What is it?

Signing essentially shows the recipient that your email address has been verified by a certificate authority (CA), hence legit, and it presents your certificate to the recipient so that they can use the public key in it to encrypt their reply. Once both parties are encrypting messages with each other’s public keys and decrypting them with their own private keys, no one in between can make sense of an intercepted message without those private keys, which are stored only on your computer/phone.

Why do it?

Encryption:

If this is a private email (which email always is, otherwise we would use forums), the contents should remain PRIVATE.

Your email takes a long route from your keyboard to the destination screen, and it can be intercepted anywhere along the way: by hackers, phishing scams, data miners, governments, or an email provider that snoops on the contents of your email, builds a profile of you and sells it to advertisers to target ads at you. The information and pictures you send may come back to bite you, or be used against you later, if they are that easily accessible to the above. Sometimes the most harmless of things can get you in trouble down the line: lawsuits, copyright infringement, fraud, identity theft, or simple personal issues.

Signing:

Besides looking cool with the verified icon next to your email, it sort of authenticates your email as coming from a legitimate source. I say sort of, as scammers can also verify their email addresses using the same techniques but are unlikely to do so. Signing also, primarily, shows that you are offering your public certificate to the recipient so that they have the option to encrypt their reply.

Get the Certificate

InstantSSL by Comodo provides FREE email certificates. They expire after 1 year, which is better than the 30-60 day trial certificates offered by other big CAs.

Just enter your email in the short form and they will instantly send you a confirmation with a link to download the certificate together with its private key.

Import it in your Mac and use it with the Mail client

Once you click on the download link, it will download a .p7s file, which your Keychain Access 🔐 app will open. Keep this file safe, as it contains both the public and private keys 🔑. It threw an error (-26276) for me when I opened it, but you can safely ignore that, as it still installs the certificate in your keychain.

Just open the Mail app and hit Compose; you will see a checkbox in a star circle ✸ to the right of the subject row, showing that your email will be signed.

The lock sign will be unlocked. If you have the certificate of the party you’re sending the email to, the lock 🔒 (encryption icon) will be enabled and your email will be encrypted.

For iPhone 📱

The iPhone doesn’t recognize the .p7s file, so you have to go to the Keychain Access window on your Mac, look for the certificate with your email address as its name, right-click it and export it as a .p12 file.

Email yourself that .p12 file. Open it with your iPhone mail client. Install it.

I had a hard time finding that file the 1st time, but as soon as you send a test email out with your client, it asks for access to your keychain; grant access as always, and then you should see that certificate in your keychain window.

Now go to Settings > Mail > Accounts > [your email] > Account > Advanced Settings > enable S/MIME > enable Sign > click the certificate you want to use. Yes, you really need to drill down!

Go back a few times and press “Done”. Repeat this for all your email accounts if you want to, from certificate issuance to this step.

Now when you compose a new email, you will see the unlocked padlock sign. You will also see the star circle ✸ icon on emails that are signed, and only when replying to those senders will you be able to click the lock symbol to encrypt your email. That just means you are using “their” public key to encrypt your email to them; they have the private key to decrypt it.

All in all, the 15 minutes it takes is worth it. Just one more checkbox ticked in your Security & Privacy regimen.