Given one can IMAP upload emails to Gmail, how can one prove gmail content is original?

0

Given that one can upload emails to gmail via IMAP, via methods such as:

http://email.about.com/od/gmailtips/qt/How_to_Import_Mail_from_Mozilla_Thunderbird_in_Gmail.htm

Is there a method to prove that emails in gmail are legitimate? If one took an email to court, and the other party claimed the email was manipulated via IMAP, how would one marshal a defence?

Obviously in cases where federal agents freeze gmail accounts, the data in it holds value should one not have expected a super-user to be aware of a coming freeze beforehand... but that's not what I'm interested in.

I'm interested in means of PROVING that emails are original and legitimate against claims of IMAP upload manipulation.

Thanx.

Daniel

Posted 2013-09-27T11:32:20.697

Reputation: 141

Open the mail headers? – Rob – 2013-09-27T11:47:14.893

Why would the mail headers be any different? They should simply contain all the header information submitted to gmail via the manipulated IMAP calls. – Daniel – 2013-09-27T11:50:18.653

@Ramhound, I acknowledge that this problem exists when running one's own servers... but gmail is ubiquitous, and the assumption is because it is managed by a 3rd party, it is certified by a 3rd party. There is also secret-sauce in gmail storage (labels) that aren't in the email standard. So either there IS a way of validating that gmail provides or there isn't. The question is well defined. If you're still unhappy, please explain why. – Daniel – 2013-09-27T11:53:50.407

@Ramhound, the email standard doesn't provide means of validating the source of an email per se, only capturing various processing sources in the header. My citation about labels demonstrates that I'm interested in what features GMAIL specifically provides, and this is an example of how they have broken with standards (implemented additional features) in the past. It turns out that the answer I'm looking for might lie in the processing of the DKIM header tag PROVIDED that this is/isn't altered on imap upload. You seem to be interested in a different question. – Daniel – 2013-09-27T12:10:31.730

@Ramhound Again! That isn't what I was asking. DKIM can be used to verify the sender, but in many cases where DKIM isn't set... there seems to be NO mechanism. So the answer is NO there doesn't appear to be a public mechanism for gmail specifically, but they may keep logs internally, but there is no data to back this up. – Daniel – 2013-09-27T12:23:52.823

Answers

2

I do believe the DKIM signing standard would detect spoofing of emails if set up correctly, while also using the strongest signing methods.

That is, DKIM signing would prove that an email was sent from a certain source, and has arrived unmodified since being signed by the sending server (as only the sending server can sign mail for that domain). If the DKIM signing is missing, one could assert that the message was spoofed, thus would require more verification to prove originality.

However, since most domains do not use DKIM signing (too much of a hassle?) this could prove difficult to implement. http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

The only true way is to use some other form of signing - such as GPG/PGP/OpenPGP. http://en.wikipedia.org/wiki/GNU_Privacy_Guard

Mark Lopez

Posted 2013-09-27T11:32:20.697

Reputation: 925

A little late it seems... – Mark Lopez – 2013-09-27T12:16:25.997

Nope, not too late. Your answer is the best. – Daniel – 2013-09-27T12:21:37.387

@MarkLopez Doesn't DKIM only verify the source of the sender? If I copy an email with a proper DKIM to my IMAP inbox, wouldn't DKIM still check out (same goes for signing keys)? – SlightlyCuban – 2013-09-27T12:30:18.023

@SlightlyCuban You could set DKIM to sign everything (date, body, from, to, etc.), although this is almost never done because of the possible incompatibilities with MIME types, the load on the mail server, and the possibility of the high, false negative, verification rate. However, signing the content is still possible. This is what I meant by using the strongest signing methods (although impractical). – Mark Lopez – 2013-09-27T12:36:20.410

@MarkLopez, it's important to note that a copy of the DKIM seems not to be available in the original copy under your "sent" messages. So you can't publicly validate that you actually did send a message! You should add that to the answer. If gmail validates to fields, then you could set up BCC account to keep DKIMs. Yet to be determined. – Daniel – 2013-09-27T12:40:04.293

@Daniel When sending mail (unsure if Gmail does/or can - Google Apps does) the mail server signs the mail with its private key. The public key is publicly published as a DNS record (txt) which is cached around the world. Through the use of asymmetrical signing the receiving server looks up the public key from public DNS servers and verifies that the mail was signed with the sending server's private key. This verification process requires that the content specified in the email is correct and unmodified. Having the original copy means nothing in this security model (which adds security). – Mark Lopez – 2013-09-27T12:51:00.293

But you need the DKIM hash signed with Google's private key, which isn't available in the sent messages folder (re-read my message). It would exist in the receiver's inbox (which doesn't help). I'm aware of how public key encryption works, thanx. :-) – Daniel – 2013-09-27T13:36:34.930

I provide an explanation of asymmetrical encryption for posterity. From my own testing Gmail does sign messages (but does not show up in the sent mail). This makes sense, Gmail must save the message before sending the mail to the MTA (which signs the message) - which most servers will do. Just having sent mail will not hold up in court without confirmation that the email was received. DKIM can verify incoming mail. However, outgoing mail would require confirmation by the receiving server or the route the mail took (which a court could get). – Mark Lopez – 2013-09-27T14:04:36.580

It's a pity that gmail doesn't include the DKIM on messages in the sent mail inbox. :-( – Daniel – 2013-09-28T12:49:01.803
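The point debated in the comments above, that what DKIM proves depends on which parts of the message the signature covers, can be checked offline on a saved copy of a message. The following is an added example, not part of the original thread: it recomputes the body hash (`bh=`) and lists the header fields that `h=` leaves uncovered. It does not verify the RSA signature in `b=`, which requires the signer's public key from DNS, and it ignores the optional `l=` tag; the message, domain and selector are constructed sample values.

```python
import base64, hashlib, re

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canon_body(body, mode):
    """Body canonicalization, 'simple' or 'relaxed' (RFC 6376, section 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # trailing empty lines are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode="relaxed", algo="sha256"):
    digest = hashlib.new(algo, canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def inspect(raw):
    """Recompute bh= and report which header fields h= does not cover."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii")
    fields = [ln.split(":", 1) for ln in unfolded.split("\r\n")]
    names = {k.strip().lower() for k, _ in fields}
    sig = next(v for k, v in fields if k.strip().lower() == "dkim-signature")
    tags = parse_tags(sig)
    # c= is "header/body"; a missing body part defaults to "simple"
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = tags["a"].split("-")[1]       # "rsa-sha256" -> "sha256"
    signed = set(tags["h"].lower().split(":"))
    return {"body_ok": body_hash(body, mode, algo) == tags["bh"],
            "unsigned": sorted(names - signed - {"dkim-signature"})}

# Constructed sample; b= is a placeholder, so only bh= and h= are examined.
BODY = b"Payment of 100 EUR is due Friday.\r\n"

def sample(body=BODY, date="Fri, 27 Sep 2013 11:32:20 +0000"):
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            b" s=sel1; h=from:to:subject; bh=" + body_hash(BODY).encode() + b";\r\n"
            b" b=PLACEHOLDER\r\n"
            b"From: alice@example.com\r\nTo: bob@example.org\r\n"
            b"Subject: invoice\r\nDate: " + date.encode() + b"\r\n\r\n" + body)
```

A changed body fails the `bh=` comparison, while a changed `Date:` passes here because this sample's `h=` does not list it, so the `unsigned` list shows which fields a valid signature says nothing about.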

2

Get the corresponding mail from the recipient/sender and cross-check.

IMAP (and especially POP) are protocols designed to receive email, not make sure you are who you say you are (there are mechanisms such as signing keys which can verify the identity of a sender of an email, but nothing built into IMAP itself).

There is always the option of checking the security/access logs of the IMAP server to make sure the account was accessed in an "appropriate" way, but:

  1. This varies server-to-server, if it is tracked at all
  2. For Gmail specifically, you'd have to go ask Google to hand over their logs
  3. What you've described is an "appropriate" IMAP transaction. Should that be logged?

So, at the end of the day, if you want to be 100% sure an email was sent from/received by an account at a specific date & time, check the other end.

SlightlyCuban

Posted 2013-09-27T11:32:20.697

Reputation: 605

If the corresponding sender is your opposing party in a lawsuit then that would not be possible. What I am asking about is a feature that either gmail implements internally or it does not. It need not stick to the email standards to implement this (like it doesn't stick to standards to implement labels). So basically either they internally sign emails they have processed in order to discriminate them from emails users have uploaded... or they do not. – Daniel – 2013-09-27T12:00:27.130

@Daniel, this is like asking "how would I know if some company shredded their documents?" Gmail probably keeps access logs, but you'd have to request it from Google. There isn't really a public service they provide to do this. – SlightlyCuban – 2013-09-27T12:13:29.990

This is exactly what I'm asking! Is proof of these logs in the original email header? Accessible via gmail-labs? Demonstrated via court cases that gmail DOES have means of validating them, or simply doesn't care? This is what makes for a complete answer, and why I can't mark yours as correct. – Daniel – 2013-09-27T12:17:50.227

@Daniel, according to IMAP, no. Maybe Gmail could do something strange to the timestamps without telling you, but this is not documented. AFAIK, if it is IMAP it really doesn't care. – SlightlyCuban – 2013-09-27T12:28:14.510