During the WWDC 2011 keynote, Apple announced that iOS 5 would support S/MIME. That announcement makes it a perfect topic to kick off my Foundations segments. In this article I will describe what S/MIME is and why people should use it, encourage everyone to start using it now, and once iOS 5 comes out you will appreciate that S/MIME email is available on the phone as well.

From my two years of using S/MIME email, I have found that two kinds of people use it: a) government and b) tech geeks. I can understand the lack of adoption for general email, as there are several hurdles to overcome to make S/MIME work. But first, the main question: what is S/MIME, and why should I be using it?


S/MIME stands for Secure/Multipurpose Internet Mail Extensions and is a standard for public-key encryption and signing of MIME data (an email message) [1]. It lets you do two things:

  1. Assure your recipients that you actually sent the email, and that it was not altered on the way (signing)
  2. Send and/or receive email that only the intended recipient can read (encryption)

Example Story of Bad Email

Everyone has received the email from a family member or friend where the subject line seems a little… odd. Upon opening it you notice it is spam (argh, they got me to open spam!). Somehow a spammer was able to use your friend's email address (this is called spoofing), which, understandably, made you feel comfortable enough to open and read the message. There are worse scenarios than a spoofed address, such as a trojan or an actually hijacked account, but the concept is the same: you opened an email that wasn't really from your friend or family member. This experience is what created the need for a more secure form of email.

First, signing. I like to compare signing an email to putting a wax seal on a letter, back before email or a government-operated post office existed. People understood that a letter with a particular wax seal came from a particular sender, and so knew it was authentic and could be trusted; the same goes for a signed S/MIME email. If you don't see the "signed" icon in Apple's Mail (or any other mail application), or the client flags the signature as invalid, you should be suspicious that the email is not from the sender it claims to be. Note the difference from the spam story above: anyone can type any address into a From: line, but only the holder of the private key can produce a signature that validates against that sender's certificate.

So how do you encrypt email?

Question: when you send a letter through the post office, do you simply print a piece of paper and drop it in the mailbox, or do you put it in an envelope? Why the envelope? So that nobody reads the contents on the way. If you worry about people reading your letter, why send an email without a virtual envelope? As an email passes through every router and switch, and from one mail server to the next, anyone along the path (or with access to a mail server's disk) can read it unless it is inside that virtual envelope, that is, encrypted. Yes, it is a little dramatic, but it is entirely possible.

Now that I have piqued your interest in sending signed and/or encrypted email, how is it done? It starts with certificates. Certificates don't have to be hard, but they take some getting used to, and there are several complications:

  1. Certificates must come from a third party (a certificate authority) if you want other people's mail clients to trust them without manual steps.
  2. Certificates must be shared in some fashion (fortunately, email makes this simple).
  3. Certificates expire.
  4. Certificates require a mail application (not webmail in a browser).

So why do certificates have to come from a third party? The easiest way to explain this is with another analogy. If you buy a used car, do you simply trust the dealer, or do you get a CARFAX report or send the car to your own mechanic? A third party, the certificate authority, performs the checks that tie the certificate to the person who really controls that email address (i.e. makes sure they are the one with the correct wax seal); your recipients' mail clients already trust a list of these authorities, which is why a signature made with a CA-issued certificate shows up as valid without any setup on their end. The other issue is that most certificates last only one year, so you have just begun the never-ending cycle of annually renewing your email certificate. Since it is an annual process (rather than monthly, weekly or daily), you may have to re-learn how to obtain your certificate each year, so I suggest taking notes.

So what about the second bullet? This needs a little more explanation of how certificates are created with your third party. When you request an email certificate, two items are generated: a private key and a public key (you will usually be asked for a password, which protects the private key). Keep your private key private and safe! It is what decrypts messages from your family and friends, and it is the only way you can read a message someone has encrypted to you. If you lose your private key, nobody can recover it, and you will never again be able to open any message that was encrypted to it (so back it up, password-protected, before the renewal cycle starts replacing it). The public key is what the certificate authority wraps into your certificate, and the certificate is attached automatically every time you sign an email message, which is how other people get what they need to encrypt mail to you.

Let's put this exchange into a real-life scenario. I want my taxes done by a CPA, so I need to send him all of my tax documents. I could fax them or use USPS, but since this is 2011 let's use email: secure email, via S/MIME. I send a signed email to my CPA that simply says "Please reply with a signed email message so I can send my tax information". In the CPA's signed reply his certificate (and with it his public key) arrives, and I use it to encrypt my next email, the one containing all of my tax information. The CPA has the matching private key, which decrypts my email automatically, and he can download my tax information [2]. (Mail clients generally also encrypt an outgoing message to your own certificate, so the copy in your Sent folder stays readable to you.)

The nice thing is that once you have your certificate, most mail applications make sending signed and/or encrypted email simple. Where doesn't S/MIME work? In the web interface of any webmail platform such as Gmail, Hotmail, Yahoo, etc. You can configure your mail application to fetch that account via IMAP or POP, and then S/MIME works; you just cannot use the webmail version of the service. If someone sends an encrypted email to your account and you are reading it in the webmail interface rather than in your mail application (where your private key lives), it will not open.


  [1] S/MIME info by Wikipedia

  [2] Most email applications let you encrypt a message with a single button. Screenshots of Mail and iOS will follow in future posts.


Grischa Wolf

I don't think you can download free S/MIME certs. As there is a vetting process included to ensure your identity, it might come at a cost. My personal favorite is GlobalSign, pricey, but fast and secure.

Isaias M Solorio Lopez

Hi, I haven't been able to get into my Facebook account because of the login code that I need, and I've lost it because I bought a new phone and got a new number with it. I really need to get back into my account.


Hello Diane,

My guess is that the person you are trying to send an email to has not sent a "signed" email. That would provide you with their public key, which would allow you to encrypt your email.


When security is a primary concern, S/MIME is a good thing. This article is pretty old, as it was originally written in 2011, but it is still valid.

I'm sure there are other options today that allow you to securely send data and may fit users' needs better than generating certificate keys, but this is still used.

Jeremy Easter

I'm wondering if it's possible (not simply being nice when I say you seem to be a smart guy with well-written, easily understood emails) just to ask what's the simplest way to have those settings (bar slid on or off) in email?


Hello GNBritt,

I don't think this would reduce the spam, but it would reduce the number of messages that you need to focus on. If the message wasn't encrypted for you, you can assume that person is not a "known" person.

Alejandro Guerrero

Hello Justin,

I hope you are still reading these comments. I stumbled onto this page because I'm trying to understand what S/MIME offers over regular SSL/TLS. If you are already sending encrypted email with SSL/TLS, why would you use S/MIME? Doesn't SSL/TLS already ensure authentication, integrity and confidentiality?


Hello Alejandro,

Think of this the same way you think about encryption in general. True security for data being transferred from one party to the other requires two levels: encryption over the wire, and encryption at rest.

Encryption over the wire is your TLS connection. This establishes the handshake so the two parties can pass data to each other securely. However, once the file is on the server, a generic email will be in plain text, while an S/MIME email is going to be a bunch of text garbage unless it can be decrypted by your private S/MIME key.

Hope this helps.


PGP/GPG is a different application from S/MIME, but functionally it does the same thing. What makes PGP/GPG different is that you have to have that installed, vs. only using certificates on your machine.
