Signed e-mails have essentially two advantages. First, they prove the identity of the sender. Second, they make reliable content encryption possible. The solution, called PGP, can be easily installed and used with e-mail programs such as Mozilla Thunderbird.
Introduction
The GDPR requires security of processing (Art. 32 GDPR). Even sending e-mails is a processing of personal data. Confidential mails must therefore be sent with appropriate security.
According to a ruling by the VG Mainz, e-mails with sensitive information may nevertheless be sent with conventional transport encryption; in the court's view this protects the content sufficiently against unauthorized reading.
However, sender addresses in e-mails can easily be forged. The recipient therefore does not know whether the supposed sender is actually the real one. This can usually be clarified through two-way communication, i.e., by replying to the supposed sender. In everyday life this often happens implicitly, without an explicit inquiry.
An email signed with PGP is more trustworthy than an unsigned email.
This is my opinion, or, depending on the certificate, even objectively verifiable.
If someone wants to make sure that the recipient can trust the sender's address, they should use a signature. Such signatures are supported by the Pretty Good Privacy architecture, PGP for short. That probably has another advantage: signed e-mails are potentially less often classified as spam, I suppose.
Unfortunately, with Microsoft Outlook it is currently not possible to set up PGP signing in a satisfactory and stable way. This is shown by my own experiments and by discussions with readers of Dr. GDPR. Conventional solutions fail in particular on systems that have the character of a developer machine.
For someone looking for a free and well-functioning solution, Mozilla Thunderbird is an option. Thunderbird is a powerful e-mail program. If you don't want to give up your current e-mail program, you should at least use Thunderbird as a secondary program. In some cases, such as when serving a message in a legal dispute, a signed e-mail may seem necessary.
PGP and Mozilla Thunderbird
Mozilla Thunderbird is a free e-mail program (Download Link). PGP can easily be installed there with an add-on named Enigmail, and a PGP key can be created in a simple way. Update: see the comment under this post, which I couldn't check; apparently OpenPGP has since been integrated into Thunderbird.
The following information applies to an installation under Windows 10.
Prerequisites are an installed Mozilla Thunderbird and an e-mail account set up in Thunderbird. If you have just performed the installation, it's best to restart Thunderbird now.
Install PGP Plugin
To use PGP in Thunderbird, the add-on Enigmail is recommended.
Enigmail can be easily installed. To do this, either open the add-on management and search for Enigmail there:

Then enter the term Enigmail in the search field and start searching.
Alternatively, open the search result for Enigmail directly via this button:
The first hit shown on the appearing page is the correct one:

After clicking the button Add to Thunderbird, Enigmail is installed. Don't forget to activate the add-on, if necessary.
This is what it looks like when Enigmail is installed and activated:

Restart Thunderbird.
Link email account with PGP
Now select the desired email account to link with PGP.
To do this, open the account settings. This can be done, for example, via the menu in the top right corner of Thunderbird.

If needed, create a new e-mail account. This is very easy because you don't have to enter ports and mail protocols; Thunderbird detects these automatically. With my mail provider this worked wonderfully.
Now enable signing of e-mails as follows in the account settings.

The screenshot shows the Key Management. A key can be added there if none is available yet. Once that has happened, the key should be selected. In the screenshot above, this can be recognized by the option field below ("None").
Next we add a digital signature to every email.

The screenshot shows the relevant setting in red outline.
If encryption is enabled by default, the recipient must support it. This can be a bit annoying, because a popup appears for every e-mail sent if encryption is not possible or still needs to be set up for a recipient address.
Check settings
Before sending an e-mail, check the settings for signature and encryption. To do this, click on the downward-pointing arrow directly to the right of the Security ("Sicherheit") button in the e-mail editor:

What's most important is that the option "Sign this message" is enabled. The recipient then receives a message with a signature. Many e-mail programs display such messages in the inbox with an icon like this one:

In Thunderbird, the validity of the signature is displayed as follows when the "OpenPGP" button in the received message is clicked:

To encrypt messages, the recipient's key must be available. Otherwise, the following error message appears:

If the recipient's PGP key is available, the message is encrypted and sent directly to the recipient. When the recipient views the message, the encryption is indicated. In Thunderbird it looks like this:

The corresponding proof of encryption is shown by clicking on "OpenPGP" in the received message.
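As an added illustration, not code from the original post, the following POSIX shell script reproduces what Enigmail does behind the Thunderbird buttons with the gpg command line in a throwaway keyring: Alice signs a message, the signature verifies, a tampered copy fails verification, and encrypting to an address whose public key is not in the keyring is refused, just as the error dialog above describes. The identities alice, bob and carol @example.invalid are constructed for the demo.

```shell
#!/bin/sh
# Added demonstration (not from the original post): sign / verify / encrypt with
# gpg in an isolated keyring. Constructed identities: alice, bob, carol @example.invalid.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; exit 0; }

export GNUPGHOME="$(mktemp -d)"        # throwaway keyring; your real keys are untouched
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Demo keys without passphrase (fine for a throwaway keyring, never for real keys).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Alice <alice@example.invalid>' default default never
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Bob <bob@example.invalid>' default default never

MAIL="$GNUPGHOME/mail.txt"
printf 'Please find the Art. 15 GDPR disclosure attached.\n' > "$MAIL"

# Alice signs the mail (clearsign; Thunderbird uses PGP/MIME, the check is the same).
sign_message() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user alice@example.invalid --clearsign --output "$MAIL.asc" "$MAIL"
}

# Exit status 0 for a good signature, non-zero otherwise: what the "OpenPGP" button shows.
verify_message() {
    gpg --batch --quiet --verify "$1" 2>/dev/null
}

# Simulates tampering in transit: the body is edited, the signature block is kept.
tamper_message() {
    sed 's/disclosure/disclosure (amended)/' "$MAIL.asc" > "$GNUPGHOME/tampered.asc"
}

# Encryption needs the recipient's public key in the keyring; without it gpg refuses,
# which is the situation behind the error dialog shown above.
encrypt_to() {
    gpg --batch --quiet --yes --trust-model always --recipient "$1" \
        --encrypt --output "$GNUPGHOME/mail.gpg" "$MAIL" 2>/dev/null
}

# Stand-alone run: one line per check.
sign_message
verify_message "$MAIL.asc"               && echo "original: signature good"
tamper_message
verify_message "$GNUPGHOME/tampered.asc" || echo "tampered: signature BAD"
encrypt_to bob@example.invalid           && echo "to bob:   encrypted (key known)"
encrypt_to carol@example.invalid         || echo "to carol: refused (no public key)"
```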
The current Thunderbird (as of 03.11.2021) contains a bug: when a received, signed e-mail is opened in the inbox by selecting it (without double-clicking), the signature is displayed as invalid (after clicking the "OpenPGP" button mentioned above). Double-clicking the mail then shows that the signature is valid. This bug is known on the internet and can easily be worked around by viewing in double-click mode. I am sure there will soon be a correction for this.
Conclusion
With Mozilla Thunderbird and the aforementioned PGP plugin, it's easy to sign and encrypt messages. At least it was easy for me to do so within a few minutes.
With Mozilla Thunderbird, emails can be quickly and easily signed with a digital signature.
Encrypting content with PGP is also successful if the recipient's key is known.
In Microsoft Outlook, however, it didn't work out in a sensible way to set up PGP keys. This was probably mainly due to the fact that my user has too many rights (!). Maybe not everyone understands or believes this. But it's like a discussion with someone who had paid a specialist company for support themselves, and who also couldn't believe it. My 30 years of IT experience lead me to suspect that in my case there is no OSI layer 8 problem. The OSI model is a reference model for network protocols and has only 7 layers; the human being in front of the computer is jokingly referred to as OSI layer 8.
My recommendation for all who want to keep their current e-mail program and not replace it with Thunderbird: use both e-mail programs. Thunderbird should be used for correspondence where confidentiality or an identity check makes it sensible. For example, this is sensible for e-mails sent in the context of a data disclosure according to Art. 15 GDPR.
Key messages
This guide explains how to set up end-to-end email encryption using Enigmail and Thunderbird.
Thunderbird makes it easy to encrypt and sign emails, while Outlook is more difficult to set up for this purpose.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
