The trouble with S/MIME e-mail encryption

Nov 06, 2009

With careful planning, S/MIME can be nearly effortless after the initial install -- until you need to scan, inspect, or search the encrypted messages

A few times a year, I recognize the need for a product where none exists because I hear multiple customers asking for it. This is one of those times. The products that an increasing number of my clients are looking for are e-mail scanning and archiving systems that can handle S/MIME-encrypted messages.

In a normal year, I visit 20 to 40 clients, ranging from small companies to Fortune 10, where I get to see what products they are using and how well these products work in a real-world scenario. Increasingly popular these days is the use of S/MIME and other e-mail encryption methods (such as PGP, proprietary Web mail portals, and so on) to protect e-mail both within the enterprise and externally. S/MIME isn’t necessarily the best method to use, but it’s a stable, open standard and probably the most common e-mail encryption method I’ve seen in use.


Every S/MIME customer I have goes through a few phases. First, they need to understand how it works. How do you turn it on? Who gets what keys? How are the keys distributed? What training will end-users need? How do you automate its use? It’s no small undertaking.

E-mailing in the dark

Often in the second phase, S/MIME ends up nearly crippling the company’s normal e-mail functionality. S/MIME involves encryption, and when you encrypt e-mail, it is no longer searchable. At the very least, users can no longer retrieve past e-mails based upon message text keyword searches, although the e-mail subject line and some other information, such as file attachment name, may remain visible.

This may sound merely bothersome at first, but it becomes mission critical when you need that one single e-mail for proof in a disagreement. Some users respond by turning their e-mail subject lines into more descriptive headings that can be more easily found using keyword searches, but at some point, the sender begins to reveal information that should probably be protected within the S/MIME body.

Worse for today’s computer security departments is the fact that S/MIME ends up defanging their anti-virus scanners, DLP (data loss prevention) tools, and e-mail archiving and retrieval systems. Outgoing S/MIME-encrypted e-mail can be anti-virus scanned before encrypting and sending, but it’s more difficult to scan incoming S/MIME messages, where the scanning is done on a gateway or by an external service provider. Most of the risk from e-mail malware isn’t from the stuff you send, anyway. It’s from the stuff sent to you. If you use S/MIME and don’t have client-side malware detection for e-mail, you now have a problem.

If you have or are thinking of using a DLP product, it won’t work so well against S/MIME e-mail. DLP products often look inside network packets for signs of leaking confidential data. Peering inside packets isn’t so easy when the e-mail is encrypted. As a matter of fact, it’s quite a big hole.

Further, today’s enterprises often use professional e-mail archiving systems to store and retrieve e-mail for later analysis. A good e-mail archiving system indexes stored e-mail and makes it easy to locate and retrieve specific messages based upon any field or keyword. And none of the e-mail archiving systems I’ve reviewed can handle S/MIME encrypted e-mail.
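To make the gap concrete, here is an added example (not from the column, and not any vendor's code) of the check a gateway scanner or archiver can do on an S/MIME message without the recipient's private key: it reads the Content-Type to decide whether the body is inspectable, and a keyword search then finds terms in the subject but not in an enveloped body. The two sample messages are constructed; the enveloped body is a placeholder string, not a real CMS object.

```python
from email import message_from_bytes

# S/MIME body types a gateway may see (RFC 8551 section 3.2, plus the legacy x- form)
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify(raw: bytes) -> dict:
    """Report what a scanner or archiver can see without the recipient's private key."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    smime_type = msg.get_param("smime-type")  # parameter of the Content-Type header
    info = {"subject": msg.get("Subject"), "content_type": ctype,
            "smime_type": smime_type, "inspectable": True, "reason": "clear text"}
    if ctype in SMIME_TYPES:
        # enveloped-data (encrypted) or signed-data (opaque-signed): the body is a CMS blob
        info["inspectable"] = False
        info["reason"] = "opaque CMS object, smime-type=%s" % smime_type
    elif ctype == "multipart/signed":
        # clear-signed: body text is readable, the signature is a detached second part
        info["reason"] = "clear-signed, body readable"
    return info

def keyword_hits(raw: bytes, keywords) -> list:
    """Keyword search as an archiver or DLP gateway does it: subject always, body only if inspectable."""
    msg = message_from_bytes(raw)
    info = classify(raw)
    text = [info["subject"] or ""]
    if info["inspectable"]:
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                text.append(part.get_payload(decode=True).decode(errors="replace"))
    blob = "\n".join(text).lower()
    return sorted(k for k in keywords if k.lower() in blob)

# Constructed samples: the same message in the clear and as S/MIME enveloped-data.
# The enveloped body below is a placeholder (base64 of a fixed string), not real CMS data.
CLEAR = b"""From: alice@example.com
To: bob@example.com
Subject: Q3 forecast
Content-Type: text/plain

Draft numbers below; use wire reference 7731-0042 for the transfer.
"""
ENVELOPED = b"""From: alice@example.com
To: bob@example.com
Subject: Q3 forecast
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
"""
```

A gateway can use `classify` to route messages it cannot inspect to client-side scanning or to an archiver that holds the keys, rather than silently passing them through.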

In search of S/MIME

Although the S/MIME standard implies that e-mail should be readable between only the sender and recipients, the owning enterprise often has the legal right to be an included party. Many of my customers are looking for an archiver that can store e-mail, along with the user’s S/MIME key (both private and public portions), so that messages can be indexed, searched, and retrieved at a later date. Every S/MIME customer I have is begging for this sort of functionality.

The administrators don’t even care if they have to copy the keys manually between the e-mail system and the archiving system, although automation would be better. They just want the archiving system, when supplied with the appropriate S/MIME keys, to perform its normal function.

So today, on behalf of dozens of customers, I ask: Is there an anti-virus scanner, a DLP solution, or an e-mail archiving system that can elegantly handle S/MIME messages? Users and vendors, if you know of such a product, please post the link in the comments section or send your information to If your product can fix this common problem, I’ll review it and post my results.

This story, “The trouble with S/MIME e-mail encryption,” was originally published at Follow the latest developments in information security and encryption at


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
