Verifying an Email Sender’s Identity

Recently, someone hacked the personal Gmail account of “Susan”, one of our client’s bosses, and started sending emails requesting that a supplier’s invoice be paid via bank transfer. Our customer was suspicious of the email because their practice was usually to pay by cheque, and replied asking if this was really Susan. The response came back quickly: yes, it was Susan, and the invoice needed to be paid immediately. Still suspicious, our client called Susan, who said that she did not send the email and was understandably apoplectic that someone else was in control of her Gmail account. Note that this is not an isolated incident – there have been many others documented that we have reported to the Singapore Police Force, but if the hacker is located offshore, there is often no recourse for the victim. Separately, there are also malware attacks that come via phishing or compromised accounts which are equally dangerous. One way or another, it almost always leads to getting money from either a credit card or bank account, either by asking you to pay up (ransomware) or by hacking into your internet banking (SWIFT transfers are especially popular).

Receiving spoofed or hacked email from a trusted email address is all too common today. How can you tell if the person that sent the email is actually the person listed on the From address? Fortunately, there is a way to do this, but it isn’t really used all that often. The article that follows will tell you how to set things up to tell whether or not the email you receive is from a trusted person – if they take some steps on their side as well.

This article will cover how to use your email clients to verify Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures. S/MIME is a protocol that allows an individual sender to digitally sign an email to authenticate themselves, and to allow you to send encrypted email to them. It is based upon the signer obtaining a Personal Email Certificate from an authorized Certificate Authority (CA). To digitally authenticate the email that they send, your friends will have to obtain and install a certificate. To authenticate the email that you send, you will need to obtain and install a certificate. This article discusses only how to receive and verify S/MIME email. A separate article will discuss how you can send S/MIME email to authenticate the emails that you send and to allow others to encrypt emails sent to you.

The article covers the following topics:

  • Choosing phone and email clients that support S/MIME
  • Receiving a digitally signed email on an iPhone
  • Receiving a digitally signed email on Thunderbird
  • Receiving a digitally signed email on Microsoft Outlook
  • Receiving a digitally signed email on OS X email client

Choosing phone and email clients that support S/MIME over IMAP

There are many email clients that support S/MIME, but the following are some of the popular clients that offer support:

  • Microsoft Outlook
  • Thunderbird
  • Lightspeed Webmail (https://webmail.<yourdomain> if you are a current Lightspeed customer)
  • Office 365 Webmail (allegedly, I have not tried)
  • Mail on iOS 11

The following popular email clients DO NOT support S/MIME over IMAP at the time of writing. This is not a comprehensive list.

  • all Android Email clients from the phone manufacturer
  • K-9
  • Gmail

Choosing a phone that supports S/MIME is easy – get an iPhone. Although there are S/MIME over Exchange solutions available for Windows, Android and Blackberry, the iPhone is the only one with a convenient S/MIME over IMAP solution. If someone knows of a client for these devices, please, please tell me.

On Android, Djigzo, R2Mail2, Ciphermail and a few others offer consumer email solutions, but they aren’t really all that convenient and in my opinion ugly and unworkable in other areas.

I haven’t been able to find S/MIME over IMAP clients on Windows and Blackberry.

Receiving a Digitally Signed Email on an iPhone

Turning on S/MIME for an iPhone

Since most of our customers read their email on an iPhone, that is the first device that I’ll cover. Surprisingly, you have to turn on a setting to receive S/MIME email – it isn’t on by default.

For each email account on your iPhone, go to the Advanced settings and turn on S/MIME as in the screen capture below:

Screen capture of iPhone email account advanced setting to enable S/MIME email signing and encryption.

Notice that the Sign slider is still turned off – we will turn that on later in the article on setting up to authenticate the email that you send. We do not recommend Encrypt in a corporate setting, but you may do so if you have the public keys of the people you send to. For now, let’s look at an email to figure out how to tell if it was digitally signed.

Receiving a Digitally Signed Email on an iPhone

In the email below notice that blue circle with the check-mark that you’ve never seen before, and which only shows up on some emails. This circle means that the email was digitally signed and that the iPhone client has verified the signature against the Certificate Authority. If your phone does not have a data connection when you open the email, or the signature is invalid, it will show up as red.

Since all of my email is digitally signed, my correspondents know not to trust any from me that does not have the blue seal next to the email address.

Screen capture of iPhone email client to show blue check-box that indicates a valid S/MIME digital signature.

To find out more about the sender, select the sender’s name to get the address book entry.

Viewing a certificate, then installing it

Screen capture of iPhone email client to show address book entry for an S/MIME signed email.

From here, select “View Certificate” to look at the information on the certificate.

Installing a certificate…this allows you to send encrypted email to the person named on certificate

The “View Certificate” screen shows which Certificate Authority issued the certificate and whether or not it has been validated against the CA. For untrusted certificates, you can view the reason for the problem. You might accept a recently expired certificate, but you shouldn’t do that as a standard practice. Email certificates are usually good for one year.

Screen capture of iPhone S/MIME email certificate information.

The next step is to install my certificate on my wife’s phone so that she can send encrypted email to me if she wishes. Select “Install” and that’s about it. If you send or receive encrypted email, it is imperative that you have antivirus scanning software. Most email providers have some antivirus scanning capability in their servers, but these scanners cannot scan an encrypted email or attachment – that can only be done by antivirus software on the client after it decrypts the email.

View the certificate chain

If a certificate from someone that you normally trust shows up as untrusted, the most likely cause is an expired certificate. Most commonly, the person forgot to renew it and get a new one (you will have to install the new one), but sometimes it means that you are woefully out of date on your device software.

In the certificate chain below, you will notice that the Certificate Authority root certificate installed on the phone has an expiration date. Apple distributes updated root certificates as part of the iOS maintenance process. If you haven’t applied maintenance in a long time, some of your root certificates may have expired. This will cause the email sender’s certificate to show as untrusted even though it has not expired. Never, ever install a root certificate unless it is part of the normal maintenance stream for your device.

Screen capture of iPhone S/MIME email certificate chain.
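
The checks a mail client makes before it shows the seal, and the untrusted-root case from the chain discussion above, reproduced with the openssl command line. This is an added example, not part of the original article; the root CAs, the certificate, the addresses and the message are all constructed for the demo, and a second unrelated root stands in for a device that lacks a valid copy of the issuing root.

```shell
#!/usr/bin/env bash
# Added example. Everything here is constructed: throwaway root CAs, a signer
# certificate for susan@example.com and a test message, all in a temp directory.
W=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$W/req.cnf"

mkroot() {  # mkroot <name>: self-signed root, standing in for a root shipped with the device
  openssl req -x509 -config "$W/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

setup() {
  mkroot demo-root    # the root the recipient trusts
  mkroot other-root   # an unrelated root: models a device without the issuing root
  # Personal email certificate: the address lives in subjectAltName.
  openssl req -new -config "$W/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Susan Example" \
    -keyout "$W/susan.key" -out "$W/susan.csr" 2>/dev/null
  printf 'subjectAltName=email:susan@example.com\nextendedKeyUsage=emailProtection\n' > "$W/ext.cnf"
  openssl x509 -req -in "$W/susan.csr" -CA "$W/demo-root.pem" -CAkey "$W/demo-root.key" \
    -CAcreateserial -days 30 -extfile "$W/ext.cnf" -out "$W/susan.pem" 2>/dev/null
  # Clear-signed (multipart/signed) message, as a signing mail client would send it.
  printf 'Please pay the invoice by cheque as usual.\n' > "$W/body.txt"
  openssl smime -sign -text -in "$W/body.txt" -signer "$W/susan.pem" -inkey "$W/susan.key" \
    -from 'Susan <susan@example.com>' -to 'accounts@example.net' -subject 'Invoice' \
    -out "$W/signed.eml" 2>/dev/null
  # Two altered copies: body changed after signing, and From changed after signing.
  sed 's/by cheque as usual/by bank transfer today/' "$W/signed.eml" > "$W/tampered.eml"
  sed 's/^From:.*/From: Susan <susan@example.org>/' "$W/signed.eml" > "$W/wrongfrom.eml"
}

check() {  # check <message.eml> <trusted-roots.pem>: prints one verdict
  # 1. Signature must match the content and the signer must chain to a trusted root.
  if ! openssl smime -verify -in "$1" -CAfile "$2" -signer "$W/signer.pem" \
        -out /dev/null 2>/dev/null; then
    echo UNTRUSTED; return
  fi
  # 2. Headers are not signed, so the From address must appear in the signer's certificate.
  from=$(sed -n 's/^From:.*<\([^>]*\)>.*/\1/p' "$1" | head -n 1)
  if [ -n "$from" ] && openssl x509 -in "$W/signer.pem" -noout -email | grep -qixF -- "$from"; then
    echo VERIFIED
  else
    echo FROM-MISMATCH
  fi
}

setup
for m in signed tampered wrongfrom; do echo "$m: $(check "$W/$m.eml" "$W/demo-root.pem")"; done
echo "signed, issuing root not installed: $(check "$W/signed.eml" "$W/other-root.pem")"
```

Only the first message earns the seal: the tampered copy and the copy checked without the issuing root fail verification outright, and the copy with the rewritten From address has a valid signature that belongs to a different address.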

Receiving a Digitally Signed Email on Thunderbird (Windows, Mac and Linux)

Thunderbird is our favorite multi-platform (Windows, Mac and Linux) email client. To receive digitally signed email, you don’t need to do anything. In the figure below, the small envelope with the red sealing wax in between the Subject and the Date in the header indicates that this email was digitally signed. If you click on the envelope icon, it will give you information about the certificate.

Screen capture of Thunderbird email client with icon indicating S/MIME digital signature.

Receiving a Digitally Signed Email on Outlook

In Microsoft Outlook, the red ribbon in the email header indicates that the email was digitally signed.

Clicking on the ribbon icon will give you information about the certificate.

Screen capture of Microsoft Outlook email client with icon indicating S/MIME digital signature.

Note that the ribbon needs to be red – different variations are as follows:

Receiving a Digitally Signed Email on OS X Email Client

In the Apple OS X 10.9 email client, there is no default display of whether or not an email was signed.

Screen capture of Apple OS X default email display, which hides S/MIME certificate information.

To find out if the email was signed, you must select the “Details” text in blue, which will display the certificate information shown below. Once you turn on the details display, it will stay on for reading other emails.

Screen capture of Apple OS X email display after showing details to display S/MIME certificate information.

 

Sending Digitally Signed Email

To send digitally signed email, go to the next article in this series – Digitally Signing your Email