A step-by-step guide to installing a S/MIME certificate and setting up hosted S/MIME in Gmail.

S/MIME encrypted email message

What is S/MIME?

Secure/Multipurpose Internet Mail Extensions (S/MIME) is an internet standard that allows the sender of an email to protect the confidentiality of the message by encrypting its content with the public key contained in the recipient's S/MIME certificate.

The sender of a message usually also signs it with the private key of their own S/MIME certificate, which allows the recipient to authenticate the sender.

With some versions of Gmail for work [1] (part of Google Workspace, formerly known as G Suite and before that Google Apps), Google supports enhanced message encryption with S/MIME. Google provides hosted S/MIME, so although you have to entrust your S/MIME certificate's private key to Google, this allows you to read S/MIME encrypted emails and authenticate their sender with the Gmail web app on gmail.com (screenshot above), as well as with the Gmail mobile app.

If the version of Gmail you use doesn't support S/MIME or you don't want to upload your S/MIME certificate bundle to your Google account, you can still use S/MIME and read encrypted messages with your desktop email software and the iPhone Mail app (we haven't yet reviewed Android options), but you won't be able to read encrypted messages on gmail.com or with the Gmail app on your phone.

Get a S/MIME Certificate

You can buy a S/MIME certificate from a Certificate Authority (CA) or through a retailer, or get one free of charge from Actalis, an Italian CA.

Certificate authorities provide S/MIME certificate bundles either as a PKCS #12 file (.p12 or .pfx) if they generated the certificate for you or as a PKCS #7 (.p7b) file if you created the private key on your own computer and submitted a Certificate Signing Request (CSR) to the CA.

Enable S/MIME Encryption in the Admin Dashboard

Sign in to your Google Workspace admin dashboard and navigate to Settings for Gmail: Apps > Google Workspace > Gmail

Select User Settings. Change the Enable S/MIME encryption for sending and receiving emails option.

Enable S/MIME encryption in Google Admin dashboard

Check Enable S/MIME encryption for sending and receiving emails and Allow users to upload their own certificates.

Click the Save button.

Enable S/MIME encryption and allow users to upload certificates

Install the S/MIME Certificate in Gmail

Sign in to your Gmail account and click the Settings button in the upper right-hand corner. Select See all settings.

In the Accounts tab, click the edit info link outlined in red below.

Accounts tab in Gmail Settings

Click Upload a personal certificate and upload your S/MIME certificate bundle.

Upload a S/MIME certificate to Gmail

Enter the password associated with the S/MIME certificate bundle. If you obtained the certificate as a .p12 or .pfx file from a certificate authority, they must have also given you the password.

The certificate's private key is encrypted with the password, so if you have lost the password, you won't be able to import the certificate.

Enter the certificate bundle password

Select Use this certificate and click Save Changes.

Gmail encryption settings

You should now be able to send and receive encrypted messages on gmail.com and with the Gmail mobile app. Gmail should also automatically digitally sign outgoing mail.

The screenshot below shows the details of an encrypted message on the Gmail iOS app. The sender is marked as Verified because the message is digitally signed. A green padlock-and-plus-sign icon is displayed with the mention Enhanced encryption (S/MIME).

S/MIME Sign and Encrypt by Default

Interoperability of Gmail S/MIME with Other Email Clients

Due to mitigation efforts for a known vulnerability in the S/MIME protocol (Efail), Gmail currently only decrypts new S/MIME messages that have been “triple wrapped” per RFC 2634.

FormSmarts encrypted email delivery has a Gmail-compatibility mode that implements the required triple-wrapping so S/MIME messages can be decrypted in Gmail.
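RFC 2634 defines a triple-wrapped message as one that is signed, then encrypted, then signed again. The script below is an added example, not FormSmarts' or Google's code, that builds and unwraps such a message with the openssl command-line tool; it assumes openssl is installed, and the self-signed identities, file names and message are constructed for the demo.

```shell
#!/bin/sh
# Added example: RFC 2634 triple wrapping (sign, encrypt, sign) with the openssl CLI.
# Identities, addresses, file names and the message are constructed for this demo.

make_identity() {  # $1 = name; writes $1.key and a self-signed $1.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

triple_wrap() {  # $1 = plaintext file, $2 = output file
    # Layer 1: inner signature over the text (-text adds a text/plain header).
    openssl smime -sign -text -in "$1" -signer sender.pem -inkey sender.key \
        -out inner.eml &&
    # Layer 2: encrypt the whole signed entity to the recipient's certificate.
    openssl smime -encrypt -aes256 -in inner.eml -out enveloped.eml recipient.pem &&
    # Layer 3: outer signature over the enveloped data; it already carries
    # MIME headers, so -text is not used here.
    openssl smime -sign -in enveloped.eml -signer sender.pem -inkey sender.key \
        -out "$2"
}

triple_unwrap() {  # $1 = triple-wrapped file; prints the plaintext
    # Peel the layers in reverse order; a verify step fails if its layer was altered.
    openssl smime -verify -in "$1" -CAfile sender.pem -out outer.out &&
    openssl smime -decrypt -in outer.out -recip recipient.pem \
        -inkey recipient.key -out inner.out &&
    openssl smime -verify -text -in inner.out -CAfile sender.pem -out plain.out &&
    tr -d '\r' < plain.out   # S/MIME canonicalises line endings to CRLF
}

demo() {  # round trip in a throwaway directory; prints the recovered text
    work=$(mktemp -d) || return 1
    (
        cd "$work" &&
        make_identity sender && make_identity recipient &&
        printf 'constructed form submission\n' > msg.txt &&
        triple_wrap msg.txt triple.eml &&
        triple_unwrap triple.eml
    )
    status=$?
    rm -rf "$work"
    return $status
}

demo
```

The outer signature lets a receiver check integrity before attempting decryption, and the inner signature still binds the sender to the plaintext once the encryption layer is removed.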

Add the Certificate to FormSmarts

Before you can receive online form submissions by encrypted email, you need to add the certificate to FormSmarts. Sign in from a device where you've installed the certificate and create a Certificate Addition Request (Step #4 in the setup instructions).

Create a S/MIME Certificate Addition Request

Send a signed email to the long email address returned when you submitted the request. You should receive an email within seconds confirming FormSmarts imported your S/MIME certificate successfully.

[1] At the time of writing, S/MIME is only supported in Google Workspace Enterprise.