Don’t trust Gmail’s Show Original

It’s not always easy to know what the actual headers and body of an email as sent look like. For a long time accepted wisdom was that you could send a copy to your gmail account, and use the Show Original menu option to, well, see the original message as raw text.

It turns out that’s not actually something you can trust.

I used swaks to send a test message with an extra header to my gmail account.

swaks --to wttwsteve@gmail.com --from steve@blighty.com 
  --add-header "List-Unsubscribe: =?us-ascii?Q?=3Cmailto=3Asteve=40blighty.com=3e?="Code language: JavaScript (javascript)

We can see swaks sending it:

 -> DATA
<-  354  Go ahead b26-20020aca1b1a000000b003bbcbd8f357si4720609oib.40 - gsmtp
 -> Date: Wed, 17 Jan 2024 08:49:59 -0800
 -> To: wttwsteve@gmail.com
 -> From: steve@blighty.com
 -> Subject: test Wed, 17 Jan 2024 08:49:59 -0800
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 -> List-Unsubscribe: =?us-ascii?Q?=3Cmailto=3Asteve=40blighty.com=3e?=
 ->Code language: CSS (css)

But when we then go to gmail and click on Show Original, we get this:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of steve@blighty.com designates 104.225.223.158 as permitted sender) smtp.mailfrom=steve@blighty.com
Message-ID: <65a80537.ca0a0220.b9271.0118SMTPIN_ADDED_MISSING@mx.google.com>
Date: Wed, 17 Jan 2024 08:49:59 -0800
To: wttwsteve@gmail.com
From: steve@blighty.com
Subject: test Wed, 17 Jan 2024 08:49:59 -0800
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
List-Unsubscribe: <mailto:steve@blighty.com>Code language: HTML, XML (xml)

So Google are fixing up the (invalid) List-Unsubscribe header by removing the RFC 2047 MIME encoding of that header before they display it in Show Original.

But if you click on the download link there to get the .eml, you see the encoded header. So they’re not fixing up the bad header on receipt, they’re only fixing it up when they display it to the user.

So if you want to see exactly what your email looks like, so you can see if you’re sending valid email and complying with, for example, Gmail and Yahoo’s requirements you can’t rely on Show Original for that.

I noticed this when several folks got warnings from AboutMy.email about invalid headers in the mail they were sending, then they used gmail’s Show Original to double check.

Related Posts

New Requirements for Bulk Senders

UPDATE: You need to authenticate with both DKIM and SPF.

Read More

Sending email

I did a class at M3AAWG teaching the basic mechanics of sending an email, both really by hand using dig and netcat, and using SWAKS. No slides, but if you’re interested in the script I’ve posted a very rough copy of my working notes here.

Read More

Is email dead?

These last few years have been something, huh? Something had to give and, in my case, that something was blogging. There were a number of reasons I stopped writing here, many of them personal, some of them more global. I will admit, I was (and still am a little) burned out as it seemed I was saying and writing the same things I’d been saying and writing for more than a decade. Taking time off has helped a little bit, as much to focus on what I really want to talk about.

Read More