Best practices, Dobre praktyki, Security
Best practices, Dobre praktyki, Security
Have you noticed that there is a verified email address badge next to some senders in your inbox? For example – iCloud Mail shows a small stamp with a checkmark, Gmail shows a green shield or circle with a checkmark, while Outlook shows a red ribbon.
These badges of a verified email address, which are visible in most popular email clients, mean that the email has been digitally signed using a certain security protocol, more specifically, S/MIME.
Secure/Multipurpose Internet Mail Extensions is a digital signature that confirms that the sender’s email address was in fact used to send the message by its owner. “Verified email address” means that the sender has been confirmed via a digital signature.
The S/MIME protocol has been in use since around 2004, but it is still fairly unpopular, and not many email users have heard of this security feature. Mainly fintech or the financial sector, e.g. banks or lending companies, choose to use the certificate in their emails. This applies mostly to all transactional messages and those containing sensitive data – these in addition to the signing, are also often encrypted. Employees of various companies very often decide on signing messages with the mentioned certificate in their business mailboxes. Since it is issued on the basis of an ID and employment confirmation, you can be sure that no one outside the company can get such a certificate for an e-mail address on your domain.
An email certificate is like a two-part digital key (consisting of a public and private key) that is associated with your email address. By using a certificate to sign an email, the recipient will know that only the person with the original certificate and private key could have sent it. The public key is used to transmit an identifier – it contains details of the certificate authority, and may also include additional information about the identity of its owner or the company they work for.
Theoretically, each person can create their own certificate to prove that they are the given email address’ owner. However, this is where Certificate Authorities (CA) comes into action. These are institutions that issue different types of certificates – e.g. SSL certificates for encrypting websites or VMCs for displaying BIMI. There are relatively few such Root CAs – all are widely recognized by businesses around the world as trustworthy and secure.
If the mail client notes the presence of an incorrect certificate or issued by one of the non-approved CAs, the message will be marked “Untrusted Signature” with the following (or similar sounding) message:
Mail was unable to verify the authenticity of the S/MIME certificate provided by “sender name and address”. Messages signed by this user may come from another source.
The certificate can be purchased directly from the Certification Authorities mentioned above or from a retailer. A list of CAs approved by Google is available here:
(HERE).
It should not matter which provider you choose. What does matter is which email client you use to send emails – e.g. Outlook, iCloud Mail, etc. Most web-based services – such as Gmail (not counting Google Workspace), do not allow you to add certificates to emails when sending, but if you use e.g. Outlook to send emails from a sender in the Gmail domain, then certificates will work.
You can also use S/MIME for mailings sent through EmailLabs. The self-purchased certificate must be forwarded to us in a secure way (via SFTP) so that we can deploy it on our sending servers. Adding and maintaining a certificate is possible starting from the PRO Plan – ask our Sales Support for details.
If you decide to purchase and implement S/MIME then please note that certificates have a specific expiry date after which they must be renewed. The certification authority can also revoke (cancel) a certificate before its expiry date e.g. in case of false certification or suspicious sendings.
The recipient of the message does not have to do anything special to make the badge visible – certificates are supported by default by many popular email clients. As mentioned in the introduction – the badge will be presented differently depending on the email client you are using.
The following graphics show examples of how a digitally signed message will look.
For a recipient receiving e-mail from their iCloud account on an Apple device
For a recipient receiving e-mail from Gmail on an Android device
In the web service
For a recipient receiving mail from Outlook
Thanks to S/MIME the recipient can be sure that the message comes from the sender, whose e-mail address was indicated in the from field. However, be aware that anyone can buy such a certificate for their e-mail address and then use it illegally. Phishing or Spoofing are some of the most popular methods of fraud on the Internet, which use the sending of e-mails deceptively similar to those we receive every day from known senders. This is often done from the same or a slightly different domain. This is why it is so important that S/MIME itself is complementary to other authentication methods – such as SPF, DKIM, DMARC, and the fairly new standard – BIMI. In addition, it is very important to apply the principle of limited trust to received emails. If you are not sure about their credibility, contact the sender through another channel – e.g. by phone.
Would you like to know more? Contact our Customer Service Team
We are proud to announce that Vercom S.A., the company behind the EmailLabs project, successfully passed an audit for compliance with the latest ISO/IEC 27001:2022 and ISO/IEC 27018:2019 standards....
Gmail has announced significant changes in the requirements for email senders to maintain a good reputation and proper classification of messages in user inboxes starting from February 1, 2024....
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
Out of all the things that can go wrong when sending out marketing emails, having your emails end up in the recipient’s spam folder is arguably the most dreaded...
Email Authentication, Security
DMARC is an email authentication protocol that is designed to give domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Spoofing occurs...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
Are you frustrated with the constant struggle of your emails getting blocked by Gmail? Have you ever wondered about the reasons behind this issue and, more importantly, how to...
In the ever-evolving landscape of email management, Google has announced an exciting upgrade to Gmail’s summary cards, aimed at improving user experience and streamlining inbox navigation. The latest enhancements,...
Entering the world of email communication, you’ll encounter many terms that initially seem straightforward and intuitive. However, some of these can be pretty challenging. Accurately distinguishing between them is...
Are you frustrated with the constant struggle of your emails getting blocked by Gmail? Have you ever wondered about the reasons behind this issue and, more importantly, how to...
In the ever-evolving landscape of email management, Google has announced an exciting upgrade to Gmail’s summary cards, aimed at improving user experience and streamlining inbox navigation. The latest enhancements,...
Entering the world of email communication, you’ll encounter many terms that initially seem straightforward and intuitive. However, some of these can be pretty challenging. Accurately distinguishing between them is...
Attaching a folder to an email may seem complicated at first glance, especially if you’re trying to send multiple files or an entire project’s documents to a colleague or...
Best practices, Deliverability
In today’s digital age, email has become an integral part of our personal and professional communication. We rely heavily on emails to send important messages, documents, and updates. But...
We are proud to announce that Vercom S.A., the company behind the EmailLabs project, successfully passed an audit for compliance with the latest ISO/IEC 27001:2022 and ISO/IEC 27018:2019 standards....
Best practices, Deliverability
Are you struggling to improve the deliverability and engagement of your email marketing campaigns? Look no further than email subdomains. You can protect your root domain and effectively manage...
What is the darknet? Shrouded in mystery for many years and often associated with ominous connotations, the darknet is a part of the internet that evokes curiosity, fascination, and...
A few weeks ago, at Vercom, we began the process of implementing the NIS2 Directive and preparing to meet the requirements of the Digital Operational Resilience Act (DORA). What...