This video is going to leave you shocked that
you didn't know about this before. Have you ever looked at those influencers who
think they're so cool with their verified Twitter and Instagram badges? Me too.. Me too... * Bruh Sound Effect #2 * But there is one verified badge anyone can
get, but counter-intuitively virtually no one has. And that is for your Email account. Yes it's actually a thing, you can see here
I did it for my generic test email account which is nothing special, and in Apple Mail
it shows an actual check mark, in Gmail it shows a green check, and in Outlook it shows
this ribbon badge. And yes of course, the whole point of this
video is that I'm going to show you how to get it yourself. And by the way, no, this is not any kind of
dumb trick like putting some emoji next to your account name, it's a legit special badge. And it's free, mind you. Now, don't be intimidated by the video length,
it will be worth it, and I'll put timestamps in the description if you need to come back
to different instructions, but also don't just skip ahead because I need to explain
some context first that you'll want to know, like what the heck this badge is even for
and why it exists. Now I can hear some of your questions already
like, "wait a minute, if anyone can get one of these, why is it so rare?" Well the answer is because it's usually a
pain in the --- to set up if you don't know what you're doing, which by the end of the
video you will. You see these 'verified' badges in the email
software are not actually like verified badges on social media. But rather they signify that an email has
been sent with a certain security protocol called "S/MIME", which is a feature supported
by almost all email clients. And I guess it's just rarely used because
this level of security is just not really necessary. However, I think once people realize that
you can get a super rare badge appearing next to your emails, that might get people's attention. What's really funny is the S/MIME protocol
has been around since around 2004. But despite that, I have literally only seen
it used ONCE, which was an email from some crypto exchange marketing email. And it had a badge in Apple Mail and immediately
my reaction was just... what. is. that. I had never seen it before. So I saw that when you click on the thing with the badge,
it says "The sender signed this message with a trusted certificate", and I also looked
in the Gmail web interface which said something similar, so I knew it wasn't just an Apple
thing. And long story short, after quite a bit of
digging, I figured out that it uses that S/MIME protocol I already mentioned, and specifically
you need - tech jargon warning, an: S/MIME Email Certificate from a Root Certificate
Authority, sometimes just called an "email certificate". And to answer a few more quick things you're
probably wondering: It should not matter what service you use for email, whether Gmail,
Verizon, AT&T, Comcast, whatever. Instead what matters is the email client
software, such as Outlook, or Apple Mail, whatever. Most web interfaces for email services like
Gmail do not actually let you add certificates to emails when sending, but if you use Outlook
for example to send through gmail it will work. Another thing I'll point out is the person
on the other end does NOT need to do anything special for the badge to show up, this is
supported by default by almost all email clients. Again it will be presented differently depending
on the client, but considering Apple Mail alone on iOS, iPad, and Mac makes up over
50% of the email client market share, most people will see some kind of badge like this
one. Now before I get into how to get one of these
certificates and how to set it up, let me quickly and simply explain what it even is,
without getting too technical. And yes, it is important to know so just bear
with me. In the simplest terms possible, an email certificate
is like a two-part digital key (made of a public and a private key) that is tied to
your email address. You can use the certificate to 'sign' your
emails in such a way, that the person receiving the email KNOWS that only the person with
that original certificate and private key could have done so. The purpose of the public key is to send along
basically as an identifier, you can think of it as. But here's the other important part of this. You see, anyone can just create their own
certificate and say "uh yea I own this email address". That's where the Certificate Authorities come
in. These are companies that make all sorts of
other certificates like SSL ones for encrypting websites. There are only a handful of these companies
relatively speaking, and all of them are universally considered trustworthy and secure by every
other company around the world. So what these companies do, is they have their
own secret so-called "root" certificates, again that are universally recognized, and
they can use to sign and verify all sorts of other lesser certificates for anyone who
wants one, usually for a price though. So in the context of this video, a really
easy way to understand it, is what happens is we go to a certificate authority, who first
confirms we control some email address like "whatever@example.com". Then they issue a signed certificate, so that
when we send it along with our emails, then Apple, or Gmail, or whatever service sees
it, they'll say "ah an email from whatever@example.com, oh what's this? It included a certificate, well it matches
the email address, but that doesn't mean much, anyone could have made this... Oh wait I see the certificate was signed by
XYZ authority who I do trust..." Then they'll check, "hey XYZ authority, did
you actually sign this certificate?" to which they'll respond "yea I did it's legit, before
I gave them that certificate I made sure they own that email address." And then, the email service will be like 'cool'
and show the badge that it was a trusted certificate. And just a contrary example, if you were to
just send along some random certificate you made yourself, it would look like this on
the other hand, because even though it matches the email, the software has no idea where
it came from, so it's basically useless. Alright so now you know what's going on, let's
go over how to do it. I will warn you, this is going to get somewhat
technical at times. It's not hard per-se once you know the steps,
but you'll soon see why I wanted to explain all the certificate stuff before, because
it will make it easier to follow along if you sort of know what's going on at each step. And think of it this way, maybe it's not a
bad thing that it's not easy, because it makes it more exclusive for you. Right, so the first thing we need is to get
an S/MIME Email certificate from a trusted authority. Years ago there were plenty of them offering
these certificates for free, so if you were to now search "free S/MIME email certificates"
you'll mostly find older articles, and even an old web page from Comodo who used to offer
them, the page is still there, but the links on it are dead and they no longer offer these. And most of the articles and posts I've been
reading recently were all saying there is no way to get free certificates anymore, but
that is not true. I was able to find the last certificate authority
that is offering free S/MIME certificates, and that company is called Actalis. They're an Italian certificate authority,
but it doesn't matter where they're based, because they're recognized as a root authority
globally, that's the whole point. And you can see even on Google's support page
listing trusted certificates for S/MIME, there they are. And real quick by the way, the reason I emphasized
that they're the last one, is if this video becomes popular enough and a ton of demand
appears for these certificates, there's nothing guaranteeing they won't start charging in
the future, in which case you'd just have to instead go to the company of your choice
and buy one. These certificates really aren't expensive
anyway, other authorities offer them for only about $20 per year, but still. So if you ever need some business services
this Actalis company offers, give them a shot. This isn't sponsored or anything, I think
we should just support companies that do things we like, like offering free certificates when
no one else will. OK... with all that being said... I mean jeeze how long are we into this video
and I'm only now starting the walkthrough. Well just think of it as filtering out the
lazy people, so it's more exclusive for you patient viewers. So now the first thing to do is to get the
certificate. So go to Actalis' page where you'll enter
your email you want to verify, which I'll put in the description. You just type in your email, prove you're
not a robot, and click send the verification email. After a couple minutes you should receive
it, but be sure to check your spam box too, it went in there for one of mine. Now at first you'll see in the email that
it's all in italian, but just scroll down because they included the same text in english
too. Though all you need is the long verification
code anyway, so just copy that, and paste it into the box back on the first page. Then you should obviously read the different
terms and conditions, and if you agree, check those boxes and click Submit Request. Next, this is critically important, it will
now take you to a page with a password, which you'll need to install the certificates on
your devices. This password won't be shown to you ever again
and can't be recovered, so make sure you save that in a safe place maybe print it out, we
will need it shortly. But don't just leave it lying around on your
desktop either. Because if someone somehow gets hold of your
certificate file we'll look at in a second, they could use the password and that together
to impersonate your email address. Next you can go to your email and wait for
the email with your new certificate attached. Now this certificate will be valid for 1 year,
and then you'll have to get a new one. 1 year might not seem that long but actually
it's pretty good. Even if you were to buy one somewhere, they
usually max out at 3 years, and a lot of other free ones used to be for like 30 days. Also you actually don't want it to be valid
forever, because if somehow it got stolen, someone could just impersonate you forever
until you realize it, or they could save it and use it years down the line at the perfect
or worst opportunity. Whereas if it expires, even if the worst happens
and someone is able to steal it, it's only useful to any bad guys for a limited time. However if you do find out it's stolen, you
can actually report it stolen and they can invalidate it so it can't be used anymore. To do that you just use the link in the email
along with the User code and Private code listed there. So download the zip file and extract the pfx
certificate file somewhere you'll remember, and actually give it its own folder, it will
make things easier later. You should also probably back it up, but since
it's only valid for 1 year, as long as your email service saves your emails for at least
a year, you could always just redownload the attachment. But again, you will need that password shown
to you before. So now that you have your certificate, next
we need to install it on our devices. First I'm gonna do it on Windows and Outlook,
and then on your iOS or mac for Apple Mail, since those are by far the most popular clients. Unfortunately the Gmail web client does not
let you attach a certificate to get this verified thing. To be clear again though, that's just the
gmail web interface, if you have a gmail email address it's fine, you just have to send the
email with supporting software like Outlook or Apple mail or something. Alright now no matter what email client you're
gonna use, even if you just want to use this on your phone, you'll still need to install
this on Windows first, and I'll show you why in a second. To install it, just double click the pfx file
you downloaded, and select 'current user', then click next. Here it will already have the file location
entered so you can click next again, and here is where you need to enter the certificate
password, which is the one from that page. On the import options, the only one you might
want to change, if you want to change the password later, is to check the box to enable
"Mark this key as exportable". I'm not going to get into how to re-export
the key and all that, that's something you can look up by yourself. And that's because as the file is delivered
here, it should work on all the devices. You might also choose the option that makes
you enter the password every time you want to use it, but that might be a pain, so it's
up to you, I didn't bother. Also I want to be clear the settings you choose
are only going to apply on this Windows computer, it's not changing the certificate file in
any way, it's just importing it into Windows with these settings. On the next page, just let it automatically
select the certificate store, hit next, then finish, and it should say import was successful. Next, before we configure our email clients,
there is one more important step that might be necessary for certain software, which is
to get the intermediate certificates for the authority, but don't worry it's way easier
than it sounds. In the start menu just type "certificate"
and click the result called "Manage User Certificates". There's another one called "manage computer
certificates", but that's different, the one we're looking for is not going to show up
in there. Now this will bring up a window showing any
other certificates for the user, which there are many for all sorts of purposes, but we
want to go to "Personal", then "Certificates", and look for the one that has our email address. If for some reason there's others in there
that mentions your email address, just look for the one that says issued by Actalis, and
also the expiration date is exactly 1 year from today when you registered it, plus or
minus a day because of time zones. So double click the correct certificate and
then go to the "Certification Path" tab. This shows basically the 'chain of custody'
(you can think of it) of signatures on your certificate, leading back to the root authority. Ours is at the bottom, which was actually signed
by an intermediate certificate, which was in turn signed by the root certificate. And yes this will become relevant it wasn't
a useless tangent, but for now we need to actually export the intermediate certificate
for later, you'll see why then. So click to highlight the middle one, then
click 'View Certificate', and go to the 'Details' tab. And also drag this window to the side a bit
so it's not on top of the other one, you'll want to be able to read off the bottom one. So in this new window, click 'Copy to File',
then click Next, then keep the default format and click next again, and it will ask you
where to save it. Just browse to wherever you have the main
pfx file and put it in the same place just so they're together, that's why I suggested
to give it its own folder. And for the name, you can just read off the
window below and name the file the same as the certificate to make it easy. Then just hit next, then finish, and it will
say successful. Now this next bit probably isn't actually
necessary, but I would just do it anyway, which is to do the same thing and export the
root certificate also, which is the top one in the chain. Then just put it in the folder with the other
two and name it as the root name. That way you have a copy of the whole chain
just in case, but you'll realistically only need the middle one and your personal one. Alright now we're getting to the good part. At this point we have all the certificates
ready to go and organized, so we can get into actually configuring the different
software to send those emails. So now let's configure Outlook to send signed
emails. And I'm using Office 365 Outlook specifically,
which is the latest version but it should be basically the same for Outlook 2019 and
2016. If you use Outlook for Web, you can just look
up the specific instructions for that from Microsoft, I do believe that still supports
it. Alright so in Outlook I'm assuming you already
connected outlook to your email account so you can send emails from outlook and stuff
like that. After you do that, go to the top left and
click File > "Options" at the bottom > Trust Center > "Trust Center Settings" button > Email
Security. The first thing to do is go through a few
checkbox options. Here, make sure you DO check "Send clear text
signed message when sending signed messages". This basically makes it like a regular email,
we just send the signature along with it, so if the recipient's client for some reason doesn't support
S/MIME protocol, it's no big deal, they'll still be able to read it. Finally, if you want to enable signing emails
automatically by default, at least for email addresses that have certificates, you can
check "Add digital signatures to outgoing messages", but I would hold off on that for
now until you've tested it out and made sure everything works first. Now what we need to do is click the settings
button here. The window it pops up will probably be all
blank the first time, but if it's not, such as if you're doing this for multiple emails,
or maybe there's some other existing security policy in there, if there is, be sure to first
click "New", which will create a new separate entry we can use. And in that case, if there was an existing
one and you click New, the previous entry will be still available through the dropdown. Otherwise if you don't click new and just
start changing stuff, it would overwrite your existing entry, which you don't want. In any case though, once you have a new blank
entry, type in a name to make it easy to identify, like your email address then "email certificate"
or something like that. Then Uncheck the top checkbox talking about
default security setting. We don't want these as default, just for their
corresponding email accounts. Now, next to where it says 'Signing Certificate',
click choose. This will bring up a window to select the
certificate, you might have to click "more choices", but just look for the same certificate
we've been using, which has your email address in it. Because we installed it to our Windows profile,
it should be right in there, so click to select the right one, make sure the info at the
top is for the correct one, and then click OK. Ok this next bit is important so pay attention. You'll see it has filled in the rest of the
boxes, but where it says "hash algorithm", we need to change that to "SHA256". If you keep it on SHA1, which is an outdated
algorithm, it will work for some email software like Apple Mail, but for others it might not. In Gmail for example if you use SHA1, it will
say "The signature uses an unsupported algorithm. The digital signature is not valid". Which is obviously not good, so make sure
these are set to SHA256 and AES 256 Bit. Finally, make sure the bottom check box is
enabled, the one talking about sending the certificates. I think it is on by default, just double check. Now we can just click OK on all the windows
to go back down, and we are finally ready to test it out! So go to your inbox, click New Email, just
make sure it's from the right one we just set up. Then add whatever text to the subject and
body, this is just going to be a test email to yourself or another email account you have. But before you click send, we have to choose
to sign it. This can be found at the top in the "Options"
tab, then look for the "Sign" icon that looks like this ribbon. When you click it, it will darken to show
it's enabled, and you're ready to send! Before the moment of truth, a couple notes
here. If you want to add the Sign button to the
main tab for easier access like I did here, just right click the ribbon menu and hit "customize
ribbon", then on the right, click "New Group" to make a custom group, name it what you want,
then on the left, just go to the dropdown to All Commands and scroll down to where you
see the Sign icon. Now I have a second orange one which some
other software added as a plugin, just ignore that. So just make sure the custom group is selected
on the right, then click the 'Sign' icon on the left, and hit "Add", then OK. Now it should be right there always easily
accessible on the main tab. Second note, you will have to remember to
click and enable the 'sign' button for every email you send. You can go back to that other setting I showed
you before, which will make it enabled by default, then if that's enabled, you can individually
select when not to sign. Third note, if you do set up multiple certificates
with multiple emails, outlook will automatically sign the emails with the correct one for that
address, so you don't have to pick which certificate to use every time, it does it automatically. And now with that being said, we can click
'Send' and see what happens. If you sent it to yourself, you'll probably
see it show up right in Outlook, and it will have a similar looking ribbon to the right
of it. If it's a Gmail address, you can also look
at the Gmail web interface and make sure it shows up right there too, with the green check. Although unfortunately you have to click
the dropdown to see the green check, but whatever better than nothing. And you can also look on your phone, like
Apple mail, and there it should show the check all good. It's also good to check it on your phone because
you can be sure it shows up on devices even without any extra certificates installed yet,
so you know it will show on everyone else's too. Note that on iPhone it will say it was signed
with a trusted certificate, but if you click "view certificate" it will actually say "Not
Trusted". That's not a problem, that just means you
personally have not installed that certificate on the phone, but obviously it's still signed
by a trusted root certificate so it got the check mark and everything. What that feature is basically if you and
your friend or someone created your own certificates, you can choose to trust them even if they
weren't signed by an authority. Alright now let's move on to setting this
up on an iOS device which should not take as long, we already did most of the legwork
at the computer. To get the certificates to your phone, the
easiest thing to do is email them to yourself. So take all three from the folder, and attach
them to an email to yourself, then just open the email on your iphone. First we can install the personal certificate
simply by clicking the attachment, and then just choose to install it on the iPhone. Then you need to go into the Settings app,
and near the top you'll see a new thing that says "Profile Downloaded", so click into that. It should say something like "Identity Certificate",
and will probably say "not signed" in red, which is fine we'll fix that. So just click Install, then type in your passcode. Click install again at the top, and then install
yet again at the bottom. And now it will ask you for that password
from before, so type that in. Then you click Next, and it will say "Profile
Installed", so click Done. We're not done yet, but you can find the installed
certificates or profiles on iOS, if you go to Settings > General > Profiles. In here notice how if you click into the profile we
just installed, it says "Not Verified". That's because for some dumb reason, the iPhone
doesn't fetch the intermediate certificate, whereas windows did, so we didn't have to
worry about it before. If you were to try and send an email now without
installing the intermediate certificate, it would actually show up to the other person
like this, all in red, with a thing that says "Untrusted Signature", not a good look, that's
worse than nothing at all. The solution is really easy though, just go
back to the email with the attachments, and click the attachment for the intermediate
certificate, which is probably called "Actalis Client Authentication CA G3" or whatever you
called it, and do the same thing as before. Click it, install it to the iphone, go to
settings, install it from the 'profile downloaded' thing at the top, and it should not require
any kind of password because this is a public certificate. You'll also notice that this one will probably
say "Verified" in green unlike the other one that's red, and that's because this one was
actually signed by the root certificate directly, which is preinstalled on basically every device,
because it's a root, that's the point. And also, now that this one is installed,
if you go into your personal certificate profile again, this time it should indeed say "Verified"
in green, because now the phone has the whole chain, so it can verify it originally came
from the root certificate. One quick important question you might have,
is "wait a minute, if I had to install the intermediate certificate to make it show up
as trusted, won't anyone I send an email to have to do that too on their phone?" and the
answer is no. As long as you, the sender, have the whole
chain installed, the phone sends the whole chain along with it in the email, so it doesn't
matter if it's installed on the receiving device. So yes, it is stupid that the phone couldn't
get the intermediate certificate automatically when you installed it, when windows can, but
whatever. I'll also point out that I believe all of
these free certificates issued by Actalis have the same intermediate certificate, you
should only have to install that one once on your phone, even if you add more personal
certificates for more email addresses. Of course you'll want to double check that. Also like I've said a couple times, you really
should not have to install the third root certificate, but it's still good to check
anyway. Alright so now that the certificates are installed,
there's one more step, which is to enable the signing on outgoing emails. To do that, go back to Settings > Mail > Accounts
> Click the relevant one you're setting up > Click 'Account' again > Then 'Advanced'. Here near the bottom you'll see some options
under S/MIME. Click on 'Sign', and make sure you select
the correct certificate for the email address if there are multiple certificate options there. Then toggle the thing to enable signing, and
now it should say 'Yes' in the previous one next to sign. Also make sure that next to 'Encrypt by Default'
that says No. We do not want that for our purposes and it might
not work at all depending on the recipient's device. Finally I would just go into your other email
accounts and make sure it didn't for some reason enable Signing for any other ones besides the one we just
did. It shouldn't have, but just check a couple
to make sure they say No. And now, we are again ready for the moment
of truth. So go back to the Mail app, go into the relevant
email account, compose an email and just send it to yourself, and it should come through
and have a check mark next to it. And here's another thing, every time you
set up a certificate on a new device, make sure you send a test email AND look at the
test email on all your other devices. That way you can make sure nothing went wrong
either on the sending side, or any receiving sides. The example I gave before, was in Outlook,
I had the wrong hash algorithm set, and while it showed up fine in Apple Mail (it didn't
care about the outdated algorithm), in Gmail it did give that error, so just check everywhere
to be sure. Because we just set it up on iPhone, I will
point out that on Mac the process is basically the same, you just open the email with the
certificates, then you choose to install it to "Sign In", not iCloud like it has by default. For some reason for me it won't work with
iCloud. However, for me, my Mac actually did sync
the certificates from my phone to my mac automatically, so you might not even need to install them,
you can check. Once they're installed on your Mac, now when
you go to compose an email, by default you'll see a verification badge on the right next
to the subject line to show it will be signed, which you can click to disable if you want. If you're on an android device it should really
be a similar process to iPhone, where generally you just open the attachments for the certificates,
click them to install them, then it's just a matter of whether your email app will support
it. And of course no matter what email app you're
using, you can just look up the instructions for how to enable signing. And like I said, I don't believe Gmail supports
sending with S/MIME either on Desktop interface, or the Gmail mobile apps. So now that you know how to get the badge
set up on your email accounts, the last thing I want to point out is that if you do this
on a work email account or work computer, I'm not totally sure if this will work all
the time. For example, if your email is managed through
an Azure Directory or something like that, they might have Microsoft Outlook set on all
computers to disable those S/MIME settings. At the same time, you might still be able
to do it on your phone even if it's a work email. I really have no idea whether that's something
companies can restrict, but I'm just pointing it out as a possibility, because I do know
some companies actually use S/MIME internally. Anyway though, hopefully now all of you learned
something new. And I bet at least a few of you are going to
get some questions by people about how you got that cool checkmark next to your email. Be sure to give this video a like and also
subscribe because I make new videos every week, and let me know what you think in the
comments. If you want to keep watching the next video
I'd recommend is basically my ultimate guide to spotting spoofed and fake emails to a ridiculous
level of detail, you'll never fall for a fake email again (or have to worry about it). You can just click that right there. So thanks for watching, and I'll see you in
the next one.
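
The chain-of-trust behaviour described in this transcript, reproduced with the OpenSSL command line as an added example (not part of the original video). The demo root, intermediate, file names and helper functions are all constructed for illustration, and the `openssl` CLI is assumed to be installed.

```sh
#!/bin/sh
# Constructed demo PKI: every name, key and address here is made up.
DEMO_DIR=$(mktemp -d)

# Extension profiles: one for CA certificates, one for the e-mail (leaf) certificate.
cat > "$DEMO_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:whatever@example.com
EOF

# self_sign NAME SUBJECT PROFILE: key plus certificate signed by its own key.
self_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$DEMO_DIR/pki.cnf" -extensions "$3" -subj "$2" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

# issue NAME SUBJECT ISSUER PROFILE: key plus certificate signed by ISSUER.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO_DIR/pki.cnf" \
        -subj "$2" -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 30 -in "$DEMO_DIR/$1.csr" \
        -CA "$DEMO_DIR/$3.crt" -CAkey "$DEMO_DIR/$3.key" -CAcreateserial \
        -extfile "$DEMO_DIR/pki.cnf" -extensions "$4" \
        -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

# sign_mail SIGNER OUTFILE [CHAIN]: clear-text signed message, SHA-256 digest.
# CHAIN, when given, is an extra certificate bundled into the signature.
sign_mail() {
    openssl smime -sign -md sha256 -in "$DEMO_DIR/msg.txt" \
        -signer "$DEMO_DIR/$1.crt" -inkey "$DEMO_DIR/$1.key" \
        ${3:+-certfile "$DEMO_DIR/$3.crt"} -out "$DEMO_DIR/$2" 2>/dev/null
}

# verify_mail FILE: the recipient trusts the root only, like a stock mail client.
# Only the chain is checked here, not whether the address matches a From header.
verify_mail() {
    openssl smime -verify -in "$DEMO_DIR/$1" -CAfile "$DEMO_DIR/root.crt" \
        -out /dev/null 2>/dev/null
}
verdict() { if verify_mail "$1"; then echo trusted; else echo untrusted; fi; }

# digest_of FILE: digest algorithm announced in the multipart/signed header.
digest_of() {
    sed -n 's/.*micalg="\([^"]*\)".*/\1/p' "$DEMO_DIR/$1" | head -n 1
}

printf 'Constructed test message\n' > "$DEMO_DIR/msg.txt"
self_sign root "/CN=Demo Root CA" v3_ca
issue inter "/CN=Demo Intermediate CA" root v3_ca
issue leaf "/CN=whatever@example.com" inter v3_leaf
self_sign selfmade "/CN=whatever@example.com" v3_leaf

sign_mail leaf with_chain.eml inter   # sender has the intermediate installed
sign_mail leaf no_chain.eml           # sender is missing the intermediate
sign_mail selfmade selfmade.eml       # home-made certificate, no authority behind it

echo "leaf + intermediate: $(verdict with_chain.eml), digest $(digest_of with_chain.eml)"
echo "leaf only:           $(verdict no_chain.eml)"
echo "self-made:           $(verdict selfmade.eml)"
```

The second case fails because the recipient, holding only the root, cannot link the leaf to it unless the sender ships the intermediate, which is why the intermediate has to be installed on the sending device.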