How to Set Up S/MIME in Gmail
A step-by-step guide to installing a S/MIME certificate and setting up hosted S/MIME in Gmail.
What is S/MIME?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is an internet standard that allows the sender of an email to protect the confidentiality of the message by encrypting its content with the public key contained in the recipient's S/MIME certificate.
The sender of a message usually also signs it with the private key associated with their own S/MIME certificate, which allows the recipient to authenticate the sender.
With some versions of Gmail for work [1] (part of Google Workspace, formerly known as G Suite and before that Google Apps), Google supports enhanced message encryption with S/MIME. Google provides hosted S/MIME, so although you have to entrust your S/MIME certificate's private key to Google, this allows you to read S/MIME encrypted emails and authenticate their sender with the Gmail web app on gmail.com (screenshot above), as well as with the Gmail mobile app.
If the version of Gmail you use doesn't support S/MIME or you don't want to upload your S/MIME certificate bundle to your Google account, you can still use S/MIME and read encrypted messages with your desktop email software and the iPhone Mail app (we haven't yet reviewed Android options), but you won't be able to read encrypted messages on gmail.com or with the Gmail app on your phone.
Get a S/MIME Certificate
You can buy a S/MIME certificate from a Certificate Authority (CA) or through a retailer, or get one free of charge from Actalis, an Italian CA.
Certificate authorities provide S/MIME certificate bundles either as a PKCS #12 file (.p12 or .pfx) if they generated the certificate for you or as a PKCS #7 (.p7b) file if you created the private key on your own computer and submitted a Certificate Signing Request (CSR) to the CA.
Enable S/MIME Encryption in the Admin Dashboard
Sign in to your Google Workspace admin dashboard and navigate to Settings for Gmail: Apps > Google Workspace > Gmail
Select User Settings. Change the Enable S/MIME encryption for sending and receiving emails option.
Check Enable S/MIME encryption for sending and receiving emails and Allow users to upload their own certificates.
Click the Save button.
Install the S/MIME Certificate in Gmail
Sign in to your Gmail account and click the Settings button in the upper right-hand corner. Select See all settings.
In the Accounts tab, click the edit info link outlined in red below.
Click Upload a personal certificate and upload your S/MIME certificate bundle.
Enter the password associated with the S/MIME certificate bundle. If you obtained the certificate as a .p12 or .pfx file from a certificate authority, they must have also given you the password.
The certificate's private key is encrypted with the password, so if you have lost it, you won't be able to import the certificate.
Select Use this certificate and click Save Changes.
You should now be able to send and receive encrypted messages on gmail.com and with the Gmail mobile app. Gmail should also automatically digitally sign outgoing mail.
The screenshot below shows the details of an encrypted message on the Gmail iOS app. The sender is marked as Verified because the message is digitally signed. A green padlock-and-plus-sign icon is displayed with the mention Enhanced encryption (S/MIME).
Interoperability of Gmail S/MIME with Other Email Clients
Due to mitigation efforts for a known vulnerability in the S/MIME protocol (Efail), Gmail currently only decrypts new S/MIME messages that have been “triple wrapped” per RFC 2634.
FormSmarts encrypted email delivery has a Gmail-compatibility mode that implements the required triple-wrapping so S/MIME messages can be decrypted in Gmail.
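When a message will not decrypt in Gmail, a first triage step is to check how it is layered. The sketch below is an added example, not code from Gmail or FormSmarts: it uses Python's standard `email` module to report the S/MIME layers visible without the private key, and the function names and result labels are assumptions made for illustration.

```python
from email import message_from_string

# S/MIME media types (RFC 8551), including the legacy "x-" forms.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def _param(part, name):
    value = part.get_param(name)
    return value.lower() if isinstance(value, str) else ""

def smime_layer(part):
    """Return 'signed', 'enveloped' or None for one MIME entity."""
    ctype = part.get_content_type()
    if ctype == "multipart/signed":
        return "signed" if _param(part, "protocol") in PKCS7_SIG else None
    if ctype in PKCS7_MIME:
        kind = _param(part, "smime-type")
        if kind == "signed-data":
            return "signed"
        if kind in ("enveloped-data", "authenveloped-data"):
            return "enveloped"
    return None

def classify(raw):
    """Describe the S/MIME layers visible without the recipient's private key."""
    msg = message_from_string(raw)
    outer = smime_layer(msg)
    if outer is None:
        return "not-smime"
    if outer == "enveloped":
        return "encrypted-only"   # no outer signature, so not triple wrapped
    if msg.get_content_type() != "multipart/signed":
        return "opaque-signed"    # inner layer is hidden inside the CMS blob
    parts = msg.get_payload()
    inner = smime_layer(parts[0]) if isinstance(parts, list) and parts else None
    # An outer signature over enveloped-data matches the two outer layers of a
    # triple wrap; the innermost signature only shows after decryption.
    return "signed-over-encrypted" if inner == "enveloped" else "signed-only"

# Constructed samples: the "AAAA" bodies are placeholders, not real CMS data.
ENCRYPTED_ONLY = ("Content-Type: application/pkcs7-mime; "
                  "smime-type=enveloped-data; name=smime.p7m\n\nAAAA\n")
OUTER_SIGNED = ('Content-Type: multipart/signed; micalg=sha-256; boundary="b1"; '
                'protocol="application/pkcs7-signature"\n\n'
                "--b1\nContent-Type: application/pkcs7-mime; "
                "smime-type=enveloped-data\n\nAAAA\n"
                "--b1\nContent-Type: application/pkcs7-signature\n\nAAAA\n--b1--\n")
if __name__ == "__main__":
    print(classify(ENCRYPTED_ONLY), classify(OUTER_SIGNED))
```

A result of `encrypted-only` means the sender did not apply the outer signature that triple wrapping requires; `signed-over-encrypted` is consistent with a triple wrap but cannot confirm the innermost signature.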
Add the Certificate to FormSmarts
Before you can receive online form submissions by encrypted email, you need to add the certificate to FormSmarts. Sign in from a device where you've installed the certificate and create a Certificate Addition Request (Step #4 in the setup instructions).
Send a signed email to the long email address returned when you submitted the request. You should receive an email within seconds confirming FormSmarts imported your S/MIME certificate successfully.
[1] At the time of writing, S/MIME is only supported in Google Workspace Enterprise.