Email is still the most common attack channel against companies. Impersonating the CEO, invoices with a swapped account number, intercepted correspondence. S/MIME does not solve everything, but it closes two real gaps: it lets you confirm who really sent a message and encrypt its content so that only the recipient can read it.
What S/MIME gives you
S/MIME works in two ways that are worth separating.
- Digital signature: confirms the sender’s identity and that the content was not changed along the way. The recipient sees that the email really comes from your domain, and not from someone impersonating it.
- Encryption: the content and attachments are readable only to the recipient. Even after a mailbox is taken over or the network is eavesdropped, the message stays useless to the attacker.
In practice the signature alone gives the most. It cuts off attempts to impersonate management, which are the basis of most wire-transfer fraud.
Where to get certificates
S/MIME requires a certificate for each user, issued by a trusted certification authority.
- Public certificates from commercial providers, recognised everywhere without extra configuration.
- Certificates from your own certification authority, cheaper with many users, but requiring distribution of trust across the organisation.
The choice depends on whether you encrypt mainly inside the company or also with external partners.
How to deploy it in Microsoft 365
In the Microsoft 365 ecosystem, S/MIME plugs into existing tools, which simplifies management.
Deployment steps
- Issue or buy certificates for users.
- Distribute the certificates and keys to devices, preferably automatically through Microsoft Intune.
- Enable S/MIME support in Outlook and the web app.
- Decide when the signature is the default and when we apply full encryption.
- Ensure secure storage of private keys and a copy in case a device is lost.
Automatic distribution through Intune is key here. Manually loading certificates onto dozens of computers ends in chaos and the project being abandoned.
The most common mistakes
- Losing the private key without a copy: without it, previously encrypted emails become unreadable. Plan key recovery before you deploy encryption.
- Encrypting everything by force: some recipients do not support S/MIME. Start with a default signature, and apply encryption where it makes sense.
- No procedure for new and departing people: certificates must be issued on hiring and revoked on departure, like any other access.
Is S/MIME enough
No, and that is not its role. S/MIME is one layer. It works best together with correct domain authentication, multi-factor authentication and data loss control. Only together do they form sensible email protection.
If you want to deploy S/MIME without chaos over certificates, we will do it alongside a Microsoft 365 deployment or as a separate project, tied to data protection.