This article describes best practices for Symantec Encryption Desktop Email.

How to verify signatures in Symantec Encryption Desktop (SED) for Windows and OSX

With default configuration options, three things happen when a user receives a signed email message. First, SED will create a pop-up notification indicating that the message was successfully verified. Second, SED will record a log message noting the details of the signature. Third, SED will add annotations inside the message body indicating that the message signature was verified.

If there is a problem with the signature, the pop-up notification will indicate the problem exists and direct the user to view the log for more details. Users can always trust the pop-up notification and the log to accurately determine an email message signature’s validity.

Annotations appearing inside the email body are for convenience only. Users must not rely on these annotations when determining whether to trust the message’s integrity. This is because a forged email message may contain annotations that look similar to the ones that SED adds.

How to securely use Microsoft Outlook (MAPI) email encryption

Be aware that when using SED to provide end-to-end email security for Microsoft Outlook configured with Microsoft Exchange Server, SED will only encrypt email messages. SED will neither encrypt nor sign meeting invitations, contacts, tasks, and other items created in Microsoft Outlook. Sensitive documents can be protected by emailing them separately from a meeting invitation, or by encrypting the file using the right-click options that SED adds to Windows Explorer.

This limitation does not apply to Microsoft Outlook when Outlook uses the IMAP, POP, or SMTP protocols.

How to securely use SED Email Encryption

When using Microsoft Outlook configured with Microsoft Exchange Server (MAPI) in conjunction with SED Email Encryption, SED may temporarily write some decrypted email content to the user’s hard drive while Outlook is displaying that content to the end user.

When using the IMAP or POP protocols in conjunction with SED Email Encryption, email remains encrypted on the user’s email server. SED decrypts messages on the user’s computer as the user’s email client downloads them. The user’s email client then stores and displays the unencrypted content.

For the above reasons Symantec recommends combining Email Encryption with Symantec Full Disk Encryption to provide complete protection for email messages.

A Note on Secure Management

To ensure that your Symantec Encryption Management Server is considered to be within the trust boundary of SED, Encryption Desktop must verify the TLS certificate of the Encryption Management Server. Once this verification has occurred, then the server is trusted by the client. This setup is also a critical part of the infrastructure, and any compromise to the server may also enable compromise of the end users’ systems.