What Is S/MIME Encrypted Email?

When it comes to safeguarding sensitive information, email security is a critical concern for both individuals and organisations—especially as cyber threats become more sophisticated. One of the most effective methods for bolstering email security is through encryption. In this article, we’ll explore what S/MIME encrypted email is, how it functions, and why it plays a key role in modern cybersecurity practices.

Understanding S/MIME

S/MIME, short for Secure/Multipurpose Internet Mail Extensions, is a widely recognised protocol that provides email encryption and digital signatures.

Initially developed in 1995 by RSA Data Security, S/MIME has since become a standard for securing email communications.

S/MIME offers two primary security features:

• Digital signatures: By using a unique signing certificate, digital signatures confirm the identity of the sender and ensure the integrity of an email’s content.
• Encryption: S/MIME employs a pair of mathematically related public and private keys to ensure that only the intended recipient can access an email’s content.

How Does S/MIME Work?

S/MIME operates on a cryptographic framework called Public Key Infrastructure (PKI) to provide both encryption and digital signatures for secure email communication.

This dual approach ensures confidentiality and integrity in emails.

Let's delve deeper into the key aspects of how S/MIME works:

The Encryption Process

S/MIME uses asymmetric encryption, which involves a pair of public and private keys:

1. Public key retrieval: When the sender composes an email, their email client first retrieves the recipient’s public key certificate, which is stored in a trusted certificate directory or shared directly with the sender. This certificate includes the recipient’s public key, which will be used to encrypt the email.
2. Encryption of email content: The sender’s email client then uses the recipient's public key to encrypt the email content and any attachments. Since the public key is accessible to anyone, encryption does not compromise security—only the recipient can decrypt the message using their private key.
3. Decryption by the recipient: Once the email is received, the recipient uses their private key to decrypt the email. As the private key is confidential and only stored on the recipient’s device, no one else can decrypt or access the content of the message, ensuring that the email remains confidential.

Digital Signature Authentication

S/MIME also secures emails by adding a digital signature, which ensures the authenticity of the sender and the integrity of the message:

1. Creation of the digital signature: The sender’s email client uses their private key to generate a digital signature. This involves hashing the email’s content and encrypting the hash with the sender’s private key. The resulting digital signature is attached to the email.
2. Verification by the recipient: Upon receiving the email, the recipient’s email client uses the sender’s public key (which can be obtained from the sender’s certificate) to decrypt the digital signature and verify the hash. If the decrypted hash matches the hash of the received email, it confirms that the message has not been altered during transit. The signature also verifies that the email indeed came from the sender, as only the sender’s private key could have generated the signature.
3. Non-repudiation: By signing the email with their private key, the sender cannot deny having sent the message (non-repudiation), as their digital signature uniquely ties the email to their identity.

Certificate Authorities (CA) in S/MIME

A critical component of S/MIME is the use of trusted third-party Certificate Authorities (CAs).

These CAs issue digital certificates, which contain the public key, to verify the authenticity of users.

CAs play a key role in ensuring the trustworthiness of the S/MIME system:

1. Issuance of certificates: Both the sender and the recipient must acquire S/MIME certificates from a trusted CA. The CA verifies the identity of the users before issuing a certificate, which contains their public key and other identifying information.
2. Trust verification: When an email is signed with a digital certificate, the recipient’s email client checks the certificate against a list of trusted CAs to confirm that it is valid and issued by an authorised source.

How S/MIME Addresses Email Security Challenges

S/MIME encryption effectively tackles several common email security challenges:

• Phishing attempts: 96% of organisations have experienced at least one phishing attack in the past year. S/MIME’s ability to authenticate sender identity helps mitigate the risk of phishing by verifying that an email is genuinely from the claimed sender.
• Man-in-the-middle attacks: This type of attack involves intercepting communications between two parties. According to IBM’s X-Force Threat Intelligence Index, 35% of exploitation activity involves man-in-the-middle attacks. S/MIME’s encryption makes it exceedingly difficult for attackers to access or alter emails while they are in transit.
• Email spoofing: A common tactic in spam and phishing campaigns, email spoofing is combated by S/MIME’s digital signature, which confirms the email’s authenticity and ensures it hasn’t been tampered with during transmission.

Benefits of S/MIME Encrypted Email

Using S/MIME encryption for email communications offers several advantages:

• Enhanced security: S/MIME provides a higher level of security for emails containing sensitive information by encrypting the email content and attachments, making it difficult for unauthorised parties to intercept or tamper with the message during transit.
• Encryption: S/MIME encrypts email content such that it can only be decrypted by the recipient who has the corresponding private key. However, this is not always considered true end-to-end encryption since intermediaries, such as enterprise mail servers, may have access to the encryption keys in some cases.
• Authentication: Digital signatures are used to confirm the sender’s identity, reducing the risk of email spoofing. This helps the recipient verify that the email came from the sender and wasn't altered during transmission.
• Message integrity: S/MIME guarantees that the email content and attachments remain unchanged during transmission. The digital signature ensures that any tampering would be detectable, thus preserving the integrity of the message.
• Regulatory compliance: Organisations can meet regulatory requirements, such as HIPAA in healthcare and DFARS in government sectors, by implementing S/MIME to secure email communications and protect sensitive information.

S/MIME Use Cases

S/MIME encryption is employed across a variety of industries and applications:

• Government agencies: Government bodies, including local councils and central agencies, can utilise S/MIME to secure internal and inter-departmental communications. S/MIME helps protect sensitive data transmitted via email from unauthorised access and tampering, ensuring compliance with data protection legislation such as UK GDPR and the Data Protection Act 2018, as well as cybersecurity standards like the UK Government’s Cyber Essentials scheme.
• Healthcare industry: Healthcare providers, including the NHS and private medical organisations, use S/MIME to safeguard the transmission of patients' sensitive medical records and personal data. S/MIME ensures the confidentiality and integrity of these communications, which is critical for maintaining patient privacy and complying with healthcare regulations such as the Data Security and Protection Toolkit (DSPT) and NHS Digital standards.
• Legal firms: Law firms handle vast amounts of confidential client data, including sensitive legal documents and intellectual property. S/MIME is used to protect solicitor-client communications, ensuring that these exchanges remain secure and confidential in line with Solicitors Regulation Authority (SRA) guidelines. This encryption helps legal professionals maintain trust and fulfil their obligations to client confidentiality.
• Financial services: UK banks, investment firms, and other financial institutions use S/MIME to secure sensitive financial information sent via email, such as account details, contracts, and transaction records. This not only reduces the risk of fraud but also ensures compliance with industry regulations such as those set by the Financial Conduct Authority (FCA) and the Payment Services Directive 2 (PSD2), which mandate robust protection of customer data during electronic communications.

Implementing S/MIME in Your Organisation

Successfully implementing S/MIME within an organisation requires careful planning, proper configuration, and ongoing management to ensure both usability and security.

Below is an overview of how to incorporate S/MIME encrypted email in your organisation:

1. Obtain Digital Certificates

Each user who wishes to send or receive encrypted or signed emails via S/MIME will need a digital certificate. These certificates can be obtained from trusted Certificate Authorities (CAs), such as GlobalSign, Sectigo, or Digicert.

The process typically involves identity verification by the CA, ensuring that the certificates are tied to legitimate individuals or organisations.

Tips:

• Choose well-established CAs to ensure broad compatibility across email clients and devices.
• Consider acquiring organisational certificates, which can simplify management and issuance for large teams.

2. Install Certificates

Once the digital certificates are issued, they need to be installed on the user’s device.

This installation process can differ depending on the email client and operating system in use but typically involves importing the certificate into the system’s keychain or certificate store.

Tips:

• Ensure compatibility with commonly used email clients such as Microsoft Outlook and Apple Mail.
• Automate the certificate installation process where possible, particularly in larger organisations, to streamline deployment and reduce errors.

3. Configure Email Clients

After installing the certificates, the next step is configuring email clients to use them for encryption and digital signatures.

This involves setting the default behaviour for signing and encrypting emails, as well as configuring how certificate validation is handled.

Steps:

• Set email clients to sign all outgoing emails by default to ensure authenticity and prevent phishing.
• Configure automatic encryption for emails where the recipient’s public key is available.
• Enable notification of untrusted or expired certificates to ensure prompt action when necessary.

Consideration: While encrypting all emails is ideal, it may cause compatibility issues with recipients who do not have S/MIME configured. Ensure your system allows flexibility to send unencrypted emails when necessary.

4. Train Users

Training is a critical part of implementing S/MIME encryption, as end-users will need to understand not only how to use the system but also why it’s important. It should cover:

• The process of sending and receiving encrypted or signed emails.
• Recognising when an email has not been signed or encrypted.
• How to handle certificate issues, such as expired or untrusted certificates.

Tips:

• Provide simple, clear instructions for day-to-day tasks like signing and encrypting emails.
• Use examples to demonstrate phishing risks and the importance of verifying digital signatures.
• Conduct refresher sessions regularly to keep users aware of security best practices and updates.

5. Establish Policies

It’s essential to create formal policies regarding the use of S/MIME to ensure consistency and security. These policies should address:

• When and how encryption should be used (e.g., for all sensitive communications).
• Procedures for managing certificates, including renewal, revocation, and replacement in case of loss or compromise.
• Steps to take in the event of a certificate-related security issue, such as a revoked or compromised certificate.

Example policies:

• Encryption policy: All emails containing sensitive data, financial information, or personally identifiable information (PII) must be encrypted using S/MIME.
• Certificate management policy: All certificates must be renewed 30 days before expiry and revoked immediately in the event of a suspected compromise.

6. Manage Certificate Lifecycles

Proper certificate management is key to maintaining the security of S/MIME.

Certificates have expiry dates, and it’s critical to keep track of when they are due to expire to avoid any service disruption.

Key tasks:

• Renewal: Automate certificate renewal processes to minimise the risk of expired certificates causing communication breakdowns.
• Revocation: Have clear procedures for revoking certificates in the event of a breach or lost key. Make use of Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) to ensure revoked certificates are no longer trusted.

Alternative Email Encryption Methods

While S/MIME offers robust email security, there are other encryption methods available that may better suit different organisational needs.

Below are some common alternatives, along with their pros and cons.

1. PGP (Pretty Good Privacy)

PGP is another widely used encryption method that offers both encryption and digital signature capabilities, similar to S/MIME.

However, instead of relying on certificates issued by centralised authorities, PGP operates on a web-of-trust model.

Pros:

• PGP users create their own key pairs and trust relationships, which makes it more flexible than S/MIME.
• Widely supported and used in both personal and professional settings.
• Does not require certificates from a Certificate Authority, reducing reliance on third parties.

Cons:

• PGP can be more challenging for non-technical users to understand and implement.
• Users must manually manage their web of trust, which can be cumbersome in large organisations.
• Not all email clients natively support PGP, and it may require additional software or plugins.

2. TLS (Transport Layer Security)

TLS is a protocol that encrypts the transmission of emails between mail servers.

This ensures that emails are protected while in transit between servers but does not offer end-to-end encryption like S/MIME or PGP.

Pros:

• TLS encryption happens at the server level, so no user action is required once configured.
• Most modern email providers and servers support TLS encryption.
• Protects email data from interception during transmission between servers.

Cons:

• Once emails reach the recipient’s mail server, they are no longer encrypted, leaving the content potentially vulnerable.
• TLS depends on both the sender's and recipient's mail servers supporting encryption. If either server doesn’t, the email may be transmitted in plaintext.

3. End-to-End Encryption

End-to-end encryption (E2EE) ensures that only the intended sender and recipient can access the content of the email.

Unlike other encryption methods like TLS, E2EE secures the data from the moment it leaves the sender’s device until it is decrypted by the recipient, leaving no point during transmission or storage where intermediaries (like email servers) can access or read the email.

Pros:

• Emails are encrypted at the sender’s device and decrypted only by the intended recipient, ensuring that no third parties, including email service providers, can read the contents.
• Since the encryption is applied at the user level, E2EE doesn’t depend on server-based encryption protocols, which can be vulnerable if a mail server is compromised.
• Even if communications are intercepted during transmission, the data remains encrypted and inaccessible, protecting against man-in-the-middle attacks.

At Beyond Encryption, we offer Mailock, a secure email solution designed to provide end-to-end encryption for businesses looking to protect sensitive communications.

Mailock seamlessly integrates with Outlook, encrypting emails between users and verifying the identity of the recipient to ensure that sensitive information is only accessible to the right people.

Conclusion

S/MIME encrypted email is a powerful solution for enhancing email security, offering strong encryption, authentication, and message integrity.

However, it's important to consider alternative encryption methods depending on your organisation’s specific needs.

By evaluating these options and understanding their pros and cons, businesses can choose the encryption method that best aligns with their security requirements, ensuring that sensitive communications remain protected against evolving cyber threats.

References:

Introduction to S/MIME, Microsoft Support, 2023

Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification, IETF RFC 3851

Email Security and Anti-Spoofing Guidance, NCSC, 2023

Reviewed By:

Sam Kendall, 11.10.2023

Sabrina McClune, 11.10.2023