How can I confirm that an Outlook email chain which was forwarded to me is genuine?

0

In this scenario, all the email activity was done with Outlook clients and MS Exchange.

I got a mail from B that includes a forwarded chain which suggests that B was authorised by C to take an action. B wants me to trust this chain as proof he was acting on something with approval. However, I am sceptical and C is adamant that he never sent B the mail that has been forwarded.

In C’s email account there is no trace of a request from B, no trace of a reply from C, and no trace of any deletion. While that is not proof, there is no reason whatsoever why C needs to conceal this. I suspect that B has copied a previous approval request email for a similar event, but edited the date and time it was sent to C, hoping to cover this latest event. I fear he has also created a fake reply from C and then forwarded this all to me as “proof”.

Can the email headers show that the alleged “ask-reply” chain did not really happen at the time and date that B has tried to represent? Is there any other technical indicator that will show the real provenance of B’s forwarded email chain?

Tannoy505

Posted 2017-12-09T08:53:09.270

Reputation: 1

4 In short: you can not. – Máté Juhász – 2017-12-09T08:58:19.790

If the communication between B and C used DKIM, you could find the unique signatures that B reused or prove that the messages from C are invalid due to wrong signature. Otherwise you can't prove anything like @MátéJuhász says. – Marek Rost – 2017-12-09T09:07:54.607

Answers

0

Email headers don't contain information about preceding mails, so you can't prove anything.

In the future the best way is to change the process: B should always copy C when he refers to his approval, or even better: C should send his approval directly to you (keeping B in copy).

Máté Juhász

Posted 2017-12-09T08:53:09.270

Reputation: 16 807

0

Unfortunately, if the email was simply forwarded, there is no way from the email itself that you can verify the chain. The headers (File -> Properties -> Internet Headers) only apply to that email.

If the email was forwarded as an attachment, then you could inspect the headers of each individual email.

You need a system outside of the email client itself to verify the chain. Best would be an email archiving solution (such as Barracuda) that records all email in a read-only format.

Failing that, you should ask the Exchange administrators. You don't specify the version of Exchange used, so here are two options:

  • MS Exchange 2010: Within the Exchange Management Console there is an option for Toolbox. In the toolbox is a tool called Tracking Log Explorer. You can use this tool to search for messages at a finer granularity, and without selecting specific mailboxes, but based on email addresses, etc. as stated by HostBits.
  • MS Exchange Online: Use the Get-MessageTrackingLog PowerShell command as documented here & here.

Ian C.

Posted 2017-12-09T08:53:09.270

Reputation: 194
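An added example (not code from any of the posts above) for the case Ian C. mentions, where the chain is forwarded as attachments so that each message keeps its own headers: it pulls every attached message out of the saved mail and lists where the Date, Received and In-Reply-To/Message-ID headers disagree. The function names, the 300-second tolerance and the sample mail are assumptions constructed for illustration; headers inside an attachment still come from the forwarder, so a mismatch is a lead to check against server-side tracking logs, and a clean result proves nothing.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

def attached_messages(raw: bytes):
    """Return each message/rfc822 attachment inside a forwarded mail."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content() for p in outer.walk()
            if p.get_content_type() == "message/rfc822"]

def summarize(msg):
    """Extract the headers that place a message in time and in a thread."""
    hops = [parsedate_to_datetime(r.rsplit(";", 1)[1].strip())
            for r in msg.get_all("Received", []) if ";" in r]
    return {"message_id": str(msg["Message-ID"]),
            "in_reply_to": str(msg["In-Reply-To"] or "") or None,
            "date": parsedate_to_datetime(str(msg["Date"])),
            "first_hop": min(hops) if hops else None,
            "dkim_signed": msg["DKIM-Signature"] is not None}

def findings(chain, tolerance_s=300):
    """List inconsistencies; an empty list is not proof of authenticity."""
    out = []
    for prev, cur in zip(chain, chain[1:]):
        if cur["in_reply_to"] != prev["message_id"]:
            out.append(f"{cur['message_id']}: In-Reply-To does not match {prev['message_id']}")
    for m in chain:
        if m["first_hop"] is None:  # normal for a Sent Items copy, not a delivered one
            out.append(f"{m['message_id']}: no Received headers")
        elif abs((m["first_hop"] - m["date"]).total_seconds()) > tolerance_s:
            out.append(f"{m['message_id']}: Date disagrees with first Received hop")
    return out

def _mail(mid, date, **extra):  # helper for the constructed sample below
    m = EmailMessage()
    m["Message-ID"], m["Date"] = mid, date
    for name, value in extra.items():
        m[name.replace("_", "-")] = value
    m.set_content("body")
    return m

def build_sample() -> bytes:  # constructed: a request plus a "reply" that does not thread
    outer = EmailMessage()
    outer.set_content("See attached.")
    outer.add_attachment(_mail("<req@example.com>", "Fri, 08 Dec 2017 10:00:00 +0000",
        Received="from a.example.com by b.example.com; Fri, 08 Dec 2017 10:00:04 +0000"))
    outer.add_attachment(_mail("<rep@example.com>", "Fri, 08 Dec 2017 11:00:00 +0000",
        In_Reply_To="<old@example.com>"))
    return outer.as_bytes()
```

To use it on a real message, save the forwarded mail as an `.eml` file and pass its bytes to `attached_messages`, then run `findings([summarize(m) for m in ...])`.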