
Verifying email identities of senders, digital signature and what else?

I'm trying to find a technology or method that lets recipients verify my outgoing emails. For example, when I send an email asking a client for credit card information, I include some sort of mechanism or certificate and the recipient verifies the email is actually from me.
After doing some research, I think it's possible to do this using a digital ID with Outlook. When I include my digital ID, the recipient sees a little icon at the top right of the message which includes my digital certificate. But this works only with Outlook; both sender and recipient have to have Outlook. I sent the same email to a Gmail address, and the email arrived with an attachment with a '.p7s' extension, which seems not to work.

Is there any way to make my outgoing email so that the recipient can verify the email is from me?

This is something other than spoofing emails. For example:

My email address is myname@domain.com and I have been communicating with a recipient for a long time. One day, some bad guy jumps in, creates the email address myname@domainn.com (notice the extra 'n') and tries to steal some information from the recipient by email. In order to prevent this, I guess I have to establish some sort of mutually agreed mechanism with the recipient to verify incoming and outgoing emails. One way I looked into was the digital ID which is provided with Outlook (Tools/TrustCenter/Email Security). But this works only with recipients using Outlook.
Asked by: crcsupport
Sean Jackson commented:
You can get a client or mail certificate, which will be sent out like your Digital ID is right now.  It will 'sign' your emails, but the recipient needs to be using a client that can read those things.  Gmail, Yahoo, and the like cannot.  Outlook, Thunderbird, etc.

You're looking for integrity in your emails, and that's the best way to do it.  What's even better is if you are communicating with a user and they also have a mail certificate, you can begin encrypting your email back and forth.  

Typically a user is not going to check for the little icon that says it's you when they get an email, so your scenario of the bad guy sending an email is more often than not going to fool them.  But they'll be able to verify that your emails truly come from you, not a third party ne'er do good.

skullnobrains commented:
if you can afford to send keys to your recipients and have them do a little setup, pgp (and a few alternatives such as gpg) is available in most mail clients and some webmail.

but then this is quite a hassle for the end user.

skullnobrains commented:
also note that what produces the .p7s is smime which is NOT a microsoft project and hence can be used and configured in most mail clients including thunderbird (since many years before it made its way into outlook)

have a look at this nice doc with screenshots (old but it has not really changed since, more complex than what you are looking for but both are configured using that same interface)
http://users.wfu.edu/yipcw/atg/tb/security/

crcsupport (author) commented:
I guess I have to approach this from a different angle. Having a digital certificate set up with each recipient seems impractical for communicating with clients who use various mail clients.
I would have our staff set up their own procedures on how to request/obtain sensitive information.

Thank you all, great information.

skullnobrains commented:
sorry i'm unsure there is actually a good solution that does not provide hassle for the clients. maybe cert authentication in browsers is easier to set up. providing your own mail service is obviously an option but i wonder how many clients only use webmails and will neglect to check

note that anyway, sending credit card information by mail is crazily unsafe if the mails are not encrypted even if they have the proper recipient.

you may wish to set up a procedure involving a phone call and let your clients know about this procedure so they do not answer further email. if you have some kind of changing data pertaining to the user, it may be possible to include that piece of data in your communications and let them know.

feel free to post details, and possible solutions