Don’t trust Gmail’s Show Original


It’s not always easy to know what the actual headers and body of an email as sent look like. For a long time, accepted wisdom was that you could send a copy to your Gmail account and use the Show Original menu option to, well, see the original message as raw text.

It turns out that’s not actually something you can trust.

I used swaks to send a test message with an extra header to my Gmail account.

swaks --to wttwsteve@gmail.com --from steve@blighty.com \
  --add-header "List-Unsubscribe: =?us-ascii?Q?=3Cmailto=3Asteve=40blighty.com=3e?="

We can see swaks sending it:

 -> DATA
<-  354  Go ahead b26-20020aca1b1a000000b003bbcbd8f357si4720609oib.40 - gsmtp
 -> Date: Wed, 17 Jan 2024 08:49:59 -0800
 -> To: wttwsteve@gmail.com
 -> From: steve@blighty.com
 -> Subject: test Wed, 17 Jan 2024 08:49:59 -0800
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 -> List-Unsubscribe: =?us-ascii?Q?=3Cmailto=3Asteve=40blighty.com=3e?=
 ->

But when we then go to Gmail and click on Show Original, we get this:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of steve@blighty.com designates 104.225.223.158 as permitted sender) smtp.mailfrom=steve@blighty.com
Message-ID: <65a80537.ca0a0220.b9271.0118SMTPIN_ADDED_MISSING@mx.google.com>
Date: Wed, 17 Jan 2024 08:49:59 -0800
To: wttwsteve@gmail.com
From: steve@blighty.com
Subject: test Wed, 17 Jan 2024 08:49:59 -0800
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
List-Unsubscribe: <mailto:steve@blighty.com>

So Google are fixing up the (invalid) List-Unsubscribe header by removing the RFC 2047 MIME encoding of that header before they display it in Show Original.

But if you click on the download link there to get the .eml, you see the encoded header. So they’re not fixing up the bad header on receipt, they’re only fixing it up when they display it to the user.

So if you want to see exactly what your email looks like, to check whether you’re sending valid email and complying with, for example, Gmail and Yahoo’s requirements, you can’t rely on Show Original for that.
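One way to check the downloaded .eml rather than the Show Original view, as an added example that is not code from the original post: it reads the raw bytes, reports each List-Unsubscribe header as sent, flags RFC 2047 encoded-words in it, and shows what a viewer that decodes before display would render. The function name check_list_unsubscribe, the sample message and the message.eml filename are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.header import decode_header, make_header

# RFC 2047 encoded-word: =?charset?Q|B?encoded-text?=
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[QqBb]\?[^?\s]*\?=")

# Constructed sample: the headers swaks sent in the post, as the downloaded
# .eml would hold them (headers added by Gmail omitted, body text made up).
SAMPLE_EML = (
    b"Date: Wed, 17 Jan 2024 08:49:59 -0800\r\n"
    b"To: wttwsteve@gmail.com\r\n"
    b"From: steve@blighty.com\r\n"
    b"Subject: test Wed, 17 Jan 2024 08:49:59 -0800\r\n"
    b"List-Unsubscribe: =?us-ascii?Q?=3Cmailto=3Asteve=40blighty.com=3e?=\r\n"
    b"\r\n"
    b"This is a test mailing\r\n"
)


def check_list_unsubscribe(raw: bytes) -> list:
    """Return one finding per List-Unsubscribe header in a raw message."""
    # compat32 hands back header values as sent, with no RFC 2047 decoding.
    msg = message_from_bytes(raw, policy=policy.compat32)
    findings = []
    for value in msg.get_all("List-Unsubscribe", []):
        as_sent = " ".join(str(value).split())  # unfold continuation lines
        findings.append({
            "as_sent": as_sent,
            "encoded_word": bool(ENCODED_WORD.search(as_sent)),
            # What a viewer that decodes before display would render.
            "as_displayed": str(make_header(decode_header(as_sent))),
        })
    return findings


if __name__ == "__main__":
    # To check a real download: raw = open("message.eml", "rb").read()
    for f in check_list_unsubscribe(SAMPLE_EML):
        verdict = "ENCODED-WORD PRESENT" if f["encoded_word"] else "ok"
        print(f"{verdict}\n  as sent:      {f['as_sent']}\n  as displayed: {f['as_displayed']}")
```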

I noticed this when several folks got warnings from AboutMy.email about invalid headers in the mail they were sending, then they used Gmail’s Show Original to double check.


By steve
