
Emails: Foundation for Admissibility

Assuming you already have, or have obtained, email in discovery, how do you get it admitted as evidence at a trial or hearing?

Emails are similar to other documents in that they must be authenticated, must be relevant and either non-hearsay or fit within an exception to the hearsay rules. Due to their nature, they are also subject to additional ‘special challenges’ – one of the most common of which is the ‘spoofing defense’ – discussed further below.

One of the best devices for dealing with an email or series of emails sought to be used as evidence (especially those not obtained from the adversary in discovery) is the Notice to Admit. Forensically authenticating an email, as outlined below, means showing that it is what it purports to be, was sent by the person it says it was sent by, on the date and time stated in the email, and was addressed to the parties referenced on its face. Given that burden, it is best to establish at the outset whether the email is going to be challenged at all.

The traditional foundation for admitting an email into evidence is a sponsoring witness who sent or received the email in question. If counsel has the email and a witness who can testify that they sent or received it, that may be enough to get it admitted. However, if the authenticity of the email is challenged, this may NOT be sufficient, and forensic testimony regarding the authenticity of the email(s) may be required.

The reason challenges to email authenticity are taken very seriously is that emails are easily ‘spoofed’ – made to appear that they come from a particular party when they really did not.   

Email spoofing involves setting the “From” header of an outgoing message (the display name, the address, or both) to show a sender other than the one actually sending it. The SMTP protocol itself does not verify that the “From” header belongs to the party connecting to the server; the sending software simply writes whatever it is told. This is why spoofing is easy, and why it produces so many challenges to emails offered as having come from a particular sender or account, whether in printed form or as PDF copies.

All that is required to spoof an email message is an SMTP server willing to relay the message and mail software that lets the sender set the “From” header freely. Any good web host will provide an SMTP server, and one can also be installed on a personal computer. PHPMailer is one example of such software: it is a PHP library (not a mail server itself) that connects to an SMTP server and sends whatever message it is given. The steps are easy: compose a message, enter the “from” and “to” addresses, and send. Presto! The named recipient receives an email that looks like it came from whatever email address the “spoofer” entered.

A person with rudimentary computer skills, who has never done so before, can learn the skill and accomplish the act in well under an hour. Someone who already possesses the knowledge and tools can generate and send a spoofed email in a matter of minutes. It is very simple to do. Fortunately, there is a reliable way to determine whether an email has been spoofed. It is not difficult, but it requires access to the original email header and expertise in examining email headers. [Emails produced in discovery, in their native format, will contain the required email headers. As with any other form of ESI, however, it is possible to manipulate a header prior to producing it. This is why, as discussed in detail above, it is best to recover the email(s), or any ESI, directly through collection, preservation and examination of a party’s devices and systems.]

Emails consist of more than what you see as the sender or receiver. The email header contains all the information the user does not generally see regarding the transmission of the email: the coding that allows the email servers and mail clients to know where and to whom it should go, and where and from whom it was received. This is critically important when looking into ‘anonymous emails’ or determining whether an email is legitimate or ‘spoofed’ (made to appear that it came from someone it did not). Most attorneys have seen hundreds of thousands of emails, but many have never seen an actual email header, even though one is part of every email. Below is an excerpt from an email header (a full email header can be several pages long if printed).

X-Atlas-Received: from 10.201.194.23 by atlas123.free.mail.bf1.yahoo.com with http; Tue, 9 Jun 2020 23:08:23 +0000
Return-Path: <nhimonidis@thenghgroup.com>
Received: from 40.107.94.123 (EHLO NAM10-MW2-obe.outbound.protection.outlook.com)
by atlas123.free.mail.bf1.yahoo.com with SMTPs; Tue, 9 Jun 2020 23:08:23 +0000
X-Originating-Ip: [40.107.94.123]
Received-SPF: pass (domain of thenghgroup.com designates 40.107.94.123 as permitted sender)
Authentication-Results: atlas123.free.mail.bf1.yahoo.com;
dkim=pass header.i=@NETORGFT3132369.onmicrosoft.com header.s=@selector2-NETORGFT3132369-onmicrosoft-com;
spf=pass smtp.mailfrom=thenghgroup.com;
dmarc=unknown

Note the Received field, which shows the name (NAM10-MW2-obe.outbound.protection.outlook.com) and IP address (40.107.94.123) of the mail server that actually connected to the recipient’s server, and the Return-Path field, which records the envelope sender address the sending server presented. A spoofer can set the Return-Path just as easily as the From field; what a spoofer cannot alter are the Received line and the Received-SPF / Authentication-Results lines added by the recipient’s own server, because those are written by that server after the message arrives and record the connecting IP and the result of checking it against the sender domain’s published records. Examination of the header of a spoofed email would therefore typically reveal that the Return-Path (envelope sender) does not match the From/Sender field on the email itself, and/or that the mail server the email actually came from does not match the domain of the spoofed email address, with SPF and DKIM failing or absent. An example of a spoofed email header [Source Proofpoint] used in a phishing attack is below.

Notice in that example that the Received field shows the email was actually received from “mail.random-company.nl” and not from “microsoft.com”, which is the domain identified in the spoofed From and Return-Path fields.
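The checks described above (connecting server versus claimed sender domain, Return-Path versus From, and the SPF/DKIM results stamped by the receiving server) can be applied mechanically to a raw message. The following is an added example, not code from the original article or from any vendor named in it. It uses only the Python standard library. The first sample message is assembled from the legitimate header excerpt quoted above, with a To address, Subject and body added for completeness; the second is a constructed phishing sample modelled on the Proofpoint description: From and Return-Path claim microsoft.com, but the connecting server is mail.random-company.nl (the address 203.0.113.45, the receiving host mx.example.net, and the mailbox names are all assumed for illustration). It also applies one check a practitioner should not skip: an Authentication-Results header is trusted only if it names the same server that wrote the topmost Received line, since a sender can insert a forged one further up the chain.

```python
"""Triage email headers for spoofing indicators (added example, constructed samples)."""
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed from the legitimate header excerpt in the article; To/Subject/body added.
LEGIT = """\
Return-Path: <nhimonidis@thenghgroup.com>
Received: from 40.107.94.123 (EHLO NAM10-MW2-obe.outbound.protection.outlook.com)
 by atlas123.free.mail.bf1.yahoo.com with SMTPs; Tue, 9 Jun 2020 23:08:23 +0000
Received-SPF: pass (domain of thenghgroup.com designates 40.107.94.123 as permitted sender)
Authentication-Results: atlas123.free.mail.bf1.yahoo.com;
 dkim=pass header.i=@NETORGFT3132369.onmicrosoft.com;
 spf=pass smtp.mailfrom=thenghgroup.com;
 dmarc=unknown
From: <nhimonidis@thenghgroup.com>
To: <recipient@example.com>
Subject: constructed sample

(body)
"""

# Constructed phishing sample: claims microsoft.com, arrives from mail.random-company.nl.
# 203.0.113.45, mx.example.net and the mailbox names are assumed values.
SPOOF = """\
Return-Path: <account-security@microsoft.com>
Received: from mail.random-company.nl (mail.random-company.nl [203.0.113.45])
 by mx.example.net with ESMTP; Mon, 1 Jun 2020 10:00:00 +0000
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=microsoft.com;
 dkim=none;
 dmarc=fail
From: Microsoft Account Team <account-security@microsoft.com>
To: <victim@example.net>
Subject: constructed phishing sample

(body)
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a From / Return-Path value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw):
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    rp_domain = domain_of(msg.get("Return-Path"))

    # The topmost Received header was added last, by the recipient's own server,
    # so the connecting host and IP it records are outside the sender's control.
    top = " ".join((msg.get_all("Received") or [""])[0].split())
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", top)
    token, paren = (m.group(1), m.group(2) or "") if m else ("", "")
    ip_m = IP_RE.search(top)
    sending_ip = ip_m.group(0) if ip_m else ""
    if paren.upper().startswith("EHLO "):
        sending_host = paren[5:].strip().lower()   # name announced at EHLO
    elif not IP_RE.fullmatch(token):
        sending_host = token.lower()
    else:
        sending_host = ""
    by_m = re.search(r"\bby\s+(\S+)", top)
    received_by = by_m.group(1).lower() if by_m else ""

    # Trust Authentication-Results only when stamped by that same receiving server.
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    findings = []
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    authserv = ar.split(";", 1)[0].strip().lower()
    if ar and authserv == received_by:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar):
            results[method] = result.lower()
    elif ar:
        findings.append(f"Authentication-Results from {authserv!r}, not {received_by!r}; ignored")

    if from_domain != rp_domain:
        findings.append(f"From domain {from_domain!r} differs from Return-Path domain {rp_domain!r}")
    if results["spf"] != "pass":
        findings.append(f"SPF {results['spf']!r}: {sending_ip or 'connecting IP'} not vouched for")
    if results["dkim"] != "pass":
        findings.append(f"DKIM {results['dkim']!r}: no valid signature")
    if sending_host and from_domain and results["spf"] != "pass" \
            and not sending_host.endswith(from_domain):
        findings.append(f"received from {sending_host!r}, which is not under {from_domain!r}")

    authenticated = results["spf"] == "pass" or results["dkim"] == "pass"
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "sending_host": sending_host, "sending_ip": sending_ip,
            "received_by": received_by, **results, "findings": findings,
            "verdict": "consistent with claimed sender" if authenticated else "spoofing indicators"}


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        r = analyze(raw)
        print(f"{name}: {r['verdict']} (from {r['sending_host'] or r['sending_ip']})")
        for f in r["findings"]:
            print("  -", f)
```

Run against the two samples, the legitimate message yields no findings (SPF and DKIM both pass at the receiving server), while the constructed phish is flagged three times: SPF failed, there is no DKIM signature, and the connecting server is not under the claimed From domain. A production tool would add reverse-DNS and WHOIS lookups on the connecting IP and would walk every Received line, not just the top one; the example is deliberately limited to what can be decided offline from the header text itself.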

If an email is offered as evidence and is challenged – for example, the purported sender denies sending the email and claims that it must have been ‘spoofed’, and the email header is not available for examination, the email may be ruled inadmissible, or at the very least, its weight as evidence may be severely diminished.

RESULT: You should take steps to collect and preserve ALL important email(s) / email evidence IN THEIR NATIVE FORMAT – WITH FULL HEADER INFORMATION INTACT.