Remove Private IP Address of Client From Email Header

While it’s common practice to include information about the servers that handled the email in the “Received” header, there is a growing concern about privacy and security. Revealing private IP addresses in the header might expose internal network information and potentially compromise user privacy.

Received: from [192.168.1.2] (example.com [1.2.3.4])
	by mail.example.com (Postfix) with ESMTPSA id 92CD297DEA;

I propose that eM Client considers removing the private IP address from the header while ensuring continued compliance with relevant RFCs. The resulting Received: header stamp would be:

Received: from (example.com [1.2.3.4])
	by mail.example.com (Postfix) with ESMTPSA id 92CD297DEA;

The decision to make this change is supported by the following considerations:

  1. Privacy and Security: Revealing private IP addresses in email headers may pose a risk to user privacy and security by exposing internal network details.

  2. Compliance with RFCs: The current RFCs governing email standards do not mandate the inclusion of private IP addresses in the header. Specifically, RFC 5321 and RFC 5322, which define the SMTP protocol and the message format, respectively, do not require the disclosure of private network details.

  3. Alignment with Industry Best Practices: Many email clients have adopted a practice of not including private IP addresses in email headers to enhance user privacy and security.

  4. Consistency with User Expectations: Users generally expect their private information, such as internal IP addresses, to remain confidential. Removing private IP addresses from email headers aligns with these user expectations.

1 Like
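An added example (not part of the original post and not eM Client or Postfix code): a Python check that lists the private address literals found in the from-clause of each Received header, so a message that was actually sent can be inspected for the disclosure described above. The sample message and the function name `private_literals` are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message; the second Received header mirrors the one
# quoted in the post above, the first is a made-up later hop.
SAMPLE = (
    "Received: from mail.example.com (mail.example.com [1.2.3.4])\r\n"
    "\tby mx.example.org (Postfix) with ESMTPS id 1A2B3C4D5E;\r\n"
    "\tMon, 1 Jan 2024 10:00:01 +0000 (UTC)\r\n"
    "Received: from [192.168.1.2] (example.com [1.2.3.4])\r\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 92CD297DEA;\r\n"
    "\tMon, 1 Jan 2024 10:00:00 +0000 (UTC)\r\n"
    "From: alice@example.com\r\n"
    "To: bob@example.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

# Address literals sit in square brackets; IPv6 ones may carry an "IPv6:" tag.
LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def private_literals(raw_message):
    """Return (hop, address) pairs for private, loopback or link-local address
    literals in the from-clause of each Received header.
    Hop 0 is the topmost header, i.e. the last server to handle the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        unfolded = " ".join(str(value).split())
        # Only the text before " by " describes the connecting client.
        from_clause = re.split(r"\sby\s", unfolded, maxsplit=1)[0]
        for text in LITERAL.findall(from_clause):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not an IP address
            if addr.is_private:
                findings.append((hop, str(addr)))
    return findings


if __name__ == "__main__":
    for hop, addr in private_literals(SAMPLE):
        print(f"Received hop {hop}: private address literal {addr}")
```

Running it against a copy of a sent message saved from the recipient side shows which hop recorded the client's internal address.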

See this thread on that topic.

Familiar with the thread and Wolf1 made many of the same points I have proposed in my Feature Request.

Is there a particular section of that thread that you would like to discuss?

While it’s common practice to include information about the servers that handled the email in the “Received” header, there is a growing concern about privacy and security. Revealing private IP addresses in the header might expose internal network information and potentially compromise user privacy.

Received: from [192.168.1.2] (example.com [1.2.3.4]) by mail.example.com (Postfix) with ESMTPSA id 92CD297DEA;

What mail clients currently don’t show that in the header?

Also do they give the user the option to disable that in settings?

Yes, from the thread you referenced:

In addition, the final post of the thread demonstrates that RFC 5321 indicates hosts should be known by names and not numerical addresses:

{Section 4.1.2}

1 Like

Please see RFC 2821 requirements:

The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source.

But in the end, it is the SMTP server that adds the IP address to the header, not eM Client. Maybe something to speak to your email provider about?

1 Like