Header Protection for Cryptographically Protected Email
RFC 9788, “Header Protection for Cryptographically Protected Email”, is a Proposed Standard document published in August 2025 by D. K. Gillmor, B. Hoeneisen, A. Melnikov. It updates RFC 8551. The canonical text is published by the RFC Editor.
Abstract
S/MIME version 3.1 introduced a mechanism to provide end-to-end cryptographic protection of email message headers. However, few implementations generate messages using this mechanism, and several legacy implementations have revealed rendering or security issues when handling such a message.
This document updates the S/MIME specification (RFC 8551) to offer a different mechanism that provides the same cryptographic protections but with fewer downsides when handled by legacy clients. Furthermore, it offers more explicit usability, privacy, and security guidance for clients when generating or handling email messages with cryptographic protection of message headers.
The Header Protection scheme defined here is also applicable to messages with PGP/MIME (Pretty Good Privacy with MIME) cryptographic protections.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9788 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9787 Guidance on End-to-End Email Security
- RFC 9789 MPLS Network Actions Framework
- RFC 9786 EVPN Port-Active Redundancy Mode
- RFC 9790 IANA Registry and Processing Recommendations for the First Nibble Following a Label Stack
- RFC 9785 Preference-Based EVPN Designated Forwarder Election
- RFC 9791 Use Cases for MPLS Network Action Indicators and Ancillary Data
- RFC 9784 Virtual Ethernet Segments for EVPN and Provider Backbone Bridge EVPN
- RFC 9792 Prefix Flag Extension for OSPFv2 and OSPFv3