> From a technical point of view, the app deletes the attachment by inserting a new email (the one without the attachment) into your Gmail, and then deleting the original email (the one with the attachments).
I hope there is a big warning when using the app, because this makes these emails (maybe even the whole conversation chain?) worthless should they be needed as some kind of legal evidence.
IMAP is really kinda an object store, where the objects are emails. Modifying emails stored remotely is already extremely trivial.
DKIM and ARC make this a bit more secure, but they are the only way to validate an email is authentic.
With DKIM key rotation by providers like AWS SES and others, after a period of time it is impossible to validate old emails as authentic. For SES it takes only 9 months for that to happen.
I assumed historical DKIM public keys were easy to find on the web, but that doesn't seem to be the case. This is weird because they are very little data and don't rotate every year, so archiving every key from Google, Amazon, etc would be easy.
Of course you would need multiple trusted sources for the key to have confidence that the mail is legit.
The app will soon support the ability to back up the whole original email (in .eml format) before any changes are made, should the originals be needed for whatever reason.
If it keeps the original email then the DKIM signature from the sending domain will still be intact. As people have pointed out, it might be necessary to keep a copy of the public keys of all the senders in order to perform that validation.
Frustratingly, Exchange breaks this possibility immediately, because it decomposes the email into components. It does preserve and validate some fancier signature schemes, but those are rarely used and have their own problems.
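An added example, not part of the thread or of the app's code: a Python sketch that reads a saved .eml, lists the DNS name of each DKIM key that would need to be archived, and recomputes the DKIM body hash (`bh=`) to show that a copy re-inserted without its attachment no longer matches the sender's signature header. The domain `example.com`, selector `sel2024` and the message contents are constructed; the RSA signature in `b=` is not verified here, since that step needs the archived public key.

```python
import base64, hashlib, re
from email import message_from_bytes

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 section 3.4 body canonicalization: 'simple' or 'relaxed'."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse whitespace runs, strip line-end whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def dkim_tags(value: str) -> dict:
    """Parse 'k=v; k=v' tag list; folding whitespace inside values is dropped."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_eml(raw: bytes) -> list:
    """Per DKIM-Signature: (DNS name of the key to archive, body hash matches)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    results = []
    for sig in message_from_bytes(head + b"\r\n\r\n").get_all("DKIM-Signature", []):
        t = dkim_tags(str(sig))
        mode = t.get("c", "simple/simple").partition("/")[2] or "simple"
        algo = hashlib.sha256 if t.get("a", "").endswith("sha256") else hashlib.sha1
        data = canon_body(body, mode)
        if "l" in t:  # optional body length limit
            data = data[: int(t["l"])]
        ok = base64.b64encode(algo(data).digest()).decode() == t.get("bh")
        results.append((f"{t.get('s')}._domainkey.{t.get('d')}", ok))
    return results

# Constructed sample: bh= is computed from the original body; b= is a placeholder
# because this sketch does not verify the RSA signature itself.
BODY = b"See attached.\r\n\r\n[attachment bytes: report.pdf]\r\n"
BH = base64.b64encode(hashlib.sha256(canon_body(BODY, "relaxed")).digest())
HEAD = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        b" s=sel2024; h=from:subject; bh=" + BH + b"; b=PLACEHOLDER\r\n"
        b"From: a@example.com\r\nSubject: report\r\n\r\n")
ORIGINAL = HEAD + BODY                    # the backed-up .eml
STRIPPED = HEAD + b"See attached.\r\n"    # re-inserted copy without the attachment

if __name__ == "__main__":
    print(check_eml(ORIGINAL), check_eml(STRIPPED))
```

A matching body hash only shows the body is the one the signature header describes; authenticity still depends on verifying `b=` against the key published at the returned DNS name.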