
Header and body flags that indicate PGP encrypted email for SPAM filter and mail server configuration


Article ID: 150133


Products

Endpoint Encryption, Desktop Email Encryption, Encryption Management Server, Gateway Email Encryption

Issue/Introduction

This article will describe the headers that PGP encryption uses for the different encoding methods: PGP MIME, PGP Partitioned and EML.

 

For information on how to configure mail policies for the Symantec Encryption Management Server, see the following article:

180151 - HOW TO: Create Policy Chains to Set Mail Policy in PGP Server (Symantec Encryption Management Server)

 

Resolution

SPAM filter and mail server flags to detect the presence of PGP encrypted emails sent by Symantec Encryption Management Server (Formerly PGP Universal Server) and Symantec Encryption Desktop (Formerly PGP Desktop):

From the "Content-Type" header of the encrypted email message:

MIME encrypted email:

  • multipart/Encrypted
  • multipart/Signed
  • application/pkcs7-mime
  • application/pkcs7-signature
  • application/x-pkcs7-signature
  • application/x-pkcs7-mime

PGP encrypted messages:

  • X-PGP-Encoding-Format
  • X-PGP-Encoding-Version

 

Important Note: In some situations, an email with attachments may show a content type of "multipart/mixed", which denotes that one or more attachments are embedded in the email. One of these attachments could be encrypted; if you look only at the header content type values above, you may miss the message. Ensure you can parse these "multipart/mixed" messages, because other attachment types may be included, such as "Content-Type: Application/pkcs7-mime".

The list above is not exhaustive, but it covers most of the scenarios for encryption or signing.


From the body of the encrypted email message:

  • "Begin PGP Message" will be present in the body of PGP encrypted emails such as the following example:

    -----BEGIN PGP MESSAGE-----
    Version: Encryption Desktop 10.5.0 (Build 1180)
    Charset: utf-8

    qANQR1DBwEwDLuPpsaG3WhIBCACroez6eJgYyTZBfed44P4bfEWPR2rdghtFYzgi
    bjUyGRQzn9xMzcOIG0Bik/23rm5iXLa01cbrwUU9OBYnKTVDAYgwXQF5WRGnj6mV
    Rze3EEWON9Jfz3ZWqyh3c/UL+e+pbifjE/F/XAp1Ns25yQOKXE06sS9XoJpbbMXG
    q072HrjUNRcvgAg50zGqMKIemCBwYK3D8jBGEL3OA97mnCs8M/xSVcxDM6SEAUb6
    4GVTOnw28t4lZ2VwF4A9oxrcryDIfOmVDuNwUiy5GGA1XqBSTb3VHZ9Q85dt/XSz
    lnyQYpJWKpLBzgUyO7l541J1UP3XKm3bTMCdzverJePlWU4Y0kkBf8kETdJIFaf/
    1IQOsZVCPmUITES5UeVLPgQXKEVa7EEVZkvP7E+6KDtAm+IzGiY8avARFeAbQji3
    AwMkzC0P5BLIi1luKqNn
    =vgmS
    -----END PGP MESSAGE-----


Also, if Symantec Encryption Management Server has been deployed into the mailstream (Gateway mode), when it processes messages, it will add headers to the email:

X-PGP-Universal: processed - This header does not necessarily mean the message was encrypted, only that the server processed it. Test this in your own scenarios to decide when to include this header in your header-evaluation logic.

X-PGP-Universal-Decrypted: TRUE - This header means the message was decrypted.  As such, for message integrity, do not attempt to modify these files, as doing so will break the signature verification process.

 

The following are some examples of how the headers may appear on emails in their particular encoding:

 

PGP MIME Encoding example:
X-PGP-Universal: processed;
X-PGP-Encoding-Format: MIME
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/encrypted;
 boundary="PGP_Universal_08189068_0E0D0370_82C5016E_197E5405";
 protocol="application/pgp-encrypted"


PGP Partitioned example:
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Type: text/html
Content-Type: application/octet-stream; name="PGPexch.htm.pgp"
Content-Transfer-Encoding: base64

 

PGP EML Encoding example:
X-PGP-Encoding-Format: EML
X-PGP-Encoding-Version: 2.0.2
Content-Type: application/octet-stream; name=Message.pgp
Content-Disposition: attachment; filename=Message.pgp
X-Content-PGP-Universal-Saved-Content-Type: message/rfc822; name=Message.eml

 

 

Note: For more information on encoding methods, see article 203838.
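
The header, nested-part and body checks described above can be combined into one pass over a message. The following is an added example, not Symantec code: it uses Python's standard `email` package, the function name `pgp_indicators` and the result prefixes are hypothetical, and both sample messages are constructed.

```python
import email
from email import policy

# Content-Type values listed in the article, compared in lowercase.
FLAGGED_TYPES = {
    "multipart/encrypted", "multipart/signed",
    "application/pkcs7-mime", "application/pkcs7-signature",
    "application/x-pkcs7-mime", "application/x-pkcs7-signature",
}
PGP_HEADERS = ("X-PGP-Encoding-Format", "X-PGP-Encoding-Version")
GATEWAY_HEADERS = ("X-PGP-Universal", "X-PGP-Universal-Decrypted")
ARMOR = b"-----BEGIN PGP MESSAGE-----"


def pgp_indicators(raw: bytes) -> list[str]:
    """Return the encryption/signing indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Gateway headers only show the server handled the message, so they get
    # their own prefix rather than counting as proof of encryption.
    hits = [f"gateway:{h}" for h in GATEWAY_HEADERS if msg[h] is not None]
    # walk() yields the message and every nested part, so a flagged part
    # inside multipart/mixed is inspected too.
    for part in msg.walk():
        ctype = part.get_content_type()  # normalised to lowercase
        if ctype in FLAGGED_TYPES:
            hits.append(f"type:{ctype}")
        for h in PGP_HEADERS:
            if part[h] is not None:
                hits.append(f"header:{h}={part[h]}")
        if not part.is_multipart():
            body = part.get_payload(decode=True) or b""  # undoes base64/QP
            if ARMOR in body:
                hits.append("body:armor")
    return hits


# Constructed sample: the only flagged type is nested in multipart/mixed.
SAMPLE_MIXED = (
    b"Content-Type: multipart/mixed; boundary=b1\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attachment.\r\n"
    b"--b1\r\nContent-Type: Application/pkcs7-mime; name=smime.p7m\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
)
# Constructed sample: gateway and encoding headers plus armor in the body.
SAMPLE_INLINE = (
    b"X-PGP-Universal: processed\r\nX-PGP-Encoding-Format: Partitioned\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n(constructed)\r\n-----END PGP MESSAGE-----\r\n"
)
```

A filter that inspected only the top-level Content-Type of `SAMPLE_MIXED` would see "multipart/mixed" and report nothing, which is the miss the Important Note warns about.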

Additional Information

EPG-26056