Organizational Email Footer in O365, but with S/MIME Certificates


My organization uses S/MIME certificates to digitally sign and encrypt emails. We would like to add a disclaimer at the bottom of our emails, which can be done via the mail flow settings in Office 365.

However, if the message is edited by the server after it has been signed by the sender, the certificate will show as invalid.

Is there a way to add an organizational email footer without affecting S/MIME functionality? Or is the only solution to add the disclaimer to the client's signature?

SamTheSammich

Posted 2016-05-23T20:56:36.333

Reputation: 45


Email disclaimers are a waste of time and electrons. Disclaimers in Email Signatures are Not Just Annoying, But Legally Meaningless: "Lawyers and experts on internet policy say no court case has ever turned on the presence or absence of such an automatic e-mail footer in America, the most litigious of rich countries."

– DavidPostill – 2016-05-23T21:33:35.983

Answers


Short answer: No, if your message is S/MIME signed you cannot add a footer without invalidating the signature.

Long answer: While an added footer would invalidate the message, it is possible to work around this in a few ways.

  • Fallback Rules to encapsulate the signed message as an attachment with a footer. I'm not sure this is smart enough to understand the footer invalidates S/MIME signatures and not encryption. You'd have to experiment.

  • OME deliver encrypted messages from a middle tier and skip S/MIME (significant change to mail flow, compatibility, and use).

  • Use PGP instead of S/MIME, which allows you to use PGP inline. However, it's not supported natively in Office 365, so you'd have to manage PGP extensions in browser and on Outlook clients.

  • Third Party encryption or encapsulation equivalents outside of Office 365.

Edit: There is some dispute over PGP Inline and whether it is a sound security process or harmful.

krondor

Posted 2016-05-23T20:56:36.333

Reputation: 473

Given that MIME allows arbitrary nesting, couldn't you nest the whole multipart/signed part alongside a separate footer part, much like some mailing lists already do? – user1686 – 2016-05-24T05:03:58.763


S/MIME nesting is usually ignored by mail clients, however, and poses a security risk (same discussion as PGP Inline). Hence I omitted it as an option. You are correct that the RFC does allow for it, but it leaves it up to clients to decide. Most clients I know of do not honor a signature on a nested MIME part. See Mozilla Thunderbird's response: https://bugzilla.mozilla.org/show_bug.cgi?id=578295#c3

– krondor – 2016-05-24T11:40:20.167
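To illustrate krondor's answer and user1686's nesting suggestion, here is an added example that is not part of the thread: it builds a multipart/signed message with Python's standard email package, using a SHA-256 digest as a stand-in for the real PKCS#7 signature (an assumption: only the MIME structure, not the cryptography, is reproduced). Appending a footer to the signed part changes the bytes the signature covers and so breaks verification, while nesting the untouched multipart/signed next to a separate footer part leaves the inner signature verifiable in principle, which, as the comments note, most clients will not bother to check.

```python
import hashlib
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def fake_sign(covered: bytes) -> bytes:
    # Stand-in for the CMS signature: a digest over exactly the bytes an S/MIME
    # signer covers. Real S/MIME emits a PKCS#7 blob over the same canonical
    # bytes, so the structural outcome below is identical.
    return hashlib.sha256(covered).hexdigest().encode()

def build_signed(text: str) -> MIMEMultipart:
    # multipart/signed (RFC 1847): part 1 is the protected body, part 2 the
    # signature over part 1's headers and content. Constructed sample message.
    body = MIMEText(text)
    signed = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                           micalg="sha-256")
    signed.attach(body)
    signed.attach(MIMEApplication(fake_sign(body.as_bytes(policy=policy.SMTP)),
                                  "pkcs7-signature"))
    return signed

def verify(signed: MIMEMultipart) -> bool:
    # Recompute over the first part and compare with the stored signature.
    body, sig = signed.get_payload()
    return fake_sign(body.as_bytes(policy=policy.SMTP)) == sig.get_payload(decode=True)

def append_footer_in_place(signed: MIMEMultipart, footer: str) -> None:
    # What a transport-rule disclaimer does: it edits the signed text part itself.
    body = signed.get_payload()[0]
    body.set_payload(body.get_payload() + "\n" + footer)

def wrap_with_footer(signed: MIMEMultipart, footer: str) -> MIMEMultipart:
    # The nesting idea from the comments: leave multipart/signed untouched and put
    # it beside a separate footer part inside an outer multipart/mixed.
    outer = MIMEMultipart("mixed")
    outer.attach(signed)
    outer.attach(MIMEText(footer))
    return outer

def demo() -> dict:
    footer = "Constructed disclaimer footer."
    untouched = build_signed("Quarterly report attached.")
    edited = build_signed("Quarterly report attached.")
    append_footer_in_place(edited, footer)
    nested = wrap_with_footer(build_signed("Quarterly report attached."), footer)
    return {"untouched": verify(untouched),
            "footer_appended": verify(edited),  # server edit breaks the signature
            "nested_inner": verify(nested.get_payload()[0])}  # inner part intact
```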