Implementing the certificate-based email signature the right way

“Human-centered security” is the strategy of putting people at the heart of cyber security. After all, too many attacks still take place through people. Self-detection capabilities of, for example, CxO Fraud (email forgery- sender/content), are an important tool in the fight against cybercrime – after all, an estimated 95% of all attacks start with an email.

Unsigned emails may have been sent by fake senders or their content may have been altered on their journey to you – with the deliberate intent to defraud. Many organizations are therefore finding it increasingly important to add a signature to their external emails in order to protect their communications partners.

Advantages of the certificate-based external email signature

When you receive a certificate-based, signed email, you can be certain that the sender has been verified by a third party and that the contents of the email have not been changed on its journey.

For this purpose, companies are using solutions with central certificate management, such as SEPPmail Appliance or SEPPmail.cloud. Integrating this technology is easy, and the administrative workload is pretty much zero. Once signed emails have become established, users quickly come to the view that signed emails are “good” and that unsigned emails are “bad”.

With the advantages that apply to all the external communication partners, the idea of signing emails internally using certificates is frequently being discussed as well.

Companies which have gone down this path create a number of problems for themselves, which we have summarized here:

For an internal signature, emails have to be sent via a central solution or make use of the patchy solution of client-based certificates. The management of client-based certificates is associated with a considerable workload and with errors during the decentralized management on the client machines, so we strongly advise against it.

The more complicated flow of emails makes its operation (collisions with other email flow rules, etc.), the traceability of the email routing, the troubleshooting (bounces, email routing problem analysis, spoofing protection, etc.) and the support far more challenging.

Ergo: many of the supposed advantages of the internal signature are associated with disadvantages, which is why we recommend only signing external emails.

SEPPmail recommends user training and an external signature

Here are some “best practices” of successful implementations which make both external and internal emails more secure.

Give your emails the trust status they deserve and further enhance the reputation of your business communications with an external certificate-based email signature. Your external communication partners (i.e. customers, partners, suppliers, etc.) will be sure to appreciate it.

Your users should be able to distinguish clearly between an email which is from the outside and one which came from inside your organization. In this way, you will be able to effectively prevent phishing attacks with what is known as a “subject tag”.
A subject tag is a text which a central component adds to the subject line of the email on its journey to your internal mailbox. The subject tag is something that cyber criminals are unable to influence.

All emails that arrive from outside should be marked with the subject tag [External]. Therefore, if an email apparently from an internal employee is marked with [External] in its subject line, it is an attack that you can easily recognize as such.

Train your users to recognize a certificate-based signature and to understand its meaning (authenticity and integrity).

An email from the outside which has a valid signature is certain to be from the sender and has not been altered on its journey to you.

As digital signatures become more prevalent in email communications, it is important to think about these things – and to establish “best practices”.

If you have any further questions, please feel free to contact us at any time here.