How To Check If Your Email Is Being Forwarded

Email forwarding is a legitimate feature that millions of users rely on daily. However, it can also be exploited maliciously to silently redirect your correspondence to an unauthorized third party. Whether you’re a developer managing corporate email or a privacy-conscious user, knowing how to detect unauthorized forwarding is essential for maintaining email security.

This guide provides practical methods to identify if your emails are being forwarded without your knowledge, with code examples and tools suitable for technical users.

Understanding Email Forwarding Mechanics

When an email is forwarded, the original message traverses multiple servers before reaching its destination. Each server adds diagnostic headers to the message, creating a trail that reveals the forwarding path. These headers become your primary investigative tool.

Email forwarding occurs in several forms:

Manual forwarding: You or an authorized user explicitly sets up a forward rule
Automatic forwarding: Server-side rules that redirect incoming mail based on conditions
Bcc forwarding: Silent carbon copies that may go unnoticed
Alias redirection: Emails sent to one address delivered to another

Malicious forwarding typically happens through compromised accounts, unauthorized inbox rules, or compromised credentials. Attackers configure forwarding rules to exfiltrate sensitive communications without alerting the account owner.

Examining Email Headers

The most reliable method to detect forwarding involves analyzing raw email headers. Every email contains metadata that documents its journey through the mail system.

Finding Email Headers

Most email clients hide headers by default. Here’s how to access them:

Gmail: Open an email, click the three dots, select “Show original”

Apple Mail: View → Message → All Headers

Thunderbird: View → Headers → All

Programmatic access (Python):

import email
from email import policy
from email.parser import BytesParser

def extract_headers(raw_email):
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)

    # Extract all received headers (these trace the email's path)
    received = msg.get_all('Received')

    # Check for forwarding indicators
    for header in ['X-Forwarded-For', 'X-Originating-IP', 'Received-SPF']:
        if header in msg:
            print(f"{header}: {msg[header]}")

    return received

Key Headers That Reveal Forwarding

Several headers indicate forwarding activity:

Received: Each mail server adds a “Received” header showing timestamp, server name, and sometimes the source IP
X-Forwarded-For: Explicitly lists intermediate destinations
X-Originating-IP: Shows the original sender’s IP address
Delivered-To: The final destination address
Return-Path: Where bounce messages are sent (often differs from “From”)

Compare the “From” address against “Delivered-To” and “Return-Path” to identify discrepancies that suggest forwarding.

Detecting Unauthorized Forwarding Rules

Email providers offer various ways to view active forwarding rules. Checking these regularly helps catch unauthorized configurations.

Gmail

Access forwarding settings at Settings → Forwarding and POP/IMAP. You’ll see all configured forwarding addresses here. For programmatic access, use the Gmail API:

from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build

def check_gmail_forwarding(credentials):
    service = build('gmail', 'v1', credentials=credentials)

    # Get forwarding settings
    settings = service.users().settings().getForwardingAddress(
        userId='me'
    ).execute()

    for forward in settings.get('forwardingEmailAddresses', []):
        print(f"Forwarding to: {forward['forwardingEmail']}")

Microsoft 365 / Outlook

Use the Exchange Online PowerShell module:

# Check forwarding rules
Get-InboxRule -Mailbox "user@domain.com" |
  Where-Object { $_.ForwardTo -or $_.RedirectTo } |
  Select-Object Name, ForwardTo, RedirectTo, Enabled

# Check mailbox forwarding settings
Get-Mailbox user@domain.com |
  Select-Object ForwardingSmtpAddress, DeliverToMailboxAndForward

Apple iCloud

iCloud doesn’t provide a web interface for viewing rules. Use AppleScript to check:

tell application "Mail"
    set forwardRules to forwarding rules of account "iCloud"
    repeat with r in forwardRules
        log (name of r & ": " & (forwarding address of r as string))
    end repeat
end tell

Server-Side Detection for Administrators

If you administer your own mail server, several methods help detect forwarding anomalies.

Postfix Logging

Check /var/log/mail.log for forwarding patterns:

# Find emails forwarded to external domains
grep -E "to=<.*@gmail\.com|to=<.*@yahoo\.com" /var/log/mail.log | \
  grep -E "from=<.*@yourdomain\.com"

# Monitor for new forwarding aliases
grep "forward" /var/log/mail.log | tail -100

Checking DMARC and SPF Failures

Forwarded emails often trigger authentication failures. Monitor these:

# Check for SPF/DKIM failures indicating forwarding
grep -E "spf=fail|dkim=fail" /var/log/mail.log | \
  awk '{print $NF}' | sort | uniq -c | sort -rn

Practical Detection Workflow

Implement a systematic detection process:

Baseline your headers: Save headers from emails you know weren’t forwarded
Compare new emails: Look for new “Received” chain entries or unexpected “X-Forwarded-For” values
Verify forwarding rules: Check your provider’s forwarding settings weekly
Monitor sent folder: Attackers forwarding your emails may use your account
Set up alerts: Configure notifications for new forwarding rules

Automated Monitoring Script

Here’s a Python script that checks Gmail for suspicious forwarding:

import os
from datetime import datetime, timedelta
from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build

def monitor_forwarding(credentials_path='token.json'):
    credentials = Credentials.from_authorized_user_file(credentials_path)
    service = build('gmail', 'v1', credentials=credentials)

    # Check for recent forwarding rule changes
    history = service.users().history().list(
        userId='me',
        startHistoryId=os.environ.get('LAST_HISTORY_ID', '1'),
        historyTypes=['label']
    ).execute()

    # Get current forwarding addresses
    forwarding = service.users().settings().getForwardingAddresses(
        userId='me'
    ).execute()

    known_forwarders = ['your-personal@email.com']

    for addr in forwarding.get('forwardingEmailAddresses', []):
        if addr['forwardingEmail'] not in known_forwarders:
            print(f"ALERT: Unknown forwarding address: {addr['forwardingEmail']}")

    return history.get('historyId')

if __name__ == '__main__':
    alert_history_id = monitor_forwarding()
    print(f"Monitoring from history: {alert_history_id}")

What To Do If You Detect Unauthorized Forwarding

If you discover unauthorized forwarding:

Immediately remove the rule: Access your email settings and delete suspicious forwarding addresses
Change your password: Assume your account may be compromised
Enable two-factor authentication: Add an extra layer of security
Check for other rules: Look for additional malicious rules like email deletion or marking as read
Review recent account activity: Check login history for unfamiliar locations
Notify contacts: Inform people who emailed you recently that your account may have been compromised

Prevention Best Practices

Use dedicated email aliases for different services
Enable login alerts for new devices
Regularly audit forwarding rules (monthly)
Use password managers to prevent credential reuse
Consider using a privacy-focused email provider with security features

Detecting unauthorized email forwarding requires vigilance and understanding of email metadata. By regularly examining headers, monitoring forwarding rules, and implementing automated checks, you can protect your communications from silent exfiltration.

Built by theluckystrike — More at zovo.one