
What is S/MIME Encrypted Email?

When it comes to keeping sensitive information safe, email security is a top priority for both individuals and organisations.

I’ve spent years studying the best practices for safeguarding personal and professional data, so I understand the critical importance of getting email security right.

One effective way to boost email security is through encryption, and S/MIME is one of the main types of encryption used for email.

Let’s explore what S/MIME encrypted email is, how it works, why it matters, and how you can put it to use in your organisation.

Understanding S/MIME

S/MIME, short for Secure/Multipurpose Internet Mail Extensions, is a widely used protocol that enables email encryption and digital signatures.

Originally developed in 1995 by RSA Data Security, S/MIME has since become a standard for securing email communications, ensuring confidentiality and authenticity for both senders and recipients.

With S/MIME, you get two core layers of security:

  • Digital signatures: Using a unique signing certificate, S/MIME adds a digital "stamp" that confirms the sender’s identity and ensures the content has not been altered.
  • Encryption: A pair of linked public and private keys ensures only the intended recipient can access an email’s content.

S/MIME uses encryption and digital signatures to ensure only the intended recipient can access email content and verify the sender's identity

How S/MIME Works

S/MIME is built on a cryptographic foundation known as Public Key Infrastructure (PKI).

This framework provides the basis for the encryption and digital signature functionality that keeps emails secure and authentic.

The Encryption Process

S/MIME uses asymmetric encryption, a system that employs two keys - a public key and a private key - to lock and unlock content:

  1. Public key retrieval: The sender’s email client obtains the recipient’s public key, which is carried in the recipient’s S/MIME certificate, either from a certificate directory or through direct sharing.
  2. Encrypting the email: The email is encrypted with the recipient’s public key, so it is unreadable to anyone who does not hold the matching private key.
  3. Decryption: The recipient uses their private key to decrypt and read the email.

Digital Signature Authentication

S/MIME also secures emails by applying a digital signature:

  1. Signature creation: The sender’s client computes a digital signature over the message using the sender’s private key and attaches it to the email.
  2. Verification: The recipient’s client uses the sender’s public key to check the signature, confirming that the message came from the holder of that key and has not been altered.

This also enables non-repudiation - the sender cannot deny having sent the email.
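The encryption and signature steps above, run end to end with the OpenSSL command-line tool. This is an added example, not code from the original article or from Beyond Encryption: it assumes `openssl` 3.x is on the PATH, and the users, addresses and message text are constructed for the demo. Self-signed certificates stand in for CA-issued ones, so Bob trusts Alice’s certificate directly rather than through a chain; the point to watch is that verification fails as soon as one figure in the signed text is changed.

```shell
#!/bin/sh
# Added example, not from the original article: the S/MIME round trip described
# above, using the OpenSSL CLI (assumed: openssl 3.x on the PATH). Alice signs
# with her private key, encrypts to Bob's public key, Bob decrypts with his
# private key and verifies the signature against Alice's certificate.
# Names, addresses and message text are constructed; self-signed certificates
# stand in for CA-issued ones.
set -eu

# Key pair plus self-signed S/MIME certificate for one user.
# $1 = file prefix, $2 = common name, $3 = e-mail address
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.pem" \
        -subj "/CN=$2/emailAddress=$3" \
        -addext "subjectAltName=email:$3" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}

# Runs the whole exchange; returns 0 when the genuine message verifies and the
# tampered copy is rejected, 1 otherwise.
smime_roundtrip() (
    work=$(mktemp -d)
    cd "$work"
    make_identity alice "Alice Sender" alice@example.test
    make_identity bob "Bob Recipient" bob@example.test
    printf 'Please transfer 100 GBP to account 12345678.\n' > message.txt

    # Signature creation: Alice signs the message with her private key. The
    # signed message carries her certificate so Bob can check it later.
    openssl cms -sign -in message.txt -signer alice.pem -inkey alice.key -out signed.eml

    # Public key retrieval + encryption: bob.pem stands in for the certificate
    # Alice would fetch from a directory; its public key encrypts the content.
    openssl cms -encrypt -aes256 -in signed.eml -out encrypted.eml bob.pem

    # Decryption: only Bob's private key can recover the signed message.
    openssl cms -decrypt -in encrypted.eml -recip bob.pem -inkey bob.key -out decrypted.eml

    # Verification: Bob checks the signature against Alice's certificate, which
    # he treats as trusted here (in production it would chain to a CA).
    openssl cms -verify -in decrypted.eml -CAfile alice.pem -out verified.txt 2>/dev/null
    grep -qF 'transfer 100 GBP to account 12345678' verified.txt || return 1

    # Message integrity: change one figure in the signed text; verification fails.
    sed 's/transfer 100 GBP/transfer 900 GBP/' decrypted.eml > tampered.eml
    if openssl cms -verify -in tampered.eml -CAfile alice.pem -out /dev/null 2>/dev/null; then
        return 1
    fi
    rm -rf "$work"
)

smime_roundtrip
```

Signing before encrypting is the usual order: the signature is part of what gets encrypted, so an observer on the path sees neither the content nor who signed it, and Bob still gets both the sender check and the integrity check once he has decrypted.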

"Implementing S/MIME is like adding a secure seal to every email - this helps to make sure only the right eyes see your message."

Mike Wakefield, CTO, Beyond Encryption

Certificate Authorities (CAs) in S/MIME

S/MIME relies on Certificate Authorities (CAs) - trusted third parties that issue digital certificates:

  • Issuance: CAs verify identities and issue certificates that include public keys and identity data.
  • Validation: Recipients’ email clients check the certificate’s issuer against a trusted CA list.

Because of the strict standards and audits involved, impersonating a CA is exceptionally difficult.

How S/MIME Addresses Email Security Challenges

S/MIME helps mitigate common email threats, including phishing, man-in-the-middle attacks, and email spoofing:

Phishing

96% of organisations have faced phishing attacks in the past year.

S/MIME reduces the risk by verifying the sender’s identity, giving recipients confidence the email is genuine.

Man-in-the-Middle Attacks

These attacks intercept communications between sender and recipient.

According to IBM, 35% of exploitation activity involves this type of attack.

S/MIME’s end-to-end encryption means an intercepted email cannot be read in transit, and its digital signature means any modification is detected on arrival.

Email Spoofing

S/MIME uses a digital signature to confirm the email’s authenticity.

This ensures recipients can trust the source and integrity of the message, laying a foundation of trust.

35% of exploitation activities involve man-in-the-middle attacks, which S/MIME helps to prevent through robust encryption

Benefits of S/MIME Encrypted Email

Enhanced Security

Encrypting content and attachments ensures messages cannot be read if intercepted.

Authentication

Digital signatures confirm the sender’s identity and prevent spoofing.

Message Integrity

S/MIME detects any tampering, maintaining trust in email content.

Regulatory Compliance

Using S/MIME can help meet regulations like the UK GDPR, Data Protection Act 2018, and FCA guidelines.

"In an age of relentless cyber threats, email encryption has evolved from a security measure to a legal obligation."

Paul Holland, Founder, Beyond Encryption

S/MIME Use Cases

S/MIME is widely used across sectors where data privacy and security are critical:

Government Agencies

Used to secure internal communications and comply with Cyber Essentials and data protection laws.

Healthcare

Healthcare bodies like the NHS use S/MIME to protect confidential medical records and patient data in line with the DSP Toolkit.

Legal Sector

Solicitors use it to secure client-attorney communications, meeting SRA guidance.

Financial Services

Banks and financial institutions use S/MIME to protect email communications and meet requirements from the FCA and PSD2.

Implementing S/MIME in Your Organisation

Rolling out S/MIME involves strategic planning, proper configuration, and ongoing certificate management.

Here’s how to get started:

1. Obtain Digital Certificates

Each user needs a certificate from a CA such as GlobalSign, Sectigo, or DigiCert.

  • Use established providers to ensure compatibility.
  • For larger teams, consider organisation-level certificates for easier management.

96% of organisations have experienced at least one phishing attack in the past year

2. Install Certificates

Install certificates in users’ email clients or keychains.

  • Provide clear install guidance or automate the process.
  • Check compatibility with clients like Outlook or Apple Mail.

3. Configure Email Clients

Ensure settings support signing and encryption by default.

  • Enable automatic signing and encryption where possible.
  • Allow fallbacks when recipients aren’t S/MIME-ready.

"Proper configuration of email clients is the linchpin in S/MIME deployment - it bridges the gap between security and usability."

Carole Howard, Head of Networks, Beyond Encryption

4. Train Users

User training is essential to ensure adoption and security compliance.

  • Teach users how to send, receive, and verify signed and encrypted emails.
  • Explain what unsigned emails mean for trust and security.
  • Offer ongoing support and periodic refresher sessions.

5. Establish Policies

Create clear, enforceable policies covering S/MIME usage.

  • Encryption policy: All sensitive emails must be encrypted. Non-compliance may result in disciplinary action.
  • Certificate management: Renew 30 days before expiry. Revoke immediately upon compromise.

6. Manage Certificate Lifecycles

Ongoing certificate management prevents expired or compromised credentials from disrupting secure communication.

  • Renewal: Use automated systems where possible. Maintain manual fallback procedures.
  • Revocation: Act fast. Publish revocations via certificate revocation lists (CRLs) or OCSP so that email clients stop trusting revoked certificates.
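The issuance and validation steps from the Certificate Authorities section and the lifecycle checks in step 6, as an added example that is not part of the original article: a throwaway private CA built with the OpenSSL command-line tool (assumed to be version 3.x and on the PATH). "Demo Root CA", the users and the deliberately short 20-day certificate are constructed; the 30-day renewal window is the article’s own figure, expressed as 2592000 seconds for `openssl x509 -checkend`.

```shell
#!/bin/sh
# Added example, not from the original article: a throwaway private CA built
# with the OpenSSL CLI. It shows issuance (the CA signs a user's certificate),
# validation (the client checks the issuer against its trusted CA), the 30-day
# renewal window, and CRL-based revocation. Assumes openssl 3.x on the PATH.
# "Demo Root CA", the users and their addresses are constructed for the demo.
set -eu

# Minimal configuration for `openssl ca`, used only to keep the revocation
# database and publish the CRL.
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
emailAddress     = optional
EOF
    mkdir -p newcerts
    : > index.txt
    echo 'unique_subject = no' > index.txt.attr
    echo 1000 > serial
    echo 1000 > crlnumber
}

# Issuance: after checking the applicant's identity (out of band), the CA signs
# a certificate binding the e-mail address to the applicant's public key.
# $1 = file prefix, $2 = common name, $3 = e-mail address, $4 = validity (days)
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2/emailAddress=$3" 2>/dev/null
    printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n' "$3" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days "$4" -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# Validation: does the certificate chain to our trusted CA and is it fit for
# S/MIME signing? Returns 0 when trusted.
validate_for_smime() {
    openssl verify -CAfile ca.pem -purpose smimesign "$1" >/dev/null 2>&1
}

# Same check, but also against the CA's published revocation list.
validate_with_crl() {
    openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check -purpose smimesign "$1" >/dev/null 2>&1
}

# Renewal window: returns 0 if the certificate expires within 30 days (2592000 s).
needs_renewal() {
    ! openssl x509 -checkend 2592000 -noout -in "$1" >/dev/null 2>&1
}

# Revocation: record the certificate as revoked and publish a fresh CRL.
revoke_cert() {
    openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# Walk through the lifecycle; returns 0 if every check behaves as expected.
smime_ca_demo() (
    work=$(mktemp -d)
    cd "$work"
    write_ca_config

    # The CA's own key and self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout ca.key -out ca.pem \
        -subj "/CN=Demo Root CA (constructed)" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

    issue_cert carol "Carol" carol@example.test 365
    issue_cert dave "Dave" dave@example.test 20     # expires inside the renewal window

    # A self-signed certificate claiming Carol's address: no trusted CA vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout other.key -out other.pem \
        -subj "/CN=Carol/emailAddress=carol@example.test" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null

    validate_for_smime carol.pem || return 1              # issued by our CA: trusted
    if validate_for_smime other.pem; then return 1; fi    # unknown issuer: rejected

    needs_renewal dave.pem || return 1                    # 20-day certificate: renew now
    if needs_renewal carol.pem; then return 1; fi         # 365-day certificate: fine

    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    validate_with_crl carol.pem || return 1               # not revoked yet
    revoke_cert carol.pem                                 # e.g. after a key compromise
    if validate_with_crl carol.pem; then return 1; fi     # revoked: no longer trusted

    rm -rf "$work"
)

smime_ca_demo
```

The `-crl_check` step is the part clients most often skip: without it, a revoked certificate still chains cleanly to the CA and verifies, which is why the policy in step 5 pairs "revoke immediately" with a client-side check that actually consults the CRL or an OCSP responder.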

"Managing certificate lifecycles proactively prevents security gaps that could be exploited - it's a vital part of any encryption strategy."

Mike Wakefield, CTO, Beyond Encryption


Alternative Email Encryption Methods

While S/MIME suits many, it’s worth knowing the alternatives:

1. PGP (Pretty Good Privacy)

Uses a decentralised web-of-trust model instead of certificate authorities.

  • Pros: Flexible, cost-effective, widely used.
  • Cons: Complex setup, steep learning curve for large teams.

2. TLS (Transport Layer Security)

Encrypts the connection between mail servers while a message is in transit, but does not encrypt the message content itself.

  • Pros: Easy to implement. Compatible with most email systems.
  • Cons: Vulnerable once emails reach the inbox. Server-dependent.

"TLS offers a good baseline of security, but for sensitive data, end-to-end encryption methods like S/MIME are indispensable."

Emily Plummer, Marketing Director, Beyond Encryption

3. End-to-End Encryption (E2EE)

Encrypts email content directly on the sender’s device, keeping it secure until the recipient decrypts it.

  • Strong protection even if mail servers are compromised.
  • No third-party access during storage or transit.

S/MIME: A Summary

S/MIME provides powerful email security through end-to-end encryption, authentication, and message integrity.

It’s a trusted, scalable option for organisations handling sensitive communications - from finance and law to healthcare and public sector services.

Consider your business needs and technical capacity to determine if S/MIME or another encryption method is best for you.


FAQs

What Does S/MIME Mean in Email?

It stands for Secure/Multipurpose Internet Mail Extensions. It secures emails with encryption and digital signatures.

Should I Turn On S/MIME for My Emails?

If you handle sensitive data, yes. It reduces risks like phishing, spoofing, and unauthorised access.

How Does S/MIME Address Email Security Problems?

By encrypting messages, confirming sender identity, and detecting tampering.

What Are the Disadvantages of Using S/MIME?

Certificates can be costly and administratively heavy. Both sender and recipient must be configured to use it.

Does Gmail Support S/MIME?

Only for Google Workspace enterprise accounts. Setup requires certificate installation and configuration.

How Do I Get an S/MIME Certificate for Outlook?

Buy one from a trusted CA. Install it and configure Outlook to sign and encrypt your emails.


References

Introduction to S/MIME, Microsoft Support, 2023

Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification, IETF RFC 3851

Email Security and Anti-Spoofing Guidance, NCSC, 2023

The Latest Phishing Statistics, AAG IT Services, 2023

Man-in-the-Middle Attacks Explained, SecureW2, 2024

The UK GDPR, ICO, 2024

Data Protection Act 2018, Gov.uk, 2024

UK Government’s Cyber Essentials, NCSC, 2024

Data Security and Protection Toolkit (DSPT), NHS, 2024

Solicitors Regulation Authority (SRA), 2024

Financial Conduct Authority (FCA), 2024

Payment Services Directive 2 (PSD2), 2024

GlobalSign (Digital Certificate Provider), 2024

Sectigo (Digital Certificate Provider), 2024

DigiCert (Digital Certificate Provider), 2024

Phishing Statistics, IT Governance, 2023

Reviewed by

Sam Kendall, 15.11.2024

Sabrina McClune, 13.06.2025


Originally posted on 11.10.24
Last updated on June 13, 2025

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.
