Let’s take a dive into the ins and outs of S/MIME certificates — what an S/MIME certificate is, what it does, how it helps, and what options you can choose from

We have come a long way since the dial-up connection sound was followed by a way-too-friendly voice telling us “you’ve got mail.” Since then, email has literally become the backbone of internal and external business communications. Who would have thought that picking up the phone and calling someone would become so infrequent? There are hundreds of billions of emails transmitting across the internet per day. Per day!

With so many emails traveling back and forth, it’s vital that we make the communication process as secure as possible. This importance jumps ten-fold when you’re a business owner, executive, or an employee who handles sensitive data. Some types of sensitive data that you want to protect could include:

  • Intellectual property,
  • Credit card numbers,
  • Customer contact info,
  • Personal employee data, and
  • Pretty much anything else you can think of.

And you don’t just have to worry about someone infiltrating your email, you also have to worry about cybercriminals using email to trick your employees into giving away data via phishing scams. The FBI reports that between June 2016 and July 2019, more than $26 billion dollars were loss due to business email compromise/email account compromise (BEC/EAC) scams. Yikes!

So, with all this talk about the dangers of email, we’re sure you are wondering how you can secure your email communications. One way is with S/MIME. What is S/MIME? So glad you asked…

What Is S/MIME?

S/MIME, which stands for secure multipurpose internet mail extension, is an email security protocol. Although S/MIME certificates are commonly known as email signing certificates and personal authentication certificates, their purpose is two-fold:

  1. To ensure the email recipient can confirm the sender’s identity (that they are who they claim to be and not an imposter).
  2. To prevent unintended parties from intercepting, reading, or compromising email contents in any way when in transit or while sitting on an email server.

S/MIME certificates are able to accomplish these two objectives with the use of a digital signature and end-to-end encryption. You apply the digital signature to the message and hash it before encrypting it to ensure the message’s integrity.

What is S/MIME graphic: An illustration of how the S/MIME email encryption process works
A visual depiction of how S/MIME encryption works. The sender uses the recipient’s public key to encrypt the message before sending the message to them to decrypt using their corresponding private key.

You can think of the digital signature as your personal identification stamp that only you can create. The concept is similar to using a unique wax seal to help seal letters to prevent people from tampering with your communications. You know who it’s from and whether someone has opened it. S/MIME certificates use public key encryption to accomplish this feat. The sender will use their private key to digitally sign their email. Then, a public key accompanies the email as its sent and is used by the recipient to authenticate your signature.

The end-to-end encryption is what ensures your email contents are not read or modified by unintended parties. It protects data both while it’s in transit and at rest. The emails are encrypted with the recipient’s public key and decrypted with the recipient’s private key. What’s great about this in particular is that it encrypts your communications before you even hit the “send” button!

S/MIME certificate graphic that illustrates how the S/MIME email encryption & decryption work with public and private keys
A visual depiction of the S/MIME process that shows how you can use it to encrypt and then decrypt data. The sender sends an encrypted email to the recipient who uses their private key to decrypt the message on their end.

An S/MIME certificate’s ability to provide this type of security accomplishes quite a bit:

  • Serves as a counter against spoofed phishing emails.
  • Helps you to avoid man-in-the-middle attacks.
  • Prevents your data from being exposed in data breaches and leaks.
  • Protects data for your customers, clients, employees, and anyone else you send emails to.
  • Helps you to avoid long-term damage done to your brand.
  • Helps you stay compliant with a variety of industry regulations (HIPAA, GDPR, CCPA, PCI DSS, etc.)

S/MIME is supported by most major email clients. This list of clients includes:

  • Apple Mail,
  • Gmail,
  • IMB Notes,
  • iPhone iOS Mail,
  • Microsoft Outlook, and
  • Mozilla Thunderbird.

What Is S/MIME? Breaking Down S/MIME Validation Levels

S/MIME certificates generally go by three different validation levels or sometimes they’re bunched in a “class.” This classification can vary from one certificate authority (CA) to the next, but the general guide below should put you in a position to select the best S/MIME certificate to meet your needs.

Email Validation and Domain Validation S/MIME Certificates

I’ve grouped these two together because there’s a lot of overlap between them. As the names imply, email validation and domain validation require you to get your email or domain validated. This usually results in a pretty quick turnaround time in terms of a CA issuing your certificate (often within minutes). Some CAs will want to validate both your email and domain.

Individual Validation S/MIME Certificates

This level of validation is geared towards a single employee or a freelance worker (something like an individual software publisher). That’s because individual validation typically requires some type of identification card and a company email during the process. Once again, this validation process takes only a few minutes for some CAs to complete.

Organization Validation S/MIME Certificates

This validation level is for organizations who want to validate their entire company. This validation process is a bit more involved and could take one to five days depending on the CA. The process usually involves a verification phone call as well as verifying the email address, domain, and the existence of the organization.

More on What S/MIME Is & What an S/MIME Certificate Comes With

The validation levels could affect what add-on features come with your S/MIME certificate. The add-on features below could be included with a DV or IV certificate, or a CA may designate them as special features that only come with an OV S/MIME certificate.

Document Signing

If you’re able to use your S/MIME certificate for document signing, it’s a nice added bonus for your purchase. Document signing functions in a way that’s similar to email signing in that it uses a digital signature for verification. You’ll use your private key to digitally sign a document before sending it off. The recipient will be able to verify the document was signed by you via your unique digital signature.

Your digital signature also acts as a seal over the document in that if someone tampers with the document and breaks the seal, your recipient will be notified with a warning message. One thing to pay attention to when purchasing an S/MIME certificate is what programs are compatible with the certificate. For example, your S/MIME certificate may be compatible with Microsoft Office suite but not Adobe. So, if you mainly use Adobe Acrobat/Adobe Reader, then you might want to get a document signing certificate that’s separate from your S/MIME certificate.

If you run into an issue like this, a great resource is the Adobe Approved Trust List which has a list of certificates that are trusted by Adobe.

Digital Signature vs E-Signature

As we mentioned earlier, an integral component of every S/MIME certificate is its digital signature. But many people are unsure of the differences between an e-signature and digital signature. So, we thought it would be good to take a moment to explain the difference between the two.

Contrary for what some people think, they’re not the same. An e-signature, or electronic signature, is really no more than a way to sign a person’s name on a digital document. A digital signature (used with a proper certificate), on the other hand, gives the recipient a way to verify the sender’s identity is legitimate and know if someone tampers with documents.

Client Authentication

Some S/MIME certificates includes a client authentication feature that enables you to use certificate-based two-factor authentication to better secure your servers, apps, and network.

With the client authentication feature, you have the power to ensure only authorized users can access your servers and all the important data they store. Basically, only users with the proper client certificate installed on their device can authenticate themselves and connect to the server or service. This is much more secure than just using a password to protect your server as passwords are easy to phish or crack via brute force attacks and other password cracking methods.

S/MIME Certificate Options

If you’re looking for a S/MIME certificate, you can find one right here on CheapSSLSecuirty.com. For example, our DigiCert S/MIME certificate is an OV certificate that comes with a document signing and client authentication feature. It takes two days (or less) for the validation process to complete and it’s coming from DigiCert — the world’s leading CA. And the best news is that our S/MIME certificates don’t break the bank!

What Is S/MIME & Why Do You Need It? A Final Word

As we wrap up our journey and answering the question “what is S/MIME?” it is important to remember a few key takeaways:

  • S/MIME protects email communications via digital signature and end-to-end encryption.
  • Recipients can verify who you are and if someone tampered with an email.
  • Validation levels include email validation, individual validation, and OV.
  • Validation levels can affect what features are included with your S/MIME certificate. Some email signing certificates offer document signing functionalities. This means that you can digitally sign Office documents and not just your emails!
  • There are plenty of good S/MIME certificate options out there to choose from!

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.