Certification & Online Trace Collection · service active
WACZ · ISO 28500/ eIDAS timestamping/ Client area
C.E.R.T.O.
Sign in Register free
IT EN
C.E.R.T.O. / Guides / Email

Email as evidence

Email · 29 June 2026 · C.E.R.T.O.

An email can be worth as much as a contract: an order confirmation, a cancellation, a dispute, an agreement "in writing". Yet the usual way to bring an email into a case — forwarding or printing it — is also the easiest to challenge.

Forwarding an email rewrites its headers and loses the original trail; printing it produces a PDF anyone can retouch. Either way, all that is left is your word.

What makes an email disputable-proof

An email's evidential strength is not in the text, but in what sits "behind" it: the full source (the .eml file with all its technical headers) and its authentication results. In particular:

  • the Received chain — the list of servers that carried the message, with times and IP addresses: the real path and the certain time of arrival at the destination server (not your PC's clock);
  • SPF — checks that the sender domain authorised that IP to send;
  • DKIM — a cryptographic signature by the sender domain over the message: proof the content was not altered in transit;
  • DMARC — the rule that ties SPF and DKIM together, showing whether the message is consistent with the claimed domain.

What the C.E.R.T.O. Email module captures

The Email module connects to the mailbox over IMAP and saves the full .eml source, automatically analyses the headers (Received chain, IP, SPF/DKIM/DMARC, TLS version) and extracts attachments, computing a fingerprint for each. Every message becomes an exhibit with its own battery of hashes (several digital fingerprints that change at the slightest edit).

Certified mail (in Italy, PEC): what changes

With certified electronic mail the value is even higher: besides the message, C.E.R.T.O. captures the transport envelope and the acceptance and delivery receipts, signed with a qualified eIDAS certificate by the provider. These are what fix the legal date of sending and delivery.

What it proves (and what it does not)

A disputable-proof email acquisition shows who sent it (domain authentication), when it arrived (transport timestamp) and that the message is intact (hash). To be honest: it proves what was captured at that moment, not a prior conversation that never passed through that mailbox.

It all ends up in a BagIt bundle with a timestamp and a chain of custody, verifiable by anyone. See also: capturing a web page as evidence.

Keep reading