
S/MIME: Encrypt and sign emails securely

Email is still the most important means of communication in the digital world. However, the email correspondence of over 4.5 billion users worldwide is exposed to attacks on a daily basis. This makes reliable solutions for encryption and digital signatures all the more important. In this article, you will learn how to protect your email communication with S/MIME, ensure the authenticity of your correspondence and use S/MIME at mailbox.


What is S/MIME?

S/MIME stands for Secure/Multipurpose Internet Mail Extensions and is an IETF standard (currently RFC 8551) for encrypting and digitally signing emails. MIME (Multipurpose Internet Mail Extensions) is the standard for transmitting various file types via email; S/MIME extends it with cryptographic security functions.

S/MIME is based on public-key cryptography, also known as asymmetric cryptography: key pairs and certificates handle key exchange and signatures, while the message body itself is protected with a symmetric cipher (see below). This enables the secure transmission of confidential emails over the internet. S/MIME is supported by mailbox and most other email clients, meets high data protection requirements and, because the certificates are issued by trusted certification authorities, provides verifiable proof of the sender's identity.

How do S/MIME encryption and signing work?

With public-key encryption, each user has a key pair consisting of a public key and a private key. The public key is passed on to communication partners and is used to encrypt messages. The private key remains secret and is used to decrypt received messages and to create digital signatures.

S/MIME works with X.509 certificates, which are issued by trusted certification authorities (CAs). A certificate binds the user's public key to their email address (and, depending on the certificate class, their name or organisation) and carries the CA's signature. This is what allows a mail client to verify the identity of a sender and to encrypt messages to a recipient.

How S/MIME encryption works explained step by step:

In order to encrypt an email before sending and decrypt it after receiving it, the communication partners must set up S/MIME before the first encrypted email.

One-time setup:

  1. The communication partners each request an S/MIME certificate from a certificate authority. The certificate contains the applicant's public key, signed by the CA; the matching private key is not part of the certificate and must be kept secret by its owner.
  2. The communication partners import their certificate and private key into their mail client (or webmailer) and enable it for encryption and signing.
  3. The sender needs the recipient's S/MIME certificate, i.e. the recipient's public key. In practice this happens automatically by email: the recipient sends a signed message, the signature carries their certificate, and the sender's mail client stores it.

The encryption process with S/MIME:

  1. The sender's mail client generates a random symmetric session key (for example an AES key) for this individual message and encrypts the content, including attachments, with it.
  2. The session key is in turn encrypted asymmetrically with the recipient's public key, taken from their certificate. With several recipients, the same session key is encrypted once per recipient certificate; most clients also encrypt it to the sender's own certificate so that the message remains readable in the Sent folder. Both the content and the session key are now encrypted.
  3. The encrypted message is transmitted.
  4. The recipient's mail client recognises the S/MIME-encrypted message (MIME type application/pkcs7-mime).
  5. The recipient uses their private key to decrypt the session key.
  6. The recipient uses the session key to decrypt the content of the email.

How S/MIME signing works explained step by step:

The S/MIME signature proves that the message was created by the holder of the private key belonging to the certificate, i.e. the stated sender, and that it has not been changed since. The signature alone does not encrypt the message; its content remains readable for everyone.

The signing process with S/MIME:

  1. The sender signs the email digitally with their private key. The mail client calculates a hash (a kind of fingerprint) of the content, signs this hash with the private key to form the digital signature, and attaches the signature together with the sender's certificate to the message.
  2. The signed message is transmitted.
  3. The recipient's mail client recognises the S/MIME signature of the received message and checks the sender's certificate: it must chain to a trusted certification authority, be within its validity period, not be revoked, and its email address must match the sender address of the email.
  4. The mail client then calculates the hash of the received content and verifies the signature with the public key from the sender's certificate.
  5. If both checks succeed, the recipient knows who sent the message and that it is unchanged.
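The two step-by-step lists above (encryption and signing), as one added example that is not part of the mailbox article: a POSIX shell script that drives the round trip with the openssl cms tool, the command-line implementation of S/MIME. Alice signs a message with her private key, encrypts it for Bob (and for herself), Bob decrypts it with his private key and verifies Alice's signature. The names, the addresses alice@example.test and bob@example.test, and the sample text are constructed for this example; the certificates are self-signed test certificates, which real mail clients (and mailbox) would not trust, so the trust anchor is passed explicitly. The script also checks two things the article points out later: the Subject header stays readable in the encrypted message, and a tampered or untrusted signature is rejected.

```shell
#!/bin/sh
# Added example (not from the mailbox article): S/MIME sign -> encrypt -> decrypt -> verify
# with "openssl cms". Assumes openssl 1.1.1 or 3.x is installed. Addresses, names and the
# message text are constructed; the self-signed certificates are for this test only.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One-time setup: a key pair and certificate per participant. The private key (NAME.key)
# stays with its owner; the certificate (NAME.crt) holds only the public key and is what
# the communication partner receives. Self-signed here; a real one comes from a CA.
make_identity() { # $1 = short name, $2 = email address (both constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" \
    -addext "subjectAltName=email:$2" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}
make_identity alice alice@example.test
make_identity bob   bob@example.test

# Constructed sample plaintext.
printf 'Hi Bob,\n\nthe agreed price is 100 EUR.\n\nAlice\n' > body.txt

# Signing: hash the content, sign the hash with Alice's private key and attach her
# certificate. The default output is multipart/signed, so the text stays readable.
openssl cms -sign -in body.txt -text -signer alice.crt -inkey alice.key -out signed.eml

# Encryption: a fresh random AES-256 session key encrypts the signed message; that key is
# wrapped once per recipient certificate. Alice's own certificate is added so she can still
# read the copy in her Sent folder. The From/To/Subject headers given here stay in the clear.
openssl cms -encrypt -in signed.eml -aes256 \
  -from alice@example.test -to bob@example.test -subject "Offer for project Phoenix" \
  -out encrypted.eml bob.crt alice.crt

# Decryption: Bob unwraps the session key with his private key and recovers the signed
# message exactly as Alice produced it.
openssl cms -decrypt -in encrypted.eml -recip bob.crt -inkey bob.key -out decrypted.eml

# Verification: recompute the hash, check the signature with the public key from the
# embedded certificate, and check that the certificate chains to a trusted CA. Because
# alice.crt is self-signed it has to be supplied as the trust anchor explicitly.
openssl cms -verify -in decrypted.eml -text -CAfile alice.crt -out verified.txt

# Properties a practitioner wants confirmed. Each function returns 0 when the property holds.
body_hidden()     { ! grep -q 'agreed price' encrypted.eml; }                  # ciphertext does not leak the body
subject_visible() { grep -q '^Subject: Offer for project Phoenix' encrypted.eml; } # subject travels in plaintext
roundtrip_ok()    { [ "$(tr -d '\r' < verified.txt)" = "$(cat body.txt)" ]; }  # S/MIME canonicalises to CRLF
untrusted_rejected() { # without a trust anchor the self-signed signer is refused (a CA cert would be in the store)
  ! openssl cms -verify -in decrypted.eml -out /dev/null 2>/dev/null
}
tamper_detected() { # change one digit in the signed text: the hash no longer matches the signature
  sed 's/100 EUR/900 EUR/' decrypted.eml > tampered.eml
  ! openssl cms -verify -in tampered.eml -CAfile alice.crt -out /dev/null 2>/dev/null
}

for check in body_hidden subject_visible roundtrip_ok untrusted_rejected tamper_detected; do
  if "$check"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
```

Run it with sh; every check prints PASS. Two details are worth noting: the -CAfile argument is the one thing that turns "a valid signature" into "a signature from someone I trust", and the tamper test only touches the signed body, which is exactly the part the signature covers.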

Email security with S/MIME: The three pillars

S/MIME offers three essential security functions that together ensure a high level of protection for your email communication. This combination of encryption and digital signature makes S/MIME the preferred solution for secure business correspondence.

1. Confidentiality through email encryption

Encryption ensures that only the intended recipients can read the content of the email, protecting confidential information both in transit and on the mail servers it passes through. The message is encrypted for the recipient's public key and can only be decrypted with the corresponding private key. This is what makes S/MIME suitable for sending personal data in line with the confidentiality requirements of the GDPR.

2. Integrity through digital signature

The digital signature enables the recipient to check whether the message was manipulated after signing. Any change to the signed content, no matter how small, renders the S/MIME signature invalid. The signature is created with the sender's private key and verified by the recipient with the public key from the sender's certificate. Note that the signature covers the MIME body (text and attachments), not the outer header fields: Subject, From or To can still be altered in transit without invalidating the signature, unless the mail client implements additional header protection.

3. Authenticity and email authentication

The digital signature confirms the identity of the sender and ensures that the email actually comes from the owner of the certificate it carries. This protects against phishing and spoofing attacks, provided the mail client checks that the certificate's email address matches the sender address and shows the result clearly; a valid signature from an unrelated certificate must not be mistaken for proof of the displayed sender. In addition, the sender cannot plausibly deny having sent the message (non-repudiation), as long as the private key was under their sole control, which is an important aspect for legally compliant email communication in a business context.

Interaction with TLS

S/MIME can be combined with other security technologies such as Transport Layer Security (TLS). TLS encrypts the connection between mail client and server and between mail servers during transmission, but only hop by hop: every server on the path decrypts the message and stores it in plaintext before passing it on, and whether the next hop uses TLS at all is often decided opportunistically. S/MIME, by contrast, provides end-to-end encryption of the message itself, from sender to recipient. Using both closes the gaps of each: TLS hides the message including its headers from observers on the wire, S/MIME keeps the content confidential on the servers in between.

Important to know: S/MIME encrypts only the MIME body, i.e. the text and any attachments. The subject line and the metadata (sender, recipient, timestamps and routing information in the headers) are not encrypted, because the mail servers need them to deliver the message. For maximum confidentiality, subject lines should therefore not contain any sensitive information.

S/MIME certificates: classes and sources

Certification authorities commonly group S/MIME certificates into classes that differ in how thoroughly the applicant's identity is verified. The class names are a convention of the CAs rather than part of the S/MIME standard, and the exact definitions vary between providers; a typical scheme looks like this:

  • Class 1 certificates: Only control of the email address is verified (usually by a confirmation email). This is automated and often free of charge. Suitable for basic email security.
  • Class 2 certificates: In addition, the name and, if applicable, the organisation are verified. Ideal for companies and secure business correspondence.
  • Class 3 certificates: Comprehensive identity verification based on ID documents or extracts from the commercial register. Highest level of trust for confidential emails.
  • Class 4 certificates: Personal identity verification with mandatory identification at the certification authority. Maximum email authentication.

Digital certificates for S/MIME can be obtained from various trusted certification authorities, for example DigiCert, which today also owns the former Thawte and VeriSign certificate brands.

Important note on certificate security: self-signed certificates, i.e. certificates you create yourself without a certification authority, are not trusted by most email clients. They can still encrypt, but they provide no reliable email authentication: anyone can generate a certificate for any email address, so a recipient has no way of telling yours from an impostor's. Such certificates should therefore not be used for productive communication; mailbox, for example, does not accept self-generated certificates.

S/MIME vs PGP: Differences in email encryption

In addition to S/MIME, PGP (Pretty Good Privacy) is another established standard for email encryption. Both encryption methods pursue the same goal – secure email communication – and both use asymmetric encryption with public and private keys.

Both standards offer strong email encryption and digital signatures, but they differ in how trust in a public key is established and in the message format. S/MIME relies on X.509 certificates issued by certification authorities, which mail clients trust automatically; PGP uses keys that users generate and exchange themselves and whose authenticity is confirmed by their owners or by other users (the web of trust). The two formats are not interoperable: a message encrypted with PGP cannot be opened with an S/MIME certificate and vice versa, so both partners must use the same method. mailbox supports both and allows users to choose the appropriate method depending on the communication partner.

S/MIME with mailbox: Encrypt and sign emails

mailbox supports S/MIME encryption in the webmailer for all customers on the Premium, Standard and Light tariffs. This email security function is particularly relevant for business customers, as not only encryption but also digital signatures play an important role in GDPR-compliant communication.

mailbox offers the option of using S/MIME certificates from over 100 reliable certification authorities with mailbox Guard. For security reasons, mailbox does not accept self-created certificates. Find out more about the certificates supported by mailbox.

In mailbox, you can encrypt and sign emails with S/MIME using a button. Only supported certificates are recognised and the digital signature is automatically verified when S/MIME-signed emails are received. This is how S/MIME ensures secure email communication with authentication.

S/MIME step-by-step guide: In our knowledge base you can find out everything you need to know about setting up and using S/MIME at mailbox.

Conclusion: S/MIME for secure email communication

S/MIME is a proven and widely used standard for email encryption and digital signatures. The integration into common email clients makes email security particularly easy to use, while the certification authorities ensure trust and reliability in email authentication. In the business environment in particular, S/MIME offers comprehensive protection for confidential emails and GDPR-compliant communication thanks to digital signatures and end-to-end encryption.

mailbox's support for S/MIME enables both private and business customers to secure their email communication with professional email encryption. With the correct setup of an S/MIME certificate and the choice of a trustworthy certification authority, nothing stands in the way of secure and authenticated email communication. In a time of increasing cyberattacks, encrypting confidential information with digital signatures is no longer an option, but a necessity for secure email communication.