This should be a short experience summary about using "secure" e-mail
(S/MIME) in business environment for about 2 years.
We are a small/midsized company with customers mainly insurance
companies and other larger organisations most located in germany. Our
decision at end 2009 was to digital sign *every* outgoing e-mail with
the Djigzo gateway (Thanks Martijn!) to get tamper-proof mail and
provide our customers the possibility to send us encrypted mail. Our
mail volume is very low with about 50 signed mails outgoing per day to
around 150 different business domains. The incoming volume is about
three times as high, mostly from the same 150 domains plus
additionally advertising/status/newsletters and some minor fraction
With this after nearly two years we got the following public
certificates in our store:
- about 10 different business related domains with around 20 different
- around 80 certificates from extern all together
- about 25 trusted root-CAs (+sub-CAs) needed for trust relation
With this we can see less than 10% usage of S/MIME by companies for
which e-mail security should be a must
Additionally there seems to be companies which sign their newsletters
but not their business mail coming from the employees. Sad but true we
even had one big company where digital signed mail was repeatedly
lost, so we had to disable s/mime mail to them altogether. In other
cases there clearly was a s/mime gateway at the other end, but no
certificates where used, the root-CAs seem to be out of date and no
one was reachable for inclusion. Two cases where found where the
content of the mails where altered by some virus/content scanner in
between making the signature invalid.
After automatically encrypt all outgoing mail where we have valid
certificates for, another three domains had at least intermediate
problems with key handling leading to support calls about external
recipients not able to decrypt their own mail
So in sum we ended with not even 5% targets to reliable exchange
s/mime e-mails with, noticeable in a environment where confidentially
is often required because of law and business requirements. An attempt
to contact remote postmasters (7 different domains) to fix the
problems lead to three bounces, one silently included the CA used by
us and three with no reaction at all.
That said Djigzo worked reliable from day one and we never had any
technical problem related to our setup.
I'm really baffled that it is still that troublesome *and* nearly
useless because of missing S/MIME capable mail infrastructure even in
companies spending a lot of $ on mail security.
Would be nice to here from others about there findings.