S/MIME
What is S/MIME?
An IETF standard for end-to-end signing and encryption of MIME email messages using X.509 certificates issued by a public or enterprise CA.
Secure/Multipurpose Internet Mail Extensions (S/MIME), currently at version 4.0 and specified in RFC 8551 (with the certificate profile in RFC 8550), provides cryptographic signatures and CMS-based encryption (RFC 5652) for email. Each user obtains an X.509 certificate bound to their email address from a CA, then their mail client signs outgoing messages and encrypts to recipients' public keys. Modern profiles use RSA-2048 or higher, ECDSA P-256+, SHA-256, and AES-128/256-GCM, with hybrid PQC drafts emerging. S/MIME is built into Outlook, Apple Mail, and Thunderbird and is widely used in enterprises and government. Operational challenges include certificate distribution, key escrow for decryption of stored mail, and interaction with secure email gateways.
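The sign-then-encrypt flow described above, carried out once with the OpenSSL `cms` tool so the pieces can be seen on disk: a multipart/signed message with a detached CMS SignedData part, its verification, a tamper check, and a CMS EnvelopedData message encrypted to the recipient's certificate. This is an added example, not code from the page; the mailbox names, the message text and the self-signed certificates are constructed for the test (a real deployment uses CA-issued certificates and points `-CAfile` at that CA's chain), and `-aes256` selects AES-256-CBC, the page's AES-GCM profile being a separate cipher choice.

```shell
# Added example: one S/MIME round trip with openssl cms (self-signed test certs).
smime_roundtrip() (
  set -e
  work=$(mktemp -d)
  cd "$work"
  # Constructed sample message body.
  printf 'Please countersign the attached contract (PO-1234).\n' > body.txt

  # Test-only keys and certificates for two assumed mailboxes; a CA issues these in practice.
  for who in alice bob; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$who.key" -out "$who.crt" -subj "/CN=$who" \
      -addext "subjectAltName=email:$who@example.com" >/dev/null 2>&1
  done

  # 1. Alice signs: multipart/signed with a detached application/pkcs7-signature part.
  openssl cms -sign -text -in body.txt -signer alice.crt -inkey alice.key -out signed.eml

  # 2. Bob verifies signature and chain; alice.crt is the trust anchor in this test.
  openssl cms -verify -text -in signed.eml -CAfile alice.crt -out verified.txt 2>/dev/null
  grep -q 'PO-1234' verified.txt

  # 3. A body altered after signing must fail verification (digest mismatch).
  sed 's/countersign/cancel/' signed.eml > tampered.eml
  if openssl cms -verify -text -in tampered.eml -CAfile alice.crt -out /dev/null 2>/dev/null; then
    echo "tampering went undetected"; exit 1
  fi

  # 4. Encrypt to Bob's certificate (CMS EnvelopedData), decrypt with Bob's private key.
  openssl cms -encrypt -aes256 -in body.txt -out encrypted.eml bob.crt
  openssl cms -decrypt -in encrypted.eml -recip bob.crt -inkey bob.key -out decrypted.txt
  grep -q 'PO-1234' decrypted.txt
  # The ciphertext must not expose the plaintext.
  grep -q 'PO-1234' encrypted.eml && exit 1

  cd / && rm -rf "$work"
  echo ok
)
```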
● Examples
- An enterprise issues S/MIME certificates via its internal CA so employees can sign and encrypt internal email.
- An external partner exchanges public-key certificates with the user to send encrypted contracts via Outlook.
● Frequently asked questions
What is S/MIME?
An IETF standard for end-to-end signing and encryption of MIME email messages using X.509 certificates issued by a public or enterprise CA. It belongs to the Network Security category of cybersecurity.
What are other names for S/MIME?
Common alternative names include: Secure/Multipurpose Internet Mail Extensions.
● Related terms
- PGP: Pretty Good Privacy, an end-to-end encryption and digital signature scheme for email, files, and messages, originally created by Phil Zimmermann in 1991.
- GnuPG (GPG): The GNU Privacy Guard, a free software implementation of the OpenPGP standard (RFC 4880, RFC 9580) used to sign, encrypt, and decrypt data, including emails and software packages.
- DKIM: An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
- Secure Email Gateway: A perimeter or cloud service that filters inbound and outbound email for spam, phishing, malware, data leakage, and policy violations before it reaches user mailboxes.
- TLS (Transport Layer Security): The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- Public Key Infrastructure (PKI): The combined system of policies, software, hardware and trusted authorities used to issue, distribute, validate and revoke digital certificates that bind identities to public keys.
● See also
- PKCS#7