Best practices, Security

Verified email address badge

Natalia Zacholska, 16 May 2022

verified-e-mail-address

Have you noticed that there is a verified email address badge next to some senders in your inbox? For example – iCloud Mail shows a small stamp with a checkmark, Gmail shows a green shield or circle with a checkmark, while Outlook shows a red ribbon.

These badges of a verified email address, which are visible in most popular email clients, mean that the email has been digitally signed using a certain security protocol, more specifically, S/MIME.

What is S/MIME?

Secure/Multipurpose Internet Mail Extensions is a digital signature that confirms that the sender’s email address was in fact used to send the message by its owner. “Verified email address” means that the sender has been confirmed via a digital signature.

The S/MIME protocol has been in use since around 2004, but it is still fairly unpopular, and not many email users have heard of this security feature. Mainly fintech or the financial sector, e.g. banks or lending companies, choose to use the certificate in their emails. This applies mostly to all transactional messages and those containing sensitive data – these in addition to the signing, are also often encrypted. Employees of various companies very often decide on signing messages with the mentioned certificate in their business mailboxes. Since it is issued on the basis of an ID and employment confirmation, you can be sure that no one outside the company can get such a certificate for an e-mail address on your domain.

How does S/MIME work?

An email certificate is like a two-part digital key (consisting of a public and private key) that is associated with your email address. By using a certificate to sign an email, the recipient will know that only the person with the original certificate and private key could have sent it. The public key is used to transmit an identifier – it contains details of the certificate authority, and may also include additional information about the identity of its owner or the company they work for.

Theoretically, each person can create their own certificate to prove that they are the given email address’ owner. However, this is where Certificate Authorities (CA) comes into action. These are institutions that issue different types of certificates – e.g. SSL certificates for encrypting websites or VMCs for displaying BIMI. There are relatively few such Root CAs – all are widely recognized by businesses around the world as trustworthy and secure.

If the mail client notes the presence of an incorrect certificate or issued by one of the non-approved CAs, the message will be marked “Untrusted Signature” with the following (or similar sounding) message:

Mail was unable to verify the authenticity of the S/MIME certificate provided by “sender name and address”. Messages signed by this user may come from another source.

How to obtain an S/MIME certificate?

The certificate can be purchased directly from the Certification Authorities mentioned above or from a retailer. A list of CAs approved by Google is available here:
(HERE).

It should not matter which provider you choose. What does matter is which email client you use to send emails – e.g. Outlook, iCloud Mail, etc. Most web-based services – such as Gmail (not counting Google Workspace), do not allow you to add certificates to emails when sending, but if you use e.g. Outlook to send emails from a sender in the Gmail domain, then certificates will work.

You can also use S/MIME for mailings sent through EmailLabs. The self-purchased certificate must be forwarded to us in a secure way (via SFTP) so that we can deploy it on our sending servers. Adding and maintaining a certificate is possible starting from the PRO Plan – ask our Sales Support for details.

If you decide to purchase and implement S/MIME then please note that certificates have a specific expiry date after which they must be renewed. The certification authority can also revoke (cancel) a certificate before its expiry date e.g. in case of false certification or suspicious sendings.

How is the S/MIME certificate displayed in the inbox?

The recipient of the message does not have to do anything special to make the badge visible – certificates are supported by default by many popular email clients. As mentioned in the introduction – the badge will be presented differently depending on the email client you are using.

The following graphics show examples of how a digitally signed message will look.

 

For a recipient receiving e-mail from their iCloud account on an Apple device

Verified email address badge

For a recipient receiving e-mail from Gmail on an Android device


gmail-mobile

 

In the web service

gmail-desktop

 

For  a recipient receiving mail from Outlook

Verified email address badge

SUMMARY

Thanks to S/MIME the recipient can be sure that the message comes from the sender, whose e-mail address was indicated in the from field. However, be aware that anyone can buy such a certificate for their e-mail address and then use it illegally. Phishing or Spoofing are some of the most popular methods of fraud on the Internet, which use the sending of e-mails deceptively similar to those we receive every day from known senders. This is often done from the same or a slightly different domain. This is why it is so important that S/MIME itself is complementary to other authentication methods – such as SPF, DKIM, DMARC, and the fairly new standard – BIMI. In addition, it is very important to apply the principle of limited trust to received emails. If you are not sure about their credibility, contact the sender through another channel – e.g. by phone.

Would you like to know more? Contact our Customer Service Team

Most popular