Part 1: Verifying an Email Sender's Identity

Recently, someone hacked the Gmail account of "Susan", one of my wife's friends, and started sending emails with a link to a website that presumably would attempt to install malware on the recipient's phone or computer. My wife was suspicious of the email and replied asking if this was a really Susan. The response came back quickly...yes it was Susan and she should click on the link for the really cool photo. Still suspicious, my wife called Susan, who said that she did not send the email and was understandably apoplectic that someone else was in control of her Gmail account.

My wife sent a note to all of their mutual friends telling them about the compromised email and not to click on any of the links--Susan couldn't send the email, because she didn't have control of the account. A friend replied that she had almost been fooled, and was about to click on the link. Her antivirus software might, or might not have stopped the malware attack.

Receiving spoofed or hacked email from a trusted friend's email address is all too common today. How can you tell that your friend is actually the person who sent the email? Fortunately, there is a way to do this, but it isn't really used all that often. The article that follows will tell you how to set things up to tell whether or not the email you receive is from a trusted friend--if they take some steps on their side as well.

The article will cover setting up your email clients to receive Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME is a protocol that allows a sender to digitally sign an email to authenticate themselves, and to allow you to send encrypted email to them. It is based upon the signer obtaining an SSL certificate from an authorized Certificate Authority (CA). To digitally authenticate the email that they send, your friends will have to obtain and install a certificate. To authenticate the email that you send, you will need to obtain and install a certificate. This article discusses how to receive S/MIME email. A separate article will discuss how you can send S/MIME email to authenticate the emails that you send and to allow others to encrypt emails sent to you.

The article covers the following topics:

Choosing phone and email clients that support S/MIME

There are many email clients that support S/MIME, but the following are some of the popular clients that offer support

  • Microsoft Outlook
  • Thunderbird
  • Gmail within Firefox with "Gmail S/MIME" or "Panango" add-on. Panango is also available for Microsoft Internet Explorer

The following popular email clients DO NOT at this writing support S/MIME email. This is not a comprehensive list.

  • Gmail within Chrome/Chromium

Choosing a phone that supports S/MIME is easy--get an iPhone. Although there are corporate S/MIME email solutions available for Windows, Android and Blackberry, the iPhone is the only one with a convenient consumer solution. If someone knows of a client for these devices, please, please tell me.

On Android, Djigzo, R2Mail2 and a few others offer consumer email solutions, but they aren't really all that convenient--you have to know a number of settings for your email server to get them working.

I haven't been able to find consumer S/MIME clients on Windows and Blackberry.

Receiving a Digitally Signed Email on an iPhone

Turning on S/MIME for an iPhone

Since my wife and many of her friends do most of their email on an iPhone, that is the first device that I'll cover. Surprisingly, you have to turn on a setting to receive S/MIME email--it isn't on by default.

For each email account on your iPhone, go to the Advanced settings and turn on S/MIME as in the screen capture below:

Screen capture of iPhone email account advanced setting to enable S/MIME email signing and encryption.

Notice that the Sign and Encrypt sliders are still turned off--we will turn those on in the article on setting up to authenticate the email that you send. For now, let's look at an email to figure out how to tell if it was digitally signed.

Receiving a Digitally Signed Email on an iPhone

In the email below, notice the blue circle with a check mark, which appears only on some emails. This circle means that the email was digitally signed and that the iPhone client has verified the signature against the Certificate Authority. If your phone does not have a data connection when you open the email, or if the signature is invalid, the circle shows up as red instead.

Since all of my email is digitally signed, my wife knows not to trust any from me that does not have the blue circle.

Screen capture of iPhone email client to show blue check-box that indicates a valid S/MIME digital signature.

To find out more about the sender, select the sender's name to get the address book entry.

Viewing a certificate, then installing it

Screen capture of iPhone email client to show address book entry for an S/MIME signed email.

From here, select "View Certificate" to look at the information on the certificate.

Installing a certificate...this allows you to send encrypted email to the person named on the certificate

The "View Certificate" screen shows which Certificate Authority issued the certificate and whether or not it has been validated against the CA. For untrusted certificates, you can view the reason for the problem. You might accept a recently expired certificate, but you shouldn't do that as a standard practice. Email certificates are usually good for one year.

Screen capture of iPhone S/MIME email certificate information.

The next step is to install my certificate on my wife's phone so that she can send encrypted email to me if she wishes. Select "Install" and that's about it. If you send or receive encrypted email, it is imperative that you have antivirus scanning software. Most email providers have some antivirus scanning capability in their servers, but these scanners cannot scan an encrypted email or attachment--that can only be done by antivirus software on the client after it decrypts the email.

View the certificate chain

If a certificate from someone that you normally trust shows up as untrusted, the most likely cause is an expired certificate. Most commonly, the person forgot to renew it and get a new one (you will have to install the new one), but sometimes it means that you are woefully out of date on your device software.

In the certificate chain below, you will notice that the Certificate Authority root certificate installed on the phone has an expiration date. Apple distributes updated root certificates as part of the iOS maintenance process. If you haven't applied maintenance in a long time, some of your root certificates may have expired. This will cause the email sender's certificate to show as untrusted even though it has not expired. Never, ever install a root certificate unless it is part of the normal maintenance stream for your device.

Screen capture of iPhone S/MIME email certificate chain.
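The verification the phone performs when it decides between the blue and the red indicator, and the "untrusted" outcome described above when the issuing root is not in the device's trust store, can be reproduced with the openssl command-line tool. This is an added demonstration, not code from the article; the root CA, the second "unknown" CA, the sender certificate for a fictitious susan@example.com and the message body are all constructed here for the demo.

```shell
#!/bin/sh
# Added demo (not part of the article): reproduce with the openssl CLI the
# checks an S/MIME client makes before it shows the "signed" indicator.
# Everything is constructed: a throwaway root CA, a sender certificate for a
# fictitious susan@example.com, and a second CA the "device" does not trust.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway root CA standing in for the real Certificate Authority, plus an
# unrelated CA that plays a root the recipient's device has never heard of.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Other Root CA" \
  -keyout other.key -out other-ca.pem >/dev/null 2>&1

# Sender's key and a one-year certificate issued by the demo CA, marked for
# email protection, which is the usage an S/MIME verifier requires.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Susan" \
  -keyout susan.key -out susan.csr >/dev/null 2>&1
printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:susan@example.com\n' > ext.cnf
openssl x509 -req -in susan.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -extfile ext.cnf -out susan.pem >/dev/null 2>&1

# Clear-sign a message the way a mail client does (multipart/signed).
printf 'Here is the really cool photo.\n' > body.txt
openssl smime -sign -text -signer susan.pem -inkey susan.key \
  -in body.txt -out signed.eml

# verify_with <trust-store> <message>: prints "trusted" or "untrusted", the
# decision behind the blue or red indicator the article describes.
verify_with() {
  if openssl smime -verify -in "$2" -CAfile "$1" -out /dev/null >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

# A message altered after signing: the body no longer matches the signature.
sed 's/really cool/fake/' signed.eml > tampered.eml

echo "issuer trusted by device:  $(verify_with ca.pem signed.eml)"        # trusted
echo "issuer unknown to device:  $(verify_with other-ca.pem signed.eml)"  # untrusted
echo "body changed in transit:   $(verify_with ca.pem tampered.eml)"      # untrusted
```

The second case is the situation the article warns about: a perfectly valid sender certificate still shows as untrusted when the device cannot chain it to a root it holds, and the fix is to update the device, not to install a root by hand.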

Receiving a Digitally Signed Email on Thunderbird (Windows, Mac and Linux)

Thunderbird is an old email client that runs on Windows, OS X and on Linux. To receive digitally signed email, you don't need to do anything. In the figure below, the small envelope with the red sealing wax in the email header indicates that this email was digitally signed. If you click on the envelope icon, it will give you information about the certificate.

Screen capture of Thunderbird email client with icon indicating S/MIME digital signature.

Receiving a Digitally Signed Email on Outlook

In Microsoft Outlook, the red ribbon in the email header indicates that the email was digitally signed. Clicking on the ribbon icon will give you information about the certificate.

Screen capture of Microsoft Outlook email client with icon indicating S/MIME digital signature.

Receiving a Digitally Signed Email on OS X Email Client

In the Apple OS X 10.9 email client, there is no default display of whether or not an email was signed.

Screen capture of Apple OS X default email display, which hides S/MIME certificate information.

To find out if the email was signed, you must select the "Details" text in blue, which will display the certificate information shown below. Once you turn on the details display, it will stay on for reading other emails.

Screen capture of Apple OS X email display after showing details to display S/MIME certificate information.

Receiving a Digitally Signed Email on Firefox for a Gmail Account

The first step in using S/MIME to sign or encrypt Gmail using a browser is to install a browser and extension that supports S/MIME signing and encryption. At this writing, Chrome doesn't have add-ons or otherwise offer the support for S/MIME certificates. On Firefox, the Gmail S/MIME and Panango add-ons provide S/MIME support, but I was not able to get either one to work on Firefox 28.0 on Ubuntu Linux. Panango is available for Microsoft Internet Explorer, but I have not attempted to use this configuration.

The preferences for the Gmail S/MIME and Panango add-ons are needed for sending email but not for receiving it.

Sending Digitally Signed Email

To send digitally signed email, go to the next article in this series, Email Security Part 2: Digitally Signing your Email.