
--000000000000b069a405f4e90420
Content-Type: text/html; charset="UTF-8"
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="auto">Message body</div>
--000000000000b069a405f4e90420--
Your first hop appears to be along the lines of the trace header on lines 25-26 of the above example—although it is referencing a different Gmail server.
If you would like to see an example message where the same Gmail MTA is referenced, take a look at this one (lines 58-59):