What is S/MIME and How Does It Work? | Compuquip
If you’re wondering “what is S/MIME?” after reading the title of this post, don’t worry, you’re not alone. The term S/MIME (sometimes rendered as “SMIME”) isn’t something that most users of the internet are familiar with—even though they may have sent emails using S/MIME encryption certificates numerous times if they have a business email address.
Read on for an explanation of what S/MIME is, how it works, and how to use it to protect your emails.
What is S/MIME?
S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. It references a type of public encryption and signing of MIME data (a.k.a. email messages) to verify a sender’s identity. With S/MIME, it is possible to send and receive encrypted emails.
S/MIME has been around for a long while—long enough that Microsoft puts their help article for S/MIME under “Legacy security capabilities” on their website. Over the years, S/MIME has undergone several changes to eliminate security weaknesses such as EFAIL, a security vulnerability affecting end-to-end encryption solutions like S/MIME and PGP.
How Does S/MIME Work?
As mentioned above, S/MIME is a type of “end-to-end” encryption solution used for email messages. To be more specific, it uses asymmetric cryptography to protect emails from being read by a third party.
As noted by GlobalSign, a company specializing in Public Key Infrastructure (PKI) solutions for enterprises to secure communications, S/MIME used a public key to encrypt emails and “The email can only be decrypted with the corresponding private key, which is supposed to be in sole possession of the recipient.”
In other words, it’s a two-key system that leverages two different, but mathematically-related cryptography keys to work. This is why it’s called “asymmetric cryptography.” One key may be public, but without the hidden private key held by the recipient, the email should be nigh impossible to crack.
One common criticism of the way that S/MIME encryption works is that, because it encrypts all of the contents of an email, it can make it harder for antivirus/antimalware scanners to detect malicious software downloads and site links in an email. This can make it more difficult for some security measures to stop email-based cyberattacks where a legitimate sender’s email account is either used maliciously or hijacked by hackers.
How Do I Enable S/MIME Email Encryption?
Enabling S/MIME email encryption may be different for you depending on the web browser and email application combination that you use. While covering every possible combination would not be practical, here are a few examples of how your S/MIME control on different email client and browser combinations:
Enabling S/MIME on Outlook 2010 or Later:
(Based on instructions found on the MS website)
- Install a Windows-based Certification Authority and set up a public key infrastructure to issue S/MIME certificates.
- Publish user certificates in your on-prem AD DS (Active Directory Domain Services) in the UserSMIMECertificate and/or UserCertificate attributes.
- If yours is an Exchange Online organization, synchronize user certificates from AD DS to the Azure Active Directory by using DirSync (you may need to check for the right version).
- Set up a virtual certificate collection to validate S/MIME so Outlook can verify the signature on the email.
- Set up the Outlook or EAS endpoint to use the S/MIME encryption.
Note: These instructions only work on Windows-based devices. Devices using other operating systems, such as iOS, Android, or Mac, need to use the “Outlook on the Web” S/MIME setup instructions.
Enabling S/MIME Online Encryption for Outlook on the Web:
(Instructions based on content from the Microsoft Guide to S/MIME for Outlook on the Web)
- For Exchange Online PowerShell. You will require admin-level access to the Exchange Online service for Outlook on the web. Use the Get-SMIMEConfig and Set-SMIMEConfig cmdlets in a Windows PowerShell script to view or manage the S/MIME control feature in Exchange Online PowerShell. This should work for enabling S/MIME in Outlook on most browsers that support PowerShell.
- For Outlook on Chrome. Setting S/MIME Chrome for Outlook on the web will require an admin to configure a policy called ExtensionInstallForcelist to install Microsoft’s S/MIME extension in Chrome. Individual users will still need to download the S/MIME control in Outlook on the web when they first use it.
How to Enable S/MIME Gmail:
To use S/MIME encryption in Gmail, you will need to have G Suite Enterprise, G Suite for Education, or G Suite Enterprise for Education. S/MIME control isn't available for Gmail without one of these products.
The basic setup steps for a hosted S/MIME email encryption solution, abbreviated from a Google Support article on the subject, are:
- Log into an Administrator Account. Non-admin accounts cannot open the admin console needed to set up a hosted S/MIME encryption solution.
- Go to User Settings. From the Admin console’s Home page, select Apps > G Suite > Gmail > User Settings.
- Select the Domain or Organization to Configure. This will be found on the left of the screen, under Organizations.
- Select the “Enable S/MIME” Box. There should be a box with the setting that you can enable with a click.
- Allow Users to Upload Certificates (Optional). You can allow users to upload their own S/MIME certificates as an option.
- Set up Root Certificate Management (Optional). You can manage the root certificates used for S/MIME email encryption by:
- Clicking Add next to Accept these additional Root Certificates for specific domains.
- Clicking on Upload Root Certificate.
- Browsing to find the certificate file and selecting Open. A verification message should appear. Otherwise, an error message may appear.
- Under Encryption level, choose the encryption level to use with the selected certificate.
- Under Address list, enter at least one domain that will use the uploaded root certificate.
- Click Save.
- Repeat these steps for each additional certificate chain.
- Does Your Domain/Organization NEED to Enable Secure Hash Algorithm 1? If so, you may need to select the Allow SHA-1 globally box. Otherwise, this is not recommended by Google.
- Click Save. Save your settings so they don’t get lost.
- Have All Users Reload Gmail. After enabling hosted S/MIME Gmail encryption, users will need to reload their Gmail client to see the change.
- Upload S/MIME Certificates. You can upload personal S/MIME certificates in Gmail if you:
- Go to Settings.
- Click on the Accounts tab.
- Click on Edit Info in the Send mail as area. A window should appear with the “enhanced encryption” option—if this was enabled in Step 5 listed above.
- Click on Upload a personal certificate.
- Select the certificate and click Open. A password prompt should appear if this works.
- Enter the password and click on Add certificate.
- Have Users Exchange S/MIME Keys. To decrypt encrypted messages, users in the organization will need to exchange S/MIME encryption keys. This can be done by:
- Sending an S/MIME encrypted message to the recipient with a digital signature that includes the user’s public key. This can then be used to send S/MIME-encrypted emails.
- Asking recipients to send a message. The S/MIME signed message will allow the encryption key to be automatically stored so future messages will be encrypted.
The above steps should allow your organization to set up S/MIME online encryption with relative ease.
How to Send an S/MIME-Encrypted Email
So, how can you make sure that the emails you send apply S/MIME encryption? First, you need to make sure that your organization has set up S/MIME as per the steps outlined above.
Then, you need to:
On Outlook Web App/Outlook on the Web:
- Get a Certificate. Obtain a certificate/digital ID from your organization’s administrator.
- Install the S/MIME Control. If you don’t have the control installed, and receive an S/MIME encrypted message, you’ll be prompted to install the control. Or, you can start composing a new message, select Message options and click on Encrypt this message (S/MIME). You’ll then get a prompt to install the S/MIME control.
- Run the File. When prompted, hit the Run command in the download menu. You may be prompted to verify that you want to run the software.
- Close and Reopen the App. You will need to close your Outlook Web App (Outlook on the web) to refresh the app and ensure that S/MIME encryption is enabled.
- Got to the “Gear” Menu. From the menu, select S/MIME Settings. Here, you’ll find the options you need for the next two steps.
- Set Encryption for Content and Attachments of All Messages. To ensure all Outlook communications are encrypted, simply select Encrypt contents and attachment of all messages I send.
- Sign Messages with S/MIME. Wondering how to sign an email with S/MIME? Simply select Add a digital signature to all messages I send to apply a blanket digital S/MIME email signature to all outgoing emails.
Encrypting Individual Messages with S/MIME in Outlook:
If you want to pick and choose the emails you want to encrypt and/or sign with S/MIME in Outlook on the web, you can:
- Follow Steps 1-4 of the Previous Instruction. You’ll need to download and install a certificate/digital ID for your organization.
- In the Message, Select More Options. Go to the more options “…” menu and select Message options.
- Select “Encrypt This Message (S/MIME).” This will turn on S/MIME for this particular message. This can also be used to disable S/MIME for a message. You may receive a warning if some recipients aren’t able to decrypt the S/MIME message.
- Select “Digitally Sign This Message (S/MIME).” This will turn on the S/MIME signature for the current email, or turn it off if you already had it enabled.
Sending S/MIME Encrypted Emails in Gmail
Gmail will automatically display the level of encryption available for each sender you add to an email when you compose it. To check if a message you’re sending in Gmail is encrypted, you can:
- Start composing a message.
- Add recipients to the “To” field.
- Check the icons to the right of each recipient’s name. A lock icon should appear that shows the level of encryption that is supported by that recipient. If multiple recipients have different levels of encryption, the lowest common encryption status will be shown.
- Click on the lock and select View details to check or change your S/MIME settings.
You can also check the encryption status of an incoming message by opening it. The steps for checking may vary slightly based on your browser/device:
- On Android Devices: Tap View details and go to View security details.
- On an iPhone/iPad: Simply tap View details.
You should see a color-coded lock icon that shows you what level of encryption the email is using. Green locks indicate strong encryption suitable for sensitive data (like S/MIME), gray locks indicate encryption suitable for common messages (like Transport Layer Security [TLS]), and red icons indicate a lack of encryption.
Does My Company Need S/MIME?
Is S/MIME an absolute necessity for your organization? Theoretically, you can conduct business perfectly fine without S/MIME email or other online encryption. You could also theoretically cross a narrow rope bridge over the Grand Canyon without a handrail, but why would you want to?
S/MIME encryption offers a few key advantages for keeping your email communication secure from attackers, including:
- Verifying Sender Identities. By signing emails with S/MIME, you can add an extra layer of sender identity verification to your digital communications. This can help to thwart certain email phishing techniques, as your staff can easily filter out unencrypted and unsigned emails as fake.
- Preventing Man in the Middle Hijacking. Say an employee is working remotely at a coffee shop, and the communications between their devices and the shop’s Wi-Fi network are intercepted by a hacker. With end-to-end encryption methods such as S/MIME, the attacker will have to decrypt the email before they can use the stolen information—assuming they can break the encryption in the first place. This helps to reduce risk by providing time to discover the interception and take fraud prevention measures.
- Ensuring Message Integrity. Because S/MIME requires the contents of the whole email to be checked and matched to decrypt the email, the smallest change will trigger a warning message. This helps to prevent and/or detect tampering. It also helps make email messages non-refutable—a sender cannot later deny the contents of the message, which can be useful for enforcing transparency and accountability.
New S/MIME Requirements in 2023
A recent survey by Abnormal Security found that 92% of participants had experienced one or more email-related security breaches over the past year. With that in mind, in January of this year, industry leaders adopted new S/MIME Baseline Requirements to increase consistency regarding publicly trusted email signing certificate management.
In general, industry leaders agree that the two most important factors for preventing cybercrime and network breaches are first, adequate employee training, and right behind that, digital signatures on all outbound emails with encryption on messages that contain sensitive information. One of the industry’s governing bodies, the CA/Browser (CA/B) Forum has issued some new Baseline Requirements (BRs) for guidance on S/MIME certificates.
The new BRs cover:
- Appropriate and inappropriate certificate uses
- Subject identity verification
- Subject identity validation
- Operational practices
They also identify four types of email signing certificates:
- Individual-validated S/MIME
- Mailbox-validated S/MIME
- Organization-validated S/MIME
- Sponsor-validated S/MIME
The new guidelines further break each of these categories down into profiles that may be legacy, multipurpose, or strict. The legacy profile will eventually be phased out as new requirements are imposed. The multipurpose profile is valid for document signing purposes and email purposes, and can be valid for as long as 2.25 years. Finally, the strict profile is the long-term target profile for S/MIME certificates.
Need help setting up online encryption solutions for your organization? Have questions about S/MIME or other cybersecurity tools? Reach out to the Compuquip team now! We’ll be happy to help you out.