What is email envelope and email header

2023-04-12

Networking Security

Email Envelope vs Email Header

To understand what the SPF and DKIM is, it is necessary to know the difference between email envelope and email header.

An email message is very similar to a physical letter that you would send in the mail. There is an envelope, with To/From information, and there is the actual letter on the inside, with it's own To/From information. The envelope to/from information is the real information that is used for message delivery, for both email servers and post offices.

When an envelope comes into a post office, they inspect the To address on the envelope, and send it to the correct destination. The post office workers have no knowledge of the letter inside the envelope. The letting inside could have completely different To/From information than the envelope says. The Envelope could say the message is to Bob, but the letter inside may say it's for Alice. Or in real world: The envelope could say the message is to SomeCompanyName, and when secretary open envelope, letter inside say, it's is for Mr. Brown which work in SomeCompanyName.

email envelope with email header and body

The same is true for emails. The envelope To/From is the most important information when delivering a message. If the envelope says the message is to joe@domain.com and mary@domain.com, then the message is sent to both, regardless of what the letter inside (the message header) says the message is To:.

The envelope headers are the MAIL FROM and RCPT TO parts of the SMTP conversation . The envelope sender is the MAIL FROM address, and the envelope recipients are the RCPT TO addresses.

smtp content with envelope header

SMTP routing between mail transfer agents (MTA's) is based exclusively on the envelope header

After recipient mailserver delivers the email to the recipient's mailbox (recipient is always email address in envelope header) is email envelope discarded with one important exception. Mostly, recipient mailserver writes sender email address from email envelope to the email header as Return-Path.

Important points for email envelope and email header

It is very esay to write fake/forged address in the MAIL FROM command in the smtp communication ( in the email envelope)
It is very easy to write fake/forged address in the From: email header
Both envelope sender together with email header sender can be faked
The sender's email address in email header From: can be differrent from the envelope's MAIL FROM

Example of Sender Address Forgery

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24


telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mailserver.secar.cz ESMTP
ehlo fakemailserver.com                                 # Here start email envelope	
250-mailserver.secar.cz
mail from: <FakeEnvelopeSender@fakedomain.com>          # Fake envelope sender
250 2.1.0 Ok
rcpt to: <manak@secar.cz>                               # Real recipient in mail routing
250 2.1.5 Ok
data                                                    # Here end email envelope and start email header
354 End data with <CR><LF>.<CR><LF>			
From: "Fake Sender" <FakeHeaderSender@fakedomain.com>   # Fake email header sender                 
To: "Real Recipient Name" <manak@secar.cz>              # email header recipient (what you see in your email client)                
Subject: test fake sender message                       # email header subject

This is test meassage                                   # After one empty line email header end and start email body

.
250 2.0.0 Ok: queued as 44DxhQ58Jgz6tvJ
quit                                                    # We end the smtp communication with recipient mailserver
221 2.0.0 Bye
Connection closed by foreign host.                      # tcp connection is closed

Look at lines 6,8,10 and 14-20
Lines from 5 to 12 are email envelope
Lines from 14 to 16 are email header

And what you see in your email client:

email header From: you see in your email client

And here is raw email message:

Return-Path: <FakeEnvelopeSender@fakedomain.com>
Delivered-To: <manak@secar.cz>
Received: from fakemailserver.com (localhost [127.0.0.1])
	by mailserver.secar.cz (mail_locahost) with ESMTP id 44DxhQ58Jgz6tvJ
	for <manak@secar.cz>; Wed,  6 Mar 2019 15:57:51 +0100 (CET)
From: "Fake Sender" <FakeHeaderSender@fakedomain.com>                 
To: "Real Recipient Name" <manak@secar.cz>                
Subject: test fake sender message 
Message-Id: <44DxhQ58Jgz6tvJ@mailserver.secar.cz>
Date: Wed,  6 Mar 2019 15:57:51 +0100 (CET)

This is test meassage

How protect email from sender address forgery

To protect email from sender address forgery you can use:

SPF is mechanism to control and check sender's envelope. SPF work on email envelope level.
DKIM is mechanism to control and check email header From: address.
DMARC - standard that combine both SPF and DKIM and is best solution to protect email from sender address forgery.