Widely adopted by SMEs, Microsoft Outlook and Gmail are particularly affected. Analysis of an email reveals a structured set of metadata. Each message includes technical fields in its headers, which allow its routing, identification and traceability.
Among the elements systematically accessible to providers are, for example:
The sender and recipient: the name and email address of each party (From, To, Cc, Bcc). Microsoft and Google servers have access to them as part of the messages, whether you view them via the web or through dedicated software.
The date and time: The Date field records precisely when the message was sent, which makes it possible to reconstruct the chronology. By extension, it is therefore possible to know the frequency of exchanges between several identified correspondents.
The subject of the message: Outlook and Gmail keep this field in clear text, because it is used for local indexing as well as notifications. Even when an email is encrypted, the subject remains visible in the standard headers.
Connection and routing information: Each pass through a server leaves a timestamped trace (Received field), indicating the complete route traveled.
The original IP address: sometimes masked depending on the configuration, it appears in certain contexts. It can be used to estimate the geographic origin of the message.
Information on attachments: The names of the files sent, their type and size are added in the Content-Type metadata. Their existence is reported even if access to the content requires an additional step.
Authentication and tracking: Fields such as Message-ID, Return-Path, or electronic signatures (DKIM, SPF, DMARC) are kept for spam filtering, replies and spoofing detection.
This level of visibility allows effective mail management, for Outlook as for Gmail, but exposes all of these traces to their infrastructure, even when the content of the email benefits from partial or total encryption. Google even has a tool for analyzing the contents of email headers. Since these messaging services are run by American companies, they are subject to the Cloud Act and can be forced to transmit this metadata to the American authorities, even if it is stored in the European Union.
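To make the list above concrete, the following added example (not part of the original article) parses a constructed message whose body is ciphertext and returns every field that remains readable without decrypting it. The addresses, hostnames, documentation-range IPs, subject and the `provider_view` helper are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample (not real traffic): only the body part is encrypted.
RAW = """\
Return-Path: <alice@example.com>
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by mx.example.org with ESMTPS; Tue, 04 Mar 2025 09:15:02 +0000
Received: from laptop.example.com (unknown [198.51.100.23])
    by mx.example.net with ESMTPSA; Tue, 04 Mar 2025 09:15:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; b=PLACEHOLDER
Message-ID: <constructed-0001@example.com>
Date: Tue, 04 Mar 2025 09:15:00 +0000
From: Alice Martin <alice@example.com>
To: Bob Durand <bob@example.org>
Cc: carol@example.org
Subject: Q1 acquisition offer
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

(constructed placeholder standing in for PGP ciphertext)
--BOUNDARY
Content-Type: application/pdf
Content-Disposition: attachment; filename="offer-draft.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

def provider_view(raw: str) -> dict:
    """Metadata readable without decrypting the body; route is oldest hop first."""
    msg = message_from_string(raw, policy=policy.default)
    hops = [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]
    ips = re.findall(r"\[([0-9A-Fa-f.:]+)\]", " ".join(hops))
    dkim = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    files = [(p.get_filename(), p.get_content_type(), len(p.get_payload(decode=True)))
             for p in msg.walk() if p.get_content_disposition() == "attachment"]
    return {
        "from": str(msg["From"]), "to": str(msg["To"]), "cc": str(msg["Cc"]),
        "sent": msg["Date"].datetime.isoformat(), "subject": str(msg["Subject"]),
        "route": hops, "origin_ip": ips[0] if ips else None,
        "attachments": files, "message_id": str(msg["Message-ID"]),
        "return_path": str(msg["Return-Path"]),
        "dkim_domain": dkim.group(1) if dkim else None,
    }

if __name__ == "__main__":
    print(provider_view(RAW))
```

Running the same function over your own exported `.eml` files shows which of these fields your client and provider actually leave in clear text.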