Lesson 3.1

"View Original" — The Button Nobody Uses

12 minutes

Every email client on the planet has a button that shows you the “real” version of an email — the full headers, the raw relay chain, the receipt of every verification check the receiving server performed. Almost nobody has ever clicked it. It’s not hidden because it’s dangerous. It’s hidden because most people don’t need it. You’re about to need it.

Finding the Button (4 Clients)

The button has a different name and a different hiding place in each client. Here’s the exact path for the four most common ones.

Gmail (web)

  1. Open the message.
  2. Click the three-dot menu on the message itself (the one inside the message pane — not the three-dot menu for the whole Gmail window).
  3. Select “Show original”.

A new tab opens with the full raw message. You can copy the whole block from here.

Outlook (web / Microsoft 365)

  1. Open the message.
  2. Click the three-dot menu at the top of the message.
  3. Choose “View” → “View message source”.

A pop-up or panel appears with the raw source.

Apple Mail (macOS)

  1. Select the message in your inbox.
  2. From the menu bar: View → Message → “All Headers” (shows headers inline above the body) or “Raw Source” (shows the complete message — headers plus body — in a separate window).

“Raw Source” is what you want for forensics.

Thunderbird

  1. Select the message.
  2. View menu → Message Source (or press Ctrl+U on Windows/Linux, Cmd+U on macOS).

A new window opens with everything.

What You’ll See (And Why It’s Fine You Don’t Understand It)

The first time you open “Show original” or “Raw Source,” you’ll see a wall of text. Dozens of lines. Abbreviations. Timestamps. Domain names. Numbers in brackets. Cryptic strings that look like passwords. It’s overwhelming on purpose — email headers were designed for machines, not humans, and every mail server that touches the message adds its own commentary on the way through.

Here is the thing nobody tells you: you do not need to read all of it. You don’t need to know what “ESMTPS” means. You don’t need to parse the timestamps. You don’t need to understand the Received: chain. All of that is signal for forensic specialists running deep investigations. For TRACE, you need three lines — and the rest of Module 3 teaches you to find them and what they mean.

The walls of text are supposed to be intimidating to attackers, not to you. Your job is to find three lines. A tool helps you do the rest.

The Headers’ Job

Every server that touches an email adds to its headers, stamping it like luggage at an airport. By the time the message reaches your inbox, the headers tell a story — where it really originated, who relayed it, who verified it along the way, and what the destination server thought of the result. That story is what we’re reading. Not the body. Not the signature. The metadata underneath.

The body of an email is whatever the sender chose to type. The headers are what the infrastructure chose to record. Attackers control one. They mostly don’t control the other.
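An added example of what a tool does with that story (this is illustrative code written for this page, not part of the lesson or any product it mentions): it parses a raw message with Python's standard email module, walks the Received: chain oldest-first so the origin hop comes out on top, and pulls the spf/dkim/dmarc verdicts the receiving server recorded in Authentication-Results. The message, hostnames and addresses are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample raw message (documentation hostnames and IP ranges, no real mail).
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by inbox.example.com with ESMTPS; Tue, 5 Mar 2024 10:02:11 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
 by mx.example.net with ESMTPS; Tue, 5 Mar 2024 10:02:09 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
 by relay.example.org with ESMTP; Tue, 5 Mar 2024 10:02:05 +0000
Authentication-Results: inbox.example.com;
 spf=fail smtp.mailfrom=bank.example;
 dkim=none;
 dmarc=fail header.from=bank.example
From: "Support" <support@bank.example>
To: victim@example.com
Subject: Please verify your account

Body text the sender chose to type.
"""

def received_chain(msg):
    """Hops as (from, by) pairs, oldest first. Each relay prepends its own
    Received: line, so the last one in the header block is the origin."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        m = re.match(r"from (\S+).*?\bby (\S+)", text)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def summarize(raw):
    """Origin hop, relay chain and authentication verdicts from one raw message."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    return {"origin": hops[0][0] if hops else None,
            "hops": hops,
            "auth": auth_results(msg)}

if __name__ == "__main__":
    report = summarize(RAW_MESSAGE)
    print("origin :", report["origin"])
    for src, dst in report["hops"]:
        print(f"  {src} -> {dst}")
    print("auth   :", report["auth"])
```

Paste the block you copied from “Show original” or “Raw Source” in place of RAW_MESSAGE and the same summary comes out for your own message.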

One More Thing: Mobile is Limited

iOS Mail has almost no “View Original” capability — you’ll find a cramped “View Message” option that shows a truncated view, and that’s about it. Android Gmail works the same way as the web version (three-dot menu → “Show original”). If you’re investigating on a phone and you’re not using Android Gmail, expect to switch to desktop.

This is fine. Investigation is not a mobile-first activity. The same mailbox is almost always accessible from a browser or a desktop mail client, and that’s where the real forensic tooling lives.

Your training told you to squint at sender addresses. Those are in the first line — trivially faked. The good stuff is in lines you've never looked at.

Key Takeaways

  1. Every major email client exposes the raw message behind a menu: Gmail’s “Show original,” Outlook’s “View message source,” Apple Mail’s “Raw Source,” Thunderbird’s “Message Source.”
  2. The raw message is a wall of text on purpose — designed for machines. You only need three lines out of dozens.
  3. Mail servers stamp headers as the message travels, creating a record of the journey that attackers cannot fully rewrite.
  4. Mobile clients (especially iOS Mail) are limited for this work — move to desktop or webmail when you need to investigate seriously.