A&A and PGP
For a start, I think all automated and even staff emails (e.g. ticket replies) from the company should be signed. We already have a system of staff keys signed by the company (which I control personally as owner/director).
At present accounting emails are signed, and some staff emails are but most are not.
But we need to go further.
My thought is that we need a way for customers to register that they want encrypted emails as standard and register key and email address.
Then, all automated and ticket manages emails should not only sign emails but encrypt, even including things like call recordings from our VoIP systems.
I suspect we need to work out the top level registration system first, then we can work system by system to ensure emails signed and, where requested, encrypted.
But ideas welcome.