Frequently Asked Questions on the following categories:

• Usage
• Security
• Cost
• Why not ...?

USAGE

Can I use SecMX now?

Yes.  Anyone can implement SecMX on their mail system. 

How do I use SecMX?

Your email administrator will need to configure your email system, using our instructions. 

Use this tool SecMX tool to see if:

1. Your own organisation can send email securely
2. The receiving agency can receive email securely

If I use SecMX, will it work with anyone?

According to our research, approximately 10% of mail servers have TLS enabled, but they do not use use it as the preferred option.

Why does SecMX use a domain naming convention?

The domain naming convention for SecMX is secmx.youragency.com.  The domain naming convention is to differentiate a SecMX server from a normal email server.  A SecMX server breaks one of the normal Internet rules, when it refuses to talk to an insecure server.

SECURITY

How do I know if I send something, that it will be sent securely?

Most users cannot test their own email systems.    If a receiving server is a SecMX system, then the user can test the receiving server, using our SecMX tool.

How do I know if I receive something, that it will be sent securely?

Most users cannot test their own email systems.  They can test their own system, using our SecMX tool.

What about someone reading the email on my PC (trojan horses, spyware)?

Think of SecMX as the trusted postman, who securely delivers your mail to your letter box.  If someone reads your mail, once you have received it, then it is your problem.

What about someone intercepting the email between my ISP and my PC?

Think of SecMX as the trusted postman, who securely delivers your mail to your letter box.  If you open your letter on the way back from the letterbox, to your home, then it is your problem.  Many email clients offer TLS as an option for protecting the link between the ISP and the PC -- you will have to ask your ISP if they suppor this option.

COST

How much does SecMX cost?

SecMX is free.  Most organisations will be able to reconfigure their existing mail systems, at minimal cost.

WHY NOT?

Why not web mail?

Web mail has a number of issues.

From a customer perspective:

• they have a proliferation of mail boxes - a different one for every organisation they deal with;
• the mail boxes are outside their control.  If the service is removed, the customer loses their interaction history;

From an organisation perspective:

• A legal requirement to have sending and receiving email systems under separate control, to provide the same legal certainty as postal mail.
   
  

Why not individual S/MIME email?

Individual S/MIME email has a number of issues:

• Content: Organisations find it hard to enforce content policies - all content is encrypted to individuals;
• Accessibility: Vendors cannot not guarantee the long-term technical ability to decrypt material;

Why not PKI?

The use of PKI has a number of issues: 

• Losing the private key causes big disruptions: all incoming email has to be stored until the key can be recovered;
• The Certificate Revocation List (CRL) is a central point of failure.  Whenever the CRL is unavailable most commercially available software simply stops;
• The different World views of security and email.  Security often implies waiting or stopping until the issue has been clarified; email is about speedy delivery;
• Commercially available software often has management intensive processes (e.g. key loading, key discovery, key renewal).  
• Limited ability to test exceptions.  As far as we are aware, no certificate authorities offer a service to generate broken, corrupt or expired certificates to test the behaviour of commercial products.