Question

I'd like to find out from where an email has been sent.

I already know I have to find the "Received From" that's farthest down in the complete headers to get the private and the public IP addresses.

But I'm a little bit confused when the private IP is [127.0.0.1]. Could we say it means that the mail has been sent from the same LAN as the mail server (public IP address)? Or that the mail is read on the same PC that has sent the email?

The goal is to prove that an email has been sent from a precise location (a PC on a LAN with an internal mail server) and not from a client using a webmail installed on this server.


Solution 2

I got the solution! I've compared the email headers of one email sent from the LAN and one email sent from the webmail:

- in the first case, the oldest "received from" is 127.0.0.1 and the public IP address
- in the 2nd case, the oldest "received from" header is the name of the webmail component, which is also indicated in the X-Mailer header, and the public IP address is indicated in another "received from" header.

Thanks again Senjai for your precious help that put me a little on the way!
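The comparison described in this answer can be scripted. The following is an added example, not part of the original post: it reads the oldest `Received` header, classifies any bracketed IPs, and checks whether the `from` name also appears in `X-Mailer`. The host names, the `ExampleWebmail` product name and the sample messages are constructed, and the two pattern labels are assumptions based on what the answer observed on one server.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 ranges are tested explicitly: ipaddress.is_private would also flag
# the documentation range (203.0.113.0/24) standing in for a public IP below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def kind(ip):
    private = any(ip in net for net in RFC1918)
    return "loopback" if ip.is_loopback else "private" if private else "public"

def oldest_hop(raw):
    """Summarise the bottom-most (oldest) Received header of a raw message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    oldest = " ".join(received[-1].split())        # unfold continuation lines
    m = re.match(r"from\s+(\S+)", oldest, re.I)
    sender = m.group(1).strip("[]") if m else ""
    ips = {}
    for text in BRACKETED_IP.findall(oldest):
        try:
            ips[text] = kind(ipaddress.ip_address(text))
        except ValueError:                          # bracketed text that is not an IP
            continue
    return {"from": sender, "ips": ips, "from_in_xmailer":
            bool(sender) and sender.lower() in msg.get("X-Mailer", "").lower()}

def origin_pattern(raw):
    """Map a message to one of the two patterns observed in the answer above."""
    hop = oldest_hop(raw)
    if hop is None:
        return "no-received-headers"
    if hop["from_in_xmailer"]:
        return "webmail-component"
    if "loopback" in hop["ips"].values():
        return "loopback-submission"
    return "unclassified"

# Constructed samples (hypothetical hosts, documentation-range address).
LAN_MAIL = ("Received: from mx.example.org by mx.recipient.example with ESMTP\n"
            "Received: from [127.0.0.1] (gw.example.org [203.0.113.10])\n\tby mail.example.org with ESMTP\n"
            "X-Mailer: Example Desktop Client 3.2\n\nbody\n")
WEBMAIL = ("Received: from mail.example.org (mail.example.org [203.0.113.10]) by mx.recipient.example\n"
           "Received: from ExampleWebmail by mail.example.org with HTTP\n"
           "X-Mailer: ExampleWebmail 1.4\n\nbody\n")
```

`Received` lines below the first server you control are written by the sending side, so the result is only as trustworthy as that server's own logs can confirm.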

OTHER TIPS

127.0.0.1 is the IP for the local computer. The public IP is usually the IP of the gateway that is exposed to the internet, either the router, or the computer if it's a direct connection. The private IP, depending on the client, can be the internal IP or LAN IP of the device, or, in the case of 127.0.0.1, it references the computer itself.

Going to http://127.0.0.1 will always attempt to connect to your own computer.

Webmail doesn't always reveal the IP the user is connecting from when using their clients. Usually the IP provided is that of the webmail server, not the client connected to the server.

Email headers aren't really a reliable way to trace locations.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow