Secure/ Multipurpose Internet Mail Extensions (S/MIME)

Zoho Mail is a secure email service that provides email encryption, both at rest and in transit. S/MIME is a standard that adds an additional layer of security and encrypts the data shared via email. S/MIME uses cryptography to digitally sign and encrypt your email to prevent unauthorized access to the data in the email. 

S/MIME includes two security features:

  • Email Encryption - It encrypts the content of the email sent between two S/MIME enabled users to make it unreadable to anyone other than the intended recipient. 
  • Digital Signature - It digitally signs the emails sent between two S/MIME enabled users to eliminate any risk of spoofing.

Note:

S/MIME is only available for users of the Zoho Mail Premium plan, Zoho Workplace Professional plan and the previously available Zoho Workplace Enterprise plan. It is also available as part of the Zoho One suite.

Pre-requisites for S/MIME

  • You need to have a valid S/MIME certificate. This certificate would include a public key and a private key mapped to your email address.
     
  • The sender and the receiver have to exchange their public key with each other. This process happens automatically when the sender and recipient exchange emails for the first time.

Note:

S/MIME has to be enabled by both the sender and recipient for the emails to be encrypted between the sender's and receiver's servers.

Email Encryption

Why is it needed?

S/MIME encrypts the content of an email when it is transported from the sender to the receiver. Encrypting your message ensures the following: 

  • Message Privacy - Encrypted emails are readable only by the intended recipient. This keeps your emails protected when an unauthorized person tries to read your emails. Any content or document that is part of the email is kept confidential between the sender and receiver. 
  • Message Integrity - The decryption process of the message involves verifying the contents of the encrypted message. A change in the content of the message would ensure the failure of the decryption process thus making it possible to verify its integrity. 

How does it work?

The process starts with the sender and receiver possessing each other's public key. The steps in Email encryption is as follows:

Encryption process

  1. Once the sender clicks on Send, the original unencrypted message is captured.
  2. The recipient's public key is used to encrypt the original message. At the end of the process, an encrypted version of the original message is produced. 
  3. The encryption message replaces the original message.
  4. The email is sent to the recipient.

Decryption process

  1. The recipient receives the email.
  2. The encrypted message is retrieved.
  3. The recipient's private key is used to decrypt the encrypted message.
  4. The original message is obtained and displayed to the recipient. 

Digital Signature

Why is it needed?

S/MIME digitally signs emails in order to validate the sender. Digital Signature provides the following advantages: 

  • Sender Validation - Digital signatures are unique to each user. Thus, it allows the recipient to verify if the email is actually sent by the person who it appears from. This eliminates the risk of anyone spoofing of your email address. 
  • Nonrepudiation - The uniqueness of the digital signature ensures that the author of the email will not be able to deny ownership of the emails. Claims of impersonation can easily be refuted. 

How does it work?

The process starts with the sender and receiver possessing each other's public key. Digital signing of an email works as follows:

Digital signing process

  1. Once the sender clicks on Send, the original message is captured.
  2. The message hash is calculated.
  3. The sender's private key is used to encrypt the hash value.
  4. The encrypted hash value is added to the email.
  5. The email is sent to the recipient.

Signature verification process

​​​

  1. The recipient receives the digitally signed email.
  2. The original message is obtained and its hash value is calculated.
  3. The encrypted hash is retrieved from the email.
  4. The encrypted hash is decrypted using the sender's public key. 
  5. The decrypted hash and the hash value calculated from the original message obtained are compared. If the values match, the signature is verified. 

Configuring S/MIME

You can configure S/MIME for your email address from the Send Mail As settings. To begin configuring S/MIME, you are required to possess a valid certificate mapped to the email account issued by an authenticated certifier.

  1. Login to Zoho Mail
  2. Click the Settings  icon.
  3. Go to Send Mail As setting.
  4. Choose the Configure S/MIME option next to the email address for which you want to configure S/MIME. The S/MIME encryption popup opens.
  5. Click on the Add certificate button and select the certificate to upload the S/MIME certificate of the relevant email account. 
  6. Enter the certificate password and click Save to complete the uploading process.
  7. Once uploaded, select the certificate. Click the OK button on the S/MIME certificate popup that appears to enable the certificate. 

The emails that are further sent using the associated email address will be encrypted using the selected certificate. You will be able to disable the certificate if you click on the selected certificate and click OK in the pop up that appears. 

Sending S/MIME encrypted emails

While composing an email, you are notified if the email you are about to send is S/MIME encrypted.

  • The icon displayed next to the recipient's name in the TO field indicates that the recipient has enabled S/MIME.
  • The icon next to the From address denotes that the email you send from this address will be digitally signed.

Receiving S/MIME encrypted emails

  • When you receive an email, the Encryption level indicator denotes the encryption status of the email. S/MIME encrypted emails are marked with S/MIME Encryption level indicator.
  • The icon next to the sender's name in the email preview indicates that the email has been digitally signed by the sender using S/MIME.

Note:

  • You will be able to configure S/MIME for your email address only if S/MIME has been enabled for your organization by the Administrator. If you do not see the S/MIME option, contact your administrator. To find out more about S/MIME Control Panel settings, refer this help page.
  • You can add multiple certificates but only one can be activated.

Frequently Asked Questions

  1. Does the Zoho Mail pricing include the S/MIME certificate cost?
    No, the pricing does not include the certificate cost. Zoho Mail does not provide the S/MIME certificates. You will have to purchase the certificate from a third-party service.
  2. Are S/MIME certificates user based or domain based?
    They are email address specific. ​S/MIME certificates are unique to each email address. 
  3. What are the requirements for S/MIME certificates trusted by Zoho Mail?
    The S/MIME certificate profile requirement by Zoho Mail is given here.
  4. Will S/MIME protection apply to emails sent from email clients like Outlook/ Thunderbird?
    Yes, once the S/MIME configuration is done, emails sent from email clients will also be encrypted and protected.
  5. What happens to S/MIME encryption when Outgoing Gateway is configured? 
    Outgoing Gateway is when the outgoing emails are routed to an intermediate server and then delivered to the final recipient. S/MIME encryption will apply to these emails as well.

Still can't find what you're looking for?

Write to us: support@zohomail.com