Several concepts that involve cryptography are often confused with one another, particularly when applied to email communications: signing, encryption, encoding, and registration of email messages.
Digitally signed emails
Digitally signing emails only fulfills two objectives:
- Non-repudiation: to attest who the author of the communication is.
- Integrity: to ensure that the data has not been tampered with during transmission.
Digitally signing emails seeks to give the recipient assurance about the source and the integrity of the data, and nothing more. Nevertheless, and contrary to what many believe, it is not foolproof: certain data in a digitally signed email can be altered without touching the signature itself (while the signature still provides non-repudiation and integrity of the signed content), and a signature can also disappear without the email message appearing to have been tampered with.
In addition, under no circumstances does the digital signature included with an email provide information on what content was transmitted, or confirmation that it was actually sent and received at the destination.
Encrypted emails
An encrypted email is one whose content is protected by a cryptographic key to prevent it from being read by unauthorized third parties. Encrypting emails is highly cumbersome, as it requires an exchange of keys between the parties, and as a result its use is practically non-existent.
Email encryption usually also identifies the sender and therefore provides non-repudiation as well. However, it does not provide information on what content was transmitted, or confirmation that it was actually sent and received at the destination.
Encoded emails
Rather than encoded emails as such, what is discussed here is encrypting the transmission of an email, using a form of email encryption known as Opportunistic TLS. Just as you are familiar with concepts such as “secure server” and “SSL” from secure web browsing, the transmission of an email can be encoded using the same technology.
It is called Opportunistic because, generally speaking, it does not oblige the sender and receiver to transmit over a secure channel (TLS): opportunistic means that whoever initiates the transmission may attempt to do so securely, and falls back to a non-secure channel when the recipient’s email server does not support encoding.
Encoding of an email transmission does not depend on the user but on the email servers and providers of both the sender and the recipient. In fact, unless they have deliberately chosen to encrypt the data they transmit, most email users are unaware of whether their emails travel over a secure channel or not.
In contrast to the cases above, encoding the transmission provides neither non-repudiation nor data integrity. In addition, the content transmitted is irrelevant for encoding purposes and cannot under any circumstances be attested; the same goes for its successful transmission.
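As an added illustration (not part of the original article), the following Python simulates the SMTP capability exchange that decides whether a transmission is encoded: the server names, replies and the `negotiate` helper are constructed assumptions, and no network traffic is sent. It also shows the stricter variant, in which the sender refuses to fall back to plaintext.

```python
"""Simulated opportunistic-TLS negotiation for one SMTP delivery (constructed example)."""
from dataclasses import dataclass


@dataclass
class FakeSmtpServer:
    """Constructed stand-in for a receiving mail server; may or may not offer STARTTLS."""
    name: str
    supports_starttls: bool

    def ehlo(self, client_name: str) -> list[str]:
        # Multi-line EHLO reply: "250-" continues, "250 " (space) is the final line.
        caps = [f"250-{self.name} Hello {client_name}", "250-SIZE 10240000", "250-8BITMIME"]
        if self.supports_starttls:
            caps.append("250-STARTTLS")  # the only signal the sender gets that TLS is possible
        caps.append("250 HELP")
        return caps


def negotiate(server: FakeSmtpServer, client_name: str = "mail.sender.example",
              require_tls: bool = False):
    """Return (channel, transcript): channel is 'tls', 'plaintext', or None when aborted."""
    transcript = [f"C: EHLO {client_name}"]
    reply = server.ehlo(client_name)
    transcript += [f"S: {line}" for line in reply]
    # Each EHLO keyword is the first word after the 4-character "250-" / "250 " prefix.
    keywords = {line[4:].split()[0].upper() for line in reply}
    if "STARTTLS" in keywords:
        transcript += ["C: STARTTLS", "S: 220 2.0.0 Ready to start TLS",
                       "-- TLS handshake; the rest of the session is encrypted --"]
        return "tls", transcript
    if require_tls:
        # Enforced mode: the sender would rather not deliver than transmit in the clear.
        transcript += ["C: QUIT", "-- enforced mode: STARTTLS not offered, delivery refused --"]
        return None, transcript
    # Opportunistic mode: the decision rests entirely on the EHLO reply, so a server
    # that does not advertise STARTTLS (or a reply in which the line is missing)
    # silently leads to a plaintext session, and the user is never told.
    transcript.append("-- opportunistic mode: STARTTLS not offered, continuing in plaintext --")
    return "plaintext", transcript


if __name__ == "__main__":
    for srv in (FakeSmtpServer("mx.recipient.example", True), FakeSmtpServer("mx.legacy.example", False)):
        for strict in (False, True):
            channel, lines = negotiate(srv, require_tls=strict)
            print(f"\n{srv.name} (require_tls={strict}) -> {channel}")
            print("\n".join(lines))
```

Python's standard `smtplib` performs the same check with `SMTP.has_extn("starttls")` after `ehlo()`, and it is the mail-server configuration, not the end user, that decides whether the fallback to plaintext is allowed.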
Registered emails
Email registration is equivalent to certifying the e-delivery of certain content, regardless of whether the email has been digitally signed, its content encrypted, or its transmission encoded.
In contrast to the previous three concepts, email certification meets the need to attest the exact content of an email and its successful transmission and acceptance at the destination on a certain date; in a nutshell, who sent what to whom, and when. Just as in other fields where documents must be authenticated, the responsibility for certifying the content and transmission of an email cannot fall on any of the interested parties, which makes the involvement of a third party necessary.
This third party may or may not act as a “trusted third party”, understood as someone whose involvement or intervention is agreed upon and known to all parties. For registered e-deliveries there is no need for the certifying body to act as a “trusted third party”, particularly when certifying the content and delivery of an email: since there is no technically reliable method to attest that an email has been opened, it is enough to certify its transmission in order to leave a record of it. And for this, the recipient’s involvement is not necessary.