hypercube asked:

email digital signatures / Certificates

I need to produce emails with digital signatures.
I understand this requires a Certificate.
I imagine our plan would be to use Office 2016 or 365 Outlook email client.

I find GlobalSign, IdenTrust, and Sectigo, with prices that vary quite a bit.
I have NO idea what's best.
This would be for communications sent to the Veterans Administration.

Comments and suggestions would be appreciated.

8/22/2022 - Mon
David Johnson, CD

There is no difference between certificates from different suppliers, as long as they are in the list of trusted certificate authorities, whether the certificate cost $1 or $1M.

Well, I kinda believe in competition's effect on pricing.  So it seems there must be a reason why the prices vary so widely.

Pricing aside, it appears that the user needs (i.e. wants) to use Gmail webmail.  I've set up a G Suite account so I can experiment with it.
I don't know if the information I'm seeing is "old" as is often the case with web searched info.
But some seem to suggest that web mail can't be securely signed.  And others suggest the opposite.
I don't want to waste time and money on a blind alley....

Along with that I believe we only need a secure digital signature but wonder with what I'm reading whether message encryption is separable.
My experience with encryption is that it's a PITA.

Since I have very little idea what I'm getting into here, let me explain:

Encrypted messages such as those supported through Cisco services always arrive like this:
An email arrives and it has an encrypted attachment.  One has to "join the club" in order to see the attachment.
This can be cumbersome, certainly at the beginning.
So, I'd avoid it if we can be allowed to do that.  
So, I ask this question......

What I'd like is to receive a message that is automagically confirmed to be sent from Joe Dokes; and that is all.
And, I'd like to avoid the cumbersome process of decrypting messages altogether.

I know the objectives make sense but is it doable?  Is it normal?
David Johnson, CD

Google discontinued GAME and there are several competitors in the marketplace, i.e. Zix: https://support.google.com/a/answer/6105277?hl=en
Office 365 E plans can secure mail.

I know that you get it David but others may be misled so I'll just comment:
- I don't need a way to paste in a text signature block.
- I don't need a way to paste in a cursive signature image.
- I need a way to certify a message with a digital/electronic "signature" that can guarantee the sender using keys, certificates, etc.

I have found that Google Suite email can support DKIM and have tested it (I think).  
It seems that DKIM is exactly what I was looking for.  Comments?
I like it in that there's no requirement for recipient coordination.  But they do have to read the header to find it / know that it is signed.
It would be great if there were a way to have the email say "this is signed" - short of adding a legend....  but that may suffice.
David Johnson, CD

DKIM has absolutely nothing to do with email encryption. DKIM doesn't sign messages.
DKIM/SPF help prevent spoofing of the email address.
A signed email message is prevented from any changes and it verifies that the email is exactly as sent by the sender.

David Johnson:  I don't believe that I indicated a desire to encrypt messages here.  Although, that may be of interest as I move along with this.  So, for now, encryption isn't an objective.

Since DKIM is presented as a "signature" then one might well say that it does "sign messages".  I'm not disagreeing with you, just wanting to understand better.  e.g.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=coastal-computers-networks.net; s=google;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;

So, it appears that I'm missing something....

David Johnson, CD

Line 1 of your question: I need to produce emails with digital signatures.

David Johnson: I'm sorry, that's just too cryptic for me.  
I guess I should take the hint and figure out why you equate digital signatures with encryption.  
Well, I relate encryption with public and private keys.  And, as I get it, DKIM uses public and private keys.  
So, I'm still missing the point.
I admit, I started referring to Certificates without knowing how they might play into this objective.
If I knew the answers I wouldn't be asking.
Scott Fell

I think what you are referring to is getting the little lock shown in Outlook. https://www.globalsign.com/en/secure-email/

For GSuite, you would have to have the enterprise edition https://support.google.com/a/answer/6374496?hl=en.  

Take a look at the GSuite help docs on security https://gsuite.google.com/faq/security/ and see if what is already being done is helpful

DKIM is something different and more about preventing spam and spoofing.  Start here https://support.google.com/a/answer/174124?hl=en You will want to use both DKIM and SPF. This will be adding information to your DNS. You will do this in your admin panel, and if you have a well-known registrar such as GoDaddy, there is an option to use their API where you authorize GoDaddy to interact with Google and all of this is generated through a wizard.  In any case, there is nothing you need to do with a certificate for DKIM or SPF.
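
To make the distinction drawn in this thread concrete, the following added example (not part of the original posts) inspects a raw message and reports the two kinds of signature separately: DKIM-Signature headers applied by the sending domain's mail server, and an S/MIME signature made with the sender's own certificate. The sample message, the function names and the placeholder values are constructed for illustration; the code identifies the signature types and does not verify them.

```python
from email import message_from_string

# Constructed sample (not from the thread). DKIM tags mirror the header quoted
# earlier on this page; bh=, b= and the signature part are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=coastal-computers-networks.net; s=google;
        h=from; bh=PLACEHOLDER; b=PLACEHOLDER
From: Joe Dokes <joe@coastal-computers-networks.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
        micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER
--b1--
"""

def dkim_signatures(msg):
    """One dict of tag=value pairs per DKIM-Signature header (added by the sending server)."""
    found = []
    for raw in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in raw.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip()] = "".join(value.split())  # drop folding whitespace
        if "d" in tags and "s" in tags:
            # DNS TXT record where a verifier looks up the domain's public key
            tags["dns_name"] = f"{tags['s']}._domainkey.{tags['d']}"
        found.append(tags)
    return found

def smime_signed(msg):
    """True if the body is S/MIME signed with the sender's own certificate."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":  # clear-signed: text plus detached .p7s
        return (msg.get_param("protocol") or "").lower().endswith("pkcs7-signature")
    if ctype.endswith("pkcs7-mime"):  # opaque-signed: whole body is a PKCS#7 blob
        return (msg.get_param("smime-type") or "").lower() == "signed-data"
    return False

def describe(raw):
    msg = message_from_string(raw)
    return {"dkim": dkim_signatures(msg), "smime_signed": smime_signed(msg)}
```

A message that carries only the DKIM header reports `smime_signed` as false, which is why Outlook shows no signed-message indicator for it.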

Thanks folks!  
Well, I'm back at this issue now.  
I set up a GSuite account because it was supposed to provide what I need.
Now they are telling me that they don't provide....
I'm going around in circles it appears.
Either this is a common capability or it isn't.  Either way, I need it.
I am clearly not "checked out" with the lingo in this regard - so it's hard for me to convey my needs and understand the answers.
Scott Fell

Just focus on the first sentence in your question.

I need to produce emails with digital signatures.

This means different things to different people and that is the cause for confusion.

Can you describe what you mean by a digital signature?  
A digital signature attached to an email message offers another layer of security by providing assurance to the recipient that you—not an imposter—signed the contents of the email message. Your digital signature, which includes your certificate and public key, originates from your digital ID. And that digital ID serves as your unique digital mark and signals the recipient that the content hasn't been altered in transit. For additional privacy, you also can encrypt email messages.

Scott Fell:  Thank you!

I perhaps should have said what I *don't* need:
- I don't need an automatic text signature block at the end of the message.
- I don't need a signature image at the end of the message.

I need what you described - provide assurance to the recipient that you - not an imposter - signed the message.

Additionally, the User has specified Google Mail must be used.  This requirement came later but that's what they want.
Scott Fell

Fred, That is what I thought.  I pointed out here https://www.experts-exchange.com/questions/29136552/email-digital-signatures-Certificates.html?anchorAnswerId=42808145#a42808145 that for GSuite, you have to be on enterprise / enterprise education level.

Thank you both!  As a result of the discussion, I was able to at least implement digitally-signed emails from my Outlook installation.
Having done that, it's much clearer how the pieces of the puzzle fit together - which is what I was wanting to know.
In the meantime, the customer tells me the VA rather lost interest in their own "requirement".  Ah well.....