This article describes best practices for PGP Encryption Server in Gateway Deployment (Mail Stream for Symantec Encryption Management Server Gateway Email).

Outbound “From:” line validation
If the PGP Encryption Server is configured to use Server Key Mode (SKM) keys and also digitally sign outbound email, then the upstream Message Transfer Agent (MTA) that sends outbound email to the PGP Encryption Server must be configured to enforce that all email messages contain a valid RFC 822 “From:” header. The PGP Encryption Server examines this header to determine which internal user sent an email message and thus determine which internal user’s key to sign with. The PGP Server relies on the upstream Message Transfer Agent (MTA) to enforce that all mail claims to be from the actual sender.

“Domain keys”
Each internal user of the PGP Encryption Server Gateway Email must have a unique key. The PGP Encryption Server creates one key per user by default. However, the PGP Encryption Server policy is highly flexible and thus it is possible to configure the PGP Encryption Server in such a way that many users effectively share the same key.
Such a key is often called a domain key as there is one per email domain. Use of a domain key allows anyone with an email address at that domain to decrypt email sent to any other user at that domain. The practice is thus insecure.

Denial of Service Protection
The PGP Encryption Server Gateway Email contains basic anti-denial-of-service (DoS) mechanisms. To ensure the PGP Encryption Server continues to run smoothly, Symantec Encryption recommends that customers ensure that all SMTP systems that PGP Server will accept email from have their own anti-DoS mechanisms. Specifically, the total environment should limit the number of parallel SMTP connections processed by an individual PGP Encryption Server cluster member to approximately 20-50 depending on the underlying hardware.

Opportunistic Encryption
The PGP Encryption Server supports both forced encryption policies and Opportunistic Encryption. With Opportunistic Encryption, the PGP Encryption Server encrypts email only if the
recipient’s key can be found and lets email through unprotected when no key can be found.

While this protects against eavesdropping by agents that cannot interfere with key lookup traffic between multiple the PGP Encryption Server systems, it does not protect against more sophisticated attacks. Symantec recommends that customers ensure their mail policy’s "Key Not Found" setting is one of: Block, Web Email Protection, or PDF Email Protection. This ensures that all sensitive email remains secure.

Verifying signatures processed by the PGP Encryption Server
Annotations appearing inside the email body are for convenience only. Users must not rely on these annotations when determining whether to trust the message’s integrity. This is because a forged email message may contain annotations that look similar to the ones that the PGP Encryption Server adds. Thus there is no way for an internal user of Gateway Email to verify the integrity of a received message.

Placement of the PGP Encryption Server 
When deploying Gateway Email, always place a Message Transfer Agent (MTA) such as Symantec Messaging Gateway (SMG) between the PGP Encryption Server and the Internet. This lets the MTA throttle inbound email and remove spam email before the PGP Encryption Server attempts to apply security policy. It also ensures that message delivery time does not increase the number of parallel messages being processed by the PGP Encryption Server thus improving total message throughput.  Minimizing non-rfc compliance to be processed by the PGP Encryption Server will help ensure that email sent internal will be processed properly.