What about JMAP? It’s not widely used yet, but it seems like Mozilla will start offering it in Thunderbird. I am still a bit confused about the positive aspects for security and privacy this could bring.
IF:
- your MUA is encrypting your messages/subject lines with PQ forward secret OpenPGP
- and you have a TLS connection to your MTA/MDA
- and DNSSEC + DANE gives you downgrade resistant transport encryption between MTAs
… what does SMTP end-to-end encryption protect against?
This was massively informative!
Most people aren’t using PGP though; E2EE for email should be the default. The idea is that you make it part of the underlying protocol and everyone will have it.
Wouldn’t the plaintext be accessible to anyone who controls the IMAP/POP server (usually the managed email provider)?
To quote the RFC:
This Internet-Draft proposes adding extensions to the SMTP protocol that allow for true End-to-End Encryption and cryptographic signatures between users on a SMTP server. Current DKIM only allows for server verification, while messages sent through secure channels only encrypt traffic between servers, not between users.
So it seems to me the idea is you have user-level E2EE.
Since Fastmail is responsible for JMAP, I think it’s worth reading what they said about PGP support ten years ago: Why we don't offer PGP | Fastmail
Interesting that DNSSEC is a recommendation here.
There was an argument made last year that DNSSEC ought to be abandoned: https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/
I saw this one posted by @soatok:
With that said, my comment on it is that we never said that email was going to be the most secure thing, and stuff like that.
PGP, Proton and Tuta are basically Band-aids, not solutions to the email problem.
With that said, I would love to see the SMTP E2EE proposal come forward, per the PG article.