S/MIME encryption: who needs it & how to get it
Learn more about S/MIME, how to obtain S/MIME certificate, understand how S/MIME encryption works, and S/MIME exchange online.
A lack of email security leaves your business wide open to cybercriminals. Fraudsters take advantage of the fact that more companies are using increased amounts of digital tools and resources, and now 94% of malware is delivered directly to email inboxes. S/MIME is an email protocol that helps organizations maintain the integrity of their messages and reduce data breaches.
What is S/MIME?
S/MIME stands for Secure Multipurpose Internet Mail Extension. S/MIME is an email signing protocol aimed to increase email security using cryptographic functions. S/MIME certificates enable users to verify email senders with time-stamped digital signatures to help avoid phishing, breaches of data, and imposters.
S/MIME comes with built-in security services such as authentication, non-repudiation of origin, message integrity, and privacy. S/MIME lets you encrypt and decrypt emails for extra security, and there are also additional security features that you can use, including signed receipts, security labels, and secure mailing lists.
S/MIME email security protocol ensures that documents can be shared across networks while maintaining file integrity. They can even double as document signing certificates by signing and encrypting files before they leave the network.
One of the critical features of S/MIME is the different classes of certificates that it offers. Since there isn’t a single certificate authority standard, these validation levels allow organizations to tailor their level of email security according to their unique needs.
Validation levels offered by S/MIME:
- Email validation — requires a valid email address and verifies the domain.
- Individual validation — verifies the identity of employees and issues an email signing certificate for individuals.
- Organization validation — certifies the validity of an organization in a process that requires speaking to a representative from the organization and domain verification before a company certificate is issued.
Users around the world send more than 319 billion emails each day. Some may come from trusted senders, others from imposters.
Many emails include deals and discounts, while others contain malicious attachments and code. Although S/MIME has not been widely implemented, it’s still supported by numerous email clients and provides automated tools to implement and manage certificates.
How does S/MIME encryption work?
S/MIME works for a great many businesses worldwide. It’s widely accepted as a robust email encryption protocol. Its two-fold functioning as an encryption protocol and a digital signature provides end-to-end protection, so you know that the messages you send and receive are secure.
Digital Signatures
Digital signatures provide crucial security capabilities:
- Authentication — a digital signature validates the sender’s identity so that you can be sure they are who they claim to be.
- Nonrepudiation — a digital signature ensures that neither party can deny their actions under that signature. This includes sending and receiving messages, approving information, or simply using the digital signature.
- Data integrity — a digital signature assures that emails aren’t altered in transit, or else S/MIME would invalidate the signature.
While digital signatures alone provide integrity, they can’t guarantee confidentiality without encryption. That’s why S/MIME uses a combined approach to email security that includes digital signatures and encryption.
Encryption
S/MIME encryption allows the translation of information sent via email into an unreadable format. The encrypted email can only be decrypted or changed back into its original form by its intended recipient with a private decryption key.
Email encryption refers to the following security services:
- Confidentiality — encryption protects the content of your emails from unauthorized interception. It ensures the information in your messages remains private while it is in transit and when it’s sitting in your inbox.
- Data integrity — similarly to a digital signature, encryption assures that emails have not been altered in transit since no one except the intended recipient can decrypt the message.
S/MIME email security
But without a comprehensive email security protocol such as S/MIME, you can’t be sure that your emails are indeed secure.
S/MIME combines digital signatures and email encryption to create a layered approach to email security. When you receive a message, you can ensure that the sender is valid and that no one else has accessed your documents to change or view the information.
Who should use S/MIME?
S/MIME may not be practical for everyday email applications, but it can be a crucial tool to manage business email. Whether or not you should use S/MIME digital signatures and email encryption depends on how much privacy you need for business operations and the size of your organization. Of course, there are exceptions, and even some individuals, especially those with home offices, can benefit from using S/MIME.
Who needs S/MIME?
- Businesses that adhere to PCI compliance guidelines.
- Organizations that are required to keep information private according to the Healthcare Insurance Portability and Accountability Act, or HIPAA.
- Companies that do business in countries that are protected by the General Data Protection Regulation, or GDPR.
- Government agencies.
- Organizations that deploy enterprise-level security.
- Businesses and individuals that have shifted to remote and hybrid work models.
- Companies that manage email lists and collect personal information via email.
In general, if your company uses business email for internal and customer-facing communications, then implementing S/MIME can add a crucial layer of security.
Cybersecurity experts agree that ransomware poses the greatest threat to businesses in 2022. Since malware and ransomware are most often deployed due to phishing and other email scams, companies should prioritize email security and install S/MIME.
Pros and Cons of using S/MIME
A multi-faceted approach to email security lends itself to innovation as well as complications. Weighing the pros and cons can help you decide if S/MIME is right for your organization.
Pros
- S/MIME is a very secure email encryption protocol. It offers digital integrity and privacy that prevent phishing attacks and enable secure communication.
- S/MIME integrates with several different email solutions. However, some email solutions do not provide native S/MIME certificate support.
Cons
- S/MIME users can only send secure emails to other S/MIME users.
- Setting up your digital signature with S/MIME requires intimate knowledge of the platform you are working on.
- There are also a few cons that are associated with implementing S/MIME certificates. For example, its end-to-end encryption can disrupt email search since the contents must be decrypted to be understood.
- S/MIME can interfere with other security protocols such as anti-virus scanners, archiving tools, and other data loss prevention mechanisms. For example, emails are scanned for viruses on the way out of the network. But because the email is encrypted, S/MIME will hide the contents from the receiving gateway scanner.
How do I get a S/MIME certificate?
A S/MIME certificate is prescribed by a certificate authority. There are public and private authorities of this kind. You must first find a certificate authority you trust, then you can purchase a S/MIME certificate. You can expect to pay anywhere from $25 to hundreds of dollars per year, depending on the certificate authority that you choose.
What is a S/MIME certificate authority?
A certificate authority is responsible for issuing digital certificates such as S/MIME, SSL, and TLS. The certificate authority determines the security procedures, certificate requirements, and the parameters of the certificates they issue. CAs must document these policies and make them public so that individuals can decide whether or not to trust a specific authority.
2 main types of certificate authorities:
- Public — a third party that issues certificates to other organizations. Backed by the regulatory standards set out by the CA/Browser Forum, public certificate authorities are generally accepted as trustworthy.
- Private — an internal certificate authority that only issues certificates for a specific organization. Since they create certificates with specs according to business needs, they are not typically trusted outside the organization.
How to enable S/MIME encrypted emails?
After you get your S/MIME certificate, you will need to enable it in your email client.
Outlook Desktop
- Select File > Options.
- Choose Trust Center at the bottom of the menu in the options window, and open Trust Center Settings > Email Security.
- Now, click Import/Export under Digital IDs, then hit Browse.
- Open the PKCS#12 file and enter your password.
- Navigate to Encrypted Email and click Settings to enter a name for your security settings.
- Navigate to Signing Certificate and click Choose to select your certificate, then confirm your selection.
- Navigate to the Encryption Certificate and confirm your certificate.
- Close the Change Security Settings Window.
- Set your S/MIME defaults in email options.
Outlook 365 Web App (OWA)
- Go to Settings > Mail > S/MIME.
- When prompted, select Run or Open.
- Verify your selection.
- Next, you need to allow Outlook to use S/MIME.
- For Internet Explorer, you will be asked: “Do you want to allow the domain to use the S/MIME control to encrypt and decrypt messages in your inbox?” Select Yes.
- For Edge or Chrome, you will receive a message: “S/MIME isn’t configured to work with the current domain. You can add it in the S/MIME Extension options page in the settings for your browser.” Follow the link to settings and allow the domain to use S/MIME.
Gmail
- After installing the certificate to your device, sign in to your Google console using an administrator account.
- Go to Apps > Google Workspace > Gmail > User Settings.
- Under Organizations on the left side of the screen, select the domain you want to enable.
- Scroll down until you see the S/MIME setting and check the box next to Enable S/MIME Encryption.
- It may take up to 24 hours for your S/MIME settings to update across the network.
Mac
- Double click your downloaded certificate file to open Keychain Access. Then, enter your password to install the certificate.
- Once installed, your certificate will appear in Keychain Access > My Certificates.
- Close and re-open Mail and compose a new secured message.
iPhone
- Import your .p12 file and select Open. Enter your password to open the file.
- Select Install. You may be prompted to enter your password again.
- To enable the certificate for iOS, go to Settings > Mail.
- Select the email account associated with your S/MIME certificate under Accounts.
- Tap your email address on the next screen and then again on the following screen.
- Go to Advanced > Mail, scroll down, and toggle the slider to ON next to S/MIME.
- To turn on digital signing and encryption, toggle their corresponding sliders to ON.
- Close and re-open your mail app to start sending secure emails.
Exchange
- First, install your certificate on your machine.
- Open your Windows Start Menu and choose All Programs > EA Disclaimer and S/MIME for IIS and Exchange Server.
- Follow the steps on the screen to set up S/MIME encryption and digital signatures.
- When finished, make sure that the Microsoft Exchange Transport Service and the Microsoft Exchange Mail Submission Service are running. If not, then start them.
PGP vs. S/MIME: which is better?
PGP and S/MIME are both email security protocols that similarly use encryption. However, some key differences show how S/MIME has evolved from PGP.
While PGP only covers security issues related to plain text emails, S/MIME meets the needs of today’s businesses by extending this protection to other email data and attachments. Also, S/MIME is already integrated into numerous email clients, so you don’t need to download additional software to experience its benefits.
The table below details the main differences between PGP and S/MIME:
PGP | S/MIME |
Designed to process plain text emails | Designed to process email and multimedia files |
Ideal for personal use | Ideal for office, enterprise, and industrial use |
Based on user key exchange | Relies on certificate hierarchy for key exchange |
Requires additional software | Integrated with commonly used email products |
Standard encryption | Strong encryption |
Diffie-Hellman digital signature | ElGamal digital signature |
Can be applied to VPNs | Applies to email services |
Public keys = 4096 | Public keys = 1024 |
Less expensive | More expensive |
Wrapping up
S/MIME is a powerful email encryption protocol that offers digital signatures to keep your email data secure. In today’s world of rising ransomware losses and increased vulnerabilities caused by fragmented security ecosystems, email encryption is your best defense against fraud.
Implementing S/MIME increases your organization’s ability to protect consumer information, internal business data, and login credentials. The email security protocol is the strongest of its kind and is backed by Public Key Infrastructure, or PKI, to secure your email and let your recipients know that your domain can be trusted.
Use S/MIME to protect against phishing, spoofing, man-in-the-middle attacks, with the ability to encrypt and digitally sign your emails. Whether you are just beginning to grow your email list or have legacy security protocols in place, there is a S/MIME solution for every major email client.