What is S/MIME Encrypted Email?

Written by Sabrina McClune | 11 10 24

When it comes to keeping sensitive information safe, email security is a top priority for both individuals and organisations.

I’ve spent years studying the best practices for safeguarding personal and professional data, so I understand the critical importance of getting email security right.

One effective way to boost email security is through encryption, and S/MIME is one of the main types of encryption used for email.

Let’s explore what S/MIME encrypted email is, how it works, why it matters, and how you can put it to use in your organisation.

Understanding S/MIME

S/MIME, short for Secure/Multipurpose Internet Mail Extensions, is a widely used protocol that enables email encryption and digital signatures.

Originally developed in 1995 by RSA Data Security, S/MIME has since become a standard for securing email communications, ensuring confidentiality and authenticity for both senders and recipients.

With S/MIME, you get two core layers of security:

Digital signatures: Using a unique signing certificate, S/MIME adds a digital "stamp" that confirms the sender’s identity and ensures the content has not been altered.
Encryption: A pair of linked public and private keys ensures only the intended recipient can access an email’s content.

How S/MIME Works

S/MIME is built on a cryptographic foundation known as Public Key Infrastructure (PKI).

This framework provides the basis for the encryption and digital signature functionality that keeps emails secure and authentic.

The Encryption Process

S/MIME uses asymmetric encryption, a system that employs two keys - a public key and a private key - to lock and unlock content:

Public key retrieval: The sender’s email client retrieves the recipient’s public key from a certificate directory or direct sharing.
Encrypting the email: The email is encrypted using the recipient's public key, making it unreadable to outsiders.
Decryption: The recipient uses their private key to decrypt and read the email.

Digital Signature Authentication

S/MIME also secures emails by applying a digital signature:

Signature creation: The sender uses their private key to generate and attach a digital signature.
Verification: The recipient’s client uses the sender’s public key to validate the message’s integrity and origin.

This also enables non-repudiation - the sender cannot deny having sent the email.

"Implementing S/MIME is like adding a secure seal to every email - this helps to make sure only the right eyes see your message."

Mike Wakefield, CTO, Beyond Encryption

Certificate Authorities (CAs) in S/MIME

S/MIME relies on Certificate Authorities (CAs) - trusted third parties that issue digital certificates:

Issuance: CAs verify identities and issue certificates that include public keys and identity data.
Validation: Recipients’ email clients check the certificate’s issuer against a trusted CA list.

Because of the strict standards and audits involved, impersonating a CA is exceptionally difficult.

How S/MIME Addresses Email Security Challenges

S/MIME helps mitigate common email threats, including phishing, man-in-the-middle attacks, and email spoofing:

Phishing

96% of organisations have faced phishing attacks in the past year.

S/MIME reduces the risk by verifying the sender’s identity, giving recipients confidence the email is genuine.

Man-in-the-Middle Attacks

These attacks intercept communications between sender and recipient.

According to IBM, 35% of exploitation activity involves this type of attack.

S/MIME’s end-to-end encryption makes it nearly impossible to read or modify emails during transit.

Email Spoofing

S/MIME uses a digital signature to confirm the email’s authenticity.

This ensures recipients can trust the source and integrity of the message, laying a foundation of trust.

Benefits of S/MIME Encrypted Email

Enhanced Security

Encrypting content and attachments ensures messages cannot be read if intercepted.

Authentication

Digital signatures confirm the sender’s identity and prevent spoofing.

Message Integrity

S/MIME detects any tampering, maintaining trust in email content.

Regulatory Compliance

Using S/MIME can help meet regulations like the UK GDPR, Data Protection Act 2018, and FCA guidelines.

"In an age of relentless cyber threats, email encryption has evolved from a security measure to a legal obligation."

Paul Holland, Founder, Beyond Encryption

S/MIME Use Cases

S/MIME is widely used across sectors where data privacy and security are critical:

Government Agencies

Used to secure internal communications and comply with Cyber Essentials and data protection laws.

Healthcare

Healthcare bodies like the NHS use S/MIME to protect confidential medical records and patient data in line with the DSP Toolkit.

Legal Sector

Solicitors use it to secure client-attorney communications, meeting SRA guidance.

Financial Services

Banks and financial institutions use S/MIME to protect email communications and meet requirements from the FCA and PSD2.

Implementing S/MIME in Your Organisation

Rolling out S/MIME involves strategic planning, proper configuration, and ongoing certificate management.

Here’s how to get started:

1. Obtain Digital Certificates

Each user needs a certificate from a CA such as GlobalSign, Sectigo, or DigiCert.

Use established providers to ensure compatibility.
For larger teams, consider organisation-level certificates for easier management.

2. Install Certificates

Install certificates in users’ email clients or keychains.

Provide clear install guidance or automate the process.
Check compatibility with clients like Outlook or Apple Mail.

3. Configure Email Clients

Ensure settings support signing and encryption by default.

Enable automatic signing and encryption where possible.
Allow fallbacks when recipients aren’t S/MIME-ready.

"Proper configuration of email clients is the linchpin in S/MIME deployment - it bridges the gap between security and usability."

Carole Howard, Head of Networks, Beyond Encryption

4. Train Users

User training is essential to ensure adoption and security compliance.

Teach users how to send, receive, and verify signed and encrypted emails.
Explain what unsigned emails mean for trust and security.
Offer ongoing support and periodic refresher sessions.

5. Establish Policies

Create clear, enforceable policies covering S/MIME usage.

Encryption policy: All sensitive emails must be encrypted. Non-compliance may result in disciplinary action.
Certificate management: Renew 30 days before expiry. Revoke immediately upon compromise.

6. Manage Certificate Lifecycles

Ongoing certificate management prevents expired or compromised credentials from disrupting secure communication.

Renewal: Use automated systems where possible. Maintain manual fallback procedures.
Revocation: Act fast. Use CRLs or OCSP to ensure revoked certificates aren’t trusted.

"Managing certificate lifecycles proactively prevents security gaps that could be exploited - it's a vital part of any encryption strategy."

Mike Wakefield, CTO, Beyond Encryption

Alternative Email Encryption Methods

While S/MIME suits many, it’s worth knowing the alternatives:

1. PGP (Pretty Good Privacy)

Uses a decentralised web-of-trust model instead of certificate authorities.

Pros: Flexible, cost-effective, widely used.
Cons: Complex setup, steep learning curve for large teams.

2. TLS (Transport Layer Security)

Secures messages between email servers but doesn’t encrypt the content itself.

Pros: Easy to implement. Compatible with most email systems.
Cons: Vulnerable once emails reach the inbox. Server-dependent.

"TLS offers a good baseline of security, but for sensitive data, end-to-end encryption methods like S/MIME are indispensable."

Emily Plummer, Marketing Director, Beyond Encryption