
Scope of certificate validation, Certificate validation settings – Google Message Encryption Administration Guide User Manual


Policy Enforced TLS


To set up Certificate Validation:

1. Go to Outbound TLS settings in the Administration Console.

2. If the domain is not already listed in Policy Enforced TLS, add the recipient
domain to Policy Enforced TLS.

3. Under “Domain-Specific Setting for Outbound TLS,” set TLS Certification to
the appropriate setting and click Save Selected.

Scope of Certificate Validation

Certificate Validation examines SSL certificates to verify a recipient’s identity. The
standard that defines TLS, RFC 2487, states clearly that the possibility of multiple
hops during email delivery makes TLS certificates unsuitable for authenticating a
sender's identity (inbound messages).

To comply with the standard, Certificate Validation authenticates the recipient’s
identity for only outbound Policy Enforced TLS. Certificate Validation is not used
for inbound mail because the RFC standards do not support this use.

Certificate Validation Settings

Certificate Verification is a powerful tool to protect your secure connection from
spoofing and invalid certificates. However, it also will interrupt mail flow if the
recipient’s certificate is not set up correctly. If protection from spoofing and invalid
certificates is not a major concern, use Encrypt Only. Use Certificate Verification if
you wish to set up regular, ongoing secure connections with a specific partner for
extremely sensitive information.

Note: If you set up Certificate Validation, be sure to set up TLS Alerts as well, so
you will know if a problem occurs. For more information, see “TLS Alerts” on
page 22.
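A pre-flight check for the trade-off described above, as an added example that is not part of the original guide or the product: it attempts STARTTLS against a partner's mail host with and without certificate verification, so a certificate that would interrupt mail flow is found before the setting is changed. The mode names, the `probe` helper and the use of Python's default certificate checks are assumptions; the product's exact validation rules are not given on this page.

```python
import smtplib
import ssl


def make_context(mode: str) -> ssl.SSLContext:
    """Client TLS context for one of two modes (names are assumptions)."""
    ctx = ssl.create_default_context()  # chain, dates and hostname checked
    if mode == "encrypt_only":
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # encrypt, accept any certificate
    elif mode != "verify":
        raise ValueError(f"unknown mode: {mode!r}")
    return ctx


def probe(mx_host: str, mode: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Try STARTTLS against mx_host; report whether delivery would proceed."""
    result = {"host": mx_host, "mode": mode, "ok": False, "detail": ""}
    try:
        smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
        try:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["detail"] = "server does not offer STARTTLS"
                return result
            smtp.starttls(context=make_context(mode))
            result["ok"] = True
            result["detail"] = smtp.sock.version() or ""
        finally:
            smtp.close()
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = f"certificate rejected: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["detail"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    import sys

    # Usage: python probe.py mx.partner.example  (hostname is a placeholder)
    for host in sys.argv[1:]:
        for mode in ("encrypt_only", "verify"):
            print(probe(host, mode))
```

A host that passes in `encrypt_only` mode but fails in `verify` mode is one whose mail would stop flowing once certificate verification is enforced. Run it from a machine that is permitted to reach the partner's mail host on port 25.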

Certificate Validation settings are described below.