A Tale of Two Messages

I sent out two identical messages that arrived in the receiver’s mailbox. The first (the one on the left) ended up in the recipient’s Junk E-mail folder. When the recipient opened it using Gmail on an Android phone, they saw a very concerning warning message inserted by Google. (Not every system will generate this warning, but you should always be suspicious of messages ending up in your Junk E-mail folder.)

The second one (the one on the right) ended up in the same recipient’s normal Inbox. They could open it and read it without concern.

Both emails were sent from the same system, the same email sender, and contained the same content. So what’s the difference?

Digitally Signed Emails are the New Norm

To thwart spammers, hackers, and phishing attacks, mail should now be digitally signed by the domain sending the mail. Both emails were sent by me from my atlassolutions.ca email account. The second email (the one on the right) has a proper signature installed in the system. When this message was sent out, a signature header (or hash) was inserted in the message. The receiving email system saw that it claimed to be from atlassolutions.ca; it looked up the public signature or key for that domain and tried to use this key to decrypt the hash in the message’s header. Because the key was successful, the system knew that this message did indeed come from Atlas Solutions.

This same test failed on the first message. Either there was no public key to look up, or the public key didn’t match the hash. Although everything about the message said it was from Atlas Solutions, the receiving system had no way of trusting it. So it flagged the message as a failure.

The Envelope Tells the Story

Email, just like regular mail, comes in two parts: an envelope, and the contents. Most of us never look at the envelope and many mail readers never show it to us. But here’s an extract from the header or “envelope” of the first message:

No public key for this message was found when it was received and so therefore it failed the trust test. Furthermore, the recipient’s mail system was set to “QUARANTINE” failed messages–which is why it ended up in the Junk E-mail folder. If the recipient’s mail system was set to REJECT, then the mail would have been deleted without me ever seeing it. More and more systems are being set to “REJECT” in an effort to stop phishing and cyberattacks.

Is Your Mail Getting Through?

The use of digitally signed emails is fairly recent. Many companies email clients only to have mail go missing–it may be in the Junk folder, or it might have been deleted altogether. Only 40% of your mail newsletters are opened. Maybe the other 60% never ended up in the reader’s inbox?

Many companies don’t have the expertise to understand this technology or how to generate and add signatures to their outgoing mail. This is one area where it pays to work with a knowledgeable, experienced, and competent IT company like Atlas Solutions. If you need help, call us.