So I’m guessing, like me, you’ve been working from home and answering more emails in the last year than you have your entire life. You probably answer emails on both your computer and your phone. Maybe you use Gmail, maybe you use Outlook. Maybe you use the Gmail mobile app, maybe you use the Windows Mail desktop app. Maybe – just maybe – you use the Gmail mobile app to send emails from your Outlook account, or you use the Windows Mail desktop app to send emails from your Gmail account. Or maybe you just use a third-party email app like Mozilla Thunderbird.
ʕ·ᴥ·ʔ: What’re you trying to get at?
You might be giving out your IP address to everyone you email, telling them your approximate location, where you might work, and where you might live.
Email has envelopes too
See, just like real mail, email is sent in an envelope that holds metadata about the email. Unlike real mail, however, the envelopes that contain emails hold a lot more information that just a sender’s address, a recipient’s address, a return address, and a postage stamp. It often has a lot of metadata completely unrelated to the content of the email and completely unnecessary to the recipient. This metadata is used for all sorts of things, from troubleshooting email delivery issues to blocking spam emails. We call this mail envelope of metadata the “email headers”. And one of the pieces of metadata that is sometimes included in the email headers is the sender’s IP address – your IP address.
The sender’s IP address isn’t always included in the email headers. In fact, if you use a web browser like Google Chrome or Mozilla Firefox to send your emails, you’re almost never sending your IP address along with it because the web authentication required to log in to your email account through a web browser makes recording your IP address in the email headers unnecessary to fight spam. Many email service providers, like Yahoo! and AOL, have also become privacy-conscious enough that they never include your IP address in the email headers, even when you are using a third-party email app like Thunderbird. The problem comes when you use a third-party email app to send emails from less-than-privacy-conscious email service providers, like Gmail and Outlook.
Say you have a Gmail account and a Windows PC. It would be pretty convenient to just use the built-in Windows Mail desktop app to sign in to your Gmail account and answer emails there, and I reckon that’s what many people are doing while they’re working from home right now. The problem is that one of the things Gmail does in order to fight spam is to include the sender’s IP address in the email headers when the email is sent through a third-party email app. Microsoft, in this case, is the third party providing the Windows Mail desktop app. They have nothing to do with Google’s Gmail, and they have nothing to do with you or the email’s recipient. So, what Gmail does is, they record the IP address that sent the email in the email headers. If the email turns out to be spam, the receiving email server and maybe other email servers can block that IP address from sending more spam.
As you can see, storing the IP address in the email headers is great for combatting spam, but not so great when the email is yours and you happen to send it to someone who might want to harass you, kidnap you, or worse…
So, going back to my opening paragraph, if you use the Windows Mail desktop app to send emails from your Gmail account, you’re handing out your IP address with every email you send. If you use the Gmail mobile app to send emails from your Outlook account, same thing. And if you use Thunderbird or some other third-party email app to send emails from either your Gmail account or your Outlook account, same thing: you’ll be including your IP address in the email headers of every email you send.
Opening the envelope
Email apps usually allow you to see the email headers of an email. On the Gmail website on desktop, you do that by opening the email you want to see the headers of, clicking on “More” which is right next to “Reply”, then clicking on “Show original” (some email apps call them “original message” or “email source” instead of “email headers”). That will open a new tab in your browser showing you the email’s headers. Doing so on the Outlook website on desktop is similar: open the email you want to see the headers of, click on “More actions” next to “Forward”, then click “View > View message source”. That will open a small window for the email headers.
Now how do you read this, and how do you find out if your IP address is being included in this stuff? The header we’re looking for is the bottom-most Received header. This header shows information about the devices that have sent and received the email, kind of like showing which post offices passed your mail around until it reached its intended recipient. The top-most Received header shows the last server that received the email, while the bottom-most Received header shows the first server that received the email.
Here’s a real example to make it easier to visualize:
Received: from VE1EUR02HT201.eop-EUR02.prod.protection.outlook.com (2603:1096:400:a9::19) by TYAP286MB0347.JPNP286.PROD.OUTLOOK.COM with HTTPS via TYWPR01CA0014.JPNPRD01.PROD.OUTLOOK.COM; Wed, 16 Jun 2021 07:05:00 +0000 ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=HctljmiRqFpNw3F+NuW1UVgsZohIX8N3jQKbvKi2XRy6XWd4soC/Nu8Ts5ViEYCnIcX14TPp/Qt36DU+CC5A7QVv0F4GwTAiS+6DAvqMaIUvrmijMvh3dBes5x1T98gxOyocWBd+0CwMdXtWQLAen6OOoPP3G0y56/v0jug0ZlmoxF6PG3gg2aJYRsVbMkL2AMx7V6QaehSHLWzLfhYGEkhOF5OFWHm6avkpxbMmbhWq/4b8EVbYQWB6lZjiSjbJBg3+GcmLN/Nai2G1QTlO0LH1YzreWIL/1AN2Ee7o+ylLn7cByAdw+IqUx5UrmdJLu0ydG5o5yoUv2esuzCeg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TvNwUqpIG0PqqoE191ty48CPSlKVaHN7hUblJ+EDLk4=; b=QTBxJXLxLA4N8i5U8/hdmhQUnytby8BtgH5Z8ij7jsr77vz8n5igZ5no3erzHE6r9N1wfduINa+VYkUxxwutGnmLyNKd/kAxI8ddzrpzFz1kKNnAEONmkLMRzYaatcreVwR5OBCboXvPvWMCAXZMwCDV/9lgoLOMUBRdsYNpRinV89lHstdUMfqovG1+WAi3ngDaLUzaz+sJjTx61qJZc7GeRcJL5VWJ/cqjCgSl1U03AoYt+7Pc6P9pikSC5zWpyUNgy0aYAkJKvnbOS86WHpJgsNAU4vyefr190njWHGuYwfupI6U+BWWxfWrz9ms4vYE/1HUkv+JPuxEMGemuw== ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 40.107.92.59) smtp.rcpttodomain=outlook.com smtp.mailfrom=accountprotection.microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=accountprotection.microsoft.com; dkim=pass (signature was verified) header.d=accountprotection.microsoft.com; arc=pass (0 oda=0 ltdi=1) Received: from VE1EUR02FT025.eop-EUR02.prod.protection.outlook.com (2a01:111:e400:7e1e::49) by VE1EUR02HT201.eop-EUR02.prod.protection.outlook.com (2a01:111:e400:7e1e::201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.21; Wed, 16 Jun 2021 07:04:59 +0000 Authentication-Results: spf=pass (sender IP is 40.107.92.59) smtp.mailfrom=accountprotection.microsoft.com; outlook.com; dkim=pass (signature was verified) header.d=accountprotection.microsoft.com;outlook.com; dmarc=pass action=none header.from=accountprotection.microsoft.com;compauth=pass reason=100 Received-SPF: Pass (protection.outlook.com: domain of accountprotection.microsoft.com designates 40.107.92.59 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.92.59; helo=NAM10-BN7-obe.outbound.protection.outlook.com; Received: from NAM10-BN7-obe.outbound.protection.outlook.com (40.107.92.59) by VE1EUR02FT025.mail.protection.outlook.com (10.152.12.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.21 via Frontend Transport; Wed, 16 Jun 2021 07:04:59 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:ABC14104268EDF1061E452B0F81A7DC5FC1514BEA7983CCAD4118BC010239A9A;UpperCasedChecksum:D592ACBA3029C801F858FE8873D6C8B4223B89BC1BDFEAFFECB05CE66AE79588;SizeAsReceived:5971;Count:39 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FlEK41Qk1OYXBsoGoh+UuoKAZ717z7tnFDKZzTKtDwXyn6oCVLWDiJ54DqLAem7f2vvetPigdq6chgq1hijzdDt167lVHn2sDPxph6dJvhRCsDnKUvyG9VUy7WTFz4nldjBckxv1/efZ1Q2p4vAqq7p3swsrHkDrtS9yQQT0ELwBUjbO+lf3gVIWdhbGxc+uquM75m+O9mBMz0tNU/OI94NkAgEJnuC2hNF2DAJgTkoHK6bcVSe+40WJafgJ8GcztCScASYywz3W+59aKl/JOA9+dY7a6gY1m/DmxgCMvGN2MqRpNCtJj3dm1njCQKccG+F+SNIhAGKB5heLNNyJFMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TvNwUqpIG0Pqqo1J91ty48HCPSlKVaHN7hUblJ+EDWk4=; b=HunIne6xJlAnPlxoPBURXXAvQ7HM01EMcoEZdr4rYSoz3cuSiKz1Kkkz+wqqsY7tnQ5PE7+1psMjBUAhHUIMLGnUJv/3EZ7AVwI001YheBd/exaMGS/aS28B2yZL3nUmOZIsFBkmkZ17aM1WP3RhFr8GMjSkwZ+Eugmahkci+/tmtEuUmTyHhozFYPv1QPdpm9Gbg8qv6fZf8IKELTwPWmi/FyBP+wBR1bJZYtkQ2Y5YB7GJJoJcIxM8vdrMIMYytbmA6fVuc6iy3/cXP0PaIqd3zz+5YJBg3R3Jm38OdqHPu6dTo5MMhuJUjwKgmuTM7ZFBG17N1SBQxNMFQ4GQZfiQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none action=none header.from=accountprotection.microsoft.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accountprotection.microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TvNwUqpIG80Pqqo1J91ty48CPSlKVaHN7hUblJ+EIDWk4=; b=p9eKNmciWrIKPN5r26hIod6BkM+lN/QBPHMtkSPogNMlHq3dIvV2Gh81d5b4118BdicWz3/U1fPD0gBsbGq/Hey8R1BBexClPxmKt2npV0lENE9zbIl3IuISHp8d6vTl4tIEfhcQN3UkO5AmcVmNy8oWYd60vEJOn76m/eabYS/wp= Received: from BN9PR03CA0139.namprd03.prod.outlook.com (2603:10b6:408:fe::24) by BL0PR16MB2259.namprd16.prod.outlook.com (2603:10b6:207:3f::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.16; Wed, 16 Jun 2021 07:04:57 +0000 Received: from BN8NAM11FT054.eop-nam11.prod.protection.outlook.com (2603:10b6:408:fe:cafe::5c) by BN9PR03CA0139.outlook.office365.com (2603:10b6:408:fe::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.16 via Frontend Transport; Wed, 16 Jun 2021 07:04:57 +0000 X-MS-Exchange-Authentication-Results: spf=none (sender IP is 52.234.111.146) smtp.mailfrom=accountprotection.microsoft.com; outlook.com; dkim=none (message not signed) header.d=none;outlook.com; dmarc=none action=none header.from=accountprotection.microsoft.com; Received: from accountprotection.microsoft.com (52.234.111.146) by BN8NAM11FT054.mail.protection.outlook.com (10.13.177.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.16 via Frontend Transport; Wed, 16 Jun 2021 07:04:56 +0000
ʕ ´• ᴥ •`,ʔ: That is a lot of info I don’t understand.
Don’t worry, you just ignore most of it, like I said. I’ve highlighted all the Received headers and you only need to look at the bottom-most one. This is where, if you’re sending your emails out of your Gmail or Outlook accounts via a third-party email app, your IP address will be included.
Here’s the bottom-most Received header of a different email that was sent from my Gmail account to my Outlook account via the Windows Mail desktop app:
Received: from [my computer’s hostname] ([my real IP address])
by smtp.gmail.com with ESMTPSA id f8sm1113957pfv.73.2021.06.16.00.12.26
for [my real email address]@outlook.com
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Wed, 16 Jun 2021 00:12:27 -0700 (PDT)
It even has my computer’s hostname, which is like the name I gave my computer.
And here’s another bottom-most Received header, this time from an email that was sent from my Outlook account to my Gmail account via the Gmail mobile app:
Received: from [my LAN IP address] ([my real IP address]) by HKAPR03CA0027.apcprd03.prod.outlook.com (2603:1096:203:c9::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.9 via Frontend Transport; Wed, 16 Jun 2021 07:06:42 +0000
This one also has my LAN IP address, which is the IP address assigned to my phone by the Wi-Fi router to differentiate it from other devices on the Wi-Fi network.
Meanwhile, here is how the bottom-most Received header looks like when sending an email from my Gmail account to my Yahoo! account via a web browser, in this case Mozilla Firefox:
Received: by mail-ej1-f42.google.com with SMTP id e23so2089810eja.3
for [my real email address]@yahoo.com; Thu, 17 Sep 2020 01:25:58 -0700 (PDT)
No information on me whatsoever other than my email address, which is exactly what my recipient is supposed to get.
And here’s the bottom-most Received header of an email sent from my Yahoo! account to my AOL account via a third-party email app, in this case Mozilla Thunderbird:
Received: by kubenode504.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID b99f8a1ea375d487afaef9f61beafd79;
Wed, 16 Jun 2021 06:50:59 +0000 (UTC)
No information on me whatsoever, not even my email address. (But the recipient still gets that elsewhere, don’t worry!)
There are a couple more email headers to briefly mention, though they’re not relevant to most people. These are the X-Originating-Ip and the Received-SPF headers. These should be relevant to you only when you run your own email server, which of course most people don’t. For the ones who do, your email server’s IP address may be included in these headers.
In case you don’t know what your IP address is, you can go to whatismyipaddress.com to find out both your IPv4 and IPv6 addresses. If you have both, be sure to look for both in the headers of your emails.
No point complaining
ʕ·ᴥ·ʔ: Got it. Now I can figure out when I’m accidentally sending my IP address in my emails and when I’m not. So what next?
Nothing. We’re done here.
ʕ ಠ ᴥಠ ʔ: Huh? That’s it? I thought you were going to give me some solution to the problem like you usually do.
Well, that’s totally up to you. If your IP address isn’t getting included in your email headers, then keep on doing what you’re doing. If it is getting included and you’re cool with that, then that’s fine too, though I wouldn’t recommend it. If, however, your IP address is getting included in your emails’ headers and you’re not okay with that, then you can either stop using third-party email apps for your Gmail and Outlook accounts, or you can switch email service providers like using Yahoo! or AOL instead.
ʕ·ᴥ·ʔ: But what if I’ve got a Gmail or Outlook account and I like using a third-party email app, and I don’t want to switch email service providers?
Well, unfortunately, you can’t do anything about that. I tried contacting Gmail and Outlook about this issue already, way back in September last year. Outlook passed me around from one department to another before I finally landed in the Microsoft Security Response Center, which essentially told me: “This ain’t a problem.” Yep, our privacy ain’t a problem as far as Microsoft’s concerned. (Who could’ve seen that one coming?) Gmail/Google on the other hand just gave me no word back whatsoever. Nine months later, this issue remains unchanged for both of them.
It’s also kind of funny how they include sender IP addresses in email headers when the email comes from a third-party app, because both Gmail and Outlook already ask you to manually authorize third-party app access to any of your account data, not just email data. There are already better ways to fight spam than jeopardizing people’s privacy by including their IP addresses in their emails. And now, that’s even more important with so many people working from home, in a place where they’re far more vulnerable than if they were working from company offices. Yet, the practice continues for these two; two of the biggest tech companies in the world.
Ultimately, if you care about your privacy (and maybe even your security), you’ll have to handle this yourself.
ʕ·ᴥ·ʔ: [sigh] Just like so many things in life.
If you’re working from home and care about your privacy, consider subscribing. If you’re not working from home but care about your privacy, also consider subscribing. And if you don’t care about your privacy but you’re reading all this stuff anyway, for some reason, well, consider subscribing! You’ll be notified of new articles – and only new articles – once a month. Just drop your email address down below or add my RSS feed in the site menu to your RSS reader.