The source-system (not the source-user) of the email is in the headers.
If you View All Headers and SAVE AS something.txt, then Notepad or Wordpad can be used to plow thru the details. A sample is given in the attached file.
The order of the headers (top down) will disclose:
- where the email came from
- every system thru which the email traveled
- the final recipient
Some gory details:
ARC-Seal: I=1; a=rsa-sha256; t=1524016203; cv=none;
ARC-Message-Signature: I=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
ARC-Authentication-Results: I=1; mx.google.com;
are the SMTP origin server processing; the last one tells you it's the Google domain (mx.google.com).
These ARC-xxx headers will be different per-message, per-SMTP server software (aka, Exchange will be very different).
That ARC-Authentication-Results has other origin info:
ARC-Authentication-Results: I=1; mx.google.com;
dkim=pass header.I=@twitter.com header.s=dkim-201406 header.b=hVpo6kTX;
spf=pass (google.com: domain of b0639c2c4b6zxcvbnmlasdfghjk=gmail.com@bounce.twitter.com designates 199.59.150.112 as permitted sender) smtp.mailfrom=b0639c2c4b6zxcvbnmlasdfghjk=gmail.com@bounce.twitter.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=twitter.com
There may be several RECEIVED: from lines, but the first one is gold:
Received: from spruce-goose-bq.twitter.com (spruce-goose-bq.twitter.com. [199.59.150.112])
by mx.google.com with ESMTPS id v32-v6si178674plg.105.2018.04.17.18.50.02
for <zxcvbnmlasdfghjk@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 17 Apr 2018 18:50:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of b0639c2c4b6zxcvbnmlasdfghjk=gmail.com@bounce.twitter.com designates 199.59.150.112 as permitted sender) client-ip=199.59.150.112;
The Client-IP is the machine upon which the email was created.
These are email standard protocol controls:
IMO, unless there is a legal reason to confront the sender, to protect your job, I highly recommend you drop the case and just move on.
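An added example, not part of the original post: a short Python script that reads a saved headers file, lists each Received hop in file order, pulls the dkim/spf/dmarc verdicts, and checks that the Received-SPF client-ip matches the connecting IP in the top Received line. The sample input is constructed from the header lines quoted above, and the function names are illustrative.

```python
import re
from email import message_from_string

# Constructed sample: the header lines quoted in the post, with continuation lines folded.
SAMPLE = """\
ARC-Authentication-Results: I=1; mx.google.com;
 dkim=pass header.I=@twitter.com header.s=dkim-201406 header.b=hVpo6kTX;
 spf=pass (google.com: domain of b0639c2c4b6zxcvbnmlasdfghjk=gmail.com@bounce.twitter.com designates 199.59.150.112 as permitted sender) smtp.mailfrom=b0639c2c4b6zxcvbnmlasdfghjk=gmail.com@bounce.twitter.com;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=twitter.com
Received: from spruce-goose-bq.twitter.com (spruce-goose-bq.twitter.com. [199.59.150.112])
 by mx.google.com with ESMTPS id v32-v6si178674plg.105.2018.04.17.18.50.02
 for <zxcvbnmlasdfghjk@gmail.com>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 17 Apr 2018 18:50:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of b0639c2c4b6zxcvbnmlasdfghjk=gmail.com@bounce.twitter.com designates 199.59.150.112 as permitted sender) client-ip=199.59.150.112;

"""

IP = r"([0-9A-Fa-f:.]+)"  # loose IPv4/IPv6 literal

def unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(value.split())

def received_hops(msg):
    """Return (from_host, connecting_ip, by_host) per Received header, in file order."""
    hops = []
    for raw in msg.get_all("Received", []):
        v = unfold(raw)
        src = re.search(r"from\s+(\S+).*?\[" + IP + r"\]", v)
        by = re.search(r"\bby\s+(\S+)", v)
        hops.append((src.group(1) if src else None,
                     src.group(2) if src else None,
                     by.group(1) if by else None))
    return hops

def auth_verdicts(msg):
    """Extract dkim/spf/dmarc results from the (ARC-)Authentication-Results header."""
    v = unfold(msg.get("ARC-Authentication-Results") or msg.get("Authentication-Results") or "")
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", v))

def summarize(text):
    msg = message_from_string(text)
    hops = received_hops(msg)
    m = re.search(r"client-ip=" + IP, unfold(msg.get("Received-SPF", "")))
    spf_ip = m.group(1) if m else None
    # Only the hop stamped by your own mail provider is recorded by a system you trust.
    return {"hops": hops, "auth": auth_verdicts(msg), "spf_ip": spf_ip,
            "ip_matches": bool(hops) and hops[0][1] == spf_ip}
```

To run it on a real message, pass the contents of the saved something.txt to `summarize()`.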