How to certify an email: complete guide to email certification

Email communications are the connective tissue of any professional relationship. Commercial agreements, disputes, internal communications, contractual notifications: certifying an email means being able to prove its content, sender, and date at any time, including in court. Yet an ordinary email remains a fragile document. It can be modified, disputed, or denied by the other party without the sender having any means to demonstrate its original integrity.

The problem is not theoretical. Most legal systems around the world now accept electronic records as evidence, but their evidentiary weight depends entirely on the ability to prove integrity and authenticity. Under the UNCITRAL Model Law on Electronic Commerce, a data message is not to be denied legal effect solely because it is in electronic form, yet the party relying on it must still demonstrate that the information has remained complete and unaltered. This means that an uncertified email can lose all evidentiary value the moment its authenticity is called into question. The solution lies in a certification process that freezes the email's content at the time of sending, guarantees its integrity through a digital signature and timestamp, and produces verifiable documentation that is enforceable against third parties.

Legal value of emails: the international framework

Electronic evidence in civil and common law jurisdictions

Across both civil law and common law systems, courts increasingly treat electronic communications as admissible evidence. The Budapest Convention on Cybercrime, ratified by over 60 countries, establishes a common framework for the collection and handling of digital evidence across borders. In the European Union, the eIDAS Regulation (EU 910/2014) provides that electronic documents shall not be denied legal effect and admissibility as evidence solely on the grounds that they are in electronic form.

The critical point, however, is that admissibility does not equal reliability. An ordinary email offers no intrinsic guarantees about the sender's identity or the integrity of its content. Accessing an email account requires only a username and password: anyone with those credentials could send messages. For this reason, without additional supporting evidence, a standalone email has limited evidentiary weight in most jurisdictions.

Registered Electronic Mail (REM) and certified delivery services

Several countries have adopted certified electronic delivery systems to address the authenticity problem. In the EU, the eIDAS Regulation defines the concept of Qualified Electronic Registered Delivery Services (QERDS), which provide legal proof of sending and receipt, protect against the risk of loss, theft, damage, or alteration, and identify both the sender and recipient with a high level of assurance.

These systems, however, are designed for certified transmission between registered users. They confirm that a message was sent and received, but they do not forensically certify the content of the message body or the integrity of attachments in a way that produces independent, verifiable evidence. For organizations that need to preserve and prove the exact content of any ordinary email, a different approach is needed: one based on digital evidence standards rather than delivery confirmation.

When an email can be challenged in court

In most jurisdictions, a party can challenge the authenticity of an electronic document by raising specific doubts about its origin, integrity, or the conditions under which it was produced. Under the ISO/IEC 27037 framework for digital evidence, any electronic record must be collected and preserved following documented, repeatable procedures to withstand scrutiny. If the opposing party challenges the authenticity of an email, the burden of proving the message's genuineness typically falls on the party producing it. Without a certification process that establishes a clear chain of custody, this proof can be difficult and costly to obtain.

Why an ordinary email is not enough as evidence

Technical limitations of an uncertified email

An ordinary email does not retain independently verifiable metadata. Headers can be manipulated, the message body can be altered after sending, and there is no documented chain of custody. The ISO/IEC 27037 standard, which defines guidelines for handling digital evidence, requires that collection be traced and preservation controlled. An email saved in a mailbox does not meet these requirements.

Furthermore, a screenshot of an email is a static image: it does not prove who sent it, when it was actually received, or that the content was not modified before capture. Courts in multiple jurisdictions have consistently held that a mere reproduction of digital content has evidentiary value only if its integrity can be independently verified or goes unchallenged. Without cryptographic proof of integrity, any reproduction remains vulnerable to dispute.

How repudiation works in court proceedings

When a party produces an email as evidence, the opposing party can challenge it by specifically indicating how the document differs from the original. If the challenge is valid, the judge may still assess authenticity through other means of proof, including presumptions and testimony. But this path lengthens timelines, increases costs, and introduces uncertainty about the outcome. Preventive certification eliminates the problem at its root: the content is frozen and verifiable, rendering any challenge unfounded.

How to certify an email with legal validity

Traditional forensic certification

The classic method involves the intervention of a technical consultant or forensic IT expert, who acquires the email following digital forensics protocols (collection of full headers, content hashing, chain of custody documentation). This approach offers the highest level of evidentiary reliability, but comes with high costs and timelines incompatible with day-to-day operational needs. It is not sustainable for a company handling hundreds or thousands of email communications per day.

Automated digital certification

The alternative is a digital certification platform that automates the entire process: content acquisition (message and attachments), application of a digital signature and qualified timestamp, and generation of a technical report with metadata and cryptographic hashes. This approach makes certification accessible, immediate, and scalable, while maintaining compliance with forensic and regulatory standards (ISO/IEC 27037, eIDAS, UNCITRAL).

The essential elements of email certification with legal validity are:

• Content integrity: a cryptographic hash (SHA-256) that guarantees the message has not been altered
• Certain date: a qualified timestamp compliant with the eIDAS Regulation
• Digital signature: an electronic seal attesting to the authenticity of the certification
• Chain of custody: complete documentation of the acquisition and preservation process

Certifying emails with TrueScreen

How TrueScreen email certification works

TrueScreen allows you to certify any email through a simple process: just add the personalized email address provided by TrueScreen (available in your workspace) to the "To", "CC", or "BCC" field of the email you want to certify. The system receives the communication and automatically converts it into certified documentation, applying a timestamp and digital seal to both the message content and the attachments.

The process can also be automated by creating specific rules in the organization's mail server, making certification transparent for users and systematic across the entire organization. Adoption takes just a few minutes and does not require complex technical integrations.

Certified output and regulatory compliance

The certification process produces a ZIP package containing:

• The original files, exactly as acquired, without any alteration
• A PDF report with data, metadata, and operational logs of the certification process
• A JSON file with the same data, intended for integration with information systems
• An XML file with the QTSP certification, including the electronic seal and qualified timestamp

TrueScreen's methodology complies with ISO/IEC 27037 (digital evidence management), ISO/IEC 27001 (information security), the eIDAS Regulation (EU 910/2014), and GDPR. The certified output is recognized under the UNCITRAL Model Law on Electronic Commerce principles for cross-border acceptance of electronic records, and is immediately verifiable and usable as evidence in disputes or to meet legal and compliance requirements.