Email metadata isn't always what it seems. Here are a few things to keep in mind for the emails you send and when looking at fields like "from", "bcc" and "receivedBy":

  1. The "from" field might not be the address an email really comes from - it could be an alias, or a value that a program or the IT department generated and attached to the email header
    • Emails sent from an alias in Microsoft Outlook show "from (person) x on behalf of (person) y" by default. Microsoft Exchange behaves similarly
    • Gmail has 2 formats for sending as an alias, depending on whether the alias is verified or not:
      • If the alias is verified by Gmail's verification process, you will be able to send emails with that verified alias address displayed as "from"
      • If the alias is unverified, Gmail adds an "X-Google-Original-From" header, and the "from" header value will be the address you are actually sending the email from, not the alias.
  2. The listed "receivedBy" and "receivedRepresenting" fields in Outlook do not necessarily indicate that the email was received - they are simply populated for sent emails that Outlook downloads through IMAP
  3. In general, if the "receivedBy" user is not listed as a recipient, it is not possible to tell whether this user received the email as a "Bcc" recipient, or received it through an alias that was among the normal "to" or "cc" recipients
  4. Not all copies of an email contain the same addresses - the obvious case is an email with "Bcc" recipients: only the sender's copy lists the "Bcc" recipients, and the "Bcc" field is empty in every recipient's copy
  5. Saved "sent copies" in Outlook while using IMAP don't necessarily reflect how the SMTP server actually sends the mail:
    • For example, from Outlook you can try to send an email through your Google/Gmail account from "president@whitehouse.gov". Its "from" header address will be changed to the account you're actually sending it from (since it's an unverified alias, as mentioned in point 1 of this post), but the "saved sent copy" from Outlook will still have "president@whitehouse.gov" as the sender
  6. Exchange uses X.500 for internal routing, so only the user's X.500 addresses can reliably be used for emails sent through it; in some cases the SMTP addresses cannot be resolved. (X.500 addresses look something like this: /o=EX Organization/ou=Exchange Administrative Group (FYDIBOHF46SSDLO)/cn=Recipients/cn=john214)
  7. Miscellaneous Email Properties: The "PidTagReceivedBy" property group contains properties that represent the recipient of the Message object, and includes the attributes:
    • Display name
    • EntryID
    • Address type
    • Email address
    • SMTP address
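
Points 1, 4 and 5 can be checked by comparing the sender's saved copy of a message with a copy a recipient received. The script below is an added example, not part of the original post; both messages and all addresses in it are constructed, and it assumes the "X-Google-Original-From" header carries the alias that was requested.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the "sent copy" the mail client saved (point 5).
SENT_COPY = """\
From: Alias Name <alias@example.org>
To: bob@example.com
Bcc: carol@example.com
Subject: Quarterly numbers

Body
"""

# Constructed sample: the same message as a "to" recipient received it, with
# the "from" address rewritten (point 1) and no "Bcc" header (point 4).
RECEIVED_COPY = """\
From: alice@example.net
X-Google-Original-From: Alias Name <alias@example.org>
To: bob@example.com
Subject: Quarterly numbers

Body
"""

def addrs(msg, header):
    """Lower-cased set of addresses found in every instance of a header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def compare_copies(sent_raw, received_raw):
    """Report where the sender's saved copy and a delivered copy disagree."""
    sent = message_from_string(sent_raw)
    recv = message_from_string(received_raw)
    return {
        "from_in_sent_copy": sorted(addrs(sent, "From")),
        "from_as_delivered": sorted(addrs(recv, "From")),
        "from_rewritten": addrs(sent, "From") != addrs(recv, "From"),
        # Assumption: this header holds the unverified alias that was requested.
        "unverified_alias": sorted(addrs(recv, "X-Google-Original-From")),
        # "Bcc" addresses that appear only in the sender's copy.
        "bcc_only_in_sent_copy": sorted(addrs(sent, "Bcc") - addrs(recv, "Bcc")),
    }

if __name__ == "__main__":
    for key, value in compare_copies(SENT_COPY, RECEIVED_COPY).items():
        print(f"{key}: {value}")
```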


You can find more information on sending emails from aliases on Outlook here and Gmail here, and more about metadata in general here.