How to Determine Email Client

Hello,

I am investigating emails from several Gmail accounts and trying to determine if they were sent using an email client such as Outlook, from Gmail.com on the web or by using a cell phone. Would the email headers contain this information? Any suggestions would be greatly appreciated.

2 Likes

Yes and no :smile:

While some email clients insert message headers to identify themselves (e.g.,
X-Mailer: Microsoft Outlook 16.0), some others don’t. That said, there are often other data points you can examine.

I’ve included three sample messages below (click to expand). They are very simple messages, sent from Android (Gmail App), Outlook 16, and Gmail web—edited out a few voluminous header fields for brevity.

Email sent from Gmail Web
X-Apparently-To: fecdev@yahoo.com; Mon, 06 Jan 2020 19:54:26 +0000
Return-Path: <lmisf01@gmail.com>
Authentication-Results: mta4283.mail.bf1.yahoo.com; 
 dkim=pass (ok) header.i=@gmail.com header.s=20161025;
 spf=pass smtp.mailfrom=@gmail.com;
 dmarc=pass(p=none sp=quarantine dis=none) header.from=gmail.com;
Received-SPF: pass (domain of gmail.com designates 209.85.167.175 as permitted sender)
X-Originating-IP: [209.85.167.175]
Received: from 10.197.34.75  (EHLO mail-oi1-f175.google.com) (209.85.167.175)
  by mta4283.mail.bf1.yahoo.com with SMTPS; Mon, 06 Jan 2020 19:54:25 +0000
Received: by mail-oi1-f175.google.com with SMTP id d62so16715470oia.11
        for <fecdev@yahoo.com>; Mon, 06 Jan 2020 11:54:25 -0800 (PST)
X-Gm-Message-State: APjAAAVr8GKsWmDbxcnjrPJ0htSIBoNmUCvB9Ag0AU4tCB5ql/ovT2lo
	r/4Xap+VdqiybB7qUcF0XZS6QtYQgL7rN2iDxLqaQfHe
X-Google-Smtp-Source: APXvYqwylVJ+2GdbBGPKzc4O3Zu0Qc1HDElFhhTlMRpGn+/IDysgPlZASjJ3d5tiTLiVIiU6Ob2DCvExI/1arq+0RUk=
X-Received: by 2002:aca:d903:: with SMTP id q3mr6392330oig.12.1578340465329;
 Mon, 06 Jan 2020 11:54:25 -0800 (PST)
MIME-Version: 1.0
From: LMISF Test <lmisf01@gmail.com>
Date: Mon, 6 Jan 2020 11:54:18 -0800
Message-ID: <CAMvYnDNYcqte+ZcO1Aw0_wDiy7zXYrSnOSssKzUCY3cn9U69_A@mail.gmail.com>
Subject: Test from Gmail Web
To: fecdev@yahoo.com
Content-Type: multipart/alternative; boundary="000000000000c549f3059b7e0688"
Content-Length: 339

--000000000000c549f3059b7e0688
Content-Type: text/plain; charset="UTF-8"

This is the body of an email sent from Gmail on the web to Yahoo.

--000000000000c549f3059b7e0688
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">This is the body of an email sent from Gmail on the web to Yahoo.<br></div>

--000000000000c549f3059b7e0688--
Email sent via Outlook
X-Apparently-To: fecdev@yahoo.com; Mon, 06 Jan 2020 20:06:01 +0000
Return-Path: <lmisf01@gmail.com>
Authentication-Results: mta4202.mail.ne1.yahoo.com; 
 dkim=pass (ok) header.i=@gmail.com header.s=20161025;
 spf=pass smtp.mailfrom=@gmail.com;
 dmarc=pass(p=none sp=quarantine dis=none) header.from=gmail.com;
Received-SPF: pass (domain of gmail.com designates 209.85.215.180 as permitted sender)
X-Originating-IP: [209.85.215.180]
Received: from 10.217.130.17  (EHLO mail-pg1-f180.google.com) (209.85.215.180)
  by mta4202.mail.ne1.yahoo.com with SMTPS; Mon, 06 Jan 2020 20:06:01 +0000
Received: by mail-pg1-f180.google.com with SMTP id k3so27354527pgc.3
        for <fecdev@yahoo.com>; Mon, 06 Jan 2020 12:06:01 -0800 (PST)
X-Gm-Message-State: APjAAAU1ztyAEuXNkub0paV4W28Tu/cax3NFUE7anPoKsNEO5gg8wPAn
	ySeN6wilsBOhg/try+lS7H/WRIa5MnA=
X-Google-Smtp-Source: APXvYqyRnNbxjdO0Oqt4JGv8PKY9MV79V2tDti/bn3mR6B+QGDdMG3kditksOjUNaEKNmdRSrdELFA==
X-Received: by 2002:a63:28c7:: with SMTP id o190mr109687943pgo.394.1578341160386;
        Mon, 06 Jan 2020 12:06:00 -0800 (PST)
Return-Path: <lmisf01@gmail.com>
Received: from <computername> ([xxx.xxx.xxx.xxx])
        by smtp.gmail.com with ESMTPSA id i8sm63452858pfa.109.2020.01.06.12.05.59
        for <fecdev@yahoo.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 06 Jan 2020 12:06:00 -0800 (PST)
From: "LMISF01" <lmisf01@gmail.com>
To: <fecdev@yahoo.com>
Subject: Test from Outlook
Date: Mon, 6 Jan 2020 12:06:02 -0800
Message-ID: <0a6f01d5c4cc$b9145e70$2b3d1b50$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0A70_01D5C489.AAF193A0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdXEzIY/C5WB1x/BREeMK5BBoT9QGQ==
Content-Language: en-us
Content-Length: 2330

This is a multipart message in MIME format.

------=_NextPart_000_0A70_01D5C489.AAF193A0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

This is the body of an email sent via Outlook 16 on a PC.


------=_NextPart_000_0A70_01D5C489.AAF193A0
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><META =
HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Cambria;
	panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Cambria",serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri",sans-serif;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal><span =
style=3D'font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;ba=
ckground:white'>This is the body of an email sent via Outlook 16 on a =
PC.</span><span =
style=3D'font-family:"Cambria",serif'><o:p></o:p></span></p></div></body>=
</html>
------=_NextPart_000_0A70_01D5C489.AAF193A0--
Email sent via Android
X-Apparently-To: fecdev@yahoo.com; Mon, 06 Jan 2020 20:10:40 +0000
Return-Path: <lmisf01@gmail.com>
Authentication-Results: mta4021.mail.bf1.yahoo.com; 
 dkim=pass (ok) header.i=@gmail.com header.s=20161025;
 spf=pass smtp.mailfrom=@gmail.com;
 dmarc=pass(p=none sp=quarantine dis=none) header.from=gmail.com;
Received-SPF: pass (domain of gmail.com designates 209.85.210.42 as permitted sender)
X-Originating-IP: [209.85.210.42]
Received: from 10.196.243.13  (EHLO mail-ot1-f42.google.com) (209.85.210.42)
  by mta4021.mail.bf1.yahoo.com with SMTPS; Mon, 06 Jan 2020 20:10:40 +0000
Received: by mail-ot1-f42.google.com with SMTP id b18so51346114otp.0
        for <fecdev@yahoo.com>; Mon, 06 Jan 2020 12:10:40 -0800 (PST)
X-Gm-Message-State: APjAAAUSNslVssraUXT0ux6h+CcYEOuoSfH88MtPTjgBd90e3IbGpQSQ
	2zCOtM+Wx1IZeUjK511uDhRQDxO+2NXrGk8rf15AU4Kv
X-Google-Smtp-Source: APXvYqzLtfx7Ssphne4kLNVQoQKpNS9n1do706lNr2M97T470pFINISiHwj4xherQd0iLdBAzq6d+jfZm+dAoW7o8M8=
X-Received: by 2002:a9d:560f:: with SMTP id e15mr6655172oti.301.1578341440085;
 Mon, 06 Jan 2020 12:10:40 -0800 (PST)
MIME-Version: 1.0
From: LMISF Test <lmisf01@gmail.com>
Date: Mon, 6 Jan 2020 12:10:28 -0800
Message-ID: <CAMvYnDN=YdHUR2_vs==eJ28PmLSgJgdopMmMuvUvnha_uxDoEQ@mail.gmail.com>
Subject: Test from Mobile
To: fecdev@yahoo.com
Content-Type: multipart/alternative; boundary="000000000000dee3f1059b7e40a4"
Content-Length: 354

--000000000000dee3f1059b7e40a4
Content-Type: text/plain; charset="UTF-8"

This is the body of an email sent using the official Gmail App on Android.

--000000000000dee3f1059b7e40a4
Content-Type: text/html; charset="UTF-8"

<div dir="auto">This is the body of an email sent using the official Gmail App on Android.</div>

--000000000000dee3f1059b7e40a4--

Outlook

The first thing that catches my attention in the email sent via Outlook is that the trace fields contain the end user’s computer name and public IP address (redacted above).

The message ID when the message is sent via Outlook is in the following format:
<unique_value>@gmail.com

while Gmail’s web interface and Android App produce message IDs in the following format:
<unique_value>@mail.gmail.com

This is likely due to a difference between Gmail API and Gmail over IMAP.

Outlook inserts the X-Mailer: Microsoft Outlook 16.0 message header to identify itself.

Outlook adds a Thread-Index header field to carry the PR_CONVERSATION_INDEX MAPI property:
Thread-Index: AdXEzIY/C5WB1x/BREeMK5BBoT9QGQ==

The AdXEzIY/C5WB1x/BREeMK5BBoT9QGQ== part is the conversation index in Base64 encoded form. You can decode the conversation index to get information about the email thread such as the date of the original message (i.e., header date), the number of child messages, and other timing information.

Outlook uses the ----=_NextPart_000_0A70_01D5C489.AAF193A0 format for the MIME boundary delimiters. It’s important to note that 01D5C489.AAF193A0 is a timestamp in FILETIME format that decodes to 06 January 2020 12:06:03—the time the message was submitted in the sender’s local time zone.

The message body also contains quite a bit of extra HTML markup, which even references Microsoft Word 15!

Gmail Web and Android

Looking at the messages from Gmail Web and Android App reveals that their structure is the same. In both cases, the X-Originating-IP header field lists the IP address of the Google server rather than that of the end user. Message ID values end with @mail.gmail.com and the MIME boundary delimiters are in the following form: --000000000000<unique_value>--

5 Likes

This was very helpful. Thank you!

1 Like

Any tools available for decoding FILETIME format?
I’ve tried CyberChef but it doesn’t work.

You can do the conversion in CyberChef as follows:

Convert FILETIME to Human-readable Timestamp via CyberChef

1 Like

Thanks.
I just tried DCode v5.1 and that did work.

multipart/alternative; boundary="----=_NextPart_000_0038_01C95BBA.E4A541D0"

01C95BBAE4A541D0 => 2008-12-11 18:04:21.4850000 Z

X-OriginalArrivalTime: 15 Dec 2008 03:16:02.0832 (UTC) FILETIME=[75D33900:01C95E63]

01C95E6375D33900 => 2008-12-15 03:16:02.8320000 Z

1 Like
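Worked example, added here and not code from the thread: a Python script that applies the indicators laid out in the analysis above (X-Mailer, Message-ID domain, Outlook's FILETIME-stamped MIME boundary, Thread-Index) and decodes the FILETIME values discussed in the last replies. The function names, the verdict strings and the cut-down sample message are my own constructions; the header values in the sample are copied from the Outlook message posted above, and the 6-byte reading of the Thread-Index timestamp follows common decoder practice rather than anything stated in the thread.

```python
import base64
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    """64-bit FILETIME tick count -> timezone-aware datetime (UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def outlook_boundary_time(boundary: str):
    """Outlook boundaries end in <high32>.<low32> of a FILETIME, e.g.
    ----=_NextPart_000_0A70_01D5C489.AAF193A0; Outlook stamps local time."""
    m = re.search(r"_([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})$", boundary)
    return filetime_to_datetime(int(m.group(1) + m.group(2), 16)) if m else None

def thread_index_time(value: str):
    """Thread-Index = Base64 PR_CONVERSATION_INDEX: 22-byte header (0x01, 5 FILETIME
    bytes, 16-byte GUID) then 5 bytes per reply. As 0x01 is also the FILETIME's
    top byte for current dates, bytes 0-5 are the top 48 bits of the compose time (UTC)."""
    raw = base64.b64decode(value)
    if len(raw) < 22:
        return None, 0
    return filetime_to_datetime(int.from_bytes(raw[:6], "big") << 16), (len(raw) - 22) // 5

def classify_client(raw_message: str) -> dict:
    """Apply the thread's indicators (X-Mailer, Message-ID domain, boundary
    style, Thread-Index); returns the evidence found plus a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    boundary = msg.get_boundary() or ""
    domain = msg.get("Message-ID", "").rstrip(">").rsplit("@", 1)[-1]
    tidx = msg.get("Thread-Index")
    ev = {"x_mailer": msg.get("X-Mailer"), "msgid_domain": domain,
          "boundary_time": outlook_boundary_time(boundary),
          "compose_time": thread_index_time(tidx)[0] if tidx else None,
          "verdict": "undetermined"}
    if ev["x_mailer"] or ev["boundary_time"] or domain == "gmail.com":
        ev["verdict"] = "desktop client via SMTP submission (Outlook-style)"
    elif domain == "mail.gmail.com" and boundary.startswith("000000000000"):
        ev["verdict"] = "Gmail web or official Gmail app"
    return ev

# Constructed sample: the thread's Outlook message, cut down to the headers inspected.
OUTLOOK_SAMPLE = """Message-ID: <0a6f01d5c4cc$b9145e70$2b3d1b50$@gmail.com>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0A70_01D5C489.AAF193A0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdXEzIY/C5WB1x/BREeMK5BBoT9QGQ==
"""
```

On the Outlook sample, boundary_time decodes to 12:06:03 (the local submit time, as the analysis notes) while compose_time from Thread-Index comes out as 20:04:38 UTC, roughly 90 seconds before the message's Date header. The two clocks therefore differ by the sender's UTC offset, which is itself a data point worth recording.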