惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
Google Developers Blog
Cisco Talos Blog
Cisco Talos Blog
Y
Y Combinator Blog
罗磊的独立博客
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
GbyAI
GbyAI
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
J
Java Code Geeks
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 聂微东
B
Blog RSS Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
P
Privacy & Cybersecurity Law Blog
L
LangChain Blog
L
LINUX DO - 热门话题
Hugging Face - Blog
Hugging Face - Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Privacy International News Feed
F
Full Disclosure
S
Schneier on Security
T
Tenable Blog
量子位
NISL@THU
NISL@THU
Latest news
Latest news
V
Visual Studio Blog
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
博客园_首页
K
Kaspersky official blog
L
Lohrmann on Cybersecurity
美团技术团队
P
Proofpoint News Feed
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Vercel News
Vercel News
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
AWS News Blog
AWS News Blog
S
Securelist
The Register - Security
The Register - Security
G
GRAHAM CLULEY
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
Engineering at Meta
Engineering at Meta
C
Cisco Blogs

Buttondown's blog

Email could have been X.400 times better The physicists who convinced Fermilab to send Brazil's emails Better in-app previews Analytics 3.0 Subscriber ID variables Comments! Send latest premium action Automation filtering Free API subscribers Surveys in automations Reply to replies Labels for RSS feeds How Jeremy Singer-Vine curates curious datasets for readers 2023 (and what's next) Email vs web content Sort by engagement Better gift subscriptions How Andy Dehnart built a career reviewing television New email template Email-based automations Opt-in reply tracking Automatic alt text More social network integrations Sort by metadata Overlarge image warnings Automation tag actions Pause emails mid-flight Search tags and automations Gift via automations Subscriber-driving emails Programmatic webhooks Email page views Tag statistics Discord webhook formatting Automatic subscriber cleanup RSS subscriber count Weekly subscriber reports More list columns Customizable list views How Max Voltar turned a side gig into a trusted keyboard resource How Nick Disabato runs two newsletters from one design consultancy Made-for-you share images Automation improvements End-of-email surveys Filter by date Survey-triggered automations More automation functionality New webhooks How France Insider built a news service with paid subscribers Email as primary key How John Willshire unites two businesses in one newsletter Confirmation reminders Email churned subscribers Email-to-draft Subscriber metadata columns ChatGPT integration Faster web archives Referral program Better search results TikTok embeds Subscriber timeline Spotify embeds Improved RSS-to-email Subscribe page OG image New analytics page Google Tag Manager Even more subscriber types Integrating Duda with Buttondown Linktree integration guide Advanced and enterprise plans Framer integration guide API requests page Team collaboration In-email surveys Better CSS settings Better RSS automation fetching! Editor toolbar improvements Smart filters Faster emails page RSS automations Faster email analytics Zapier error codes Image accessibility checks Tags vs newsletters OG image picker Image editor improvements API bulk actions Improved OpenAPI spec Mastodon support Better subscriber filtering Better subscriber validation Hotkey support! Programmatic access to analytics Stronger bulk actions Faster archive page Custom canonical URLs Email slug and metadata Improved writing interface Generating a Typescript router in Django Filter emails by source
The subtle art of email forensics
Matthew Guay · 2025-07-25 · via Buttondown's blog

A custom MacBook takes a circuitous journey, from its birth in Shenzhen, hop over the border to Hong Kong, trans-pacific flight to JFK, stop over at DHL’s Cincinnati hub before a final flight closer to its destination, to finally ride the last miles to your home in a yellow DHL van.

What matters is that your MacBook arrives in a timely manner. The hops, themselves, are irrelevant.

Same for a paper letter, with the posted location divulged by the stamp and cancellation, with paper and ink hinting at the writing circumstances. Multiple shades of ink could be clues that their pen went dry—or that they started writing one day, finished on another. An assortment of Par Avion stickers and customs stamps might reveal the route the letter took.

Sherlock Holmes clues, all of them, inconsequential for most packages and posts, yet fascinating in a geeky way, a reminder of the infrastructure that unknowingly undergirds our lives, of the choices and decisions that go into every interaction. And every now and then, they do matter, as when a court case hinged on evidence being purportedly written in 2006, but typed in Calibri, a font that wasn’t widely released until 2007. For want of a time-period-specific font, the forgery unraveled.

Email apps leave similar clues behind, barely hidden, in every email message you receive. Sometimes they’re just-for-fun, when you’re curious which email app a friend uses, or how your favorite newsletter is sent. Other times they’re more serious; when an email seems to have been sent from one site or app but deeper clues reveal otherwise, it could be a fraudulent message.

With a bit of awareness, a bit of digging, you can trace almost any email back to where it first came to life in a Compose dialog.

Basic: Check for visual clues

The app-style icons and the Read in App button are Substack giveaways

Some clues aren’t even hiding. They’re right there in the signature, announcing which app sent an email.

From Hotmail’s classic “Get your free e-mail at Hotmail” and the iPhone’s “Sent from my iPhone” signature in the ’90’s to Mailchimp’s monkey icon in the footer, Ghost’s “Powered by Ghost” tagline, and Buttondown’s “Brought to you by Buttondown” signature, it’s hard to mistake which app sent some emails.

Others are equally obvious, if you know what to look for. Emails sent from Substack often have a “Read in app” button in their header, along with buttons to like, comment, or share a post. Replies from Outlook may included a “You don’t often get emails from...” or “Do not click links or attachments...” bit in quoted reply text. And an emoji-only reply typically will only come from Gmail.

A Gmail reaction emoji, or a Superhuman scheduling link, is a dead giveaway

Links are the next best clue, for emails sent from newsletter services. Not all Substack emails include the app icons, but they do tend to include an unsubscribe link that includes substack.com. You’ll find links throughout the message; images typically include the sending service’s URL, and inline links often get wrapped in similar URLs to track clicks. 

You’ll start recognizing links from other apps over time; list-manage.com links are from MailChimp, createsend.com and cmail.com links come from Campaign Monitor, and so on. 

Typically visiting the URL is enough to find out who’s behind the service. And every now and then, you’ll find links that indicate which app was used to send a personal email. A Gmail or Superhuman scheduling link likely indicates that the email was written inside those apps; an iCloud Mail Drop link to download a larger attachment, similarly, means Apple Mail on Mac or iOS was used to send the message.

A Gmail email in 11pt sans serif (Helvetica, on a Mac), versus an Outlook email in 11pt Calibri

Design clues offer another strong hint. Emails from Microsoft Outlook look a bit like other Office documents, with emails set in 11pt Calibri or Tahoma fonts. Gmail uses your computer’s default sans serif font at the same 11pt, while Apple Mail will use a slightly larger 12pt Helvetica. Default email templates from popular email newsletter services have similar tells.

So if you receive a message set in 11pt Calibri that says “Sent from my iPhone” in the footer, and the links in the message are wrapped in another sending service’s URL, your spidey senses should be tingling that the email may not be exactly what it’s claiming to be.

Advanced: Scan email headers

Email headers reveal that this newsletter was sent with Beehiiv

Which means it’s time to get down to code. For in your email’s raw source code, especially in its headers, you’ll find clues both to which software was used to send the message and the email provider or ESP used to deliver it.

To view an email’s raw source in Gmail, open an email, click the 3-dot menu in the top-right corner, and select View Original. In Outlook, right-click on a message and choose View Source. In Apple Mail, click Message -> Raw Source. Poke around in your favorite email app’s menus, and you’ll likely find a similar option there as well.

There, scan the headers. The simplest to look for is X-Mailer, a non-standard, “informational” email header mentioned as early as 1997 but never officially standardized as part of email. It’s inconsistently used, but there’s a fair chance you’ll see an email app listed there, something like X-Mailer: Apple Mail (2.3826.400.131.1.6) or Airmail Beta (146) for messages sent from that short-lived email app.

You might also see other app-specific headers. Gmail messages may include X-Google headers, Superhuman adds X-Superhuman header, while X-MS-Office365 or X-MS-Exchange headers for emails sent from Outlook and Exchange. Watch for any unusual headers with names related to email software. You’ll discover some email history along the way; emails sent from Adobe Campaign, for instance, include a s=neolane line in their DKIM header for the app that Adobe acquired to build their email sending service. But also watch out for headers your email service may add; if you’re using Gmail, most emails will include a X-Google-Smtp-Source: header, regardless of which software sent the message.

Then, dig into the domain names listed in the DKIM signature, Received path, Return path for bounced emails, and more. An email sent from Proton mail might include a Received: from mail-24421.protonmail.ch line, say. Sometimes you’ll put multiple clues together that way; perhaps the Received line shows they used Proton mail’s sending service, while the X-Mailer shows they used Outlook to type the message. You’ll start uncovering somewhat cryptic domains along the way: messagingengine.com for Fastmail, mtasv.net for Postmark, cmail2.com for Campaign Monitor, list-manage.com for MailChimp, and so on.

You might find out more than you expected. An Unsubscribe domain and X-Mailer, say, show that an email is sent via Customer.io, while DKIM headers with mtasv.net mean that the email itself was sent via Postmark. And so you deduce that the newsletter was sent with Customer.io’s software, using Postmark as the email service provider. Another email, meanwhile, that was sent from Customer.io was delivered with Mailgun, discovered thanks to the email’s header including X-Mailgun-Variables headers. And a Substack message that was redesigned to hide all the app buttons still included a Substack domain in the headers, along with Mailgun headers, hinting at their stack.

Buttondown? You’ll see our domain in the Return path, perhaps a mention or Buttondown link in the footer, and might find that your emails were sent by Postmark or another ESP in our stack.

ChatGPT is great at pattern recognition—the perfect skill to decipher how an email was sent

You can decipher the headers yourself, if you’d like, opening URLs and checking their Whois to see who’s behind the cryptic domains. Or, you could copy your email headers into ChatGPT or an app like LearnDMARC.com, which can decipher email headers and teach you more about who sent the message.

Odds are, you won’t make any groundbreaking discoveries this way. But, if you’re unsuitably curious about email and the stacks that power your favorite newsletters, or if you want a bit more confirmation of the validity or not of a message, it’s a fun rabbit hole to explore. You’ll discover a bit about the infrastructure that got that message into your inbox along the way.