S/MIME is a protocol for sending digitally signed and encrypted emails to ensure the confidentiality, authenticity, and integrity of messages.

Set up S/MIME for outbound mails (signing and encryption)

You can use S/MIME for outbound mails for the following purposes:
  • Digital signature
  • Encryption
  • Digital signature and encryption

To set up S/MIME, the admin must have the following:
  • email_account_admin and sn_kmf.cryptographic_manager roles
  • Key pair (private key and public key)
  • CA certificate
  • Email certificate

Upload the instance email account key pair and email certificates, and enable outbound S/MIME properties. For more information, see Enable S/MIME.

If there are multiple recipients and some of the recipients do not have valid certificates, the email will be sent only to recipients with a valid certificate.

Set up S/MIME for inbound mails (signature verification and decryption)

S/MIME for inbound mails can be used for the following:
  • Signature verification
  • Decryption
  • Signature verification and decryption

For information about enabling inbound S/MIME properties, see Enable S/MIME.

If the system fails to decrypt a message, no inbound actions will run on the email and it is moved to the received-ignored status.

To set up the system to ignore inbound signed emails if the signature cannot be verified or is invalid, admins can create the email.inbound.smime.ignore_unverified_emails property and set it to true.

For more information about key management and the cryptographic module, see Key Management Framework Reference.