Skip to content

S/MIME settings

You can turn on secure S/MIME encryption and manage certificates.

This option is only available with an Email Advanced license.

To make emails more secure, you can encrypt and decrypt emails with Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME works with inbound and outbound email.

To read S/MIME encoded messages, users must create and exchange digital certificates. Digital certificates verify ownership of a user or computer over the internet and are issued by a certificate authority (CA).

To use S/MIME, you must turn it on and create your local certificate authority (CA) Then you create or upload certificates for your users.

After you've created or uploaded certificates for your users, you can download them to send them to third parties. You may have to do this if an organization you are communicating with doesn't have a system that automatically extracts certificates from secure emails, or your certificates aren't signed by a publicly recognized authority.

The downloaded file only contains the public key for the user's certificate, not the private key. The file is encrypted in PKCS#12 format.

After you've set up S/MIME, use Secure Message policies to manage how S/MIME protection interacts with your users. See Secure Message policy.

If you have issues with your S/MIME setup you can click Reset to remove your local CA and the certificates you've added. You can then set up S/MIME again.


If you click Reset, you delete your CA record and all local and third-party certificates, and turn off S/MIME protection. If you've configured S/MIME settings in any policies, the settings are retained.

To find out how to set up S/MIME, see S/MIME email encryption setup

S/MIME implementation

Be aware of the following implementation details:

  • If you've uploaded a sender's certificate, and they get a new certificate later, the first message they send with the new certificate is rejected. The new certificate is successfully extracted and stored, so their next message, and all subsequent messages, are accepted.

    Only the first message sent with the new certificate doesn't work. We're working to resolve this.

  • When you download a certificate, the downloaded file contains the public key for the user's certificate, not the private key. The file is encrypted in PKCS#12 format.

  • When you send an outbound email, Sophos Email Security attaches the certificate to the message, not the CA certificate used to sign that certificate.
  • You can only upload certificates that conform to S/MIME Version 3 Message Specification or later.
  • We don't upload certificates with weak keys. For RSA/DSA keys, the minimum length is 1024 bits. For EC keys, the minimum length of the curve is P-224, and the minimum allowed digest length is 244 bits.
  • We don't support revoking of S/MIME certificates.
  • Signed messages sent between Sophos Email Security and Sophos UTM can't be verified if the SMTP mail From: and rfc822 From: fields are different.
  • If an outgoing message doesn't conform to the MIME specification, it may not be processed by S/MIME.