Hi Everyone, hope you are well.
I'm trying to find a solution for encrypted email.
i have a number of customers that are financial advisers or accountants, each of which have many customers, each of which use any number of email systems - could be anything from 365 to ntlworld webmail
it has to be
1) simple for the end user to use / implement
2) be 2 way encryption
i have today talked to 2 providers, which i wont name at the moment, which proport to be able to deal with any email client. the way they do this is to send the recipient an email saying "you have an encrypted email, click the link below and log in" which take them to a website which lets them log in, where they can view the email and respond to it. if they respond, the originator gets an email saying...you have received an encrypted email etc etc.
they do this so that they dont have to bother doing dkim or spf and send from the originators address.
sounds good right?
easy for the client, easy for the originator.
hilariously, i have been able to spoof both of their email delivery addresses. ive sent them emails from themselves to themselves using fakesend. casued a bit of a stir hopefully, but i am flabberghasted that this is possible.
their spf records are on a ~all and the dmarc records are non existent or say p=none. (i.e. even if it fails, deliver it). both dont have dkim signing.
so some one could send out a massive spam campaign, spoofing the address, using an email that looks like the ones that they send, and have a link to a fake site which then harvests their "secure email" credentials. then they use those to log into the real site, and bingo, they have access to the encrypted emails. encrypted emails usually have stuff worth looking at, so its quite a big honey pot.
has anyone got any suggestions for a proper service?