
How to Hash an Email and Its Attachments (Step by Step)


Hashing an exported email message file and its attachments to preserve them as evidence

Introduction: Preserving an Email as Evidence

Emails are some of the most common digital evidence there is — a contract confirmation, a notice, a suspicious message, a thread that turns into a dispute. But an email is fragile. Forward it, drag it between folders, or paste its text into a document, and you have quietly changed what you are holding. If you ever need to show that a message is exactly what arrived in the inbox, you need a defensible way to fix it in time. That is precisely what hashing does. This guide explains how to hash an email and its attachments correctly: export the original message, hash the message and every attachment on its own, keep the headers intact, and record the values. You can do all of it offline with e-Dex (formerly Hash Calculator).

Step 1: Export the Original Message File (.eml / .msg)

The single most important rule is this: save the original message, do not copy and paste the text. Almost every mail program has a Save As or Export option that writes the message to a file on disk — typically an .eml or .msg file. That exported file is the complete email: visible body, formatting, embedded data, and — crucially — the full set of headers. Copy-pasting the text into a document throws all of that away and produces a brand-new file that no longer represents the original message. So begin by exporting the message to a dedicated evidence folder, and leave it untouched from that point on.

Step 2: Hash the Exported Message AND Each Attachment Separately

A cryptographic hash is a fixed-length fingerprint computed over a file's bytes; change one byte and the hash changes completely. Compute hashes over the exported .eml / .msg file itself, and then save each attachment to disk and hash every attachment on its own. Keeping them separate matters: each file gets an independent fingerprint, so you can re-verify a single attachment later without re-processing the whole email, and a change in one file never obscures the integrity of the others. e-Dex computes several algorithms per file (SHA-256, SHA-512, BLAKE3 and others) and lists them side by side, which is the modern, collision-resistant way to record integrity.

Why Headers Matter (A Screenshot Loses Them)

It is tempting to "preserve" an email with a screenshot. Don't rely on one as your primary record. A screenshot captures only what is on screen — the body, maybe the From and Subject lines. The headers, where the routing path, server timestamps and authentication results live, are nowhere in the picture. Those headers are often the most useful part of an email when origin is in question. Exporting the original message to an .eml or .msg file keeps the headers intact inside the file you hash, so the fingerprint covers the whole email rather than a stripped-down view. A screenshot can be a helpful supplement, but it is no substitute for the exported message file.

The Full Step-by-Step Workflow

Put together, the routine is short and repeatable. Export the original message to an .eml or .msg file and save every attachment to disk. Hash the exported message and each attachment separately with e-Dex. Record the resulting values on an evidence integrity certificate and write them into your custody notes. Re-verify whenever the files change hands — recompute the hashes and confirm they still match what you recorded. If every value matches, the email and its attachments are provably unchanged since the moment you preserved them.
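The same routine as a short script, added here as an illustration (it is not e-Dex code): it hashes the exported message bytes as-is, hashes each attachment's decoded bytes separately, and re-verifies with a per-file MATCH / MISMATCH verdict. It uses only Python's standard library, so it records SHA-256 and SHA-512; the function names and the sample message are constructed for this example.

```python
import hashlib
from email import policy
from email.parser import BytesParser

# Constructed sample export (not real evidence): headers, a text body, one attachment.
SAMPLE_EML = (
    b"Received: from mail.example.com by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Contract confirmation\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Please see the attached terms.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="terms.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"VGVybXMgdjE=\r\n"
    b"--b1--\r\n"
)

def digests(data):
    """Several algorithms per file, recorded side by side."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}

def build_manifest(eml_bytes, eml_name="message.eml"):
    """Hash the exported file untouched, then each attachment on its own."""
    manifest = {eml_name: digests(eml_bytes)}  # covers headers and body
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    for i, part in enumerate(msg.iter_attachments(), 1):
        # The filename comes from the message itself: use it as a label only,
        # never as a path to write to without sanitizing it first.
        name = part.get_filename() or f"attachment-{i}"
        # decode=True yields the bytes a "Save attachment" would write to disk.
        manifest[f"{eml_name}/{name}"] = digests(part.get_payload(decode=True))
    return manifest

def verify(recorded, current):
    """Per-file verdict: recomputed values against the recorded ones."""
    return {name: "MATCH" if current.get(name) == values else "MISMATCH"
            for name, values in recorded.items()}
```

For a real export, read the file in binary mode (`open(path, "rb").read()`) and pass the bytes to `build_manifest`; opening it in text mode can alter line endings and change the hash.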

A Note: Hashing Proves Integrity, Not the Sender

Be precise about what the hash does and does not do. Hashing fixes the file you exported in time — it proves the message and attachments have not changed since you recorded them. It does not, by itself, authenticate the sender. Whether a message genuinely came from a particular person or domain is established from the headers and from the mail provider's own records, not from the hash value. So treat the hash as your integrity guarantee, and lean on the preserved headers and provider logs for questions of origin. For the wider workflow around suspect messages, see our phishing email evidence collection guide.

Custody and the Certificate

Hashes are only as useful as the record that surrounds them. Once you have computed the values, e-Dex can produce an evidence integrity certificate that lists every file, its hashes and an explicit MATCH / MISMATCH verdict on re-verification — a clean one-page document you can hand on with the evidence. Pair that with simple chain-of-custody notes: who exported the message, when, from which mailbox, and who has handled the files since. The certificate proves the bytes are unchanged; the custody notes record who held them. Together they turn "trust me, this is the email" into something a reviewer can independently check with file hash verification.

Frequently Asked Questions

How do I hash an email correctly?
Export the original message to a file first, using your mail program's Save As option to produce an .eml or .msg file. Then hash that exported file with a tool like e-Dex, and hash each attachment separately. Do not copy and paste the message text into a document, because that discards the headers and changes the file, so the hash would no longer represent the original email.

Should I hash the email and attachments together or separately?
Hash the exported message file and each attachment separately. A standalone hash per file gives every item its own independent fingerprint, so you can re-verify any single attachment without re-processing the whole email, and a change in one file does not obscure the integrity of the others. e-Dex computes one set of hashes per file and lists them side by side.

Why do email headers matter when preserving an email as evidence?
The headers carry routing, timestamps and authentication results that help establish where a message came from and when. A screenshot or copy-pasted text shows only the visible body and loses those headers. Exporting the original message to an .eml or .msg file keeps the headers intact, so the file you hash is the complete email rather than a stripped-down view of it.

Does hashing an email prove who sent it?
No. Hashing fixes the exported file in time and proves it has not changed since you recorded it. It does not by itself authenticate the sender. Sender authenticity is established from the headers and from the mail provider's own records, not from the hash. The hash protects integrity; the headers and provider logs speak to origin.

Do I need an internet connection to hash an email with e-Dex?
No. e-Dex runs fully offline on your own Windows machine. Exporting, hashing and generating the evidence integrity certificate all happen locally, so the email and its attachments never leave your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.

Conclusion

Preserving an email properly comes down to a habit: export the original message, hash it and every attachment separately, keep the headers, and record the values so anyone can re-verify them later. Done that way, you can show that a message is exactly what arrived — provably unchanged, with its headers intact. You can run the whole workflow in minutes, fully offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Try the free hash tool and start preserving your emails the right way.