Protecting Transport Headers

From Direct Project
Jump to: navigation, search

SMTP message bodies can be encrypted, but SMTP headers must be transmitted in the clear.

Intermediaries legitimately add, remove and rewrite RFC 822 headers in transit. RFC 822 headers are mutable. Consequently, S/MIME protects only MIME headers and the MIME body.

Some headers (such as Subject) may unwittingly contain Protected Health Information (PHI) or other sensitive health information.

You can protect message headers by using Message Wrapping - as described in RFC 5751 (S/MIME 3.2), section 3.1.

Both the C# and Java reference implementations wrap outbound messages by default.

Message Wrapping

To reliably protect the entire message, you must embed it in the body of a wrapping message. 


  1. Create a new message
  2. Copy the minimal required routing headers - as listed in the Content Container Specification - from the original message.
  3. Create a new entity with Content-Type: message/822 where the body is the bit-identical original document

The resulting message/822 MIME entity is termed the wrapped message. The original message is in embedded in the body of the new message and can now be effectively signed and encrypted in its entirety.


  1. If the message has Content-Type: message/822, extract the MIME body from the wrapper message and treat it as the real message.
  2. Discard the wrapper message, and subsequently work only with the extracted message.
  3. Perform Signature Validation and other operations on this extracted message.