
DA4. Email Security

Statement

Solution

To assess the advantages and disadvantages of email encryption and digital signatures for individuals, we must first understand how email works. The email journey involves the following actors (Blitstein, 2023):

  • MUA (Mail User Agent) - The email client used to send and read emails.
  • MTA (Mail Transfer Agent) - The email server that sends and receives emails.
  • MDA (Mail Delivery Agent) - The email server that stores emails.
  • SMTP (Simple Mail Transfer Protocol) - The protocol used to send emails.
  • IMAP/POP (Internet Message Access Protocol/Post Office Protocol) - The protocol used to receive emails.

According to Osais-Open (2023), the email journey is as follows:

  • The sender creates an email using their MUA.
  • The email is sent to the sender’s MTA through the SMTP protocol.
  • The sender’s MTA does a DNS lookup to find the recipient’s MTA, along with other tasks such as spam filtering and virus scanning.
  • The sender’s MTA forwards the email to the recipient’s MTA through the SMTP protocol, where it is stored.
  • The recipient’s MUA then retrieves the email from the recipient’s MTA through the IMAP/POP protocol.

By examining the journey above, we can see that encryption is possible at any stage, that is, at the MUA, the MTA, and the MDA. To know where exactly the encryption happens, let’s dig into the protocols used at each stage.

SMTPS is the secure version of SMTP, an application-layer protocol that runs on top of TCP/IP; it uses TLS to encrypt the connections between MUA/MTA, MTA/MDA, and MDA/MUA. Some considerations around the use of SMTPS (Cloudflare, 2023):

  • TLS implements an asymmetric encryption scheme, where the sender (MUA, MTA) encrypts the message using the recipient’s public key, and the recipient (MTA, MDA) decrypts it using their own private key.
  • TLS authentication is done using digital signatures, which also help verify the integrity of the message.

So at the moment, because multiple access points, protocols, and actors are involved in the email journey, it is not possible to use end-to-end encryption at the individual level. If that were to change, the advantages and disadvantages would be as follows:

The advantages include more privacy and security as only the sender and recipient can read the message.

The disadvantages may include:

  • Each sender and recipient must have their own public/private key pair, and public keys must be published in a global repository that senders can access (similar to DNS servers).
  • Managing all the keys and certificates can be an issue.
  • The sender and recipient must be online at the same time to exchange keys and deliver the message (if we want to cut out the MTA and MDA completely).
  • This encryption may limit the MTA/MDA in performing tasks such as spam filtering and virus scanning.
  • This may increase the cost of email services (end-to-end encryption is available today, but only for paid users).
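The hop-by-hop nature of SMTPS described above, and the reason relays can still scan a message (the list just given), can be seen in the Received headers a message accumulates on its journey. The following is an added example, not part of the original post: a standard-library Python script that parses those headers from a constructed sample message (not a real capture) and reports which hops were TLS-protected, while showing that the body is still plaintext at every relay. It relies only on the IANA-registered "with" keywords (ESMTPS/ESMTPSA from RFC 3848) to classify a hop.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Each receiving server
# prepends its own Received header, so the newest hop is on top:
# MUA -> sender MTA -> recipient MTA -> MDA.
RAW_MESSAGE = """\
Received: from mx.example.net ([198.51.100.7])
    by mda.example.net (Dovecot) with LMTP id 3; Mon, 1 May 2023 10:00:03 +0000
Received: from smtp.example.org ([203.0.113.5])
    by mx.example.net (Postfix) with ESMTP id 2; Mon, 1 May 2023 10:00:02 +0000
Received: from alice-laptop.example.org ([192.0.2.10])
    by smtp.example.org (Postfix) with ESMTPSA id 1; Mon, 1 May 2023 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: Quarterly numbers

Plaintext body: every relay on the path can read and scan it.
"""

# "with" keywords that mean the hop itself ran over TLS (RFC 3848 / RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<src>\S+))?.*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)"
)

def parse_hops(raw):
    """Return the hops oldest-first as dicts with keys from, by, with, tls."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue  # non-standard Received line: skip rather than guess
        proto = m.group("proto").upper()
        hops.append({"from": m.group("src") or "?", "by": m.group("dst"),
                     "with": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def tls_report(raw):
    """Summarise TLS coverage per hop; the body is in the clear at each relay."""
    hops = parse_hops(raw)
    unprotected = [f"{h['from']} -> {h['by']}" for h in hops if not h["tls"]]
    return {"hops": len(hops), "tls_hops": sum(h["tls"] for h in hops),
            "unprotected": unprotected,
            "body_at_relays": message_from_string(raw).get_payload().strip()}

if __name__ == "__main__":
    for hop in parse_hops(RAW_MESSAGE):
        print(f"{hop['from']:>26} -> {hop['by']:<16} {hop['with']:<8} TLS={hop['tls']}")
```

Even on the hops that were TLS-protected, each relay decrypted the connection and held the body in the clear, which is exactly what lets it filter spam and what end-to-end encryption would take away.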

My experience with digital certificates was always painful, as I never understood what they meant, and I run a couple of websites where I have to deal with their certificates without proper knowledge. But I think that after this course, I know better what they are and how they work.

To conclude: currently, email encryption is not used at the individual level, but it would be possible if the PKI (public key infrastructure) could handle the vast increase in issued keys and certificates, along with overcoming the other challenges.

References
