S/MIME: How to encrypt and sign your emails?

When you send an email, you want the message to arrive safely in the desired recipient’s inbox and that they are the first to read it. When you receive emails yourself, you also want to be the only one to read the content and for it not to be manipulated in any way by any third parties. In addition, the specified sender should also be the actual sender of the email and not just pretend to be it. The only way to ensure this is to use encryption and electronic signatures, because without them, it makes it easier for cyber criminals to pounce, despite having spam protection and anti-virus software. A standard procedure that allows you to use both security features is S/MIME, defined in 1999.

In RFC 1847, two security enhancements were specified for the emmail standard MIME (Multipurpose Internet Mail Extension) in 1995: the format multipart/signed for signing messages, and multipart/encrypted for encrypting them. Four years later, the Internet Engineering Task Force (IETF) released the MIME extension, S/MIME , described in RFC 2633, a standard that supports the first mentioned signature format.

For the encryption, however, the process uses its own application/pkcs7-mime. With S/MIME, you can choose whether you want the email to either be encrypted or signed, or both.

S/MIME encryption and signing is possible across all popular email clients, such as Microsoft Outlook, Thunderbird, and Apple Mail. One well-known alternative that supports both multipart/signed and multipart/encrypted is OpenPGP, which was defined in 2007.

S/MIME is based on an asymmetric encryption method and therefore uses a key pair, which consists of a private key and a public key. While the public key is shared with all email contacts, the private key is only open for the user. On the one hand, it is needed to send encrypted emails in combination with the recipient’s public key, and, on the other hand, to decrypt received messages. An S/MIME certificate enables the email client to generate and exchange keys – this certificate can be obtained from various providers.

For email encryption to work, each S/MIME message is preceded by header data that provides the receiving client with the information needed to collect and process the content. Among other things, the content type – for encrypted data, for example, ‘enveloped data’ – the corresponding file name (i.e. smime.p7m for signed or encrypted data) or the coding form are specified for this purpose. For example, a possible header for an encrypted email could look like this:

The S/MIME signature, which can be automatically pinned to the email when composing it, is useful for several reasons: it provides the recipient with the public key for secure communication so that they can also send you messages with encrypted content. In addition, the signature proves to the recipient that you sent the email. Unlike PGP, adding a signature does not result in cryptic characters appearing. If the receiving email client encounters inconsistencies when checking the received signature, the legitimacy of the message won’t be confirmed, which could mean that the content has been manipulated.

As previously mentioned, using S/MIME requires a certificate (X.509). Basically, it is possible to create one yourself, however, you first need a root certificate, which also needs to be generated in this case. Furthermore, all communication partners must first import this root certificate before the actual key exchange can be initiated. The much simpler and less complicated solution is to purchase a certificate from an official certification authority where there are both paid and free versions available. Generally, the available certificates fall into the following three classes:

• Class 1: The certificate created by the certification authority ensures the authenticity of the specified email address.
   
• Class 2: The certificate assures the authenticity of the specified email address and the associated name. The company is also confirmed, if relevant. The verification of the information takes place via third-party databases or ID card copies.
   
• Class 3: These certificates differ from class 2 certificates since the sender needs to identify themselves personally.

If you want to encrypt your emails with S/MIME and look for a certificate, you should not lose sight of its core function: it should protect your email communication by preventing messages from being manipulated and stopping any that are. For this reason, it makes sense to put a lot of effort into choosing the most trustworthy provider.

A recommended service, whose certificates are claimed to be trusted by 99% of all email clients, is Sectigo (previously known asComodo). The certification authority, which is known for high-quality SSL certificates, offers a choice of certificates for private use with its ‘Free Secure Email Certificate’ (starting from $16.99 per year). ‘Secure Email Certificates’ (from $39.99 per year) provide a solution for businesses that want to implement a safe end-to-end email encryption with S/MIME. A reputable partner for creating free certificates is the Italian web hosting provider Actalis.

To incorporate the email security process into your email client, you’ll need the S/MIME certificate – so researching providers is the first step to getting a secure inbox. You then have to create a personalized certificate and install it. The exact procedure varies slightly, but it is generally similar for all providers. After installation, configure the respective email program in such a way that it uses S/MIME and the integrated certificate. In general, the setup process is completed by restarting the client, which then unlocks specific features for manual or automatic encryption or for signing messages.

The following sections provide detailed instructions for setting up S/MIME on Windows and macOS desktop systems as well as on iOS and Android mobile systems. The aforementioned free certificate service, Actalis, is used as the certification authority.

Apple devices already have a solution installed in the form of in-house client “Mail”, which enables you to encrypt and sign emails with S/MIME from the very beginning. If you have an email account, you can create a certificate directly with Actalis without having to install any further programs. The procedure is the same as for Windows: go to the Actalis website, click on “Sign Up Now” and then create the certificate based on your personal data. Then follow the instructions to install the certificate and set up S/MIME encryption:

1. Open the email sent by Actalis and download the certificate to any folder. The resulting file can be opened on macOS by double-clicking on it and adding it to the keychain administration. If you want to use S/MIME for your iPhone or iPad, you must first convert the certificate to the .p12 format. You can then send it to your mobile device by email.

2. After installation, all you need to do is start Apple Mail to integrate the encryption and signing process.
    
3. You can now test S/MIME by sending yourself an encrypted and signed message. To do this, you will find two corresponding buttons in the email window (lock for encryption, gear for signature). Both symbols are also found in an additional line under the subject of the rest message if the encryption and signature worked as planned.