S/MIME: how to encrypt and sign your e-mails

When you send an e-mail, you want the message to arrive safely in the intended recipient’s inbox, and you want that recipient to be the first to read it. When you receive e-mails, you likewise want to be the only one who reads the content, and you want it to arrive without having been manipulated by third parties. In addition, the stated sender should be the actual sender of the e-mail and not someone merely pretending to be. The only way to ensure this is to use encryption and electronic signatures; without them, cyber criminals have an easier time, even if you have spam protection and anti-virus software. A standard procedure that allows you to use both security features is S/MIME, defined in 1999.

What is S/MIME?

In RFC 1847, two security enhancements were specified for the e-mail standard MIME (Multipurpose Internet Mail Extension) in 1995: the format multipart/signed for signing messages, and multipart/encrypted for encrypting them. Four years later, the Internet Engineering Task Force (IETF) released the MIME extension, S/MIME (RFC 2633), a standard that supports the first mentioned signature format.

For encryption, however, S/MIME uses its own content type, application/pkcs7-mime. With S/MIME, you can choose whether an e-mail is encrypted, signed, or both.

S/MIME encryption and signing is possible across all popular e-mail clients, such as Microsoft Outlook, Thunderbird, and Apple Mail. One well-known alternative that supports both multipart/signed and multipart/encrypted is OpenPGP, which was defined in 2007.

How do S/MIME encryption and signing work?

S/MIME is based on an asymmetric encryption method and therefore uses a key pair, which consists of a private key and a public key. While the public key is shared with all e-mail contacts, the private key is known only to the user. It is needed, on the one hand, to send encrypted e-mails in combination with the recipient’s public key and, on the other hand, to decrypt received messages. An S/MIME certificate enables the e-mail client to generate and exchange keys – this certificate can be obtained from various providers.

For e-mail encryption to work, each S/MIME message is preceded by header data that gives the receiving client the information it needs to identify and process the content. Among other things, the header specifies the content type (for encrypted data, for example, 'enveloped data'), the corresponding file name (i.e. smime.p7m for signed or encrypted data) and the transfer encoding. For example, a possible header for an encrypted e-mail could look like this:

Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

The S/MIME signature, which can be attached automatically when you compose an e-mail, is useful for several reasons: it provides the recipient with your public key, so that they can in turn send you messages with encrypted content. In addition, the signature proves to the recipient that you sent the e-mail. Unlike PGP, adding a signature does not result in cryptic characters appearing. If the receiving e-mail client encounters inconsistencies when checking the received signature, the legitimacy of the message won’t be confirmed, which could mean that the content has been manipulated.
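
As an added example (not part of the original article), the Python function below reads the MIME headers described above and reports which S/MIME layer a message declares, including the multipart/signed case that OpenPGP shares. The function names, the constructed sample messages and the `smime.p7s` signature part name are assumptions of the example.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

SMIME_TYPES = {"enveloped-data": "encrypted", "signed-data": "signed (opaque)",
               "certs-only": "certificates only"}
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}  # x- = legacy name
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def _param(part, name):
    """Content-Type parameter as a lower-cased string ('' if absent)."""
    return collapse_rfc2231_value(part.get_param(name) or "").lower()

def classify_smime(raw):
    """List the S/MIME layers a message *declares* in its MIME headers.

    Headers only: nothing here verifies a signature or decrypts anything.
    """
    findings = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype in PKCS7_MIME:
            label = SMIME_TYPES.get(_param(part, "smime-type"))
            if label is None:  # smime-type is optional; the file name is a weak hint
                name = (part.get_filename() or "").lower()
                label = "pkcs7-mime, undeclared type" + (" (.p7m)" if name.endswith(".p7m") else "")
            findings.append(label)
        elif ctype == "multipart/signed":
            proto = _param(part, "protocol")
            if proto in PKCS7_SIG:
                findings.append("signed (detached, micalg=%s)" % (_param(part, "micalg") or "?"))
            else:  # e.g. OpenPGP, which uses the same multipart/signed container
                findings.append("multipart/signed, not S/MIME (%s)" % (proto or "no protocol"))
    return findings or ["no S/MIME layer declared"]

# Constructed sample messages (bodies are placeholders, not real CMS data).
ENCRYPTED = ("Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n"
             "Content-Transfer-Encoding: base64\n"
             "Content-Disposition: attachment; filename=smime.p7m\n\nAAAA\n")
SIGNED = ('Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
          ' micalg=sha-256; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\nhello\n'
          '--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n'
          'Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n')
PGP_SIGNED = SIGNED.replace("pkcs7-signature", "pgp-signature")

if __name__ == "__main__":
    for sample in (ENCRYPTED, SIGNED, PGP_SIGNED):
        print(classify_smime(sample))
```

The result describes only what the headers claim; whether a signature is valid is still decided by the certificate and signature check in the mail client.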


If no digital signature is used, the public key can also be passed on in other ways, for example, by publishing it on a key server, or on your own website, or by passing it on in file form on an external storage medium.

How do you obtain an S/MIME certificate for your own e-mail communication?

As previously mentioned, using S/MIME requires a certificate (X.509). In principle, you can create one yourself; however, you first need a root certificate, which in this case you also have to generate. Furthermore, all communication partners must import this root certificate before the actual key exchange can begin. The much simpler solution is to obtain a certificate from an official certification authority; both paid and free versions are available. Generally, the available certificates fall into the following three classes:

  • Class 1: The certificate created by the certification authority ensures the authenticity of the specified e-mail address.
  • Class 2: The certificate assures the authenticity of the specified e-mail address and the associated name. The company is also confirmed, if relevant. The verification of the information takes place via third-party databases or ID card copies.
  • Class 3: These certificates differ from class 2 certificates in that the sender needs to identify themselves personally.

If you want to encrypt your e-mails with S/MIME and are looking for a certificate, you should not lose sight of its core function: it should protect your e-mail communication by preventing messages from being manipulated and stopping any that have been. For this reason, it makes sense to put a lot of effort into choosing the most trustworthy provider.

A recommended service, whose certificates are claimed to be trusted by 99% of all e-mail clients, is Comodo. The certification authority, which is known for high-quality SSL certificates, offers free certificates for private use with its 'Free Secure Email Certificate'. 'Secure Email Certificates' (from £12.00 per year) provide a solution for businesses that want to implement secure end-to-end e-mail encryption with S/MIME.

How to set up S/MIME in your e-mail program

To incorporate the e-mail security process into your e-mail client, you’ll need the S/MIME certificate – so researching providers is the first step to getting a secure inbox. You then have to create a personalised certificate and install it. The exact procedure varies slightly, but it is generally similar for all providers. After installation, configure the respective e-mail program in such a way that it uses S/MIME and the integrated certificate. In general, the setup process is completed by restarting the client, which then unlocks specific features for manual or automatic encryption or for signing messages.

The following sections provide detailed instructions for setting up S/MIME on Windows and macOS desktop systems as well as on iOS and Android mobile systems. The aforementioned service, Comodo, is used as the certification authority.

Setting up S/MIME on Windows – how it works

If you want to use S/MIME technology on a Windows PC, but do not want to pay for Outlook or Microsoft Office, you can opt for the free alternative: Thunderbird, which, like the Firefox browser, comes from Mozilla. If you have not yet installed the client and set up an account, do that first. Then follow these steps to enable S/MIME encryption and signatures for this account:

  1. Go to the Comodo website and click on 'Sign up now'.
  2. You will then be presented with a form where you can enter your contact information that is to be associated with the certificate (name, e-mail address, and country). You can also choose to encrypt the private key to a greater or lesser degree. Then enter a secure 'Revocation password' (this is required to invalidate a certificate in the event of an emergency) and confirm the terms of use before you start the next step in creating your certificate by clicking 'Next'.
  3. Comodo then sends you a message to the specified e-mail address, which includes a button for downloading the certificate ('Click & Install Comodo E-mail Certificate'). If you click on it, a page opens automatically as well as the download window for the S/MIME certificate. If you use Chrome or Firefox, it will be automatically downloaded and installed locally in the browser.
  4. To be able to use the certificate in Thunderbird, you must first export the certificate in the browser (Chrome is used in this example). To do this, open the advanced settings and click on the 'Manage Certificates' button, which you will find under 'Privacy and security'.
  5. The Comodo certificate can be found in the pop-up window either under the 'Own certificates' tab or alternatively under 'Other People'. Select the appropriate choice and click on 'Export'. The export wizard that opens will guide you through the process – it is important to specify that you also want to export the private key.
  6. Now start Thunderbird and open the account settings. Under the menu item 'Security', you will find the 'Manage Certificates' button, which will take you to the corresponding menu.
  7. Select the 'Your certificates' tab and import the previously saved certificate by clicking 'Import' and selecting it. You then need to enter your password to complete the process.
  8. In the security menu, you can now select the S/MIME certificate for encryption and signatures. In addition, you can set the digital signature as the default and make encryption mandatory by selecting 'Required' under the default encryption settings. If you compose an e-mail, you can also select or deselect the procedures individually using the S/MIME button in the toolbar.

How does the S/MIME setup work for macOS and iOS?

Apple devices already have a solution installed in the form of the in-house client 'Mail', which – unlike the standard Microsoft program – enables you to encrypt and sign e-mails with S/MIME from the very beginning. If you have an e-mail account, you can create a certificate directly with Comodo without having to install any further programs. The procedure is the same as for Windows: go to the Comodo website, click on 'Sign Up Now' and then create the certificate based on your personal data. Then follow the instructions to install the certificate and set up S/MIME encryption:

  1. Open the e-mail sent by Comodo and download the certificate to any folder by clicking on the 'Click & Install Comodo E-mail Certificate' button. The resulting file can be opened on macOS by double-clicking on it and adding it to the keychain administration. If you want to use S/MIME for your iPhone or iPad, you must first convert the certificate to the .p12 format. You can then send it to your mobile device by e-mail.
  2. After installation, all you need to do is start Apple Mail to integrate the encryption and signing process.
  3. You can now test S/MIME by sending yourself an encrypted and signed message. To do this, you will find two corresponding buttons in the e-mail window (lock for encryption, gear for signature). Both symbols are also found in an additional line under the subject of the test message if the encryption and signature worked as planned.

How to configure S/MIME for your Android device

Like Windows, Android does not have its own client for integrating S/MIME. However, there are several applications that support the process and can be downloaded from the Google Play Store. One of the free solutions is the MailDroid application, developed by Flipdog Solutions, although you have to pay if you want the ad-free version. Just as when setting up S/MIME encryption and signatures on Windows and macOS, you will first need a valid certificate, which you can generate as described above. The next steps are as follows:

  1. MailDroid has integrated buttons for encrypting and signing your e-mails as default settings. To use these functions, however, you need the free FlipdogSolutions Crypto plugin, which can be downloaded in the first step.
  2. You can import your generated certificate with the help of the plugin. To do this, open the menu item 'Import Certificate' and select the corresponding file.
  3. Go back to MailDroid and open the settings menu. Under the menu item 'Encryption plugin', you can now specify the certificate and the desired S/MIME configuration. By checking the box, you can decide whether encryption and signing should be carried out by default or whether the encryption should not be used if the party doesn’t have the key they require.
  4. If you compose messages from now on, encryption and the signature will be added automatically – as long as you have chosen this as an option in the previous step. Otherwise, you can use the buttons at the end of the message window to activate the protection mechanisms. If encryption and signing do not work because the certificate or a key is invalid or has expired, for example, MailDroid will clearly display this.