Secure Encrypted Email (S/MIME)
With secure email, FormSmarts customers can keep the convenience of receiving form responses by email, while protecting the confidentiality of the data submitted via their online forms.
What Is Encrypted Email (S/MIME)?
Secure/Multipurpose Internet Mail Extensions or S/MIME is an Internet standard and technology that allows the sender of an email message (e.g. FormSmarts) to protect the confidentiality and security of the message by encrypting it with the recipient's public key.
The email software on the recipient's computer or phone can then decrypt the message with the recipient's private key. S/MIME is widely supported by the majority of modern email software on both desktop and mobile devices.
S/MIME ensures that a form response is encrypted in FormSmarts' backend and only decrypted in the customer's inbox [1].
How is Secure Email Different from Standard Email?
Currently, FormSmarts' standard email delivery uses opportunistic Transport Layer Security (TLS) to encrypt the connection with a form recipient's email provider when we deliver a message:
- We send email via a secure connection if the remote server supports TLS
- We deliver the message over a non-secure connection if the remote server doesn't support TLS
TLS encrypts the connection, not the message itself, and the connection is only encrypted if the form recipient's email provider supports TLS (most do).
Moreover:
- The message might not stay encrypted after it reaches the form recipient's email provider
- Anyone who gains access to the form recipient's email account can read the unencrypted message
- Anyone with access to the mail server can usually read the unencrypted message
FormSmarts encrypted email uses asymmetric encryption (also known as public-key cryptography) to encrypt a form submission (i.e. the email message) before it is sent in such a way that only the form recipient can decrypt it.
Asymmetric Encryption relies on two mathematically connected cryptographic keys to encrypt and decrypt the data:
- A public key that can be openly distributed without compromising security. The form recipient shares their public key with FormSmarts so we can use it to encrypt messages.
- A private key, which the form recipient does not share with FormSmarts or anyone else. The form recipient installs the private key on the devices on which they want to read form responses. The private key allows mail apps to decrypt messages [2].
What Are the Benefits of S/MIME Encrypted Email?
- S/MIME protects form responses against unauthorized access with encryption
- The message itself is encrypted, not just the connection used to deliver it
- A form response is encrypted in FormSmarts' backend and only decrypted in your inbox
- Because email attachments are also encrypted (and due to the premium nature of Encrypted Email), e-signatures and the files uploaded through a form [3] are attached to the notification email instead of being available via links.
- S/MIME is an Internet standard supported by most desktop email software and mobile email apps. We've independently tested some of them with FormSmarts Encrypted Email.
How Can I Receive Form Responses by Secure Email?
1. Get an S/MIME certificate from a Certificate Authority (CA)
2. Install the S/MIME identity file delivered by the CA (links to installation guides in the next section)
3. If you would like to set up secure email for a form that has more than one destination email address, repeat steps 1 and 2 for each email address
4. Use the API Console to submit a Certificate Addition Request. The response will show a verification email address like cert+yBf4LjgsqmoOtK0vzJ7sqYLKO2iMNvj-vyEVXE3F2aM@formsmarts.com. Please send an email to that address within 8 hours, making sure the message is digitally signed with your S/MIME certificate. Check the documentation of your email software to find out how to do that. This will allow FormSmarts to import your S/MIME certificate, which we'll then be able to use to encrypt emails.
5. Once you've gone through Step 4 for each email address, edit each of the forms you want to receive by secure email and toggle on Send by secure email (S/MIME) in the Submit Actions tab, as shown on the screenshot above.
If you have any questions, contact Support for assistance.
Encrypted Email Compatibility with Email Apps
S/MIME is an internet standard that is supported by most desktop email clients and many mobile apps. In addition, we have independently tested FormSmarts' S/MIME encrypted email implementation with a number of applications and providers:
- Microsoft Outlook on Windows
- Microsoft Outlook on Mac OS
- Microsoft Outlook iPhone app
- Gmail iPhone app
- gmail.com webmail
- Mac OS Mail
- iPhone Mail app
- Thunderbird
S/MIME Frequently Asked Questions
1. Do I need to get an S/MIME certificate to use encrypted email?
Yes, S/MIME relies on an S/MIME “identity”, “profile” or simply “S/MIME certificate” that is associated with your email address, and optionally with your personal and corporate identity.
S/MIME certificates are available from a number of providers (called Certificate Authorities, or CAs) at various price ranges, including one Certificate Authority offering S/MIME certificates free of charge.
2. My online form has more than one destination email address, can I use the same S/MIME certificate for all of them?
No, you need to get a separate S/MIME certificate bundle for each email recipient, install it on the respective email software or device, and set up each one on FormSmarts.
3. What are the considerations for choosing between offers from S/MIME Certificate Authorities?
S/MIME certificate issuance process
The S/MIME certificate issuance process varies between certificate authorities.
- Some (e.g. DigiCert, SSL.com) allow you to generate the private key on your own computer and upload a Certificate Signing Request (CSR) [4], so you don't need to share your private key (which should ideally never leave your computer) with them.
- At the time of writing, one certificate authority (Sectigo/Comodo) requires its clients to use an obsolete browser to generate the private key.
- A number of other CAs (Entrust, Actalis) generate the private key on their servers, so you have to trust they don't keep it.
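Generating the private key and CSR locally, as the DigiCert/SSL.com style flow above (and the OpenSSL route mentioned in footnote 4) allows, as an added example that is not FormSmarts' or any CA's code: the checks confirm that the CSR you upload contains only the subject and public key and is signed by the private key, which never leaves the machine. The name and email address are placeholders.

```shell
# Added example, not FormSmarts code: generate the private key and CSR locally
# with OpenSSL. Only the CSR is uploaded to the CA; name and email address are
# placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_key_and_csr() {   # $1 = directory, $2 = email address
  # The private key is created here and stays here; lock down its permissions.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$1/smime.key" 2>/dev/null
  chmod 600 "$1/smime.key"
  # The CSR carries the subject and public key, self-signed with the private key.
  openssl req -new -key "$1/smime.key" \
    -subj "/CN=Your Name/emailAddress=$2" -out "$1/smime.csr"
}

# Checks worth running before uploading the CSR.
csr_verify_signature() {   # 0 when the CSR's self-signature is valid
  openssl req -in "$1/smime.csr" -noout -verify >/dev/null 2>&1
}
csr_email() {   # the address the CA will bind the certificate to
  openssl req -in "$1/smime.csr" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*emailAddress=\([^,]*\).*/\1/p'
}
csr_matches_key() {   # CSR public key must be derived from our private key
  [ "$(openssl req -in "$1/smime.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/smime.key" -pubout)" ]
}
csr_has_private_material() {   # must fail: nothing secret leaves the machine
  grep -q 'PRIVATE KEY' "$1/smime.csr"
}

make_key_and_csr "$WORK" you@example.com
csr_verify_signature "$WORK" && csr_matches_key "$WORK" \
  && echo "CSR ready to upload for $(csr_email "$WORK")"
```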
Validity period
S/MIME certificates are (at the time of writing) valid for up to three years. Purchasing an S/MIME identity that is valid for a longer period reduces how often you need to renew and install new S/MIME certificates, and the total time spent doing so. Free S/MIME certificates from Actalis are only valid for one year.
Identity verification level
Certificate authorities offer various levels of identity verification, from basic email address ownership verification, to personal identity verification and organization validation. Personal and organization verification involve manual labor and command higher prices. These differentiators are mostly relevant to applications of S/MIME involving digital signatures. FormSmarts only uses the encryption aspect of S/MIME [5] and will work equally well with any valid certificate.
4. Is secure email end-to-end encryption?
Not quite, because the message is only encrypted once on FormSmarts' servers, before we send it to form recipients. End-to-end encryption would need to happen in the browser of the person submitting a form. This, however, would prevent FormSmarts from inspecting the data to filter out spam. Note that although the message is only encrypted once on FormSmarts' servers, the connection is encrypted with TLS when someone submits a form, so the data is still encrypted at all times.
[1] Encrypted Email (S/MIME) is only supported with Business Max accounts and higher.
[2] FormSmarts does not have a form recipient's private key and therefore cannot decrypt the messages we send.
[3] When possible, depending on the number and size of form attachments and the number of form recipients.
[4] Mac and Linux users can generate a private key and CSR with OpenSSL.
[5] FormSmarts digitally signs encrypted notification emails with our own S/MIME certificate.