The subtle art of email forensics
Matthew Guay · 2025-07-25

A custom MacBook takes a circuitous journey, from its birth in Shenzhen, a hop over the border to Hong Kong, a trans-Pacific flight to JFK, and a stopover at DHL’s Cincinnati hub before a final flight closer to its destination, to finally riding the last miles to your home in a yellow DHL van.

What matters is that your MacBook arrives in a timely manner. The hops, themselves, are irrelevant.

Same for a paper letter, with the posted location divulged by the stamp and cancellation, with paper and ink hinting at the writing circumstances. Multiple shades of ink could be clues that their pen went dry—or that they started writing one day, finished on another. An assortment of Par Avion stickers and customs stamps might reveal the route the letter took.

Sherlock Holmes clues, all of them, inconsequential for most packages and posts, yet fascinating in a geeky way, a reminder of the infrastructure that unknowingly undergirds our lives, of the choices and decisions that go into every interaction. And every now and then, they do matter, as when a court case hinged on evidence being purportedly written in 2006, but typed in Calibri, a font that wasn’t widely released until 2007. For want of a time-period-specific font, the forgery unraveled.

Email apps leave similar clues behind, barely hidden, in every email message you receive. Sometimes they’re just-for-fun, when you’re curious which email app a friend uses, or how your favorite newsletter is sent. Other times they’re more serious; when an email seems to have been sent from one site or app but deeper clues reveal otherwise, it could be a fraudulent message.

With a bit of awareness, a bit of digging, you can trace almost any email back to where it first came to life in a Compose dialog.

Basic: Check for visual clues

The app-style icons and the Read in App button are Substack giveaways

Some clues aren’t even hiding. They’re right there in the signature, announcing which app sent an email.

From Hotmail’s classic “Get your free e-mail at Hotmail” and the iPhone’s “Sent from my iPhone” signature in the ’90s to Mailchimp’s monkey icon in the footer, Ghost’s “Powered by Ghost” tagline, and Buttondown’s “Brought to you by Buttondown” signature, it’s hard to mistake which app sent some emails.

Others are equally obvious, if you know what to look for. Emails sent from Substack often have a “Read in app” button in their header, along with buttons to like, comment, or share a post. Replies from Outlook may include a “You don’t often get emails from...” or “Do not click links or attachments...” bit in quoted reply text. And an emoji-only reply typically will only come from Gmail.

A Gmail reaction emoji, or a Superhuman scheduling link, is a dead giveaway

Links are the next best clue, for emails sent from newsletter services. Not all Substack emails include the app icons, but they do tend to include an unsubscribe link that includes substack.com. You’ll find links throughout the message; images typically include the sending service’s URL, and inline links often get wrapped in similar URLs to track clicks. 

You’ll start recognizing links from other apps over time; list-manage.com links are from Mailchimp, createsend.com and cmail.com links come from Campaign Monitor, and so on.

Typically visiting the URL is enough to find out who’s behind the service. And every now and then, you’ll find links that indicate which app was used to send a personal email. A Gmail or Superhuman scheduling link likely indicates that the email was written inside those apps; an iCloud Mail Drop link to download a larger attachment, similarly, means Apple Mail on Mac or iOS was used to send the message.

A Gmail email in 11pt sans serif (Helvetica, on a Mac), versus an Outlook email in 11pt Calibri

Design clues offer another strong hint. Emails from Microsoft Outlook look a bit like other Office documents, with emails set in 11pt Calibri or Tahoma fonts. Gmail uses your computer’s default sans serif font at the same 11pt, while Apple Mail will use a slightly larger 12pt Helvetica. Default email templates from popular email newsletter services have similar tells.

So if you receive a message set in 11pt Calibri that says “Sent from my iPhone” in the footer, and the links in the message are wrapped in another sending service’s URL, your spidey senses should be tingling that the email may not be exactly what it’s claiming to be.

Advanced: Scan email headers

Email headers reveal that this newsletter was sent with Beehiiv

Which means it’s time to get down to code. For in your email’s raw source code, especially in its headers, you’ll find clues both to which software was used to send the message and the email provider or ESP used to deliver it.

To view an email’s raw source in Gmail, open an email, click the 3-dot menu in the top-right corner, and select View Original. In Outlook, right-click on a message and choose View Source. In Apple Mail, click Message -> Raw Source. Poke around in your favorite email app’s menus, and you’ll likely find a similar option there as well.

There, scan the headers. The simplest to look for is X-Mailer, a non-standard, “informational” email header mentioned as early as 1997 but never officially standardized as part of email. It’s inconsistently used, but there’s a fair chance you’ll see an email app listed there, something like X-Mailer: Apple Mail (2.3826.400.131.1.6) or Airmail Beta (146) for messages sent from that short-lived email app.

You might also see other app-specific headers. Gmail messages may include X-Google headers, Superhuman adds an X-Superhuman header, and X-MS-Office365 or X-MS-Exchange headers appear on emails sent from Outlook and Exchange. Watch for any unusual headers with names related to email software. You’ll discover some email history along the way; emails sent from Adobe Campaign, for instance, include an s=neolane line in their DKIM header, named for the app that Adobe acquired to build their email sending service. But also watch out for headers your email service may add; if you’re using Gmail, most emails will include an X-Google-Smtp-Source: header, regardless of which software sent the message.

Then, dig into the domain names listed in the DKIM signature, the Received path, the Return-Path for bounced emails, and more. An email sent from Proton Mail might include a Received: from mail-24421.protonmail.ch line, say. Sometimes you’ll put multiple clues together that way; perhaps the Received line shows they used Proton Mail’s sending service, while the X-Mailer shows they used Outlook to type the message. You’ll start uncovering somewhat cryptic domains along the way: messagingengine.com for Fastmail, mtasv.net for Postmark, cmail2.com for Campaign Monitor, list-manage.com for Mailchimp, and so on.

You might find out more than you expected. An Unsubscribe domain and X-Mailer, say, show that an email is sent via Customer.io, while DKIM headers with mtasv.net mean that the email itself was sent via Postmark. And so you deduce that the newsletter was sent with Customer.io’s software, using Postmark as the email service provider. Another email, meanwhile, that was sent from Customer.io was delivered with Mailgun, which its X-Mailgun-Variables headers gave away. And a Substack message that was redesigned to hide all the app buttons still included a Substack domain in the headers, along with Mailgun headers, hinting at their stack.

Buttondown? You’ll see our domain in the Return-Path, perhaps a mention or Buttondown link in the footer, and might find that your emails were sent by Postmark or another ESP in our stack.
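The header checks described above, collected into one script. This is an added example, not code from the article or from Buttondown: the function names and the sample message are constructed, and the lookup tables hold only the domain and header pairings named in the text.

```python
import re
from email import message_from_string

# Domain and header hints taken from the article; extend with your own findings.
KNOWN_DOMAINS = {"messagingengine.com": "Fastmail", "mtasv.net": "Postmark",
                 "cmail2.com": "Campaign Monitor", "createsend.com": "Campaign Monitor",
                 "list-manage.com": "Mailchimp", "protonmail.ch": "Proton Mail",
                 "substack.com": "Substack"}
APP_PREFIXES = {"x-google": "Gmail", "x-superhuman": "Superhuman",
                "x-ms-exchange": "Outlook/Exchange", "x-ms-office365": "Outlook/Exchange",
                "x-mailgun": "Mailgun"}
# Stamped by the receiving mailbox provider, so it says nothing about the sender.
RECEIVER_ADDED = {"x-google-smtp-source"}
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def service_for(host):
    """Match a host, then each parent domain, against KNOWN_DOMAINS."""
    labels = host.lower().split(".")
    hits = (KNOWN_DOMAINS.get(".".join(labels[i:])) for i in range(len(labels) - 1))
    return next(filter(None, hits), None)

def trace_sender(raw):
    """Collect sender-side clues from the headers of a raw message."""
    msg = message_from_string(raw)
    clues = {"mailer": msg.get("X-Mailer"), "apps": set(), "services": set(), "dkim": []}
    for name, value in msg.items():
        lname = name.lower()
        if lname in RECEIVER_ADDED:
            continue
        clues["apps"].update(a for p, a in APP_PREFIXES.items() if lname.startswith(p))
        if lname == "dkim-signature":
            tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
            clues["dkim"].append((tags.get("d"), tags.get("s")))
        if lname in ("dkim-signature", "received", "return-path", "list-unsubscribe"):
            clues["services"].update(filter(None, map(service_for, HOST_RE.findall(value))))
    return clues

# Constructed sample: hosts, selector and signature values are made up.
SAMPLE = """\
Return-Path: <bounce@mail.substack.com>
Received: from mta.example.net (mta.example.net [192.0.2.10]) by mx.example.org with ESMTPS
X-Google-Smtp-Source: CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=substack.com; s=constructed;
\th=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
X-Mailgun-Variables: {"constructed": true}
From: Newsletter <news@example.org>
"""

if __name__ == "__main__":
    print(trace_sender(SAMPLE))
```

X-Mailer and the other X- headers are written by the sending side, so treat the output as a lead to corroborate against the DKIM domain and Received path rather than as proof of origin.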

ChatGPT is great at pattern recognition—the perfect skill to decipher how an email was sent

You can decipher the headers yourself, if you’d like, opening URLs and checking their Whois to see who’s behind the cryptic domains. Or, you could copy your email headers into ChatGPT or an app like LearnDMARC.com, which can decipher email headers and teach you more about who sent the message.

Odds are, you won’t make any groundbreaking discoveries this way. But, if you’re unsuitably curious about email and the stacks that power your favorite newsletters, or if you want a bit more confirmation of whether a message is valid, it’s a fun rabbit hole to explore. You’ll discover a bit about the infrastructure that got that message into your inbox along the way.