Mac OS X Encrypted Mail: howto, pitfalls

A year or more ago, I quietly started digitally signing most of my outgoing email messages. This trick, made possible by the S/MIME support in Mac OS X’s email client, is about providing authentication—proof that the message came from me and not from someone spoofing my return address, like an email virus or spammer. For the most part the digital signature is handled painlessly by receiving email clients; some will display a “digitally signed” graphic, but that’s about it.

If you want to get your own digital signature enabled in Mac OS X, this tutorial at O’Reilly’s MacDevCenter is the best I’ve found for going through the process, including signing up for your own free digital certificate at Thawte.

I should mention a few issues, however:

  1. Recent versions of Outlook enforce some stringent rules about attachments and digital signatures; specifically, if Internet Explorer doesn’t know about the certificate authority that issued my certificate, Outlook won’t let you open attachments in signed mails from me. That seems silly to me, since it will happily let you open attachments in unsigned mails from me. But oh well.
  2. Other users, on email clients I couldn’t identify, have had their clients treat the digital signature (which travels with the email like an attached file) as a graphic file of some sort.
  3. Thawte certificates are only good for one year, and Mac OS X doesn’t warn about expiring certificates. I stopped sending signed emails and didn’t notice for about a week, then had to figure out how to get an updated certificate. It was a pain. Long story short—remember the password for your login on Thawte’s site.
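Since Mail gives no warning of its own, the cheapest fix for that third pitfall is to check the certificate’s expiry yourself. The script below is an added example, not something from the post or from the O’Reilly tutorial: it assumes the `openssl` command-line tool is installed and that you have exported your signing certificate to a PEM file (the path is a placeholder). It also generates throwaway self-signed certificates so the check can be demonstrated without touching a real Thawte certificate.

```shell
#!/bin/sh
# Added example: warn when an S/MIME signing certificate is about to expire.
# Assumes the openssl CLI is available. Certificate paths are placeholders.

# Print the certificate's notAfter date, then return 0 if the certificate
# expires within $2 days (or has already expired) and 1 if it is good for
# longer than that.
cert_expires_within() {
    cert="$1"
    days="$2"
    openssl x509 -in "$cert" -noout -enddate
    # -checkend exits 0 while the cert will still be valid N seconds from
    # now, and non-zero once it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed test data: a throwaway self-signed certificate valid for $2
# days, written to $1 (with the key beside it), used only for the demo.
make_demo_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=demo@example.invalid" \
        -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

# Demonstration: a certificate with 10 days left trips a 30-day warning,
# a one-year certificate does not.
demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir/short.pem" 10
    make_demo_cert "$dir/long.pem" 365
    if cert_expires_within "$dir/short.pem" 30; then
        echo "short.pem: renew soon"
    fi
    if ! cert_expires_within "$dir/long.pem" 30; then
        echo "long.pem: fine for now"
    fi
    rm -rf "$dir"
}

demo
# For a real certificate: cert_expires_within ~/path/to/my-smime-cert.pem 30
```

Run `cert_expires_within` against your exported certificate from a weekly cron job or login item and you get the warning Mail doesn’t give you, with a month to spare for the Thawte renewal dance.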