
How S/MIME Works for Encrypted Email

    If you want to encrypt emails and attachments, you have several options available to you, ranging from simple to complex. So, how should technology buyers choose the best email encryption software for their organizations? The answer to that question depends on your organization’s data-sharing workflows and requirements.

    In our previous post, How to Encrypt an Email: The Easy Way and the Hard Way, we highlighted S/MIME as one method for email encryption. In this post, we’ll go in depth on S/MIME, its requirements, how it works, its pros and cons, and what kinds of organizations S/MIME works best for. 

    What is S/MIME? 

    Created by RSA Data Security in 1995, S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely used set of specifications for encrypting and digitally signing emails, based on the MIME standard. It provides security features like confidentiality, authentication, message integrity, and non-repudiation.

    Think of S/MIME email encryption like a secret handshake between the sender and the recipient. That handshake (the exchange of digital signatures) authenticates the identities of the sender and the recipient and creates a trusted connection between Point A and Point B, through which you can safely transport sensitive information. 

    Like PGP encryption, S/MIME requires some initial setup for both the sender and recipient. (More on that later.) But, unlike PGP encryption, which creates new session keys for each data exchange, S/MIME establishes a connection between two trusted collaborators through the exchange of signed messages, and then uses the same key pairs to encrypt subsequent messages between those two parties. 

    If you are a Google customer, you may recognize S/MIME as the encryption standard used for Google Gmail Client-Side Encryption (CSE).

    S/MIME Requirements for Senders and Recipients

    To exchange emails with S/MIME encryption, both senders and recipients need to do a few things. 

    S/MIME requires senders and recipients to: 

    • Use an S/MIME-compatible email client. This shouldn’t be difficult, as most major email clients support S/MIME.
    • Purchase and install an S/MIME certificate issued by a trusted certificate authority (CA). Each user needs their own certificate. These certificates do expire, so you’ll need to renew them periodically to ensure emails are being properly encrypted.
    • Exchange digital signatures before sharing encrypted content.

    If you’re using S/MIME in the context of Google Gmail CSE, you’re also required to either manage your own keys using the Google CSE API, or select a CSE key management partner. To read how S/MIME works for Gmail CSE specifically, check out our step-by-step Gmail CSE Setup Guide.

    How S/MIME Works

    S/MIME uses public-key cryptography to encrypt message contents and attachments. The sender's email client retrieves the recipient's public key certificate from a directory or other trusted source, then uses the public key to encrypt the email, ensuring only the holder of the corresponding private key (the intended recipient) can decrypt and read it.

    With S/MIME, the sender and recipient must exchange a digitally signed message (the secret handshake) to establish a trusted connection. Digitally signing the email confirms the sender's identity to the recipient. The client uses the sender's private key to create a digital signature, which the recipient verifies against the sender's public key certificate.
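    The following shell script is an added example, not code from the original post or from Virtru: it walks through the two steps described above (encrypt to the recipient's public key certificate, sign with the sender's private key) with the openssl command-line tool, and also checks certificate lifetime, since the requirements section notes that S/MIME certificates expire. "alice" and "bob", their addresses, the 30-day certificate lifetime and the message text are all constructed for the demonstration, and the certificates are self-signed so the script runs offline; a real deployment uses certificates issued by a trusted CA, which the recipient's client verifies against that CA's root instead of the `-CAfile` shortcut used here. One detail worth seeing in the encrypt step: the long-term certificate key pairs are reused across messages, but each message is encrypted under its own randomly generated symmetric key, which is wrapped with the recipient's RSA public key.

```shell
#!/bin/sh
# Added example (not from the original post or Virtru): an S/MIME round trip with the
# openssl CLI. "alice" (sender) and "bob" (recipient) are constructed identities with
# self-signed certificates; real deployments use certificates issued by a trusted CA.
set -eu

# make_identity NAME EMAIL DIR
# Creates an RSA key pair and a self-signed certificate valid for 30 days (a
# constructed lifetime, chosen so the expiry check below has something to report).
make_identity() {
    id_name=$1; id_email=$2; id_dir=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$id_name/emailAddress=$id_email" \
        -keyout "$id_dir/$id_name.key" -out "$id_dir/$id_name.crt" >/dev/null 2>&1
}

# cert_valid_for SECONDS CERT
# Succeeds if CERT is still valid SECONDS from now; fails if it will have expired.
cert_valid_for() {
    openssl x509 -in "$2" -noout -checkend "$1" >/dev/null
}

# smime_roundtrip DIR
# Signs, encrypts, decrypts and verifies one message and prints the text the
# recipient recovered. Intermediate files are left in DIR for inspection.
smime_roundtrip() {
    work=$1
    make_identity alice alice@example.com "$work"
    make_identity bob bob@example.com "$work"

    printf 'Quarterly numbers attached.\n' > "$work/plain.txt"   # constructed message

    # 1. Alice signs with her private key; her certificate travels inside the
    #    message so Bob can verify it (multipart/signed, i.e. clear signing).
    openssl smime -sign -text -in "$work/plain.txt" \
        -signer "$work/alice.crt" -inkey "$work/alice.key" -out "$work/signed.eml"

    # 2. Alice encrypts the signed message to Bob's certificate. openssl generates
    #    a fresh random AES-256 key for this message and wraps it with Bob's RSA
    #    public key; only the holder of Bob's private key can unwrap it.
    openssl smime -encrypt -aes256 -in "$work/signed.eml" \
        -out "$work/encrypted.eml" "$work/bob.crt"

    # 3. Bob decrypts with his private key.
    openssl smime -decrypt -in "$work/encrypted.eml" \
        -inkey "$work/bob.key" -recip "$work/bob.crt" -out "$work/decrypted.eml"

    # 4. Bob verifies Alice's signature. A CA-issued certificate would chain to the
    #    CA's root; the self-signed test certificate is trusted directly via -CAfile.
    openssl smime -verify -text -in "$work/decrypted.eml" \
        -CAfile "$work/alice.crt" -out "$work/verified.txt" 2>/dev/null

    # S/MIME canonicalises signed text to CRLF line endings; normalise for display.
    tr -d '\r' < "$work/verified.txt"
}

# Stand-alone run: perform the round trip and report on certificate lifetime.
demo_dir=$(mktemp -d)
echo "Recipient recovered: $(smime_roundtrip "$demo_dir")"
if cert_valid_for 86400 "$demo_dir/alice.crt"; then
    echo "alice.crt is still valid tomorrow"
fi
if ! cert_valid_for $((60 * 86400)) "$demo_dir/alice.crt"; then
    echo "alice.crt will have expired 60 days from now: renew before then"
fi
rm -rf "$demo_dir"
```

    Run it with `sh` in a directory you can write to. The `cert_valid_for` check is the kind of thing an administrator would schedule against every user's certificate so that renewals happen before the expiry date, rather than after users discover their encrypted mail no longer verifies.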

    There’s a training component of S/MIME that’s important to highlight here: Both parties (sender and recipient) need to be well-versed in S/MIME in order to exchange that digital signature before they can exchange encrypted information. 

    Once that digital signature exchange has taken place, the sender and recipient can then exchange encrypted messages and attachments with each other, and each future exchange will use the same key pairs. 

    Senders should be aware that they will need to repeat this process for every new contact who will be receiving S/MIME-encrypted messages. This includes sending encrypted emails to a group of people: the process needs to be followed for each contact on that thread — and all of these contacts also need to have S/MIME certificates in place for an end-to-end encrypted exchange to be successful.

    Pros and Cons of S/MIME

    Like any technology, S/MIME has pros and cons. To decide whether S/MIME is right for you and your organization, you need to decide what your priorities and goals are for email encryption. 

    S/MIME Pros

    S/MIME has endured for nearly 30 years because it is a secure and reliable standard for encryption. Here are a few of the benefits: 

    • End-to-end encryption protects email contents from being read by unauthorized parties.
    • Digital signatures verify the email originated from the claimed sender. 
    • Provides authentication, data integrity, and non-repudiation.
    • Compatible with most email clients and servers.

    S/MIME Cons

    While there are benefits to S/MIME, it is also one of the more complex methods of email encryption. Here are some of the downsides:

    • Overhead is heavier than with other encryption methods: purchasing S/MIME certificates; maintaining those certificates as employees onboard or offboard; training employees on how to send and receive S/MIME-encrypted messages; and providing support when recipients are not prepared to accept S/MIME messages.
    • Using the same key pairs over time may increase risk. Because S/MIME uses the same key pairs between sender and recipient over time, this can create issues if the sender’s or recipient’s private key is compromised, as those same keys may protect extensive amounts of information.
    • The recipient experience comes with friction, particularly if recipients aren’t tech-savvy or don’t understand S/MIME. If recipients don’t have an S/MIME certificate installed, this can create bottlenecks in the secure exchange of information.
    • Friction can reduce user adoption. Where individuals need to share information externally with new contacts on a regular basis, you may find that users circumvent S/MIME, creating potential security risks as data leaves the organization unprotected.

    Who Should Use S/MIME?

    Any organization can use S/MIME, but it should be well prepared. S/MIME can be a good fit for certain organizations, while others may find the complexity and overhead unsustainable. 

    For example, organizations with predictable, established workflows between the same individuals — or organizations whose email correspondence is largely internal — may opt for S/MIME. While it does require a more substantial lift to set up S/MIME, obtain certificates, assign key pairs, and establish trusted connections with any external collaborators, it then becomes straightforward for team members to exchange information securely with those same partners who are set up to receive S/MIME emails. For example, a government department may correspond primarily with the same individuals at another government agency, but not with the general public — repeating the same data sharing patterns with the same individuals consistently. This kind of organization may choose S/MIME as their encryption method to secure those predictable workflows. 

    However, for organizations with more dynamic secure workflows that involve new contacts and organizations on a regular basis, S/MIME may be more complex than your IT team would prefer. As we mentioned above, a secure exchange must be made to establish a trusted connection before an encrypted email can be shared, so internal users and external recipients must be educated on how to exchange that digital signature and what to look out for. If the recipient does not understand S/MIME or doesn’t respond to the initial email, then encrypted information cannot be shared. 

    For some administrators, this can be a dealbreaker: They want to make it as easy as possible to protect the sensitive information being shared externally. Further, the purchase and setup of S/MIME certificates for every user is cumbersome for large organizations, where employee turnover can result in additional tasks for the IT team.  

    Alternatives to S/MIME

    If you’re looking for an alternative to S/MIME, you have a few options. 

    End-to-End Encryption Software: Virtru for Gmail and Microsoft Outlook

    If S/MIME proves too cumbersome for your organization’s data-sharing workflows, you can explore security software like Virtru, which provides client-side encryption for Gmail, as well as Outlook encryption. Virtru is deployed as a Chrome extension for Gmail and an add-on for Outlook. This makes deployment fast and lightweight for admins and users alike, and it does not require S/MIME certificates or key pairs to set up, while still providing the powerful data security your organization demands. This also empowers your organization to meet strict regulatory obligations including CMMC, ITAR, CJIS, HIPAA, and more. Your users can start exchanging encrypted emails in minutes — no “secret handshake” necessary. 

    Legacy Encryption Methods: Portals or PGP Encryption

    Other S/MIME encryption alternatives include PGP encryption and secure email portals, which do provide encryption, but may be lacking in terms of user experience and efficiency. 

    Bottom Line: S/MIME Works Well for Some, But May Be Cumbersome for Others

    S/MIME secures important email communications for businesses, government agencies, and individuals handling sensitive data. While it involves some overhead, its encryption, authentication and non-repudiation capabilities make it a solid choice for organizations with predictable data exchange workflows. Those with more dynamic data sharing needs may find the maintenance of S/MIME too cumbersome — especially if those organizations operate at scale. 

    Ultimately, it’s good to have several encryption options to choose from — and whether you’re looking for an S/MIME encryption key management partner or an alternative to S/MIME altogether, Virtru can support you with powerful capabilities that lighten the load for your team. We have a long history of supporting a wide range of email encryption workflows, and we would love to talk with you about your organization’s needs and how we can best support you. 

    Ready to learn more about how Virtru can support your chosen email encryption strategy? Contact our team to start the conversation.

    Megan Leader

    Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.