PGP (Pretty Good Privacy) has been around for quite a while now, and the GNU code for it (GNU Privacy Guard, or GPG) is free.
Amongst other things you can encrypt and/or sign emails using PGP.
Unfortunately it has yet to catch on for common usage. We use it a lot in A&A. We sign the emails we send in almost all cases and have done for decades (I like how I can say "decades" now when referring to A&A). We are just starting more comprehensive encryption of the emails we send, as described in another blog post.
But it is still uncommon. It is not properly supported in most common email clients. I use Thunderbird and there is a good plugin (Enigmail) which works well, but it is still a plug-in. It puzzles me a bit as to why it is not a lot more standard in major email clients yet, after all this time.
Of course, one of the big problems is the "trust" of keys. There is (deliberately) no central authority. Sadly, a central authority model, like that used for https, is way easier for end users. They could automatically trust an email claiming to be signed by their bank because it would be signed by a chain of authority their email client knows to trust. This is the same as the way you can go to https for your bank and know it is them.
There is an email system for this, S/MIME, but even support for that is complicated and not simply included in major email clients, as far as I can see. It also has the problem that individuals want keys, and a central authority model makes that a pain and probably involves paying to have your key signed.
I do think some organisations could do more to encourage PGP. It would be great if Companies House, for example, would sign company keys as a service that is part of managing company registrations. They already have security measures, and they could use the fact they can trust a signed company email as an added feature in dealing with companies. That may encourage more companies to check signatures, and maybe even use company key signed emails as signatures for contracts.
You still have the issue with individuals, but again, organisations that already do security checks, like banks, could easily include key signing. It would be a way to advertise their bank as a source of trust.
Anyway, enough of solving the problems of the world for a moment, the main reason for writing this is that I have to assume more people are using PGP at last...
How do I know? SPAMMERS!!!
I am seeing more and more spam that includes a PGP signature block or a PGP public key block in the spam email. These are usually broken or bogus, which is silly, but they almost certainly look close enough to get an improved anti-spam score, and to give an impression of more credibility to people.
That would only happen if people really are using PGP more. So, interesting times.
Of course, if people do use PGP more, then spam checking can start actually checking signatures and trust chains, as part of the scoring. Get enough people using PGP, even if only for signing, and we could ultimately eliminate spam (ha!).
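A cheap first step towards the spam scoring described above, as an added example (not A&A's code and not from the original post): before doing any real signature verification with gpg, check whether a PGP block in a message is even structurally valid ASCII armor, with matching BEGIN/END lines, valid base64 and a correct CRC24 checksum (RFC 4880 section 6.1). The armor() helper and the SPAM_BODY sample are constructed for the demo; a block that passes still needs the key and a real verification step before it earns any trust.

```python
import base64, binascii, re
# BEGIN and END must name the same type; a clear-signed message has a nested SIGNATURE block.
ARMOR_RE = re.compile(
    r"-----BEGIN (PGP [A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_block(block_type: str, body: str) -> dict:
    """Structural checks only: this does not verify the signature or the key."""
    result = {"type": block_type, "base64_ok": False, "crc_ok": False}
    lines = body.replace("\r\n", "\n").rstrip("\n").split("\n")
    if "" in lines:                       # skip armor headers such as "Version:"
        lines = lines[lines.index("") + 1:]
    lines = [line.strip() for line in lines if line.strip()]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    try:
        raw = base64.b64decode("".join(lines), validate=True)
        result["base64_ok"] = True
        if crc_line:
            stored = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
            result["crc_ok"] = stored == crc24(raw)
    except (binascii.Error, ValueError):
        pass                              # junk that merely looks like armor
    result["well_formed"] = result["base64_ok"] and result["crc_ok"]
    return result

def scan_armor_blocks(text: str) -> list:
    """Find every armored block in a message body and check each one."""
    return [check_block(m.group(1), m.group(2)) for m in ARMOR_RE.finditer(text)]

def armor(block_type: str, data: bytes) -> str:
    """Build a well-formed block the way gpg would (constructed, for the demo)."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return (f"-----BEGIN {block_type}-----\nVersion: constructed example\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END {block_type}-----\n")

# Constructed spam body: the "signature" is filler that only resembles armor.
SPAM_BODY = ("Your account is locked, click the link below.\n\n-----BEGIN PGP SIGNATURE-----"
             "\n\nNotARealSignature!!!\n=XXXX\n-----END PGP SIGNATURE-----\n")
```

Running scan_armor_blocks(SPAM_BODY) flags the block as not well formed, whereas a block built with armor() passes; feeding the per-block results into a spam score is left to the mail filter.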