Turn on hosted S/MIME for message encryption (2024)

Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compareyouredition

You can set up hosted Secure/Multipurpose Internet Mail Extensions (S/MIME) in your Google Admin console to help protect your people in your organization from phishing, harmful attachments, and other email threats. S/MIME improves email security by encrypting and adding a digital signature to messages. Messages are decrypted using the combination of a public key and a private key

When S/MIME is hosted, the organization using S/MIME for encryption stores the private key. Google Workspace Client-side encryption (CSE) also lets users send and receive encrypted S/MIME messages. But with CSE, private keys are managed by an external key service for increased privacy and data protection. Learn more about CSE.

You can also customize some Gmail settings to require S/MIME for certain messages. Learn more

Step 1: Turn on hosted S/MIME in your Google Admin console

  1. Sign in to your GoogleAdminconsole.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to MenuTurn on hosted S/MIME for message encryption (1)Turn on hosted S/MIME for message encryption (2)Turn on hosted S/MIME for message encryption (3)AppsTurn on hosted S/MIME for message encryption (4)Google WorkspaceTurn on hosted S/MIME for message encryption (5)GmailTurn on hosted S/MIME for message encryption (6)User settings.

  3. On the left, underOrganizations, select the domain or organization you want to configure.

    Important: To use advanced S/MIME controls to upload and manage root certificates, you must enableS/MIME at the top-level organization, typically your domain. Learn more about S/MIME and root certificates.

  4. Scroll to the S/MIME setting and check theEnable S/MIME encryption for sending and receiving emails box.

  5. (Optional) To let people in your organization uploadcertificates, check the Allow users to upload their own certificates box.

  6. (Optional additional controls) To upload and manage root certificates:

    1. Next to Accept these additional Root Certificates for specific domains, click Add.
    2. In theAdd root certificatewindow, click Upload Root Certificate.
    3. Browse to select the certificate file and click Open. A verification message appears for the certificate. This message includes the subject name and expiration.
    4. Under Encryption level, select the encryption level to use with this certificate.
    5. Under Address list, enter at least one domain that will use the root certificate when communicating. Separate multiple domains with commas. Domain names can include wildcards. To learn more about using wildcards in domain names, refer toRFC 6125.
    6. (Optional) To allow CSE keypairs with certificates associated with an email address other than a user's primary email address, select the certificate mismatch option (For these domains allow certificates with email addresses that don't match users current email address).

      For security reasons, this option is recommended only when required by your organization. This feature is supported with CSE. It's not supported with hosted S/MIME.To learn more about certificate mismatch, visitManage trusted certificates for S/MIME.

    7. Click Done.
    8. Repeat these steps to uploadmorecertificate chains.
  7. If your domain or organization must use Secure Hash Algorithm 1 (SHA-1), check the Allow SHA-1 globally (not recommended) box. To learn more about using SHA-1, visitManage trusted certificates for S/MIME.
  8. ClickSave.

Changes can take up to 24 hours but typically happen more quickly.Learn moreMessages sent during this time aren't encrypted.

Step 2: Have your users reload Gmail

After you enable hosted S/MIME in your Google Admin console, tell your users to reload Gmail. A lock icon appears in the message subject. If the message is encrypted with hosted S/MIME, the lock is green.

Step 3: Upload certificates

To use hosted S/MIME encryption, S/MIME end-user certificates must be uploaded to Gmail. The certificate should meet current cryptographic standards and use the Public-Key Cryptography Standards (PKCS) #12 archive file format.

Thislist of trusted certificates provided and maintained by Google applies only to Gmail for S/MIME.

We recommend that adminsupload certificates with the Gmail S/MIME API. You can also use the Gmail S/MIME API to manage tasks like viewing, deleting, and setting default user keys. Learn more about the Gmail S/MIME API.

You can also let users upload certificates in their Gmail settings:

  1. Go toGmail.
  2. Choose Settings Turn on hosted S/MIME for message encryption (7)Turn on hosted S/MIME for message encryption (8) See all settings.
  3. Selectthe Accounts tab.
  4. Next toSend mail as, selectEdit info.

    The Edit email address and encryption settings window appears. If you don't have this option, contact your administrator.

  5. ClickUpload a personal certificate.
  6. Select the certificate and click Open. You'll be prompted to enter a password for the certificate.
  7. Enter the password and click Add certificate.

Step 4: Have your users exchange keys

To start exchanging S/MIME messages, your users need to exchange keys with message recipients in one of these ways:

  • Send an S/MIME signed message to recipients. The message is digitally signed and includes the user's public key. Recipients can use this public key to encrypt messagesthey send to the user.
  • Ask recipients to send them a message. When they receive the message, it’s signed with S/MIME. The key is automatically stored and available. Going forward, messages sent to the recipient are S/MIME-encrypted.

Override sub-organization SMIME settings

By default, organizational units inherit SMIME settings from the top-level organizational unit. You can optionally override the inherited SMIME settings for organizational units. This feature is useful for disabling or customizing SMIME settings for organizational units.

To override SMIME settings:

  1. Sign in to your GoogleAdminconsole.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to MenuTurn on hosted S/MIME for message encryption (9)Turn on hosted S/MIME for message encryption (10)Turn on hosted S/MIME for message encryption (11)AppsTurn on hosted S/MIME for message encryption (12)Google WorkspaceTurn on hosted S/MIME for message encryption (13)GmailTurn on hosted S/MIME for message encryption (14)User settings.

  3. On the left, underOrganizations, select the organizational unityou want to configure.

  4. Scroll to the S/MIME setting, and click to expand it.

    The labelunder the S/MIME setting label will indicate either Inherited from (organization or domain name), or Overridden.

  5. Click Override to save changes to the sub-organization inheriting SMIME settings.

    Afterthe sub-organization's settings are saved, Overriddenis displayed under the SMIME settings label. A dotalso appears next to the overriding sub-organizations in the Organization Unit structure tree on the left.

Tip: If your sub-organization has overridden a higher level organization’s settings, you can use the Inherit button to inherit settings from the higher level organization.

Related topics

Manage trusted certificates for S/MIME (advanced)

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members Contact us Tell us more and we’ll help you get there

Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Turn on hosted S/MIME for message encryption (2024)
Top Articles
Latest Posts
Article information

Author: Cheryll Lueilwitz

Last Updated:

Views: 6753

Rating: 4.3 / 5 (74 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Cheryll Lueilwitz

Birthday: 1997-12-23

Address: 4653 O'Kon Hill, Lake Juanstad, AR 65469

Phone: +494124489301

Job: Marketing Representative

Hobby: Reading, Ice skating, Foraging, BASE jumping, Hiking, Skateboarding, Kayaking

Introduction: My name is Cheryll Lueilwitz, I am a sparkling, clean, super, lucky, joyous, outstanding, lucky person who loves writing and wants to share my knowledge and understanding with you.