Even if it can be done by S/MIME, which is a great idea, I feel S/MIME compatible server products where mail can be signed, encrypted or verified or decrypted centrally need to be more widespread in that case. Now there is kinda only one solution I know of - called Ciphermail or DJIGZO.

Another thing that is problematic with S/MIME and PGP and such, is that a system can't know if an email is SUPPOSED to be signed. That's what DMARC solves. Maybe a solution for DMARC that also includes OpenPGP and S/MIME. (Where for OpenPGP, then the public key is transmitted via DNS via a PGPKEY record, and for S/MIME it's enough it's validated by a CA that is present in a CAA record).

Maybe with 2 new commands for DMARC?:
asmime=r/s
apgp=r/s

But you are wrong about verifying authenticity. Verifying authenticity CAN be done on a server, provided you trust the server. The server just needs some way to communicate this to an end user in some out-of-band way securely.

On Microsoft Outlook you can do this by the "Keywords:" header, which then can be configured in the email client to have nice colors. You of course need to scrub any keywords headers from the email to prevent a hacker from inserting validation results preemptively.

best regards, Sebastian Nielsen

-----Original message-----
From: Jaroslaw Rafa via mailop <[email protected]>
Sent: 20 November 2025 17:47
To: [email protected]
Subject: Re: [mailop] VMC/BIMI - Getting a personal VMC certificate?

On 20.11.2025 at 09:37:46 Todd Herr via mailop wrote:
> In my judgment, telling people that a logo showing in a specific place in
> the email client means the email is safe is going to be heard by those
> people as "logo means safe", with no differentiator on where that logo
> appears. To steal a phrase that I believe I've heard Mr. Levine use before,
> that's just teaching people to be phished, because bad guys can figure out
> ways to get a logo in a message somewhere, even if it's not the location
> that a BIMI logo would show up.

I wonder why the companies that want to use BIMI would not rather go the path of signing their messages with S/MIME. That's already supported by most mail clients, the message about mail being properly signed (or not) is prominently displayed by the client, and it's definitely easier for a company to obtain S/MIME certificate(s) for signing mail than to go through all the hassles of getting BIMI-verified.

Why not use a solution that already exists, instead of inventing something new, and very strange in concept (at least in my opinion)?

Verifying authenticity of mail on transport stage (SMTP), instead of doing this on the final stage when the mail is actually read (which S/MIME provides) is at least a misconception, in my opinion. You cannot actually verify authenticity of any communication if you aren't doing this end-to-end.

--
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
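The "Keywords:" scrubbing step mentioned in the thread, sketched as an added example that is not part of the original messages or of any product named in them. It assumes the gateway has already verified the S/MIME or OpenPGP signature and passes the result in as a boolean; the keyword names `smime-verified` and `smime-unverified` are hypothetical.

```python
from email import message_from_bytes, policy

# Hypothetical keyword values; the thread does not name any.
KW_OK = "smime-verified"
KW_FAIL = "smime-unverified"
TRUSTED = {KW_OK, KW_FAIL}

# refold_source="none" keeps untouched headers exactly as received,
# so existing DKIM or S/MIME signatures over them are not disturbed.
POLICY = policy.SMTP.clone(refold_source="none")

def stamp_verification(raw: bytes, signature_ok: bool):
    """Strip sender-supplied Keywords headers, then add the gateway's verdict.

    Returns (new_message_bytes, spoof_attempt). spoof_attempt is True when
    the inbound message already carried one of the trusted keyword values,
    which is worth logging as a detection signal.
    """
    msg = message_from_bytes(raw, policy=POLICY)
    claimed = set()
    for value in msg.get_all("Keywords", []):
        # Header names match case-insensitively; folded values arrive unfolded.
        claimed.update(k.strip().lower() for k in str(value).split(","))
    spoof_attempt = bool(claimed & TRUSTED)
    del msg["Keywords"]  # removes every occurrence, whatever its case
    msg["Keywords"] = KW_OK if signature_ok else KW_FAIL
    return msg.as_bytes(), spoof_attempt

# Constructed sample: the sender pre-inserted the trusted value twice,
# once with an upper-case header name and once inside a folded header.
SAMPLE = (
    b"From: billing@example.com\r\n"
    b"To: user@example.net\r\n"
    b"Subject: Invoice\r\n"
    b"KEYWORDS: smime-verified\r\n"
    b"Keywords: newsletter,\r\n SMIME-Verified\r\n"
    b"\r\n"
    b"Please pay.\r\n"
)

if __name__ == "__main__":
    out, spoofed = stamp_verification(SAMPLE, signature_ok=False)
    print("spoof attempt:", spoofed)
    print(out.decode())
```

The scrub has to run on every inbound message, signed or not, before the client-side colour rule can be trusted.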
