Tags: encryption, gmail, smime

Gmail - Encrypt all emails with S/MIME


We're integrating with a third party that requires all email communication with a specific domain to be encrypted with S/MIME.

As well, the compliance policy states the importance of encrypting all emails, with no exceptions.

So is there a way to add one certificate for the whole domain @example.com instead of a certificate per employee?


Solution

  • The short answer is: No. S/MIME does not allow for using one S/MIME certificate for multiple email addresses.

    The long answer is:

    There is some practice that uses so-called 'domain certificates', which basically is an S/MIME certificate issued for a general email address of that domain - often referred to as gateway address - which can then be used to encrypt email to all recipients of that domain.

    However, since a normal email client would not use an S/MIME certificate that has been issued for an address other than the email's recipient address, special support for such usage outside the S/MIME standard is required on both the sending and receiving ends. Some companies use special gateway software for this purpose. Outgoing emails are then created in plain, sent through the gateway, encrypted there, and then delivered S/MIME encrypted to the recipients. Incoming emails are first decrypted by the gateway, then delivered to the recipients' mailboxes.

    Note that this solution does not provide end-to-end encryption as S/MIME actually does, because the emails would be stored unencrypted. It is therefore significantly downgrading S/MIME, and that's often not allowed by company guidelines.

    Also note that the gateway approach can only support S/MIME encryption somehow. It cannot provide digital signatures for authentication, message integrity, and non-repudiation with proof of origin.

    Also, I am not aware of any such solution that integrates with GMail.
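The mismatch the answer describes, as an added example that is not part of the original post: a standards-conforming client looks for the recipient address among the certificate's rfc822Name subjectAltName entries, so a "domain certificate" issued to gateway@example.com is never selected when encrypting to alice@example.com. It uses the `cryptography` package; the addresses and the self-signed certificate are constructed for the demonstration.

```python
"""Why a per-domain 'gateway' S/MIME certificate is not usable by a normal
mail client: the recipient address must appear in the certificate's
subjectAltName as an rfc822Name (RFC 5750 section 3). Requires the
`cryptography` package; addresses and the certificate are constructed."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def make_smime_cert(email: str) -> x509.Certificate:
    """Self-signed test certificate carrying `email` as an rfc822Name SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )


def cert_emails(cert: x509.Certificate) -> list[str]:
    """All rfc822Name entries in the SAN extension (empty list if none)."""
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    return san.get_values_for_type(x509.RFC822Name)


def usable_for_recipient(cert: x509.Certificate, recipient: str) -> bool:
    """The check a conforming client makes before encrypting: the recipient
    address must match one of the certificate's rfc822Name entries.
    Comparison is case-insensitive here as a simplification."""
    return recipient.lower() in {e.lower() for e in cert_emails(cert)}


# The hypothetical 'domain certificate' issued to the gateway address.
GATEWAY_CERT = make_smime_cert("gateway@example.com")

if __name__ == "__main__":
    for addr in ("gateway@example.com", "alice@example.com"):
        print(addr, "->", usable_for_recipient(GATEWAY_CERT, addr))
```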