Gateway S/MIME Signatures

Trusted Digitally Signed Emails Without the Headaches


In the ever-escalating battle against malicious spammers, spoofing and email compromise are becoming harder to combat each day.

Attackers are getting smarter and sending targeted emails that pass many of the standard spam checks such as blacklists or SPF checks. Rightly, people are becoming more suspicious of the emails they receive and of the supposed sender’s identity.

One of the best tools available for ensuring the authenticity of your email is an S/MIME digital signature. It is so powerful in fact that the US Department of Defense (DoD) has required all outgoing emails by DoD personnel to be digitally signed since 2011. Digital signatures not only guarantee the identity of the sender, but also protect the contents of the message from being secretly modified.

How do S/MIME signatures work?

A digital signature is a unique ‘fingerprint’ that is created and attached to your email. It is generated using the sender’s ‘private’ key combined with the contents of the email and its attachments. Without the private key, it is practically impossible for any other person or computer to generate this fingerprint from the email.

When received, this digital fingerprint can be programmatically verified against the email contents by using the sender’s ‘public’ key. This key is included within the S/MIME signature. Even if one letter or number is changed in the email, the signature will become invalid. Most importantly, the sender’s private and public keys are mathematically linked in such a way that there is no practical way to discover the private key simply by having the public key.
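The mechanics described above, as an added example in Go (not code from GlobalCerts or this page): a detached signature over the canonical message body is produced with the sender's private key and checked with the public key alone, so changing a single character makes verification fail. Real S/MIME wraps the signature in a CMS (PKCS#7) structure that also carries the sender's certificate; this block uses a bare RSA signature as a stand-in for that blob, and the key pair and message are generated inline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// canonical normalises line endings to CRLF before hashing: S/MIME signs the
// canonical MIME form so that transport line-ending changes do not break an
// otherwise untouched message (RFC 5751 section 3.1).
func canonical(body string) []byte {
	lf := strings.ReplaceAll(body, "\r\n", "\n")
	return []byte(strings.ReplaceAll(lf, "\n", "\r\n"))
}

// sign produces the detached signature (base64, standing in for the CMS blob an
// application/pkcs7-signature part carries) using only the sender's private key.
func sign(priv *rsa.PrivateKey, body string) (string, error) {
	digest := sha256.Sum256(canonical(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verify recomputes the digest from the received body and checks it against the
// signature with the public key alone; any change to the body makes it fail.
func verify(pub *rsa.PublicKey, body, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(canonical(body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the sender's key pair
	body := "Content-Type: text/plain\r\n\r\nPlease approve invoice 1234.\r\n" // constructed sample
	sig, _ := sign(priv, body)
	fmt.Println("original verifies:", verify(&priv.PublicKey, body, sig)) // true
	tampered := strings.Replace(body, "1234", "1235", 1)                  // one digit changed
	fmt.Println("tampered verifies:", verify(&priv.PublicKey, tampered, sig)) // false
}
```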

Digitally Signing Emails at the Device

In practice, employing digital S/MIME signatures on emails across an organization can be quite difficult due to a number of factors:

First, you must protect your private key from being discovered by any untrusted party. But at the same time, each user must have their private key installed on ALL their devices used to send email: mobile phones, tablets, laptops, etc.

Second, not all devices are even capable of applying a digital signature. Currently, most mobile email apps (including Outlook mobile) do not allow you to apply a digital signature. Most web mail clients like Outlook Web Access (OWA) also do not allow you to digitally sign emails unless specific software controls are installed, specific browsers are used, and you are using Office 365.

[Figure: End-to-end S/MIME signature, with signatures performed on device endpoints]

Lastly, managing the lifecycle of your keys and ‘certificates’ presents additional challenges. Every email S/MIME certificate has a limited validity period, usually only 1 to 3 years. Before a certificate expires, you must have a new one issued and installed on all sending devices. If one of your devices may have been compromised, you must ‘revoke’ your private key and corresponding certificate, receive a new one, and install it on your sending devices.

Gateway Level S/MIME Signatures

Instead of each sender installing their respective private key on all their different endpoints, another option is to use a secure email gateway like GlobalCerts SecureMail Gateway (SMG). These servers apply digital signatures and encryption for all users in an organization, moving the process from individual mail clients to a gateway-level solution. This offers a myriad of advantages:

  1. There’s only one key location to harden and protect. Instead of worrying about key compromises from lost or stolen phones, compromised laptop passwords, etc., you can protect all private keys in a hardened, encrypted, secured system with extremely limited physical and network access.
  2. Users can use ANY email client to send emails without worrying about S/MIME capabilities.
  3. Email archiving solutions can easily archive all emails before S/MIME signing/encryption is applied, and secure the archive with their own encryption. There is no need to manage or archive users’ private keys.
  4. Company-wide footers or disclaimers can be added at the mail server without breaking signatures. You can also use a gateway solution like ‘CodeTwo’ to apply your users’ footers/signatures without invalidating the digital S/MIME signature.
  5. Certificate issuance, revocations, reissues, etc. can all be centrally managed by security administrators. With our DNS-based, patented SecureTier system, certificate revocations and reissues are instantly updated to all other customers. There is no need to check CRLs; SecureTier always has the user’s current certificate.

[Figure: S/MIME signatures applied at gateway level]

All of these advantages also apply to S/MIME encryption performed at the gateway level. Because of the many usability and compatibility advantages that secure email gateways offer, the US National Institute of Standards and Technology (NIST) has recommended the use of a gateway-level S/MIME solution instead of end-to-end S/MIME in Special Publication 800-177r1, Trustworthy Email.

The SecureMail Gateway solution, as well as our cloud solution Fast&Secure, allows your organization to easily implement organization-wide S/MIME signatures and encryption with no need to install keys on user devices or to install any software or apps. All functionality is completely transparent and automatic for users.


Important Points to Consider

Although the advantages are overwhelming with gateway S/MIME solutions, organizations must pay much closer attention to the security of their entire email infrastructure.

First, ALL email communication ‘hops’ MUST be secured with TLS encryption. This is now a relatively easy requirement due to the almost universal capability of mail systems and clients to use TLS. User endpoints must connect to the mail server securely and the server must communicate with the email security gateway over TLS as well. Otherwise there is the potential for both eavesdropping on the contents of emails before being S/MIME encrypted, and/or the potential modification of email contents before being digitally signed.

Second, access control to email infrastructure must be tightly controlled. The mail servers/services must be protected from unauthorized access from both internal and external threats. The email security gateway must also be protected, with extremely limited access.

Lastly, email at rest must be protected. Because encryption no longer takes place at the endpoint but at the gateway, copies of the email will be readable on the user device, the mail server, the archive server, etc. Here, it’s imperative that separate access controls and, optimally, symmetric disk-level encryption are used to protect this data at rest.

Copyright © 2025 GlobalCerts LLC, All Rights Reserved