[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Possible to use Gmail DKIM Signature to find when email was really sent?

Posted on 2011-09-20
6
Medium Priority
?
520 Views
Last Modified: 2013-11-05
I have recently been forwarded an email which I believe may be a fake.

Due to this I requested full headers to also be sent, which all look legitimate. It's from one Gmail account to another.

However, I noticed in the headers is the encrypted DKIM Signature. Is there a way to decrypt this, as I believe it may contain information about when the email was sent, which may not corroborate with the time stated in the rest of the headers. I believe the email was actually sent one month earlier than the rest of the headers suggest.

Can the DKIM Signature be used for this purpose, and if so, how can I decrypt it? Or if this is simply not possible and I am misunderstanding the purposes of a DKIM Signature, that is an answer too.
0
Comment
Question by:mentalmark
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36571169
No need to decrypt it for what you are asking.  The t= tag in the signature is a UNIX timestamp, you can convert it here.
0
 

Author Comment

by:mentalmark
ID: 36571233
There's no t= tag anywhere in the DKIM sig or anywhere else in the message. This was send from a Gmail account to a Google Apps account.

Any idea why not? Looking at various emails, not all that many have the T= tag.

Can I still decrypt it?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36571255
No it's a one-way hash.  All you can do is verify that the hash in the signature was created with a private key whose matching public key is in DNS. I should have been more clear on that in my first answer.

Unfortunately, unless the mail was sent to you so that you can see the "real" headers, any headers you get forwarded to you from another user can be easily forged.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:mentalmark
ID: 36571279
Ah, thank you.

Just to confirm before accepting and closing this one...

I am fairly sure the hash in the signature will have been legit for when the message was sent, as I imagine it actually was sent. Everything else in the headers checks out, and the headers indicate the DKIM check was passed (when the message was initially received).

Just the date the message was sent has probably been changed throughout the headers.

I presume there is no way to "re-validate" the message by replicating the method a mail server would initially use to validate DKIM when receiving it? Or is it a case that once a message has been received, DKIM for that message is of no use (as appears to be the case).

Apologies for being slow!
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 2000 total points
ID: 36571296
You are correct in that there is no use to do it now.  It's really just for the receiving server to help validate authenticity of mail sources.

I don't know if you meant slow as in slow to reply, or slow in the head, because I don't believe either of those apply here :)
0
 

Author Comment

by:mentalmark
ID: 36571301
Haha, well thank you very much for both your expertise and generosity :)
0

Featured Post

Tech or Treat! - Giveaway

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question