mentalmark
asked on
Possible to use Gmail DKIM Signature to find when email was really sent?
I have recently been forwarded an email which I believe may be a fake.
Due to this I requested full headers to also be sent, which all look legitimate. It's from one Gmail account to another.
However, I noticed in the headers is the encrypted DKIM Signature. Is there a way to decrypt this, as I believe it may contain information about when the email was sent, which may not corroborate with the time stated in the rest of the headers. I believe the email was actually sent one month earlier than the rest of the headers suggest.
Can the DKIM Signature be used for this purpose, and if so, how can I decrypt it? Or if this is simply not possible and I am misunderstanding the purposes of a DKIM Signature, that is an answer too.
Due to this I requested full headers to also be sent, which all look legitimate. It's from one Gmail account to another.
However, I noticed in the headers is the encrypted DKIM Signature. Is there a way to decrypt this, as I believe it may contain information about when the email was sent, which may not corroborate with the time stated in the rest of the headers. I believe the email was actually sent one month earlier than the rest of the headers suggest.
Can the DKIM Signature be used for this purpose, and if so, how can I decrypt it? Or if this is simply not possible and I am misunderstanding the purposes of a DKIM Signature, that is an answer too.
Papertrip
No need to decrypt it for what you are asking. The t= tag in the signature is a UNIX timestamp, you can convert it here.
ASKER
There's no t= tag anywhere in the DKIM sig or anywhere else in the message. This was send from a Gmail account to a Google Apps account.
Any idea why not? Looking at various emails, not all that many have the T= tag.
Can I still decrypt it?
Any idea why not? Looking at various emails, not all that many have the T= tag.
Can I still decrypt it?
No it's a one-way hash. All you can do is verify that the hash in the signature was created with a private key whose matching public key is in DNS. I should have been more clear on that in my first answer.
Unfortunately, unless the mail was sent to you so that you can see the "real" headers, any headers you get forwarded to you from another user can be easily forged.
Unfortunately, unless the mail was sent to you so that you can see the "real" headers, any headers you get forwarded to you from another user can be easily forged.
ASKER
Ah, thank you.
Just to confirm before accepting and closing this one...
I am fairly sure the hash in the signature will have been legit for when the message was sent, as I imagine it actually was sent. Everything else in the headers checks out, and the headers indicate the DKIM check was passed (when the message was initially received).
Just the date the message was sent has probably been changed throughout the headers.
I presume there is no way to "re-validate" the message by replicating the method a mail server would initially use to validate DKIM when receiving it? Or is it a case that once a message has been received, DKIM for that message is of no use (as appears to be the case).
Apologies for being slow!
Just to confirm before accepting and closing this one...
I am fairly sure the hash in the signature will have been legit for when the message was sent, as I imagine it actually was sent. Everything else in the headers checks out, and the headers indicate the DKIM check was passed (when the message was initially received).
Just the date the message was sent has probably been changed throughout the headers.
I presume there is no way to "re-validate" the message by replicating the method a mail server would initially use to validate DKIM when receiving it? Or is it a case that once a message has been received, DKIM for that message is of no use (as appears to be the case).
Apologies for being slow!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Haha, well thank you very much for both your expertise and generosity :)