S/MIME Email Encryption: How to Sign and Encrypt Email

How to use S/MIME certificates to digitally sign and encrypt emails. Covers Outlook, Apple Mail, Thunderbird, and Gmail setup with step-by-step instructions.


Why Encrypt Email?

Standard email travels in plaintext. Anyone between you and the recipient -- ISPs, Wi-Fi snoopers, compromised mail servers -- can read it. Email encryption solves this using the same public/private key cryptography that protects HTTPS.

There are two main approaches:

  • S/MIME -- uses X.509 certificates (the same kind used for SSL). Built into Outlook, Apple Mail, and Thunderbird.
  • PGP/GPG -- uses its own key format. Popular with developers but not built into most email clients.

This guide covers S/MIME because it works with the certificates you can generate at getaCert.com.

How S/MIME Works

S/MIME does two things:

Digital Signing

You sign an email with your private key. The recipient verifies the signature with your public key (embedded in your certificate). This proves:

  • The email is really from you (authentication)
  • It wasn't modified in transit (integrity)

Encryption

You encrypt an email with the recipient's public key. Only their private key can decrypt it. This means:

  • Only the recipient can read it (confidentiality)
  • You need the recipient's certificate first (they must have sent you a signed email, or you need their cert from a directory)

You can sign without encrypting, encrypt without signing, or do both.

Getting an S/MIME Certificate

You need a certificate with your email address in the Subject or Subject Alternative Name.

Generate one at getaCert.com

  1. Go to Self-Signed Certificate
  2. Enter your email address in the Common Name or Email field
  3. Download the .p12 (PKCS#12) file -- this contains your certificate and private key

For trusted signatures (no "unknown signer" warnings), use a certificate from a recognized CA. Free options include Actalis and some enterprise CAs.

Certificate requirements for S/MIME

  • Key Usage: Digital Signature, Key Encipherment
  • Extended Key Usage: Email Protection (1.3.6.1.5.5.7.3.4)
  • Subject Alternative Name: Your email address (RFC822 type)
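The two operations described under "How S/MIME Works" and the certificate fields listed above, as an added example that is not getaCert.com's own tooling: the script builds a self-signed certificate carrying exactly those Key Usage, Extended Key Usage and SAN values with openssl, bundles it as a .p12 (reusing the guide's default password), then signs/verifies and encrypts/decrypts a constructed message with `openssl cms`. The mailbox names (alice@example.com, bob@example.com) and the scratch directory are assumptions.

```shell
# Added example, not getaCert.com's own tooling. Mailbox names are constructed.
set -eu
WORK=$(mktemp -d)
make_cert() {   # $1 = short name, $2 = email address
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = smime
prompt             = no
[dn]
CN           = $2
emailAddress = $2
[smime]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName   = email:$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  # Bundle cert + private key into the PKCS#12 file a mail client imports.
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -out "$WORK/$1.p12" -passout pass:password
}
# Returns 0 only if the cert carries the Email Protection EKU and the SAN email.
check_smime_cert() {   # $1 = PEM cert, $2 = email address
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q 'E-mail Protection' &&
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "email:$2"
}
# Signing: alice's key signs; her cert rides inside the message, so the verifier only needs a trust anchor (here the self-signed cert itself).
sign_and_verify() {
  printf 'Subject: hello\n\nQuarterly numbers attached.\n' > "$WORK/msg.txt"
  openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
  openssl cms -verify -in "$WORK/signed.eml" -CAfile "$WORK/alice.crt" \
    -out "$WORK/verified.txt" 2>/dev/null
  grep -q 'Quarterly numbers attached.' "$WORK/verified.txt" || return 1
  # Integrity: change one word of the signed body and verification must fail.
  sed 's/Quarterly/Annual/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  ! openssl cms -verify -in "$WORK/tampered.eml" -CAfile "$WORK/alice.crt" >/dev/null 2>&1
}
# Encryption: alice needs bob's certificate (public key); only bob's key decrypts.
encrypt_and_decrypt() {
  openssl cms -encrypt -in "$WORK/msg.txt" -aes256 -out "$WORK/enc.eml" "$WORK/bob.crt"
  ! openssl cms -decrypt -in "$WORK/enc.eml" -inkey "$WORK/alice.key" \
      -recip "$WORK/alice.crt" >/dev/null 2>&1 || return 1   # wrong key is rejected
  openssl cms -decrypt -in "$WORK/enc.eml" -inkey "$WORK/bob.key" \
      -recip "$WORK/bob.crt" | grep -q 'Quarterly numbers attached.'
}
make_cert alice alice@example.com; make_cert bob bob@example.com
```

Importing the generated alice.p12 into any of the clients below and inspecting the certificate shows the same three fields the list above requires.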

Setup: Microsoft Outlook (Windows)

Import your certificate

  1. Double-click the .p12 file
  2. The Certificate Import Wizard opens
  3. Enter the password (default from getaCert.com: password)
  4. Select "Automatically select the certificate store"
  5. Click Finish

Enable S/MIME

  1. Open Outlook > File > Options > Trust Center > Trust Center Settings
  2. Click Email Security
  3. Under "Encrypted email," click Settings
  4. Choose your signing and encryption certificates
  5. Click OK

Sign an email

  • New email > Options tab > click Sign (envelope with ribbon icon)
  • Or set "Add digital signature to outgoing messages" as default

Encrypt an email

  • New email > Options tab > click Encrypt (lock icon)
  • You must have the recipient's certificate (they must have sent you a signed email first)

Setup: Apple Mail (macOS)

Import your certificate

  1. Double-click the .p12 file
  2. macOS Keychain Access opens
  3. Enter the password
  4. The certificate is added to your login keychain

Sign and encrypt

Apple Mail automatically detects S/MIME certificates:

  • Open a new message
  • Two icons appear next to the From field:
      • Checkmark -- click to sign
      • Lock -- click to encrypt (only available if you have the recipient's certificate)

If the icons don't appear, check that the certificate's email matches your From address in Mail preferences.

Setup: Mozilla Thunderbird

Import your certificate

  1. Settings > Privacy & Security > Certificates > Manage Certificates
  2. Click Your Certificates tab > Import
  3. Select your .p12 file and enter the password

Configure S/MIME

  1. Account Settings > select your email account > End-To-End Encryption
  2. Under S/MIME, click Select for both signing and encryption certificates
  3. Choose your imported certificate

Send signed/encrypted email

  • Compose a message
  • Click Security > select Digitally Sign and/or Encrypt

Setup: Gmail (Web)

Gmail's web interface supports S/MIME only on Google Workspace (paid) accounts with S/MIME enabled by the admin. Personal Gmail accounts don't support S/MIME natively.

Workarounds:

  • Use a desktop client (Thunderbird, Outlook) with your Gmail account via IMAP
  • Use a browser extension like Mailvelope (PGP-based, not S/MIME)
  • Use Google Workspace with S/MIME enabled by your IT admin

Signing vs Encryption: What to Use

Scenario                      Sign                           Encrypt
----------------------------  -----------------------------  ----------
Prove email is from you       Yes                            Optional
Prevent tampering             Yes                            Optional
Keep contents private         Optional                       Yes
Recipient needs your cert?    No (cert included in email)    No
You need recipient's cert?    No                             Yes
Regulatory compliance         Usually signing is required    Often both

Start with signing only. It's simpler (no need for recipient certificates) and adds authenticity to every email you send. Add encryption when you need privacy for specific conversations.

Common Issues

"The signer's certificate is not trusted"

The recipient's email client doesn't trust the CA that signed your certificate. Self-signed certificates will always show this warning. Options:

  • Use a certificate from a publicly trusted CA (Actalis, Sectigo, DigiCert)
  • Have the recipient install your CA certificate
  • Accept the warning -- the signature still proves integrity

"Cannot encrypt: no certificate for recipient"

You don't have the recipient's S/MIME certificate. They need to send you a signed email first, or you need to obtain their certificate from a directory. This is the biggest friction point with S/MIME -- both parties need certificates.

Certificate expired

S/MIME certificates expire like any other cert. When yours expires:

  • Old signed emails remain verifiable (the signature is timestamped)
  • You can't sign new emails until you get a new certificate
  • Encrypted emails to you still work until you delete the old private key
