I wondered how email is secured (encryption and signing), googled it, and learned the following:
- Normally, end-to-end encryption is not performed. If it is to be encrypted, another protocol such as S/MIME is needed.
- Inter-mail-server connections are mostly encrypted using STARTTLS.
However, I couldn't find out whether the inter-mail-server connection uses mutual TLS or not. In other words, when the sender's mail server (e.g., owned by Google) sends emails to the receiver's mail server (e.g., owned by Microsoft), does the latter check the former's certificate and verify that the sender is actually who it says it is?
CodePudding user response:
Nope, no mutual SSL is used by default.
"emails totally can't be trusted"
You are right, in the same way that you cannot trust the name of the sender. However, there are additional measures (not always used or enforced, unfortunately) in the email header:
- routing information (can be spoofed)
- DomainKeys Identified Mail
see: https://blog.mailfence.com/email-header/
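To make the transport side of this concrete: not only is there no mutual TLS, but the sending MTA in plain ESMTP (RFC 3207 STARTTLS) upgrades to TLS only if the receiver happens to offer it, and by default accepts whatever certificate it is shown. The following is an added simulation, not code from this answer or from any mail software; it models the SMTP exchange as command/response lists and the certificate as a dict (no sockets, no real TLS), with constructed hostnames. It contrasts that opportunistic behaviour with the "enforce" behaviour that MTA-STS in enforce mode or DANE require, against two constructed on-path attackers: one that strips the STARTTLS capability from the EHLO reply, and one that lets TLS happen but terminates it with its own certificate.

```python
"""Added simulation (not code from the answers above) of how a sending MTA
decides whether a hop is encrypted.  No sockets or real TLS: the SMTP
exchange is modelled as command/response lists and the certificate as a
dict, so it runs offline.  Hostnames and addresses are constructed."""

EXPECTED_MX = "mx.example.net"   # the MX the sender resolved for the recipient domain

# Constructed EHLO reply and certificate of the legitimate receiving MTA.
RECEIVER_CAPS = [
    "250-mx.example.net Hello mail.example.org",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]
RECEIVER_CERT = {"subject": "mx.example.net", "trusted_chain": True}


class ReceivingMTA:
    """Just enough server-side state for the opening of an SMTP session."""

    def __init__(self, caps=RECEIVER_CAPS, cert=RECEIVER_CERT):
        self.caps, self.cert = list(caps), cert

    def handle(self, command):
        verb = command.split()[0].upper()
        if verb == "EHLO":
            return list(self.caps)
        if verb == "STARTTLS":
            if "250-STARTTLS" not in self.caps:
                return ["454 4.7.0 TLS not available"]
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "MAIL":
            return ["250 2.1.0 Ok"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.1 Command unrecognized"]


# Two active on-path attackers (constructed for the example).
def strip_starttls(reply, cert):
    """Delete the STARTTLS capability from the EHLO reply (a STRIPTLS downgrade)."""
    return [line for line in reply if line.upper() != "250-STARTTLS"], cert


def impersonate(reply, cert):
    """Let STARTTLS proceed, but terminate TLS with the attacker's own certificate."""
    return reply, {"subject": "mx.attacker.example", "trusted_chain": False}


def send_session(receiver, policy, attacker=None):
    """Sending MTA.  policy is 'opportunistic' (the plain ESMTP default: use TLS
    if offered, accept any certificate, otherwise send in clear) or 'enforce'
    (what MTA-STS 'mode: enforce' or DANE require: TLS must be offered and the
    certificate must validate for the expected MX).  Returns (outcome, transcript)."""
    transcript = []

    def exchange(cmd):
        transcript.append("C: " + cmd)
        reply, cert = receiver.handle(cmd), receiver.cert
        if attacker is not None:
            reply, cert = attacker(reply, cert)
        transcript.extend("S: " + line for line in reply)
        return reply, cert

    ehlo, _ = exchange("EHLO mail.example.org")
    if any(line.upper() == "250-STARTTLS" for line in ehlo):
        reply, cert = exchange("STARTTLS")
        if reply[0].startswith("220"):
            # A real client now wraps the socket in TLS and is shown `cert`.
            cert_ok = cert["trusted_chain"] and cert["subject"] == EXPECTED_MX
            if cert_ok or policy == "opportunistic":
                exchange("MAIL FROM:<alice@example.org>")
                return "delivered over TLS to " + cert["subject"], transcript
            exchange("QUIT")
            return "refused: certificate does not validate for " + EXPECTED_MX, transcript
    if policy == "enforce":
        exchange("QUIT")
        return "refused: TLS required but not offered", transcript
    exchange("MAIL FROM:<alice@example.org>")
    return "delivered in plaintext", transcript


if __name__ == "__main__":
    # In no case does the receiver ask the *sender* for a certificate: the
    # sending MTA's identity is never authenticated at this layer.
    for policy in ("opportunistic", "enforce"):
        for attacker in (None, strip_starttls, impersonate):
            name = attacker.__name__ if attacker else "no attacker"
            print(f"{policy:13s} {name:15s} -> {send_session(ReceivingMTA(), policy, attacker)[0]}")
```

Running it prints the six combinations: with the opportunistic policy both attackers succeed (plaintext delivery, or TLS to the attacker's certificate), while the enforce policy refuses both and only delivers to the genuine MX. Note that the receiver never requests a client certificate in any branch, which is the answer to the original question about mutual TLS.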
CodePudding user response:
First of all, email is much less secure than one would think and hope. Because I didn't understand email and had similar questions to yours, I spent several months researching all technical aspects of modern email, which resulted in this article.
As you have already figured out, end-to-end encryption is independent of everything else. Encrypting email in transit is optional, and the percentage of TLS-secured connections increased from around 40% in 2013 to around 90% in 2020, as reported by Google/Gmail.
ESMTP itself provides only opportunistic security, which is useful only against passive attackers. As a result, the identity of the receiving server is often not even verified.
There are two standards to provide confidentiality even in the presence of an active attacker, which aren't widely deployed yet:
- DNS-Based Authentication of Named Entities (DANE)
- Mail Transfer Agent Strict Transport Security (MTA-STS)
Authenticating that an email is coming from the sender's domain is solved separately with the following standards:
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
These standards are more widely deployed than the previous ones, but we're still far away from "universal" adoption and enforcement. One of the reasons for this is that not everyone sees email spoofing as a bug. Mailing lists use this as a feature.
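To show how SPF, DKIM and DMARC fit together, here is an added worked example that is not code from this answer or from the article it refers to: a small SPF evaluator plus the DMARC alignment check, run against a constructed in-memory DNS table so it works offline. It handles the common mechanisms (ip4, ip6, a, include, all and the redirect= modifier) but is not a full RFC 7208 evaluator: no macros, no mx/ptr/exists, no DNS lookup limit, and the organizational domain is simplified to the last two labels instead of using the Public Suffix List. DKIM signature verification itself is out of scope; the DKIM result is passed in. All domains and addresses are invented documentation values, including an attacker.example zone whose SPF record is perfectly valid for its own server, which is the case DMARC alignment exists to catch.

```python
"""Added example: a small SPF evaluator plus the DMARC alignment check, run
against a constructed in-memory DNS table so it works offline.  Handles
ip4/ip6/a/include/all and redirect= but is not a full RFC 7208 evaluator
(no macros, mx/ptr/exists, lookup limits or Public Suffix List).  All
domains and addresses below are invented documentation values."""

import ipaddress

# Constructed TXT records.  attacker.example has a perfectly valid SPF record
# for its own server, which is exactly the case DMARC alignment exists for.
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "newsletter.example.org": "v=spf1 a -all",
    "attacker.example": "v=spf1 ip4:203.0.113.99 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; aspf=r; adkim=s",
}
DNS_A = {"newsletter.example.org": ["203.0.113.7"]}   # constructed A records
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """SPF result for a connection from `ip` whose MAIL FROM domain is `domain`."""
    if depth > 10:                                   # include/redirect loop guard
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.partition(":")[0]:            # modifier such as redirect=
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":                            # A record of arg, or of domain
            matched = str(addr) in DNS_A.get((arg or domain).lower(), [])
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                       # mechanism not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"                                 # no term matched

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC
    uses the Public Suffix List, so example.co.uk would be wrong here)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_policy(header_from_domain):
    """Tags of _dmarc.<From domain>, falling back to the organizational domain."""
    rec = (DNS_TXT.get("_dmarc." + header_from_domain.lower())
           or DNS_TXT.get("_dmarc." + org_domain(header_from_domain)))
    if rec is None:
        return None
    tags = {}
    for item in rec.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(auth_domain, header_from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)

def dmarc_verdict(ip, mail_from_domain, header_from_domain,
                  dkim_domain=None, dkim_pass=False):
    """DMARC: SPF or DKIM must not just pass but align with the visible From:
    domain.  The DKIM result is supplied by the caller; signature verification
    itself is out of scope for this example."""
    policy = dmarc_policy(header_from_domain)
    if policy is None:
        return "none"
    spf_ok = (check_spf(ip, mail_from_domain) == "pass"
              and aligned(mail_from_domain, header_from_domain, policy.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, header_from_domain, policy.get("adkim", "r")))
    return "pass" if spf_ok or dkim_ok else "fail:" + policy.get("p", "none")

if __name__ == "__main__":
    print(check_spf("203.0.113.99", "attacker.example"))                    # pass
    print(dmarc_verdict("203.0.113.99", "attacker.example", "example.org"))  # fail:reject
```

The two calls at the bottom are the point of the example: the attacker's server passes SPF for its own envelope domain, yet the message fails DMARC because that domain does not align with the example.org shown in the From: header, and the published policy says to reject it. With aspf=r a subdomain such as newsletter.example.org still aligns; with adkim=s a DKIM signature must be for exactly example.org. This is also the mechanism that breaks for mailing lists: the list re-sends the message from its own servers and domain, so neither identifier aligns with the original author's From: domain unless the list rewrites that header.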