by tsally
5833 days ago
Regardless of whether the exchange happened or not, the claim that "[the email headers] were legitimate, and that the entire thread would be extremely hard to fake, if not impossible" is an exaggeration. For reference, open up the headers of an email you've recently received from a Gmail address. Notice the DomainKey-Signature field?

    DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
        :content-type;
        b=IBLt9oYlFSwflVBrLP4Rq64gpUeIHJMkvAjbVoYin9vugJBa4E4hxqfKeFLp/Gw3XT
        2V/PR4M4M/Kz9CU8n7poGJ+JUBcxyT4LZc4SYNHTV1TD6nmk77Pvl7E7f8uY1sAMrR9c
        F+2HiY9MMKgb0SlPdRVqUUF0QX9XoQRzA3jFs=

That's there because Gmail (along with a few other providers such as Fastmail) implements what's called DomainKeys Identified Mail (http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). It can provide cryptographic assurance that the domain name associated with an email is valid. So using the DNS records on the Gmail domain, I can pull the public key and verify the cryptographic signature.

    mil:~ tim$ host -t txt gamma._domainkey.gmail.com
    gamma._domainkey.gmail.com descriptive text "k=rsa\; t=y\;
    p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIhyR3oItOy22ZOaBrIVe9m/iME3RqOJeasANSpg2YTHTYV+Xtp4xwf5gTjCmHQEMOs0qYu0FYiNQPQo
    gJ2t0Mfx9zNu06rfRBDjiIU9tpx2T+NGlWZ8qhbiLo5By8apJavLyqTLavyP
    Srvsx0B3YzC63T4Age2CDqZYA+OwSMWQIDAQAB"

If the signature is valid, I can be reasonably confident that the email is valid. (Note that some sort of DNS compromise or attack would allow an attacker to pass me a fake public key.)

Now take a look back at the email headers in the article. There is no cryptographic signature that you can verify. Note that if these headers are made up, the forgery is quite good. There's even some nice SPF authentication going on in there. But it's not impossible to forge these headers. In a targeted attack, I could do just that. Depending on how much the guy got paid for the story, it might even be worth the time. (If there's someone with domain knowledge/experience etc. in this area and has an addition or correction, I'd love to hear it)
Let's say I email you with a simple question, you reply, and we trade emails three or four times. Gmail supports IMAP, which lets me move emails to and from my Gmail inbox without much trouble. So, all I need to do is move the mail to a server where I can alter the content (I can leave the headers intact), then copy the email back over to my Gmail inbox using an IMAP client.
I just did this using Mail.app on my Mac. It wasn't even all that time consuming. The hardest (maybe most time consuming) part would be getting a reply from Steve Jobs. I'm sure he doesn't reply to everyone.
The bottom line is that unless the mail was signed using something like PGP, it can be forged using trivial methods.
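Added example, not part of either comment above and not code from Gmail, Fastmail or any DKIM library: it ties the two comments together by running the first step of DKIM verification, the bh= body-hash check of RFC 6376, over a constructed message, then over the same message after the body has been edited the way the IMAP round trip in the second comment allows. It also parses the selector TXT record the first comment pulled from DNS into the DER public key bytes a full verifier would hand to an RSA implementation. Assumptions: the sample message uses a made-up example.com sender and leaves b= empty (computing it needs the signer's private key, and checking it over the h= headers needs an RSA library, so only bh= is real here); the l= body-length tag is not implemented; the check reads the DKIM-Signature header, since the older DomainKey-Signature header shown in the first comment carries no bh= tag.

```python
import base64
import hashlib
import re
from email import message_from_bytes

# The gamma._domainkey.gmail.com record quoted in the first comment, in the
# escaped form `host -t txt` prints it (copied from the page, joined into one line).
GAMMA_TXT = (
    '"k=rsa\\; t=y\\; '
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIhyR3oItOy22ZOaBrIVe9m/iME3RqOJeasANSpg2YTHTYV+Xtp4xwf5gTjCmHQEMOs0qYu0FYiNQPQo"
    "gJ2t0Mfx9zNu06rfRBDjiIU9tpx2T+NGlWZ8qhbiLo5By8apJavLyqTLavyP"
    'Srvsx0B3YzC63T4Age2CDqZYA+OwSMWQIDAQAB"'
)


def parse_dkim_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 s3.2). Folding whitespace is
    legal inside values such as b= and bh=, so all whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        name, _, val = part.partition("=")
        if name.strip():
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_txt_to_der(txt: str) -> bytes:
    """Turn a selector TXT record as printed by `host` into the DER
    SubjectPublicKeyInfo that an RSA library would load. t=y means the
    domain is only testing DKIM and verifiers should treat failures leniently."""
    record = txt.strip().strip('"').replace("\\;", ";")
    tags = parse_dkim_tags(record)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type %r" % tags.get("k"))
    return base64.b64decode(tags["p"])


def _crlf(data: bytes) -> bytes:
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def canonicalize_body(body: bytes, canon: str = "simple") -> bytes:
    """Body canonicalization, RFC 6376 s3.4.3 (simple) and s3.4.4 (relaxed)."""
    lines = _crlf(body).split(b"\r\n")
    if canon == "relaxed":
        # strip trailing WSP on each line, collapse runs of WSP to one SP
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif canon != "simple":
        raise ValueError("unknown canonicalization %r" % canon)
    body = re.sub(rb"(\r\n)+$", b"", b"\r\n".join(lines))  # drop trailing empty lines
    if canon == "simple" or body:
        body += b"\r\n"  # simple: empty body becomes CRLF; relaxed: stays empty
    return body


def body_hash(body: bytes, algorithm: str = "rsa-sha256", canon: str = "simple") -> str:
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, canon)).digest()).decode()


def split_body(raw: bytes) -> bytes:
    """The raw body: everything after the first empty line."""
    return _crlf(raw).partition(b"\r\n\r\n")[2]


def check_body_hash(raw: bytes) -> bool:
    """First step of DKIM verification: does bh= match the body as delivered?
    Returns False for unsigned mail. The second step, checking b= over the
    h= headers with the key from DNS, needs an RSA library and is not shown."""
    sig = message_from_bytes(raw).get("DKIM-Signature")
    if sig is None:
        return False
    tags = parse_dkim_tags(sig)
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return body_hash(split_body(raw), tags.get("a", "rsa-sha256"), body_canon) == tags.get("bh")


def make_sample(body: bytes, canon: str = "relaxed/relaxed") -> bytes:
    """Constructed message shaped like the Gmail headers in the first comment.
    bh= is computed honestly; b= is left empty (no private key here)."""
    bh = body_hash(body, "rsa-sha1", canon.split("/")[1])
    headers = (
        b"DKIM-Signature: v=1; a=rsa-sha1; c=" + canon.encode() + b"; d=example.com;\r\n"
        b"\ts=gamma; h=from:to:subject; bh=" + bh.encode() + b";\r\n"
        b"\tb=\r\n"
        b"From: alice@example.com\r\nTo: bob@example.com\r\n"
        b"Subject: quick question\r\n\r\n"
    )
    return headers + body


def tamper(raw: bytes, old: bytes, new: bytes) -> bytes:
    """What the IMAP round trip in the second comment lets you do:
    every header stays intact, only the body text changes."""
    head, sep, body = _crlf(raw).partition(b"\r\n\r\n")
    return head + sep + body.replace(old, new)


if __name__ == "__main__":
    original = make_sample(b"Can you confirm the deal?\n")
    forged = tamper(original, b"confirm", b"cancel")
    print("original body hash ok:", check_body_hash(original))
    print("forged body hash ok:  ", check_body_hash(forged))
    print("gmail gamma key DER bytes:", len(dkim_txt_to_der(GAMMA_TXT)))
```

Two things worth noticing when running it: the forged copy still carries a perfectly well-formed DKIM-Signature header, so "there is a signature header" proves nothing until a verifier actually recomputes the hash; and canonicalization deliberately forgives the trailing blank lines and whitespace changes that mail relays introduce, which is why appending empty lines to the body does not break the check while changing one word does.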