What Is S/MIME and How Can It Secure Email?
- by Brittany Day

How many business emails do you send each day? Have you ever given any thought as to how secure they are?
If you haven’t, you’re not the only one. Nevertheless, in the modern world, we all have to take security seriously. This article will give you the low-down on everything you need to know about the S/MIME encryption protocol for email.
Let’s dive in.
What is S/MIME encryption?
The truth is that you may have the best business phone system around, but if you’re relying on unsecured email, your communications are as good as defenseless. That’s where S/MIME encryption comes in.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a security standard that protects email messages with public-key encryption and digital signatures. Each user holds a digital certificate that ties their public key to their identity and email address, so the recipient can confirm who actually sent a message.
It helps guard against interception and impersonation, and its certificates are issued at a number of different validation levels.
S/MIME validation levels
There are three validation levels for S/MIME certificates. However, there’s not a single universally accepted standard. The exact classification of these levels can vary slightly depending on which Certificate Authority (CA) you use, but broadly speaking, it looks like this:
Email/domain validation: This process checks that your email address and your domain are valid.
Individual validation: The goal here is to identify individual employees. It requires government-issued ID (e.g. a driver’s license) as well as a company email address.
Organizational validation: The procedure for this is similar to the one for acquiring an OV SSL certificate. The CA will contact the company and ask to speak to a representative. Once the existence of the company and its email domain have been verified, the certificate will be issued.
How does S/MIME encryption work?
S/MIME uses asymmetric cryptography to prevent unwelcome third parties from reading your emails. This means that it uses a public key to encrypt messages; these are then decrypted using the corresponding private key, held by the recipient of the email. With the S/MIME system, encryption is combined with a digital signature to secure an organization’s email.
A two-key system like this works because the two keys are mathematically related, yet the private key cannot be derived from the public one. Each correspondent must obtain the other’s public key before encrypted mail can flow, so key exchange between communication partners is a fundamental requirement for encrypting email communication. (That’s something to bear in mind if your organization uses email capture for marketing purposes.)
The way this works is that anyone can access an organization’s public key. The sender of the email encrypts the message using the freely available public key of the intended recipient. Then, the recipient decrypts the message using their own private key, which is known only to them.
The digital signature element of S/MIME encryption has three functions:
Authentication: The digital signature validates the sender’s identity, which makes certain they are who they say they are.
Nonrepudiation: It also ensures that neither party can deny their actions under that signature, e.g. sending a message or using the digital signature itself.
Data integrity: This means that emails cannot be changed while they are in transit without that change being noticed. If a signed message is altered, signature verification fails, showing that the message no longer matches what was signed.
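As an added illustration of the signing and encryption steps above (this script is not part of the original article), the following POSIX shell script exercises them with the openssl command-line tool. It constructs two throwaway self-signed identities (hypothetical example.test addresses standing in for CA-issued certificates), signs and verifies a message, shows that a tampered copy or an untrusted signer fails verification, and encrypts to the recipient’s public key while leaving the Subject header readable, the metadata point the Disadvantages section returns to.

```shell
#!/bin/sh
# Added example, not from the article: walk through S/MIME signing, tamper
# detection and encryption with the openssl CLI. The two identities below are
# constructed self-signed certificates standing in for CA-issued ones.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Key pair plus self-signed certificate for one mailbox (hypothetical
# example.test addresses). In production a CA issues the certificate after
# one of the validation levels described above.
mk_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$1@example.test" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Sign a body with the sender's private key. The signer's certificate travels
# inside the multipart/signed output so the recipient can check it.
smime_sign() {  # $1 body, $2 signer name, $3 output file
  openssl smime -sign -in "$1" -signer "$2.crt" -inkey "$2.key" \
    -from "$2@example.test" -to bob@example.test -subject "Q3 figures" -out "$3"
}

# Verify against a trust anchor; non-zero exit means the body no longer
# matches the signature or the signer's certificate is not trusted.
smime_verify() {  # $1 signed message, $2 trusted cert file, $3 output body
  openssl smime -verify -in "$1" -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# Encrypt to the recipient's certificate (public key); only the matching
# private key can open it. Note that the -subject header stays readable.
smime_encrypt() {  # $1 body, $2 recipient name, $3 output file
  openssl smime -encrypt -aes256 -in "$1" -to "$2@example.test" \
    -from alice@example.test -subject "Q3 figures" -out "$3" "$2.crt"
}
smime_decrypt() {  # $1 envelope, $2 recipient name, $3 output body
  openssl smime -decrypt -in "$1" -recip "$2.crt" -inkey "$2.key" -out "$3"
}

mk_identity alice
mk_identity bob
printf 'Transfer of 40000 EUR approved.\n' > body.txt
smime_sign body.txt alice signed.eml
# Simulate an in-transit change to the clear-text part of the signed message.
sed 's/approved/rejected/' signed.eml > tampered.eml
smime_encrypt body.txt bob encrypted.eml
smime_decrypt encrypted.eml bob decrypted.txt
smime_verify signed.eml alice.crt verified.txt && echo "signature OK"
```

Run `cat encrypted.eml` afterwards to see the Subject, To and From headers in clear text above the base64 envelope, while the body is unreadable.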
S/MIME encryption: who needs it & how to get it
Any organization that is concerned about email security should be considering implementing S/MIME. In practice, however, it can prove a little impractical for basic email use. That’s because the process of implementing it can be fairly expensive and time-consuming. S/MIME certificates have to be installed on all devices one by one, so for organizations without a large IT support section, this can be an intimidating barrier.
There’s also the potential issue that a staff member will get locked out of their own emails if they lose their private key. Restoring access means retrieving the key securely, or possibly starting the process over and generating a new key pair and certificate. Additionally, S/MIME can interfere with other security systems such as antivirus scanners, since these cannot inspect the contents of an encrypted message.
When you add in the fact that emails using S/MIME encryption can only be sent to recipients who also use S/MIME, the upside/downside ratio may seem fairly balanced.
So it’s a judgment call. How large is your organization? How much privacy do you need in your business communications?
As a rough guide, here’s a list of organizations that would probably benefit from using S/MIME:
- Government agencies
- Businesses that employ a mostly remote workforce
- Businesses whose sphere of work includes countries that apply GDPR
- Organizations that are legally obliged to maintain data privacy according to HIPAA
- Companies that use email lists (regardless of whether they deploy a standard email list scrubbing protocol or not)
- Organizations that use enterprise-level security protocols
- Companies subject to PCI compliance
If you decide to implement S/MIME, you’ll be relieved to know the process for acquiring certificates is fairly straightforward. First, find a CA with a good reputation. All CAs are obliged to document their security features and certificate requirements and make them publicly available.
Benefits and disadvantages of S/MIME Encryption to your business
Let’s take a closer look at the upsides and downsides of implementing S/MIME encryption. After all, this isn’t like finalizing software contracts that can be renegotiated with relative ease. If you do decide to go the S/MIME route, you’ll want to be very sure before you start that you’re making the right decision.
Benefits
The combination of digital identity certificates and end-to-end encryption renders your email messages as secure as they can be. This means it:
Safeguards against cyberattacks: It makes it more difficult for cybercriminals to attack you through your email communications.
Increases general security: You can rest assured your email and important documents are as secure as possible.
Prevents unwanted third-party access: It stops unauthorized users from spying on your communications.
Disadvantages
It would be remiss of us not to mention the downsides. You’ll need to give these careful thought before you come to a decision.
Lack of universal adoption: Not everyone uses S/MIME. This poses a problem because using the S/MIME protocol isn’t like using MLOps software or a data analytics solution. Email by its nature is a two-way process. For S/MIME to work, both the sender and the recipient have to have the system installed. There are some workarounds, but no ideal ones as yet exist.
File size limits: Often, if you’re sending an attachment by email, the data included in it will be the most important part of the message. Encrypting this as well quickly adds to the overall encrypted file size, putting it beyond the limit allowed by many email clients.
Potential security flaws: S/MIME provides very good security, but it has a number of weaknesses:
- Use of long-lived, static key pairs means that if a private key is compromised, the certificate is useless until it has been replaced with a new key pair and certificate.
- Metadata, such as the email subject line, is sent unencrypted.
- The so-called “Efail” flaw: in the unlikely event that an attacker can intercept and alter an encrypted email, it’s theoretically possible for a vulnerable GUI-based email client to leak the decrypted message to a server the attacker controls.
Lack of malware detection: Because the protocol is designed with end-to-end security in mind, S/MIME will just encrypt any malware in your email along with the content of the email and you’ll be sending both to the recipient.
PGP vs. S/MIME: which is better?
We thought we should include a quick note about PGP. It’s an alternative encryption protocol and tends to be cheaper than S/MIME.
The main difference is that PGP is more of a general-purpose solution than S/MIME, which is specialized for email. Aside from that, PGP uses a different kind of digital signature and is more commonly favored by individual users for encrypting all kinds of files. Your choice of which to use really depends on the purpose you have in mind.
S/MIME email protection from spear phishing attacks
To conclude, we’ll have a look at how S/MIME helps prevent phishing and spear phishing attacks. Spear phishing attacks focus on one individual and generally manifest in one of three ways:
Spoofed headers: Attackers spoof the “From” field of an email header, making it look as if the sender is within the recipient’s organization.
Impersonation: The email appears to come from a senior staff member, meaning the recipient is less likely to question its authenticity.
Fake email chain: An entire fake email chain with multiple messages is set up to make the email seem more legitimate.
If your organization signs its mail with S/MIME, the recipient can tell immediately that such an email is fake: all they have to do is check the signature to verify the sender, and a spoofed message will carry either no valid signature or one from a certificate that does not belong to the claimed sender. Easy. The same applies to standard phishing emails. And this is the great strength of S/MIME: if you can get over the deployment hurdles, it’s pretty easy to use.
Security in a box
In the end, only you know whether S/MIME will be the right choice for your organization. But if you decide it is, there’s no doubt it will give you great peace of mind.
Keeping your business communications secure has never been more important. And just as you’d expect high security from the available cloud PBX features when selecting a phone system, so it goes with email. Maybe it’s time to consider an S/MIME solution for your business?