S/MIME, BIMI, VMC, SPF, DKIM, DMARC, TLS? 08 Dec ‘21
Can’t see the forest for the trees?
Everyone agrees that email security is important. Access to a mailbox is secured with a user name and password, or preferably with Multi-Factor Authentication (MFA), and the connection between the email client and the mail server runs over Transport Layer Security (TLS) using an SSL certificate. TLS is also used when email is sent between mail servers.
But how can the incoming network, and more importantly the email recipient, be sure that the incoming email was actually sent by the original sender? To check this, there are various standards that complement each other and each has its own specific use.
Secure/Multipurpose Internet Mail Extensions (S/MIME) has been around since 2002 and is the de facto standard for end-to-end secured and verifiable email.
Although Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) have existed for a number of years, they have only been widely deployed since 2018.
Since 2021, a new standard has been added: Brand Indicators for Message Identification (BIMI), which requires a Verified Mark Certificate (VMC).
What’s the use for all these terms?
All the standards that are mentioned above have their own specific use and application, so they do not replace or exclude each other:
S/MIME | Requires a separate S/MIME certificate, usually installed on the user's device, for each email address. This ensures that:
TLS | Requires one or more SSL certificates, one for every separate email programme connected to the network. This ensures that:
SPF | Only requires a DNS record. This ensures that:
DKIM | Only requires a DNS record. This ensures that:
DMARC | Only requires a DNS record. This ensures that:
BIMI | Only requires a DNS record. This ensures that:
VMC | Requires a verifiable, trademark-protected logo, with one Verified Mark Certificate purchased per logo (valid for 1 year). This ensures that:
Frequent confusions
Now that the different standards have been explained, it is easy to answer frequently asked questions:
- If I use DKIM, do I still need S/MIME for digital signatures?
DKIM provides a digital signature at the message level that is only used by, and visible to, the recipient's email service provider. The actual recipient can neither see nor use this DKIM signature.
An S/MIME signature is visible to the actual recipient. Because of it, the email client immediately indicates whether the body or attachments of an email were changed after it was sent, AND it allows the recipient to verify who actually sent the email.
- If I send email that is encrypted via TLS anyway, then do I still need S/MIME email encryption?
TLS ensures that the email is encrypted from the moment "send" is pressed in the email client until the email arrives at the recipient. In short, this is encryption of data in motion, also called point-to-point encryption.
S/MIME ensures that the outgoing email is also encrypted at rest, on both the sending and the receiving side. This is called end-to-end encryption. No one can read the body text or attachments of the email without the recipient's private key, so even someone who illegally logs into the email account cannot read the emails.
What's more, even the email provider cannot scan the content of the emails, for example to serve targeted advertisements.
- Surely, as standards, BIMI and VMC provide extra email security worldwide?
BIMI and VMC ensure brand recognition, and are therefore primarily intended for marketing.
In addition, at the time of writing BIMI and VMC are only supported globally by Gmail and Yahoo! Mail.
Microsoft has indicated that it has no intention of supporting BIMI and VMC, nor does it currently support them. Microsoft does not participate in the BIMI initiative. Instead, they have their own approach called “brand cards,” which serve much the same purpose without using DNS.
Checking BIMI/VMC and DMARC/DKIM/SPF online
Do you want to check whether a company has set up DMARC, DKIM, SPF, BIMI, and VMC (correctly) for its domain? This can be done easily via: https://bimigroup.org/bimi-generator/
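The online tool above queries live DNS. As an added example (not KeyTalk's code or the BIMI Group's tool), the script below applies the same kind of sanity checks to SPF, DMARC and BIMI TXT records that have already been fetched, so it runs offline. The records, the domains example.com and example.org, and the BIMI selector "default" are constructed for illustration; in practice you would paste in the output of `dig TXT example.com`, `dig TXT _dmarc.example.com` and `dig TXT default._bimi.example.com`. It also encodes the dependency the article only hints at: a BIMI record is pointless unless DMARC is at an enforcing policy (quarantine or reject, applied to 100% of mail).

```python
"""Offline sanity checks for SPF, DMARC and BIMI DNS TXT records.

Added example, not KeyTalk code. All records and domains below are
constructed; real ones would be fetched from DNS first.
"""
import re

# Constructed zone: a well-configured domain.
SAMPLE_ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}

# Constructed zone: a domain that "has" all three records but enforces nothing.
WEAK_ZONE = {
    "example.org": "v=spf1 include:_spf.example.net ~all",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "default._bimi.example.org": "v=BIMI1; l=http://example.org/logo.svg;",
}


def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DMARC, BIMI) into a lower-cased-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_mechanism_name(term):
    """'include:_spf.example.net' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def check_spf(record):
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()
    qualifier = last[0] if last[0] in "+-~?" else "+"
    if spf_mechanism_name(last) != "all":
        findings.append("SPF: no terminal 'all' mechanism; unknown senders get a neutral result")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises every host on the internet")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral; it authorises nothing and forbids nothing")
    elif qualifier == "~":
        findings.append("SPF: '~all' is softfail; rely on DMARC for actual enforcement")
    # RFC 7208 limits DNS-querying mechanisms to 10 per evaluation.
    lookups = sum(1 for t in terms[1:]
                  if spf_mechanism_name(t) in ("include", "a", "mx", "ptr", "exists", "redirect"))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def dmarc_enforcing(record):
    """True when the policy would actually quarantine/reject all failing mail."""
    tags = parse_tags(record)
    return (tags.get("v") == "DMARC1"
            and tags.get("p", "").lower() in ("quarantine", "reject")
            and tags.get("pct", "100") == "100")


def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def check_bimi(record, dmarc_record):
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return ["BIMI: record does not start with v=BIMI1"]
    findings = []
    if not tags.get("l", "").startswith("https://"):
        findings.append("BIMI: l= logo URL must be served over HTTPS")
    if not tags.get("a"):
        findings.append("BIMI: no a= evidence URL, so no VMC is referenced")
    if not dmarc_enforcing(dmarc_record):
        findings.append("BIMI: requires DMARC at p=quarantine or p=reject with pct=100")
    return findings


def audit(zone, domain, selector="default"):
    """Run all checks for one domain; returns {standard: [findings]} (empty lists are good)."""
    spf = zone.get(domain, "")
    dmarc = zone.get(f"_dmarc.{domain}", "")
    bimi = zone.get(f"{selector}._bimi.{domain}", "")
    return {
        "SPF": check_spf(spf) if spf else ["SPF: no record"],
        "DMARC": check_dmarc(dmarc) if dmarc else ["DMARC: no record"],
        "BIMI": check_bimi(bimi, dmarc) if bimi else ["BIMI: no record (optional)"],
    }


if __name__ == "__main__":
    for zone, domain in ((SAMPLE_ZONE, "example.com"), (WEAK_ZONE, "example.org")):
        print(domain)
        for standard, findings in audit(zone, domain).items():
            print(f"  {standard}: {'OK' if not findings else '; '.join(findings)}")
```

The checks deliberately treat "record exists" and "record enforces" as different things: example.org has an SPF, a DMARC and a BIMI record and still lets spoofed mail through, which is exactly the situation an online checker's green tick can hide if you only look for the presence of records.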
If you would like to know more on this subject, just contact us here and we’ll contact you!
The KeyTalk Team
