Your legal department drafts a contract. The contract gets signed electronically. You send an email to your customer. All seems in order, professional and legitimate.
Except for what you don’t see. An attacker hijacks that email mid-flight and replaces the attached PDF with a modified one that contains new contract details and then releases the email to the final destination. Your client receives a seemingly innocuous email from a known sender, reads through the apparently agreed contract terms, and signs it without even realizing that it’s not the original document they’re dealing with.
But wait a second. This scenario does happen. In just 2024, BEC attacks cost companies $2.77 billion dollars in losses. And contracts and payments are top on the list of targets attacked. This kind of breach happens because companies consider email security and signature protection to be completely separate concerns. But in truth, they represent a unified data chain whose integrity is compromised at any point of it.
What Email Encryption Protects – and What It Doesn’t
In most cases, ordinary business email – whether through standard Gmail or standard Outlook – relies on the use of TLS (Transport Layer Security). TLS encrypts the connection from one server to another through which your email moves, just as an armored vehicle would protect its payload. However, once the email reaches the destination provider’s servers, it lies there ready for decryption by the server.
End-to-end encrypted emails work differently. First, the message gets encrypted in the sender’s device and only decrypted by the receiver’s device using the correct decryption key. In providers with zero-access architecture, all data that lies in their servers will be unintelligible ciphertext.
In this way, you protect three types of data: confidentiality while in transit and at rest, access controls limiting the number of users that may access your emails, and the security of your data even when your service provider’s server has been compromised.
However, you do not protect any other information. While you secure your channel through encryption, you do not secure the content. For instance, an email that has undergone perfect end-to-end encryption still carries with it the risks of forged contracts or invoices.
That’s the gap document signing exists to close.
What Digital Signatures Actually Do
Upon signing the document digitally, your signing software generates a hash, which is a unique mathematical signature for the exact content contained in the document. This hash is then signed using your private key; this gives rise to the digital signature. Once the recipient opens the document, the signing software uses your public key to decrypt the digital signature and recalculate the hash. The difference is that, should any alteration be made to the document in any form after the signature is put in place, the two hashes will not match, and the signature will not validate.
The above description is crucial for distinguishing between a digital signature and an electronic signature. In the case of the latter, the signing software simply documents your intent by recording that you approved the document at the particular point in time. No cryptographic confirmation of the document’s integrity can be provided. Thus, any change made to the document either before or after the approval will remain undetected by such a signature.
In contrast, a certificate-based digital signature gives an indication of tampering. As soon as you alter the document after the signature has been placed on it, the validation process will fail immediately.
What digital signing does provide protection for: integrity (the file is the same that was signed), non-repudiation (it is impossible for the sender to dispute signing), and verification of the signer’s identity based on the associated certificate.
Protection is not provided against: the transport mechanism for the signed file. An ideally signed agreement sent through unsecured mail could be intercepted, and the attachment substituted for another one which would be fraudulent. The security of the actual document is maintained.
The Chain of Custody Problem
In any business documents’ transaction, there are two aspects: the document and the channel used to transmit the document. Document signing will ensure the safety of the document, while email encryption will ensure the security of the transmission channel. Hackers target the space between them.
How the attack works. The hacker will position himself between the sender and the receiver using the compromised infrastructure, email account, or domain. The transmission channel only has TLS for security purposes. The hacker will intercept the message, replace the attached document with another fraudulent one that has a new agreement on the mode of payment and new bank accounts. Afterward, the hacker will release the email. In the receiver’s email inbox, he will receive an email, which appears to be legitimate. He will open and follow the instructions. There will be no verification of the signature since most email services do not notify the recipient.
Reverse problem. A business transmits an unsigned document using the end-to-end encrypted channel. While the channel is completely secure, the recipient will not have any clue on whether someone altered the documents.
Document signing locks the document. Email encryption locks the channel. Leaving either lock off doesn’t weaken the other – it creates an entirely different vulnerability.
4 Scenarios Where You Need Both
Contract signing. In every client contract and non-disclosure agreement there are two potential threats that have to be mitigated. One of them is modification of the contract. The other one is intercepted by unauthorized persons. Digitally signed contracts mitigate the risk of modification. Encrypted email mitigates the risk of interception. Most organizations take those two risks without even knowing it since their signing system does not consider the threat from the email and vice versa.
Financial approvals. When it comes to wire transfers the most important and valuable information in any communication will be the wire transfer request. Encryption will prevent interception of it, but digitally signing such documents guarantees that nothing has been modified and that the account number, amount and other information included is exactly what the sender approved.
HR and onboarding. The documents that HR professionals use include personally identifiable information that falls under GDPR and California Consumer Protection Act (CCPA). Encryption is used for securing that data in transit and document signing will create audit proof documentation of the terms used in the contract.
Regulated industries. Compliance with the rules set by HIPAA, GDPR, and eIDAS require all three controls – encryption, digital signature, and audit logs.
What to Look for in Your Setup
Automatic end-to-end encryption by default. If users have to enable encryption for each message manually, sensitive emails would be delivered unencrypted due to high loads. The only solution is an automatic one that will encrypt all outgoing messages.
Support of certificate-based digital signatures. It is essential that your provider supports real PKI digital signatures that use certificate validation. Do not believe the promises of approval-only workflows. Ask your vendor directly if it creates cryptographic signatures or only logs approval actions.
Full audit trail coverage. A complete trail logs who sent what, when, and whether the document’s signature was verified. This satisfies compliance requirements and provides evidentiary records for dispute resolution. An audit trail covering email delivery but not signature verification is only half a record.
Zero access architecture. A provider that can access your email content can access the contracts, financial documents, and HR agreements traveling through it. Zero-access providers store only ciphertext – they cannot read your content even with a valid legal request. This eliminates the provider as a breach vector for both the channel and its contents. Atomic Mail is one example of this approach: its infrastructure is built on end-to-end encryption and zero-access design, meaning signed documents sent through it travel a channel that even the provider cannot read.
Compliance fit by design. Compliance with eIDAS, E-SIGN, GDPR, and HIPAA should not be achieved via special configurations after you signed up. A service that provides compliance out-of-the-box is inherently different from a service that needs additional enterprise features to achieve the same result.
FAQ
Is a digitally signed document legally binding? Yes – under both eIDAS and the E-SIGN Act, certificate-based digital signatures carry full legal weight. The evidentiary strength depends on the certificate validation level. For high-value contracts, higher validation means stronger legal standing.
What’s the difference between encrypting an email and digitally signing it? Encryption protects confidentiality – only the intended recipient can read the message. Signing protects integrity – the content hasn’t changed since signing, and the sender is verified. Each closes a gap the other leaves open.
Do both parties need the same encryption system? For end-to-end encryption, both need compatible systems. However, many providers support secure portals or password-protected links for recipients on different platforms, allowing encrypted delivery without requiring the recipient to switch providers.
What regulation requires both email encryption and document signing? No single regulation mandates both – but the combination of requirements across HIPAA, GDPR, eIDAS, and financial compliance frameworks effectively demands it. Confidentiality plus integrity plus audit trail is what full compliance actually requires.
The Bottom Line
Email encryption and document signing serve different purposes – channel privacy and document authenticity – and both are needed. The signed document relies on its channel for security, while the encrypted channel depends on its document for integrity.
Both rely on architecture. In the case of email, it entails a provider whose architecture is based on end-to-end encryption and zero-access model – where all documents sent will pass through a channel that even the provider cannot access. In terms of document signing, the architecture of the platform ensures cryptographic signatures using blockchain or certification systems – where every signed document cannot be forged or manipulated.
Your documents are not tampered with. Your channel is not intercepted. Both can be achieved. Neither entails sacrifice.
