Encrypt every
email with S/MIME
Certificates

How S/MIME works

Email encryption ensures no one will read your message but the person you sent it to while signing the message so the recipient can verify the authenticity and origin of your email.

An S/MIME certificate provides you with a public and private key pair. Your secret private key signs messages you send and decrypts messages sent to you. The public key is shared so people receiving your messages can verify your signature, and it encrypts messages so only you can read them.

After installing the certificate, this process is transparent with most email providers like Apple, Google, Microsoft and Yahoo.

Signing emails for even more trust

Attaching a digital signature to an email adds an extra layer of security and trust to every message you send. Your digital signature (and the S/MIME certificate and public key it contains) originates from your validated digital identity, which serves as your unique digital fingerprint, locking the original message while it travels from your outbox to the recipient’s inbox to offer reassurance that the message is from you and that its contents haven’t been manipulated in any way.
 

The S/MIME authentication process

Identity is the backbone of S/MIME certificates. That’s why DigiCert protects you and your recipients by conducting a thorough validation and authentication process before issuing your certificate. DigiCert's validation and authentication process complies with official standards and is subject to regular
external audits.

Order overview

Ordering and collecting your certificate is a four-step process:

1. Order the certificate. At checkout, enter the registered domain of your email address (the part after the @) in the Primary Domain field. For example, if John Smith’s email address is John.Smith@example.com, John would enter example.com in the Primary Domain field.
2. Request the certificate. You must provide your personal details for the certificate, along with a Certificate Signing Request (CSR).
3. Download the certificate.
4. Install the certificate.

Note: Due to validation requirements, there may be a delay between placing your order and receiving your certificate. After submitting your order, the order status will show as Pending while DigiCert validates the order. When you receive an email notifying you that your order has been approved, you can proceed to creating the certificate request.

Frequently asked questions

Is an S/MIME certificate the same as a client certificate?

You’ll sometimes hear S/MIME certificates referred to as client certificates, but they’re actually two different things. Client certificates use client authentication to provide additional authentication and access control by checking client certificates at the server, preventing a client from obtaining a connection without an approved certificate.

What is client certificate authentication and how is it different from S/MIME?

Client certificate authentication generally describes the process that happens when a laptop or other user device uses a digital certificate to prove its identity to a server. Client certificates can also be used to encrypt network communication between two devices using TLS . Large organizations typically use this type of authentication to ensure only trusted devices are allowed to connect to the network.

S/MIME certificates are specific to email. Unlike a client certificate used for authentication and TLS encryption, S/MIME certificates encrypt email messages, ensuring they're only decrypted when viewed by the intended recipient.

The key difference is that the TLS encryption used in client certificate authentication only encrypts the communication between your email software and your email server, not between sender and recipient.

What industries require email encryption for compliance in communications?

Healthcare, insurance, retail and the defense industrial base are a few of the industries that commonly require the encryption of sensitive data in email. For example, PCI DSS requirement 3.4 states that cardholder data must be rendered unreadable wherever it’s stored. Encryption is one of the methods for meeting this requirement.

Under HIPAA, covered entities must have controls to ensure the confidentiality and integrity of protected healthcare information. HIPAA also includes a public breach disclosure requirement that organizations can avoid if the PHI was encrypted at the time of unauthorized access.

As a final example, information subject to U.S. export controls must be secured with end-to-end encryption such that only the intended recipient(s) can access it. Seek the advice of a qualified professional to assess your needs relative to any compliance obligations you have.

Does a client certificate meet the same compliance standards as S/MIME certificates?

A premium client certificate from DigiCert could be used to authenticate clients to servers, sign documents and secure email. But this isn't always the case, as these use cases are governed by different browser and CA/B Forum requirements.

How can my company help prevent email phishing?

Preventing phishing requires multiple layers of email security, including enabling S/MIME, enforcing DMARC, and taking advantage of brand indicators.

As part of phishing schemes, attackers often spoof company emails, sending malicious messages that appear to originate from the company or even from individual employees. Most companies don’t know when attackers are doing this. And when customers get scammed, it can erode customer loyalty and increase support costs and fraud losses.

By enforcing a DMARC policy at the company level, you can make it more difficult for attackers to spoof your domain. Using S/MIME to sign emails also provides tangible proof to the recipient that the message was not sent from a spoofed or impostor account.

Brand indicators like BIMI use Verified Mark Certificates (VMC) with DMARC enforcement to provide an added layer of assurance to customers. DMARC helps improve delivery of your emails, but a VMC can help your customers know that the email is actually from your company by displaying your logo next to the email in their inbox.