Message Signing FAQ
General
An electronic signature is a simple digital representation (like typing your name or inserting an image of a handwritten signature) used to sign documents. A digitally signed email, on the other hand, uses encryption to authenticate the sender and ensure the message's integrity. Digital signatures rely on certificates and cryptography to verify the email's origin and prevent tampering, making them more secure than regular electronic signatures.
So a digital signature is always an electronic signature while an electronic signature is not always a digital signature.
It depends on your local regulation.
As the number of spam and phishing emails has increased in recent years, recipients are increasingly reluctant to open the emails they receive. Digitally signing the emails sent by your business applications makes your communication more trustworthy and increases the probability that recipients actually open your messages.
No. Some Mail Transfer Agents (MTAs) may favour emails that have been signed, but in general a digital signature increases acceptance by recipients, for instance by leading them to open the email rather than report it as spam or a phishing attempt, or delete it right away.
Most mailbox providers, such as Gmail or Outlook, integrate a built-in certificate reader. Of course, every provider has its own way of displaying the information in the user interface. Most of the time, a green mark is added near the sender email address to highlight that it has been verified.
Please review the examples described in the section “How a digitally signed email looks like?”.
Any digital communication that delivers sensitive content is a good candidate for the Message Signing feature. In a Business-to-Consumer (B2C) context, this could mean sending invoices, order confirmations or parcel tracking notifications. In some highly regulated markets, such as the banking sector, digital signature
No. If you are using both the Message Signing and Trace & Recover features, they will have no impact on your mail flow. Trace & Recover stores your original email without the signature attached. Each time you resend that stored email to a new recipient, it goes through the signing mechanism again.
This service is billed per sender address per month. Each S/MIME certificate you import into the built-in Message Signing PKI is tied to one specific sender address. You are charged based on this number of sender addresses. On top of this, you pay for your regular Transactional Email monthly volume consumption.
Please contact your Sales contact to get more details about the pricing.
Authentication and security
SPF, DKIM, DMARC and S/MIME are complementary authentication and security layers. While the SPF, DKIM and DMARC standards are closely monitored by Internet Service Providers and mailbox providers to evaluate the legitimacy of the sender domain, S/MIME is an additional layer that verifies the sender identity. Combined, these authentication methods ensure protection against phishing and email tampering.
The TrustedDialog program relies only on DKIM. The Message Signing feature for Transactional Email, however, is all about certificate-based S/MIME signing. The main difference is that Message Signing at the recipient level proves the authenticity of the sender and ensures the message has not been modified in transit.
Furthermore, the checkmark added in the recipient's inbox is only visible for specific participating mail services, such as GMX, Freenet, 1&1, Deutsche Telekom and web.de. Retarus takes a more agnostic approach by adopting the S/MIME standard.
No, enforced TLS is not a signing mechanism. It ensures that emails are encrypted during transmission between mail servers, protecting them from being intercepted. However, TLS does not provide sender authentication or message integrity.
Only the email body (including attachments) is signed, not the headers; signing the headers would break the signature at every hop during transmission.
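The sketch below is an added illustration, not Retarus code: it hashes the part of a multipart/signed message that an S/MIME signature covers and shows that header changes made in transit leave that digest intact while a body change does not. The message, addresses and function names are constructed for the example, the signature part is a placeholder, and no real PKCS#7 verification is performed.

```python
import hashlib
from email import message_from_bytes

# Constructed sample message; the smime.p7s content is a placeholder, not a real signature.
RAW = (
    b"From: billing@example.com\r\n"
    b"To: customer@example.net\r\n"
    b"Subject: Invoice 1001\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="sig-boundary"\r\n'
    b"\r\n"
    b"--sig-boundary\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Your invoice total is 120.00 EUR.\r\n"
    b"\r\n--sig-boundary\r\n"
    b"Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UExBQ0VIT0xERVI=\r\n"
    b"--sig-boundary--\r\n"
)

def signed_part_digest(raw: bytes) -> str:
    """SHA-256 over the first part of multipart/signed: the bytes the signature covers."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delim = b"--" + msg.get_boundary().encode("ascii")
    body = raw.split(b"\r\n\r\n", 1)[1]          # everything after the outer headers
    start = body.index(delim + b"\r\n") + len(delim) + 2
    end = body.index(b"\r\n" + delim, start)     # the CRLF before a boundary belongs to it
    return hashlib.sha256(body[start:end]).hexdigest()

def relay_hop(raw: bytes) -> bytes:
    """A relay prepends a Received header (outer header change only)."""
    return b"Received: from mx1.example.org by mx2.example.net\r\n" + raw

def tag_subject(raw: bytes) -> bytes:
    """A gateway rewrites the Subject header, which lies outside the signed part."""
    return raw.replace(b"Subject: ", b"Subject: [EXTERNAL] ", 1)

def tamper_body(raw: bytes) -> bytes:
    """A change inside the signed part alters the digest, so verification would fail."""
    return raw.replace(b"120.00", b"920.00", 1)

if __name__ == "__main__":
    for name, fn in [("relay hop", relay_hop), ("subject tag", tag_subject), ("body edit", tamper_body)]:
        print(name, "digest unchanged:", signed_part_digest(fn(RAW)) == signed_part_digest(RAW))
```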
Certificate management
Retarus does not act as a Certificate Authority. However, Retarus can support you in the process of getting your own digital certificate by putting you in touch with its preferred partner SwissSign. Generally, in 3 weeks your company will receive its unique digital certificate, and Retarus will add it directly to the Message Signing built-in PKI (Public Key Infrastructure).
A Certificate Authority is a company that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates.
Retarus has built a partnership with SwissSign to help its customers get certificates. However, Retarus is not in a position to recommend any particular Certificate Authority on the market.
Of course! Our Implementation Team can import your existing S/MIME certificate(s) into the Message Signing PKI and link them to your Transactional Email account. To do so, please open a Service Request.
A wildcard certificate is a single certificate which can sign all local parts belonging to the same domain name.
Wildcard certificates are not permitted for the moment.
Retarus recommends using a paid S/MIME certificate to digitally sign emails, as this is the most common and widely used standard on the market.
This is possible. Retarus has built a unique tool to streamline key management from your infrastructure into the Message Signing PKI: the “User Synchronisation Encryption” tool. Please contact our Technical Consultant team to implement this tool.