Sending certified email

I’m working on a project that involves “send certified email”, however, I don’t understand how that process works technically. In my research, I discovered that the process of sending a message with these characteristics (A → B) uses the following: i) Hires the service of a third party (certifier) who uses digital signatures and timestamps; ii) In copy (CC) they place the address of an email of the contracted third party (A → C) to certify the sending of the message; iii) Then, you can get a report indicating that the message was delivered to the recipient.

However, during my research, I discovered that the third party uses SPF records and the SMTP protocol to ensure that the message was delivered to the recipient, but honestly, I am not sure about this and I have the following concerns that perhaps with your experience you can help me to solve:

  • If you use SPF records to ensure message delivery, what happens when there are hops between mail servers from different providers? Use ARC records?
  • What happens if SPF records are not configured on the destination server?
  • Really, what certifies the timestamp and the digital signature during the sending of the message? Of A → B or A → C? Or both? If so, how do you do the former?

Thanks for your help

Are you able to provide an example service provider for the certification service (C) that you described? This doesn’t have to be the provider you are considering using, but something within the same realm so we can ensure we are talking about the same process.

Also, what is the ultimate objective? For example, to certify that:

  • A actually sent the email with the specific contents at a certain point in time
  • The email was delivered to B’s mail exchanger
  • The email was delivered to B’s mailbox
  • B opened the email
  • B opened the attachments of the email, if any

Hi Arman and thank you for your prompt response.

A little history. In Spain and Colombia (I think in other LATAM countries as well), notifications of legal matters through email became recurrent during and after the pandemic, that is, through email, judges, lawyers, companies, etc., notify people or companies about the decisions taken in contracts, orders, legal matters, etc. Of course, this notification has consequences for or against (it depends).

In this sense, there are services called “sending certified mail”, for example “e-Garante”, a Spanish company that does exactly this (eG mail | eGarante: tu testigo online), in Colombia as well (https://web.certicamara.com/products_and_services/Platforms_Zero_Paper/42-EMAIL_ELECTRÓNICO_CERTIFICADO#:~:text=Certimail%20Massive,También%20allows%20send%20files%20attachments), and they say to do what you raise:

  • A actually sent the email with the specific contents at a certain point in time
  • The email was delivered to B’s mail exchanger
  • The email was delivered to B’s mailbox
  • B opened the email
  • B opened the attachments of the email, if any

In general, the objective is to demonstrate to the judge or lawyer that it was served on a specific date and that it contained certain attachments.

Regards,

In my view, one can certify the submission part of the process with minimal effort using DKIM and ARC. Let’s say you run a law firm that uses O365 for its email service. You can open a free Gmail account for such certification and BCC every important communication to this filing address—either manually, or by setting up a rule.

This way, you would have a DKIM signature from Microsoft on your outbound messages that covers From, Date, Subject, Message-ID, message body & attachment contents, and more. You would also have ARC signatures from both Microsoft and Google. Fortunately, Google’s ARC signature also covers the To header field 👍

Successful verification of these signatures on the inbound message to the filing mailbox would confirm when the message was sent, to/from whom it was sent, and the contents of the message body and all attachments.

A few things to be mindful of:

  • The duration of the certification coverage needed. DKIM & ARC public keys are not available forever. If long-term coverage is needed (i.e., several years), special arrangements would need to be made to preserve the keys.

  • You would want to monitor the DKIM & ARC signatures periodically to make sure that the metadata fields you care about are covered.

  • Although DKIM & ARC are standardized and are fairly easy to verify, it may be necessary to retain an expert to perform such verification if a dispute arises. On the other hand, if you use a trusted third-party certification service, a report or receipt from them may alleviate concerns quicker.

  • You may want to consider whether Gmail’s end user license agreement & ToC align with your privacy expectations for these communications. If not, perhaps Google Workspace or another provider that supports DKIM & ARC may be appropriate.

A third-party provider would come into play if you need to verify the delivery as well as the opening of the messages and their attachments. For delivery, the provider would take each message from you, deliver it itself, and log the corresponding response from the target mail exchanger. I believe eGarante refers to this when they say:

Double delivery by eGarante reinforces the sending

It sounds like the message is delivered once (by your original submission), and a second time by eGarante’s submission to the recipient’s mail exchanger.

Tracking email opens could be handled in at least two different ways:

  • One can embed tracking pixels into outbound emails and log information based on HTTP requests for the image. This is very brittle as there may be automated caching of the image by service providers without user interaction, and mail user agents often block linked images by default.

  • The provider can take the sender’s message and its attachments, put them behind a wall, and present a link to the recipient to get there. In essence, your original message body and attachments would be replaced with one or more links. When the recipient explicitly follows the links and opens the message and/or attachments, their details and actions are tracked, logged, and perhaps timestamped (as in RFC 3161).

In either case, you may need to consider the privacy implications, applicable laws, and the overall legality of such tracking.

I did not get the impression that eGarante does the above. But there are services that do, in some cases to the level of how much time is spent per page of the attached document (only works for their native docs, not external attachments such as PDFs).
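As an added example (not part of the original posts and not any provider's code), the periodic coverage check and key-preservation points raised above can be scripted against a message saved from the filing mailbox. The sample message, its domains and selectors, and the `REQUIRED` field set are constructed assumptions; the script inspects which header fields each signature claims to cover and which DNS key record to archive, and does not verify the signatures cryptographically.

```python
import email
from email import policy

# Header fields the filing mailbox relies on (assumption: adjust to your needs).
REQUIRED = {"from", "to", "date", "subject", "message-id"}

# Constructed sample: signature values are placeholders, not real signatures.
SAMPLE = """\
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=filing.example;
 s=arc-2024; h=to:from:subject:message-id:date; bh=CONSTRUCTED=; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lawfirm.example;
 s=selector1; h=From:Date:Subject:Message-ID; bh=CONSTRUCTED=; b=CONSTRUCTED
From: a@lawfirm.example
To: b@recipient.example
Date: Mon, 01 Jan 2024 10:00:00 +0000
Subject: Notice
Message-ID: <constructed-1@lawfirm.example>

Body of the notice.
"""

def parse_tags(value):
    """Parse a DKIM-style tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace inside tag values is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def audit(raw_message, required=REQUIRED):
    """Return one finding per DKIM-Signature / ARC-Message-Signature header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for header in ("DKIM-Signature", "ARC-Message-Signature"):
        for value in msg.get_all(header, []):
            tags = parse_tags(str(value))
            signed = {h.lower() for h in tags.get("h", "").split(":") if h}
            findings.append({
                "header": header,
                "domain": tags.get("d"),
                # DNS TXT record holding the public key; archive it for long-term proof.
                "key_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
                "body_hashed": "bh" in tags,  # body hash present => body is covered
                "missing": sorted(required - signed),
            })
    return findings
```

A non-empty `missing` list for every signature on a message means no signer vouches for that field, which is the condition the monitoring bullet is meant to catch.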