How can I prove that I didn’t send a particular email?

//
A guy received an email apparently from my email address (a Yahoo account), but I’ve never sent such a mail. Now, I received a letter from the attorney of this guy accusing me of harassing his client. The  email in question was sent in April of last year. What can I do to help clarify this misunderstanding?

As it turns out, making email that looks like it came from you is really easy. Spammers actually use “From” spoofing all the time to do this.

Surprisingly, proving that it was not from you might be a little harder.

Become a Patron of Ask Leo! and go ad-free!

Who is this message “from” really?

Most of our messages are accurate, but  it’s easy for someone to make email look like it came “from” someone it did not. Spammers do this all the time – as a result the From: line is actually a fairly unreliable indicator of who actually sent an email.

It’s more difficult to change the headers in email. These are the additional information (which you don’t normally see) that accompanies every email message. Typically, it includes the server-to-server path that the email took from when the message was sent to when it arrived in your inbox. It might even include more, such as the machine name, the real email address, or the IP address of the sender.

Or it might not. Unfortunately none of that is actually required although the server or delivery path is almost always present.

Email EnvelopeGet that message

The problem is that this information – the full message header – is in the hands of the person that is accusing you. You have to get it somehow. It’s not enough for them to just forward the message; all that would do is give you the “From” line that you know can be faked.

They need to do the equivalent of a “View Source” or “View Headers” on that message, depending on their email program, to show the entire technical details of that specific email message that they claim is coming from you. That’s what you or your attorney will need to see.

Once again, much of that information can also be spoofed, and fake headers are possible. Ultimately, only a technical analysis of what is there will give you chance of proving or disproving anything.

15 comments on “How can I prove that I didn’t send a particular email?”

  1. You might want to remind the “lawyer” that he is required to prove that the email came from you.

    If the person is reasonable, you can pass on Leo’s notes to view the header. The header can be relatively cryptic looking but it will list all the servers that the email went through and lead back to the sender.

    If he is not reasonable, he doesn’t have a case by sending you a text file that could be doctored to claim it was you. He would need to serve your ISP with legal papers to compell them to show who sent the message.

    • And getting the ISP involved is the only reliable proof. Once my email is downloaded to his computer, he can use a text editor to modify the email headers. He can then forward the whole email including the headers to show that it did originate from your ISP’s server.

      Sometimes lawyers work by intimidation. They make it sound like you’re in trouble and there’s nothing you can do because they’ve got the proof. Sometimes you just need to call them on it.

    • > it will list all the servers that the email went through and lead back to the sender.

      And, possibly, a few extras. With that said, the entire email is falsifiable, as James said.

      When I saw the title of this article, I thought a more pertinent question is how anyone could prove you *did* send a particular email — the only answer that came to mind as a proper legal test would be whether the email was cryptographically signed (or even outright encrypted). Which almost nobody ever does.

      • As I understand it, while false headers can be added, there will always be a few added by the sytems once the email leaves the spammer’s control. Those cannot be falsified. It’s interesting sometimes to look at headers and note the transition point, since there’s typically a “missing link” in the server path.

        And yes, I believe you’re quite correct with respect to digital signatures. I do wish they were more ubiquitous.

  2. Been accused of sending an email from a colleagues email address (presumably logged in as him) and have to prove that I didn’t actually send it. Seems to be an issue relating to IP address left in the message details. My wireless network is unlocked with no password (seems a bit stupid now).
    How could this have happened?? any help would be appreciated as I am at my wits end trying to solve this mystery!! Thank you.

  3. Someone set up a email account under my name and is sending herself emails to look like I’m harrassing her. How do I show it didn’t actually come from me? If she has my IP address can she change that in the email to look as though it did come from me or is there a way to actually prove she is falsifying the email. She has the email printed but no one has looked on her computer or her email to see it, if they did wouldn’t it show it actually came from a different ip and not mine? All the help I can get is appreciated!

  4. I’m taking someone to a Small Claims Court for Breach of Contract we have emailed but they have some how edited my emails to say things I didn’t say, how can I prove this?

    • You may not be able to – email is inherently not secure unless you take additional steps to encrypt or digitally sign it, which is not something you can do easily, or after the fact. I would contact a computer forensics specialist to see if they can help with your specifics.

  5. I am in an awful situation. I am subjected to harassment by an unhinged individual. I am pursuing the matter with police as I have made allegations relating to this matter but do not feel it is appropriate to disclose further information relating to the police matter here.

    The following issue is running in parallel and time is of the essence
    He has produced screen shots of emails allegedly sent between his ex girlfriend and myself which clearly indicate an intimate relationship. We did not send these emails to one another. The screen shots look like they are from a gmail app, show our names but not our email addresses. He has forwarded these screen shots to my work. We both work in the same office. I feel I have been able to demonstrate how the screenshots could have been generated. i.e. by setting up two email addresses which are almost the same as the two target email addresses and then generating a conversation between the two. Then the actual target email address can be pasted over the email addresses this criminal has used in the conversations.

    He has also forwarded an email to my work which appears as if it has been sent from my gmail account to his ex girlfriend. It shows my gmail email address. He forwarded this particularly horrendous fake email and the screenshots to work in order to get us sacked for (i) failing to report an intimate relationship and, importantly, (ii) our alleged attempt to collude to deceive work with a plan to defend ourselves by denying we have an inappropriate relationship.
    I can understand that taken at face value there is a number of apparently compelling evidence against me (and also my colleague) but the evidence is total fabrication. Work are investigating this matter which I welcome. However, if the allegations are not dropped then I believe I will be dismissed. This and the lack of a reference would make it very difficult for me to find another job. This is a hugely stressful time.
    Please would someone give me some advice to help me defend this? I have asked my work to provide me with electronic copies of the emails this criminal has sent them so as I believe it may be possible to look at the Message IDs to prove they didn’t originate from me. Please would someone advise whether the message ID info I need is preserved, ie. the info will be present relating to the embedded forwarded emails. If it is can someone please advise how I can find someone to prove I am innocent? Lastly is there a better way of me proving these emails are fabricated ? Thank you

    • Hi Neil, I am in a similar situation with my ex. I know for a fact he fabricated an email sent from me to him. We are in family court and he has been trying to win but keeps losing, he is taking crazy lengoto price I am violent and the cause of his mental issues.

      He is now taking me to magestrate court to try have a VRO put on me. I see your matter was 2 years ago and I’m wondering what happened as I’m struggling as to where to turn for help.. I need to stop him and I need him to leave me alone but he is smart and catching him out is proving very difficult.. I’m changed my email addy just to protect myself for further crap like this from him. I have basically hidden my profile from him.. it’s a nightmare!

  6. I was injuryed on my job twice last year 2014. They let me go cause the boss said they dont have light duty anymore i had been doing it from june 2014 to feb 2015. Any ways now they showed there lawyer and my lawyer a email saying i sent this to a doctor. I dont have a doctors email and i dont know this doctor well enough to talk or send him a letter. So this letter did not have my email and the name they had who sent it was a kim rowland dont know her and that is not me. How can i prove to my lawyer i did not send it and i am not lieing. Thanks kim marshall

  7. Someone sent fraudulent emails using my gmail account to a government agency asking for money. They falsified documents that were sent to the government agency as well and when you review them you can tell they did so in order to raise suspicion as the false items clearly stood out. This resulted in an investigation. Not only did the person send them from my account and it appears they spoofed my IP address as well since the service provider shows the major hub not actually even my city. No money was ever paid but I’ve had to hire an attorney to represent me and it has cost tons of money so far. After these documents were sent in we had a burglary and computers, hard drives, routers, etc. were stolen. I contacted google and asked the to restore my files which is where I found the fraudulent emails and subsequently hired a cyber investigator to retrieve them so we could preserve the metadata and chain of custody, The files were recovered but it seems as if there is no way to prove they did or did not come from my computer. According to the investigator and Google they don’t retain this data for very long (the fraudulent message was sent 8-9 months ago. What they have simply shows an IP address which they both say could have been easily spoofed or someone could have put a key logger on my computer and/or other malware and accessed it remotely. The person who I think did this is pretty savvy in the tech field. The cyber investigator said it is almost impossible to prove attribution (the I was actually at the computer send the the emails) but it could be a lengthy back and forth. Is there anything else I can do to prove I did not send these or do I simply have to wait and pay expensive legal bills until the states attorney decides if they want to move forward? Any help would be appreciated.

Leave a reply: