Email remains one of the most targeted attack vectors in the enterprise. S/MIME certificates let organizations sign and encrypt messages, proving sender identity and keeping content confidential, without relying on third-party platforms.
Despite the rise of messaging apps and collaboration platforms, email remains the backbone of business communication. It is how contracts get signed, how legal notices are served, and how sensitive financial data moves between organizations. Yet standard email (SMTP) was designed in the early 1980s with no built-in security. Messages travel in plaintext, headers can be spoofed, and there is no native way to verify who actually sent a message.
This gap has made email the primary attack vector for phishing, business email compromise (BEC), and data exfiltration. According to industry research, over 90% of cyberattacks begin with a malicious email. Organizations in finance, healthcare, government, and legal services face particular pressure because they handle data subject to regulations like GDPR that demand confidentiality and proof of origin.
S/MIME (Secure/Multipurpose Internet Mail Extensions) solves both problems at once. It uses digital certificates and public-key cryptography to let email users digitally sign messages (proving authorship and integrity) and encrypt them (ensuring only the intended recipient can read the content).
The mail client computes a cryptographic hash (typically SHA-256) of the entire message body and attachments. This hash is a fixed-length fingerprint that changes if even a single character is modified.
The sender signs this hash with their private key (in RSA terms, encrypting it), producing the digital signature. The signature and the sender's certificate (containing the matching public key) are attached to the message.
The recipient's mail client uses the sender's public key (from the attached certificate) to decrypt the signature, revealing the original hash. It then independently hashes the received message and compares the two values. If they match, the message is authentic and unaltered.
The mail client also checks that the sender's certificate was issued by a trusted CA, has not expired, and has not been revoked. Only when all checks pass does the client display a verified signature indicator.
At the simplest level, the CA only confirms that the applicant controls the email address. The certificate contains the email address but no verified personal or organizational name. This level is suitable for individual users who need basic signing and encryption.
The CA verifies the individual's real name in addition to the email address. The certificate's Subject field includes the person's name, giving recipients stronger assurance about who sent the message.
The CA verifies the organization's legal identity and that the email domain belongs to it. The certificate displays the organization's name, which is the standard choice for enterprises deploying S/MIME at scale.
A variant where an enterprise sponsor vouches for individual users within the organization. This combines organizational trust with per-user identification, commonly used in government and defense contexts.
Automate S/MIME enrollment — Evertrust CLM integrates with Active Directory and identity providers to automatically issue S/MIME certificates when users are onboarded, and revoke them when they leave.
Centralized key escrow — Evertrust securely archives encryption keys so that encrypted emails remain recoverable even after an employee leaves or loses their device, all while keeping signing keys non-escrowed for legal integrity.
Issue from your own CA — Evertrust PKI lets you run an internal Certificate Authority that issues S/MIME certificates trusted across your entire infrastructure, without depending on commercial CA pricing per user.
Lifecycle monitoring — Track every S/MIME certificate across the organization from a single dashboard, with automated renewal alerts and policy enforcement to prevent lapses.