Domain to domain encryption

With domain to domain encryption, the gateway is configured to encrypt every email sent to a specific recipient domain with a domain certificate or PGP key. Domain to domain encryption, once configured, is the easiest and most transparent setup for end-users because every email is automatically encrypted and decrypted.

Note

Domain to domain encryption is comparable to an SMTP TLS connection. The main difference is that with domain to domain encryption the email itself is encrypted, not just the connection it is transported over.

The requirements for domain to domain encryption are:

  • Both the sender and the recipient organisation need an email encryption gateway which supports S/MIME or PGP domain to domain encryption.

  • Both the sender and the recipient organisation need an S/MIME certificate or PGP key which is used for domain to domain encryption.

Note

The certificate for domain to domain encryption can be a self-signed certificate.

(Figure: Domain to domain encryption)

Set up S/MIME domain to domain encryption

To set up S/MIME domain to domain encryption, a certificate with private key should be available on the gateway which will be used as the domain certificate. Because the certificate will be used for the whole domain, the email address of the certificate should be set to an address which indicates that this is a domain certificate. For example: domain-cert@example.com.

Note

There is no such thing as an official S/MIME domain certificate. In principle, any certificate can be configured as a domain certificate. It is however advised to create a dedicated certificate for domain to domain encryption containing an email address that indicates that the certificate should only be used for domain to domain encryption.

The domain certificate of the external organisation should be imported into the gateway.

Warning

To make sure the two parties are using the correct domain certificate, the best procedure to validate the domain certificate is to call the other party and exchange the thumbprint (hash) of the certificate. By checking the thumbprint both parties can be certain that the correct certificate is used.
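The thumbprint check described in the warning above, as an added example (not part of the gateway documentation): it computes the SHA-256 thumbprint of an S/MIME domain certificate (PEM or DER) in the usual colon-separated form and compares it, in constant time, against the value read out by the other party. The certificate bytes are a constructed placeholder; with a real exchange you would load the PEM file exported from the gateway.

```python
"""Compute and verify the thumbprint of an S/MIME domain certificate."""
import base64
import hashlib
import hmac
import re
from typing import Union

# Constructed placeholder standing in for the external organisation's
# domain certificate; not a real certificate, only used to run the example.
EXAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder DER bytes for domain-cert@example.com").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(data: Union[bytes, str]) -> bytes:
    """Return the DER encoding; accepts PEM text or raw DER bytes."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----(BEGIN|END) [A-Z ]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def thumbprint(cert: Union[bytes, str], algorithm: str = "sha256") -> str:
    """Thumbprint as gateway UIs usually show it: upper-case hex pairs joined by ':'."""
    digest = hashlib.new(algorithm, pem_to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(spoken: str) -> str:
    """Drop separators and case so 'ab cd ...' and 'AB:CD:...' compare equal."""
    return re.sub(r"[^0-9A-F]", "", spoken.upper())


def matches_thumbprint(cert: Union[bytes, str], expected: str, algorithm: str = "sha256") -> bool:
    """True only if the certificate's thumbprint equals the value read out by the other party."""
    ours = normalize(thumbprint(cert, algorithm))
    theirs = normalize(expected)
    if len(theirs) != hashlib.new(algorithm).digest_size * 2:
        return False  # wrong length: a typo, or the other party used a different hash
    return hmac.compare_digest(ours, theirs)  # constant-time comparison


if __name__ == "__main__":
    print("SHA-256 thumbprint:", thumbprint(EXAMPLE_PEM))
```

If the other party's gateway shows an SHA-1 thumbprint, pass `algorithm="sha1"`; the length check then rejects a value of the wrong digest size instead of silently comparing different hashes.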

To configure domain to domain encryption, use the following procedure:

  • Create (or import) a certificate with private key which will be used for domain to domain encryption. You can also use an existing certificate for your domain to domain encryption.

  • Import the domain certificate from the external organisation.

  • Make sure the domain certificate is valid. If the domain certificate is self-signed, place the domain certificate on the Certificate Trust List (CTL) to make the certificate valid.

  • Create a domain object for the external domain (Domains ‣ Add domain).

  • On the “Edit domain…” page, open the “S/MIME encryption certificates” page (from the S/MIME pull down menu select “Encryption certificates”).

  • On the “Select encryption certificates for domain…” page, select the certificate which should be used for the domain and click Apply.

If email is now sent to the external domain and the email must be encrypted, it is encrypted with the domain certificate configured for that domain.

Set up PGP domain to domain encryption

To set up PGP domain to domain encryption, a PGP private key should be available on the gateway which will be used as the domain PGP key. Because the PGP key will be used for the whole domain, the email address of the PGP key should be set to an address which indicates that this is a domain key. For example: domain-cert@example.com.

Note

There is no such thing as an official PGP domain key. In principle, any PGP key can be configured as a domain key. It is however advised to create a dedicated key for domain to domain encryption containing an email address that indicates that the key should only be used for domain to domain encryption.

The domain key of the external organisation should be imported into the gateway.

Warning

To make sure the two parties are using the correct domain key, the best procedure to validate the domain key is to call the other party and exchange the thumbprint (hash) of the key. By checking the thumbprint both parties can be certain that the correct key is used.

To configure domain to domain encryption, use the following procedure:

  • Create (or import) a PGP key with private key which will be used for domain to domain encryption. You can also use an existing PGP key for your domain to domain encryption.

  • Import the domain PGP key from the external organisation.

  • Make sure the domain PGP key is valid.

  • Open the details page for the PGP key.

  • On the “Details for key ID…” page, click Email addresses.

  • On the “Manage associated address for key ID…” page, add the domain to the PGP key, click Add addresses and then click Apply.

(Figure: PGP add domain)

If email is now sent to the external domain and the email must be encrypted, it is encrypted with the domain PGP key configured for that domain.