What is S/MIME and how does it work?

Email security

Whether it's for personal or professional use, sending and receiving email is a part of our daily routines and has been for quite some time. Even though we're using email services frequently, that doesn't mean security is automatically built-in. That's where S/MIME plays a pivotal role.

Secure/Multipurpose Internet Mail Extensions, or S/MIME, is a security protocol that digitally signs and encrypts emails. It also proves that an email was not altered in any way and that it came from the sender it claims to come from. That proof is critical for businesses sending sensitive data, such as those in the healthcare industry.

How to define S/MIME and the role it plays in encryption

The "multipurpose" part of S/MIME refers to the fact that it's a type of email encryption and a standard for authenticating email data to confirm a sender's identity. 

To deliver that, S/MIME implements two features:

  • Digital signature: a signature made with the sender's unique signing certificate lets the recipient confirm who sent the message and that its content is intact.
  • Encryption: a pair of mathematically linked public and private keys ensures that only the intended recipient can read the email's content.

Together, these mean the protocol keeps data in transit accessible only to authorized individuals and shows that neither the message nor its attachments have been altered in any way.

If you were to compare an S/MIME digital signature to securing a physical letter, it would be the equivalent of you (the sender) writing your friend's (the recipient's) address and your own return address by hand and using a personalized postage stamp. Those details allow the recipient to confirm that the letter is, in fact, from you.

How S/MIME works

S/MIME's encryption and digital signatures rely on a public key infrastructure (PKI). PKI is the framework of technology and processes for issuing, distributing and storing digital certificates and for managing public-key encryption.

The encryption that S/MIME uses is end-to-end encryption: the message is entirely inaccessible while in transit, and only the sender and recipient have access to its contents. The sender encrypts the email and the recipient decrypts it, which is where the "end-to-end" comparison comes from.

The encryption is asymmetric because separate keys are used for encrypting and for decrypting. Using PKI, the sender encrypts the email with the recipient's public key, while the private key, known only to the recipient, is the decryption mechanism.

Once a certificate has been obtained from a digital certificate authority, the S/MIME certificate is installed for each email domain. When an email is sent and the public and private keys are used for encryption, the S/MIME protocol also attaches a digital signature to the email, which authenticates the sender.
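The sign-then-encrypt flow described in this section, as an added shell example using the openssl command-line tool; this is not code from the article. It creates self-signed certificates for three constructed identities, alice, bob and eve, which stand in for CA-issued S/MIME certificates so the example runs offline. Alice signs an invoice line and encrypts it to Bob's certificate; Bob decrypts with his private key and verifies Alice's signature; Eve cannot decrypt, because the message was never encrypted to her public key; and changing one digit in the signed text makes verification fail, which is the "not altered in any way" guarantee from the previous section. All names, email addresses, the message text and file paths are constructed for the example, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the article: an S/MIME sign-then-encrypt round trip with the openssl CLI.
# Assumes `openssl` is on PATH. Every identity, key, certificate and message below is constructed
# here in a scratch directory; nothing is sent anywhere.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME EMAIL
# Creates a self-signed certificate and private key for NAME. In production the certificate would
# come from a certificate authority; self-signed ones keep the example offline.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1/emailAddress=$2" >/dev/null 2>&1
}

# sign_and_encrypt
# Alice signs the plaintext with her private key (detached signature, multipart/signed), then the
# signed message is encrypted to Bob's public key taken from bob.crt. Only Bob's private key opens it.
sign_and_encrypt() {
  openssl smime -sign -text -in "$WORK/msg.txt" \
    -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" \
    -out "$WORK/signed.eml" 2>/dev/null &&
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -out "$WORK/encrypted.eml" "$WORK/bob.crt" 2>/dev/null
}

# decrypt_and_verify NAME
# NAME tries to decrypt with their own private key; the signature is then checked against Alice's
# certificate, which also acts as the trust anchor here because it is self-signed.
# Succeeds only for the intended recipient; the verified body is written to verified_NAME.txt.
decrypt_and_verify() {
  openssl smime -decrypt -in "$WORK/encrypted.eml" \
    -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/decrypted_$1.eml" 2>/dev/null || return 1
  openssl smime -verify -text -in "$WORK/decrypted_$1.eml" \
    -CAfile "$WORK/alice.crt" -out "$WORK/verified_$1.txt" 2>/dev/null
}

# tamper_and_verify
# Changes one digit in the decrypted (still signed) message and re-verifies it. The detached
# signature covers the text, so verification must fail.
tamper_and_verify() {
  sed 's/USD 100/USD 900/' "$WORK/decrypted_bob.eml" > "$WORK/tampered.eml"
  openssl smime -verify -text -in "$WORK/tampered.eml" \
    -CAfile "$WORK/alice.crt" -out /dev/null 2>/dev/null
}

# Constructed identities and message (placeholder values only).
make_identity alice alice@example.com
make_identity bob bob@example.com
make_identity eve eve@example.com
printf 'Invoice 42: USD 100 due Friday.\n' > "$WORK/msg.txt"

sign_and_encrypt

if decrypt_and_verify bob; then
  echo "bob: decrypted and signature verified -> $(tr -d '\r' < "$WORK/verified_bob.txt")"
fi
if decrypt_and_verify eve; then
  echo "eve: UNEXPECTEDLY decrypted the message"
else
  echo "eve: cannot decrypt, the message was not encrypted to her key"
fi
if tamper_and_verify; then
  echo "tampered: UNEXPECTEDLY verified"
else
  echo "tampered: signature verification failed, alteration detected"
fi
```

Signing happens before encrypting, so the signature travels inside the encrypted envelope and is only checked after decryption; that is the order the article describes, and it means an intermediary sees neither the text nor who signed it.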

Why S/MIME is beneficial for a business

Using S/MIME when sending sensitive or highly confidential emails is straightforward and offers two features in one security protocol—email encryption and digital signature authentication. Aside from the usability aspect, here are other benefits businesses can take advantage of by using S/MIME:  

  • Encryption provides higher security levels for the data within the email 
  • End-to-end encryption increases data privacy as only the sender and recipient can access the data 
  • Digital signatures provide proof that the sender is whom they say they are 
  • Digital signatures ensure that message contents and attachments have not been altered by anyone else 

How to activate S/MIME?

Depending on the email provider you use, activating S/MIME involves a few steps. For example, if you send and receive email through Microsoft Outlook, you'll need to follow these steps:

  1. Obtain a certificate from your company's IT administrator or the domain's helpdesk
  2. In the email program, click on Settings > Mail > S/MIME
  3. Look for the phrase, "To install it, click here," and click that link
  4. You'll see a pop-up asking to "Run," "Open," or "Save" the file -- depending on the browser you're using, you'll either click "Run" or "Open" to continue the installation.
  5. Internet Explorer Users: You'll see a question pop up asking you if you trust the domain -- select "Yes."

If you're a Chrome user, you may receive an error message stating that S/MIME isn't configured to work with your domain. If that error message appears, add an S/MIME extension by going to your browser settings.

As soon as you close and re-open Outlook, activation is complete. You won't be able to use the S/MIME control until you do.

How do you enable and use S/MIME encryption?

To use S/MIME encryption, you need to enable it on your email application after it's activated. Like with activation, the process of enabling it differs depending on the email provider and web browser your organization uses. 

For individual Outlook emails, assuming that you already have a digital certificate installed for your business, enable S/MIME by clicking "Select More Options" from the message you're composing. Then select "Message Options" and click the option that reads, "Encrypt This Message (S/MIME)." That encrypts the message, so you need to make sure the recipient has what's needed to decrypt it on their end. In the same menu options, you can also select "Digitally Sign This Message (S/MIME)." That turns on the digital signature to authenticate your identity to the recipient.

For individual Gmail emails, as you're creating a message and adding recipients, look for a lock icon next to their names in the message. Click on the lock, select "View Details," and you can see if the S/MIME encryption is activated.