Initial situation:
All outgoing emails are generally to be signed with S/MIME. However, for cost reasons, only one certificate is to be used for this purpose across all domains.
Background:
The domain signature, i.e. signing all outgoing emails with a single S/MIME (domain) key, may seem to be a low-cost alternative to signing each email with the sender's personal S/MIME key. However, this procedure will sooner or later lead to problems and/or enormous administrative effort.
On the functional principle:
To ensure that the applicant of the domain certificate matches the sender of the email, so that signature verification at the recipient succeeds, the sender of every outgoing email must be manipulated so that it corresponds to the certificate applicant. The actual sender address (for example john.doe@mycompany.tld) is therefore written into the “Reply-To” header, while the content of the “From” header (john.doe@mycompany.tld) is replaced with the address of the certificate applicant (for example signature@mycompany.tld) for each email.
If the recipient of such an email replies directly, the address of the “reply to” header is used, and everything works as expected.
However, if the recipient adds the sender of the email to their address book (e.g. as Max Mustermann), the address stored under that name is not the email address of the indicated sender (john.doe@mycompany.tld), as would be expected, but the rewritten address from the “From” header (signature@mycompany.tld). If this recipient now sends an email to the original sender john.doe@mycompany.tld, it will be delivered to signature@mycompany.tld instead of john.doe@mycompany.tld.
Similarly, non-delivery reports (NDRs) are always sent to the sender of an email. This means that if an email from a sender in the domain mycompany.tld does not even reach the external recipient, the NDR goes to signature@mycompany.tld instead of to the original sender, who therefore has no idea that their email was not delivered.
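The header rewrite described above and its three consequences (direct reply, address book entry, NDR), modelled as an added Python example. This is not SEPPmail code; the sample message, the display name and the partner address are constructed, and the NDR destination is modelled as the “From” address exactly as the text describes it.

```python
"""Model of the domain-signature header rewrite and what a recipient's client
or a bouncing MTA picks up afterwards. Sample data is constructed."""
import copy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

SIGNING_ADDRESS = "signature@mycompany.tld"  # certificate applicant, as in the article

def build_sample() -> EmailMessage:
    """Constructed outgoing mail from a personal mailbox, before the gateway."""
    msg = EmailMessage()
    msg["From"] = formataddr(("Max Mustermann", "john.doe@mycompany.tld"))
    msg["To"] = "partner@example.org"          # constructed external recipient
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please find the figures attached.")
    return msg

def domain_signature_rewrite(msg: EmailMessage, signing_address: str = SIGNING_ADDRESS) -> EmailMessage:
    """The rewrite described in the article: the original From moves into Reply-To,
    and From becomes the certificate applicant so the S/MIME check passes."""
    out = copy.deepcopy(msg)                   # leave the caller's message untouched
    name, addr = parseaddr(out["From"])
    del out["From"]
    out["From"] = formataddr((name, signing_address))
    if "Reply-To" not in out:                  # keep an explicit Reply-To if the sender set one
        out["Reply-To"] = formataddr((name, addr))
    return out

def reply_target(msg: EmailMessage) -> str:
    """A direct reply honours Reply-To, so it still reaches the real sender."""
    return parseaddr(msg.get("Reply-To") or msg["From"])[1]

def address_book_entry(msg: EmailMessage) -> tuple:
    """'Add sender to address book' stores the From header, not Reply-To."""
    return parseaddr(msg["From"])

def ndr_target(msg: EmailMessage) -> str:
    """Bounce destination as the article describes it: the (rewritten) sender address."""
    return parseaddr(msg["From"])[1]

def looks_rewritten(msg: EmailMessage) -> bool:
    """Admin-side heuristic (assumption, not from the article): From and Reply-To carry
    the same display name but different addresses, the fingerprint of this rewrite."""
    f, r = parseaddr(msg["From"]), parseaddr(msg.get("Reply-To", ""))
    return bool(r[1]) and f[1] != r[1] and f[0] == r[0]
```

Running the rewrite over the sample shows the reply still reaching john.doe@mycompany.tld while both the address book entry and the NDR end up at signature@mycompany.tld.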
Conclusion:
The longer you work with a domain signature, the more emails are erroneously sent to the applicant's address from the certificate, and the more frequently this happens. This also means that somebody has to check this inbox regularly at short intervals and forward the misdirected emails manually to the correct recipients (where this is possible and the recipient can be identified). Failure to do so may even result in legal consequences.
Therefore, we strongly advise against using this option!
This is also the reason why this option has been removed from the administration interface with version 10.0 of the SEPPmail Secure E-Mail Gateway.