Email encryption is a must-have in today’s digital world, especially for growing companies and global enterprises. 300 billion emails travel the internet every day, and most are completely exposed to anyone interested in stealing information, manipulating messages or monitoring senders and recipients.
S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions, is a security standard supported by all major email applications, including Apple Mail, Microsoft Outlook and Exchange, mobile OS email apps and more. DigiCert S/MIME certificates for business validate your senders, email addresses and organization, ensuring every email is signed and encrypted to prevent phishing and tampering.
Cyberattacks are growing more sophisticated, but that doesn’t stop individuals and small-business owners from hitting send on sensitive messages like financial contracts, tax documents and medical information. Email privacy has never been more important than it is today—and transparent email encryption with S/MIME makes it possible.
By securing your personal or small-business email with a DigiCert S/MIME certificate (also known as an email signing certificate or personal authentication certificate), you can easily encrypt and digitally sign every message to protect yourself against phishing, spoofing and man-in-the-middle attacks.
Ideal for individuals and small businesses:
- Emails encrypted end-to-end
- Prevent email fraud with digitally signed emails
- Digitally sign Microsoft Office files (.docx, .pptx, .xlsx, etc.)
- Supported by popular email clients like Apple Mail and Microsoft Outlook
- Validates sender's email address
- Free standard support

Ideal for medium to large organizations:
- Emails encrypted end-to-end
- Prevent email fraud with digitally signed emails
- Digitally sign Microsoft Office files (.docx, .pptx, .xlsx, etc.)
- Supported by popular email clients like Apple Mail and Microsoft Outlook
- Validates sender's name
- Validates email address
- Validates the organization or company
- Free standard support
Email encryption ensures that no one but the person you sent it to can read your message, while signing the message lets the recipient verify the authenticity and origin of your email.
An S/MIME certificate provides you with a public and private key pair. Your secret private key signs messages you send and decrypts messages sent to you. The public key is shared so people receiving your messages can verify your signature, and it encrypts messages so only you can read them.
After installing the certificate, this process is transparent with most email providers like Apple, Google, Microsoft and Yahoo.
Attaching a digital signature to an email adds an extra layer of security and trust to every message you send. Your digital signature (and the S/MIME certificate and public key it contains) originates from your validated digital identity, which serves as your unique digital fingerprint. It locks the original message while it travels from your outbox to the recipient's inbox, offering reassurance that the message is from you and that its contents haven't been manipulated in any way.
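The key roles described above (private key signs and decrypts, public key verifies and encrypts), as an added example that is not from the page or from DigiCert: a shell script driving openssl through the PKCS#10 CSR, PKCS#12 bundle, sign/verify and encrypt/decrypt steps. The identities are self-signed stand-ins for CA-issued certificates, and the names, addresses and message are constructed.

```shell
#!/bin/sh
# Constructed demo of the S/MIME key-pair roles, using openssl.
# Identities are self-signed here; a real certificate would come back from the CA
# after the PKCS#10 CSR is validated. Names, addresses and message are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_identity() {  # $1 = short name, $2 = email address
  # Private key + PKCS#10 CSR: the CSR is what you submit when ordering.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1/emailAddress=$2" 2>/dev/null
  # Demo stand-in for CA issuance: self-sign the CSR.
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -out "$WORK/$1.crt" 2>/dev/null
  # PKCS#12 bundle (key + certificate), the format email clients import.
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1.p12" -passout pass:demo
}

sign_message() {     # sender's PRIVATE key signs: $1 sender, $2 plaintext, $3 out
  openssl cms -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}
verify_message() {   # sender's PUBLIC cert verifies: $1 sender, $2 signed, $3 out
  openssl cms -verify -in "$2" -CAfile "$WORK/$1.crt" -out "$3" 2>/dev/null
}
encrypt_message() {  # recipient's PUBLIC cert encrypts: $1 recipient, $2 in, $3 out
  openssl cms -encrypt -aes256 -binary -in "$2" -out "$3" "$WORK/$1.crt"
}
decrypt_message() {  # recipient's PRIVATE key decrypts: $1 recipient, $2 in, $3 out
  openssl cms -decrypt -in "$2" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}

make_identity alice alice@example.test
make_identity bob bob@example.test
printf 'Wire the retainer to account 1234 by Friday.\n' > "$WORK/msg.txt"

# Sign as Alice; Bob verifies with Alice's certificate.
sign_message alice "$WORK/msg.txt" "$WORK/msg.signed"
verify_message alice "$WORK/msg.signed" "$WORK/msg.verified"
# A body altered in transit must fail verification.
sed 's/1234/9999/' "$WORK/msg.signed" > "$WORK/msg.tampered"
if verify_message alice "$WORK/msg.tampered" /dev/null; then echo "tamper undetected"; exit 1; fi

# Encrypt to Bob's public certificate; only Bob's private key can decrypt.
encrypt_message bob "$WORK/msg.txt" "$WORK/msg.enc"
decrypt_message bob "$WORK/msg.enc" "$WORK/msg.dec"
if cmp -s "$WORK/msg.txt" "$WORK/msg.dec"; then echo "signed, verified, encrypted, decrypted OK"; fi
```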
Identity is the backbone of S/MIME certificates. That's why DigiCert protects you and your recipients by conducting a thorough validation and authentication process before issuing your certificate. DigiCert's validation and authentication process complies with official standards and is subject to regular external audits.
- Desktop or laptop computer
- Chrome, Firefox, Opera, Safari or other modern browser
- Use the same system to order and collect the certificate in the PKCS 12 format
- When ordering a secure email certificate, submit a Certificate Signing Request (CSR/PKCS 10) you created or one generated for you on the DigiCert website during the order process
Ordering and collecting your certificate is a four-step process:
Note: Due to validation requirements, there may be a delay between placing your order and receiving your certificate. After submitting your order, the order status will show as Pending while DigiCert validates the order. When you receive an email notifying you that your order has been approved, you can proceed to create the certificate request.
You'll sometimes hear S/MIME certificates referred to as client certificates, but they're actually two different things. Client certificates provide additional authentication and access control: the server checks the client's certificate and refuses a connection to any client that doesn't present an approved one.
Client certificate authentication generally describes the process that happens when a laptop or other user device uses a digital certificate to prove its identity to a server. Client certificates can also be used to encrypt network communication between two devices using TLS. Large organizations typically use this type of authentication to ensure only trusted devices are allowed to connect to the network.
S/MIME certificates are specific to email. Unlike a client certificate used for authentication and TLS encryption, S/MIME certificates encrypt email messages, ensuring they're only decrypted when viewed by the intended recipient.
The key difference is that the TLS encryption used with client certificate authentication only protects the connection between your email software and your email server, not the message itself on its way from sender to recipient.
Healthcare, insurance, retail and the defense industrial base are a few of the industries that commonly require the encryption of sensitive data in email. For example, PCI DSS requirement 3.4 states that cardholder data must be rendered unreadable wherever it’s stored. Encryption is one of the methods for meeting this requirement.
Under HIPAA, covered entities must have controls to ensure the confidentiality and integrity of protected health information (PHI). HIPAA also includes a public breach disclosure requirement that organizations can avoid if the PHI was encrypted at the time of unauthorized access.
As a final example, information subject to U.S. export controls must be secured with end-to-end encryption such that only the intended recipient(s) can access it. Seek the advice of a qualified professional to assess your needs relative to any compliance obligations you have.
A premium client certificate from DigiCert could be used to authenticate clients to servers, sign documents and secure email. But this isn't always the case, as these use cases are governed by different browser and CA/B Forum requirements.
Preventing phishing requires multiple layers of email security, including enabling S/MIME, enforcing DMARC, and taking advantage of brand indicators.
As part of phishing schemes, attackers often spoof company emails, sending malicious messages that appear to originate from the company or even from individual employees. Most companies don’t know when attackers are doing this. And when customers get scammed, it can erode customer loyalty and increase support costs and fraud losses.
By enforcing a DMARC policy at the company level, you can make it more difficult for attackers to spoof your domain. Using S/MIME to sign emails also provides tangible proof to the recipient that the message was not sent from a spoofed or impostor account.
Brand indicators like BIMI use Verified Mark Certificates (VMC) with DMARC enforcement to provide an added layer of assurance to customers. DMARC helps improve delivery of your emails, but a VMC can help your customers know that the email is actually from your company by displaying your logo next to the email in their inbox.
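An added example, not from the page or from DigiCert, for the DMARC enforcement the two paragraphs above rely on: a POSIX shell check that classifies a DMARC TXT record as enforcing (p=reject, or p=quarantine applied to 100 percent of mail, with no sp=none for subdomains), which is also the usual prerequisite before a BIMI logo will display. The records are constructed; a live check would first fetch the _dmarc.<domain> TXT record from DNS.

```shell
#!/bin/sh
# Constructed example: decide whether a DMARC record is "enforcing", i.e. whether
# receivers are told to quarantine or reject unauthenticated mail for the domain.
# The sample records below are made up; fetch _dmarc.<domain> TXT for a real domain.
set -e

dmarc_tag() {   # $1 = record, $2 = tag name; prints the tag's value, or nothing
  printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | head -n 1
}

# Returns 0 (enforcing) for p=reject, or p=quarantine with pct absent or 100,
# as long as the subdomain policy (sp=) does not fall back to none.
dmarc_enforced() {
  rec=$1
  [ "$(dmarc_tag "$rec" v)" = "DMARC1" ] || return 1
  p=$(dmarc_tag "$rec" p); sp=$(dmarc_tag "$rec" sp); pct=$(dmarc_tag "$rec" pct)
  [ "$sp" != "none" ] || return 1
  case "$p" in
    reject) return 0 ;;
    quarantine) [ -z "$pct" ] || [ "$pct" = "100" ] ;;
    *) return 1 ;;
  esac
}

# Constructed records: monitoring only, partial quarantine with open subdomains, full reject.
MONITOR='v=DMARC1; p=none; rua=mailto:dmarc@example.test'
PARTIAL='v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.test'
ENFORCE='v=DMARC1; p=reject; rua=mailto:dmarc@example.test'

for r in "$MONITOR" "$PARTIAL" "$ENFORCE"; do
  if dmarc_enforced "$r"; then echo "enforcing:     $r"; else echo "not enforcing: $r"; fi
done
```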