What Is S/MIME Encrypted Email?

When it comes to keeping sensitive information safe, email security is a top priority for both individuals and organisations.

As a researcher of digital identity protection, I've spent years studying the best practices for safeguarding personal and professional data, so I understand the critical importance of getting email security right.

One effective way to boost email security is through encryption, and S/MIME is one of the main types of encryption used for email.

Let's explore what S/MIME encrypted email is, how it works, why it matters, and how you can put it to use in your organisation.

Contents:

• Understanding S/MIME
• How S/MIME Works
• Benefits of S/MIME
• S/MIME Use Cases
• Implementing S/MIME
• Alternative Encryption Methods
• S/MIME: A Summary

Understanding S/MIME

S/MIME, short for Secure/Multipurpose Internet Mail Extensions, is a widely used protocol that enables email encryption and digital signatures.

Originally developed in 1995 by RSA Data Security, S/MIME has since become a standard for securing email communications, ensuring confidentiality and authenticity for both senders and recipients.

With S/MIME, you get two core layers of security:

• Digital signatures: By using a unique signing certificate, S/MIME adds a digital "stamp" to each email that confirms the sender’s identity and ensures the integrity of the content. This verifies that the message is genuinely from the person who sent it and hasn’t been tampered with.
• Encryption: S/MIME uses a pair of linked public and private keys to make sure that only the intended recipient can access an email’s content, keeping communications secure and private.

How Does S/MIME Work?

S/MIME is built on a cryptographic foundation known as Public Key Infrastructure (PKI).

This framework is what makes it possible for S/MIME to provide encryption and digital signatures that keep emails secure and authentic.

The Encryption Process

S/MIME relies on asymmetric encryption, a system that uses two keys—a public key and a private key—to lock and unlock email content:

1. Public key retrieval: When the sender composes an email, their email client started off by retrieving the recipient’s public key certificate, which is stored in a trusted certificate directory or shared directly with the sender. This certificate includes the recipient’s public key, which will be used to encrypt the email.
2. Encryption of email content: Next, the sender’s email client uses the recipient's public key to encrypt the email content and any attachments, making it unreadable to anyone other than the intended recipient.
3. Decryption by the recipient: Once the email reaches the recipient, they use their private key to decrypt the message and view its content. Since the private key is safely kept on their device, no one else can access or interpret the encrypted email.

Digital Signature Authentication

S/MIME also secures emails by adding a digital signature, which verifies the authenticity of the sender and the integrity of the message:

1. Creation of the digital signature: When the sender composes an email, the email client uses their private key to generate a digital signature that is uniquely linked to their account, which is then encrypted and attached to the message.
2. Verification by the recipient: When the email arrives, the recipient’s email client uses the sender’s public key (which is available through the sender’s certificate) to decrypt the digital signature. If the decrypted signature matches the email, it confirms that the message has not been tampered with since it left the sender’s outbox and is proof that the message genuinely came from the sender.

By signing the email with their private key, it also removes the risk of the sender later claiming that they didn’t send the message, adding a layer of accountability (otherwise known as non-repudiation) to the exchange.

"Implementing S/MIME is like adding a secure seal to every email—this helps to make sure only the right eyes see your message."

— Mike Wakefield, CTO, Beyond Encryption

Certificate Authorities (CA) in S/MIME

A key part of S/MIME's security comes from trusted third-party Certificate Authorities (CAs).

CAs are the bodies that issue digital certificates to verify the authenticity of users, playing a crucial role in building trust.

• Issuance of certificates: For S/MIME to work, both the sender and recipient need an S/MIME certificate from a trusted CA. The CA takes on the job of verifying each user’s identity before issuing a certificate that includes their public key and other identifying information. This verification process is a vital step in ensuring the legitimacy of future communications.
• Trust verification: When an email is signed with a digital certificate, the recipient’s email client checks the certificate against a list of trusted Cas. If the certificate is confirmed to be valid and issued by an authorised source, the recipient can trust that the sender is who they say they are.

Becoming a CA involves rigorous processes, as they must comply with strict standards and audits to maintain trustworthiness.

Impersonating a CA is exceptionally difficult due to the numerous security protocols and regulatory oversight involved, making it nearly impossible for malicious actors to forge trusted certificates.

How S/MIME Addresses Email Security Challenges

S/MIME encryption addresses several common email security challenges, including phishing, man-in-the-middle attacks, and email spoofing:

Phishing

96% of organisations have experienced at least one phishing attack in the past year.

S/MIME helps to reduce the risk of phishing by verifying that an email is genuinely from the claimed sender, providing an added layer of reassurance to email recipients.

Man-in-the-Middle Attacks

This type of attack involves intercepting communications between two parties.

According to IBM’s X-Force Threat Intelligence Index, 35% of exploitation activity involves man-in-the-middle attacks.

S/MIME’s encryption makes it extremely difficult for attackers to access or alter emails while they are in transit, reducing this threat.

Email Spoofing

A common tactic in spam and phishing campaigns, email spoofing is combated by S/MIME’s digital signature, which confirms the email’s authenticity and ensures it hasn’t been tampered with during transmission.

This verification establishes a foundation of trust between the communicating parties.

Benefits of S/MIME Encrypted Email

Using S/MIME encryption in email communications comes with a range of benefits that go beyond just security (although that’s a key aspect):

Enhanced Security

S/MIME provides a high level of security for emails containing sensitive information by encrypting the email content and attachments, making it challenging for unauthorised parties to intercept or tamper with the message during transit.

Authentication

Digital signatures are used to confirm the sender’s identity, minimising the risk of email spoofing.

This helps the recipient verify that the email genuinely came from the sender and wasn't altered during transmission, fostering secure communication.

Message Integrity

S/MIME guarantees that the email content and attachments remain unchanged during transmission.

The digital signature makes sure that any tampering is detectable, preserving the integrity of the message and boosting trustworthiness.

Regulatory Compliance

For organisations, S/MIME can help meet regulatory requirements by securing email communications and protecting sensitive data.

This compliance is crucial for avoiding legal repercussions tied to data breaches or compromised information.

"In an age of relentless cyber threats, email encryption has evolved from a security measure to a legal obligation."

— Paul Holland, Founder, Beyond Encryption.

S/MIME Use Cases

S/MIME encryption is used across numerous industries and applications, including government, healthcare, legal, and financial sectors.

Government Agencies

Government bodies, including local councils and central agencies, can use S/MIME to secure internal and inter-departmental communications.

This ensures compliance with data protection legislation such as The UK GDPR and the Data Protection Act 2018, as well as cybersecurity standards like the UK Government’s Cyber Essentials scheme.

Healthcare Industry

Healthcare providers, including the NHS and private medical organisations, utilise S/MIME to safeguard the transmission of patients' sensitive medical records and personal data.

This ensures compliance with healthcare regulations such as the Data Security and Protection Toolkit (DSPT) and NHS Digital standards.

Legal Firms

Law firms handle vast amounts of confidential client data, including sensitive legal documents and intellectual property.

S/MIME is used to protect solicitor-client communications, ensuring that these exchanges remain secure and confidential in line with Solicitors Regulation Authority (SRA) guidelines.

Financial Services

UK banks, investment firms, and other financial institutions use S/MIME to secure sensitive financial information sent via email, ensuring compliance with industry regulations.

These regulations can include those set by the Financial Conduct Authority (FCA) and the Payment Services Directive 2 (PSD2), which mandate robust protection of customer data during electronic communications.

Implementing S/MIME in Your Organisation

Rolling out S/MIME in your organisation requires careful planning, the right configuration, and ongoing management to keep things running smoothly and securely.

It’s essential to clearly communicate the reasons for adopting S/MIME to all stakeholders, emphasising the security and compliance benefits in straightforward terms.

Here’s a quick guide to incorporating S/MIME encrypted email in your organisation:

1. Obtain Digital Certificates

To use S/MIME for encrypted or signed emails, each user will need a digital certificate.

These certificates can be obtained from trusted Certificate Authorities (CAs), such as GlobalSign, Sectigo, or Digicert.

The CA will typically verify each user’s identity, ensuring that the certificates are securely linked to legitimate individuals or organisations.

Tips:

• Opt for well-established CAs to ensure broad compatibility across various email clients and devices.
• For larger teams, consider organisational certificates. These can streamline management and issuance, making it easier to oversee and maintain email security across the organisation.

2. Install Certificates

Once the digital certificates are issued, they need to be installed on each user’s device.

The installation steps may vary depending on the email client and operating system, but they typically involve importing the certificate into the system’s keychain or certificate store.

Tips:

• Make sure the certificates are compatible with popular email clients like Microsoft Outlook and Apple Mail, and offer guidance to users who might need help with installation.
• Where possible, automate the certificate installation process—especially in larger organisations—to streamline deployment and reduce the chance of errors that could lead to security vulnerabilities.

3. Configure Email Clients

After installing the certificates, the next step is configuring email clients to use them for encryption and digital signatures.

This configuration defines the default actions for signing and encrypting emails, as well as how certificate validation is handled, ensuring strong security without compromising usability.

Steps:

• Set email clients to automatically sign all outgoing emails to verify authenticity and reduce the risk of phishing.
• Enable automatic encryption for emails whenever the recipient’s public key is available, helping maintain confidentiality.
• Activate notifications for untrusted or expired certificates so users are alerted to update certificates as needed to keep communications secure.

While encrypting all emails is ideal, it may sometimes create compatibility issues if recipients aren’t set up with S/MIME.

Ensure your system allows flexibility to send unencrypted emails when necessary while still adhering to security policies.

"Proper configuration of email clients is the linchpin in S/MIME deployment—it bridges the gap between security and usability."

— Carole Howard, Head of Network, Beyond Encryption

4. Train Users

User training is essential for successfully implementing S/MIME encryption. It’s not just about showing them how to use the system but also helping them understand why it matters.

Training should cover:

• The steps for sending and receiving encrypted or signed emails.
• How to spot when an email hasn’t been signed or encrypted, and what that means for data security.
• What to do if they encounter certificate issues, like expired or untrusted certificates, and who to contact for support.

Tips:

• Provide simple, clear instructions for day-to-day tasks like signing and encrypting emails to encourage user compliance.
• Use real-life examples to highlight phishing risks and demonstrate why verifying digital signatures is so important.
• Hold refresher sessions periodically to keep everyone up-to-date on security best practices, updates, and emerging threats that S/MIME helps mitigate.

5. Establish Policies

Setting up clear, formal policies for S/MIME use is crucial for maintaining consistent security practices across the organisation.

These policies should cover:

• When and how encryption should be used (e.g., for all sensitive communications).
• Procedures for managing certificates, including renewal, revocation, and replacement in case of loss or compromise.
• Steps to take in the event of security issues, such as a revoked or compromised certificate.

Example policies:

• Encryption policy: All emails containing sensitive data, financial information, or personally identifiable information (PII) must be encrypted using S/MIME. Failure to comply may lead to disciplinary action.
• Certificate management policy: All certificates must be renewed 30 days before expiry and revoked immediately in the event of a suspected compromise, to maintain high levels of security across the network.

6. Manage Certificate Lifecycles

Effective certificate management is essential to keeping S/MIME secure and reliable.

Certificates have expiry dates, and it’s critical to stay on top of renewals to avoid disruptions or lapses in secure communication.

Key tasks:

• Renewal: Automate the certificate renewal process to prevent expired certificates from causing communication issues. It’s also important to have a backup plan for manual renewal in case the automated process encounters any issues.
• Revocation: Have clear procedures for revoking certificates in the event of a breach or lost key. Make use of Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) to ensure revoked certificates are no longer trusted. This helps quickly address any vulnerabilities that might emerge.

"Managing certificate lifecycles proactively prevents security gaps that could be exploited—it's a vital part of any encryption strategy."

— Mike Wakefield, CTO, Beyond Encryption

Alternative Email Encryption Methods

While S/MIME is a powerful option for email security, other encryption methods might better fit specific organisational needs.

Here’s a look at some common alternatives, along with their benefits and limitations:

1. PGP (Pretty Good Privacy)

PGP is another popular encryption method that, like S/MIME, offers both encryption and digital signature capabilities, similar to S/MIME.

However, instead of relying on certificates from central authorities, PGP uses a web-of-trust model, which provides a more decentralised approach to managing trust and keys.

Pros:

• PGP users create their own key pairs and trust relationships, which makes it more flexible than S/MIME, especially in environments where third-party trust is limited or undesirable.
• PGP is widely supported and used in both personal and professional settings, making it a well-established option for email encryption.
• PGP does not require certificates from a Certificate Authority, reducing reliance on third parties and potential costs.

Cons:

• PGP can be more challenging for non-technical users to understand and implement effectively, potentially leading to user errors that could weaken security.
• PGP users must manually manage their web of trust, which can be cumbersome in large organisations where numerous relationships must be verified.
• Not all email clients natively support PGP, and it may require additional software or plugins, adding complexity to the deployment process.

2. TLS (Transport Layer Security)

TLS is a protocol that focuses on securing the connection between mail servers, ensuring that emails remain protected while they’re being transmitted across the internet.

Pros:

• TLS encryption happens at the server level, so no user action is required once configured, offering a simple solution for basic email protection.
• Most modern email providers and servers support TLS encryption, making it highly compatible and straightforward to implement.
• Protects email data from interception during transmission between servers, which is suitable for less-sensitive communications.

Cons:

• Once emails reach the recipient’s mail server, they are no longer encrypted, leaving the content potentially vulnerable to unauthorised access or server compromises.
• TLS depends on both the sender's and recipient's mail servers supporting encryption. If either server doesn’t, the email may be transmitted in plaintext, significantly weakening security.

"TLS offers a good baseline of security, but for sensitive data, end-to-end encryption methods like S/MIME are indispensable."

— Emily Plummer, Marketing Director, Beyond Encryption

3. End-to-End Encryption (E2EE)

End-to-end encryption (E2EE) ensures that only the intended sender and recipient can access the content of the email.

Unlike other encryption methods like TLS, E2EE secures the data from the moment it leaves the sender’s device until it is decrypted by the recipient, leaving no point during transmission or storage where intermediaries (like email servers) can access or read the email.

Pros:

• Emails are encrypted directly on the sender’s device and can only be decrypted only by the intended recipient, ensuring that no third parties, including email service providers, can read the contents.
• Since the encryption is applied at the user level, E2EE doesn’t depend on server-based encryption protocols, which can be vulnerable if a mail server is compromised.
• Even if communications are intercepted during transmission, the data remains encrypted and inaccessible, protecting against man-in-the-middle attacks.

S/MIME: A Summary

S/MIME encrypted email is a powerful solution for enhancing email security, offering strong encryption, reliable authentication, and message integrity.

It strikes a solid balance between usability and robust protection, making it an ideal choice for organisations that need to safeguard sensitive information.

However, it’s essential to explore and consider other encryption options based on your organisation’s specific needs.

By evaluating the strengths and limitations of each method, businesses can select the approach that best aligns with their security requirements, ensuring that sensitive communications are well-protected against evolving cyber threats.

FAQs

What Does S/MIME Mean in Email?

S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It is a widely used protocol that secures email communications through encryption and digital signatures, ensuring both confidentiality and authenticity of messages.

Should I Turn On S/MIME for My Emails?

Enabling S/MIME is highly recommended if you handle sensitive or confidential information. It enhances email security by encrypting content and authenticating the sender, significantly reducing risks such as phishing, email spoofing, and man-in-the-middle attacks.

How Does S/MIME Address Email Security Problems?

S/MIME tackles email security challenges by encrypting messages so that only intended recipients can access them, adding digital signatures to verify the sender’s identity, and ensuring message integrity to detect tampering during transmission.

What Are the Disadvantages of Using S/MIME?

While S/MIME provides robust security, it does come with drawbacks. Digital certificates must be obtained from trusted Certificate Authorities, which can be costly and administratively burdensome. Additionally, both the sender and recipient need compatible email clients and certificates, which can limit usability.

Does Gmail Support S/MIME?

Gmail does offer support for S/MIME, but only for enterprise users with Google Workspace accounts. Configuring S/MIME on Gmail involves using digital certificates to enable encrypted and signed email communication, providing an extra layer of security.

How Do I Get an S/MIME Certificate for Outlook?

To use S/MIME in Outlook, you will need to acquire a digital certificate from a trusted Certificate Authority, such as GlobalSign or Digicert. Once obtained, the certificate must be installed on your device and configured in Outlook to enable secure email encryption and digital signatures.

References:

Introduction to S/MIME, Microsoft Support, 2023

Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification, IETF RFC 3851

Email Security and Anti-Spoofing Guidance, NCSC, 2023

Reviewed by:

Sam Kendall, 15.11.2024

Sabrina McClune, 15.11.2024