Email chain of custody: from sending to courtroom evidence
An email can be the decisive piece of evidence in civil litigation, criminal proceedings or international arbitration. However, between the moment of sending and courtroom presentation, digital content passes through dozens of steps that can compromise its integrity. Without a documented and verifiable chain of custody, any email risks being challenged and declared inadmissible.
This insight is part of our guide: How to certify email with legal validity: a complete guide to forensic proof
What is a digital chain of custody
The chain of custody is the complete, unbroken record of every step that a piece of digital evidence takes from its creation to its presentation in legal proceedings. For emails, this means documenting: the exact moment of sending, the complete content (body, attachments, headers), server metadata, and every subsequent access or transfer of the data.
ISO/IEC 27037 defines the international guidelines for the identification, collection, acquisition and preservation of digital evidence. This framework requires that every step be traceable, that data integrity be verifiable through cryptographic hash functions, and that the entire procedure be documented in a manner that can be reproduced and verified by an independent expert.
Cryptographic hash, digital signature and qualified timestamp
TrueScreen's email certification implements all the elements needed to build a compliant chain of custody. At the moment of certification, the system calculates the cryptographic hash of the entire message (body, attachments, headers), creating a unique digital fingerprint. Any subsequent modification, even of a single character, produces a completely different hash, making any alteration immediately detectable.
The hash is then embedded in a forensic report protected by a digital signature, ensuring certain attribution, and a qualified timestamp compliant with the eIDAS Regulation (EU 910/2014), which irrefutably establishes the moment of certification.
From certification to courtroom evidence
The eIDAS Regulation establishes that electronic documents bearing a qualified electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings across all EU member states. The UNCITRAL Model Law on Electronic Commerce similarly provides that information shall not be denied legal effect solely on the grounds that it is in electronic form, provided its integrity can be demonstrated.
Requirements for procedural admissibility
For a certified email to be admissible as evidence, the chain of custody must satisfy specific requirements: demonstrable integrity (unaltered cryptographic hash), certain attribution (certifier's digital signature), third-party opposable dating (qualified timestamp), and completeness of acquired content (body, attachments, metadata). Certification with legal validity satisfies all these requirements in a single automated process.
Compliance with ISO/IEC 27037 adds a further layer of robustness, as it allows the forensic expert to verify that the acquisition procedure followed an internationally recognised protocol, significantly reducing the scope for procedural challenges.
The advantage of preventive certification
The difference between an email certified at the moment of sending and an email stored in an ordinary archive is substantial. In the first case, the chain of custody begins at the very moment of communication, with no interruptions or possibility of alteration. In the second case, the party producing the evidence must demonstrate that the email was not modified between sending and courtroom production: an evidentiary burden that is often unsustainable.
TrueScreen enables real-time email certification, automatically building a complete chain of custody that accompanies every communication from the inbox to the courtroom.
