Turn on hosted S/MIME for message encryption

You can set up hosted Secure/Multipurpose Internet Mail Extensions (S/MIME) in your Google Workspace account to increase the security of your organization's email.

S/MIME improves email security by encrypting messages and adding a digital signature. Using S/MIME helps protect your users from phishing, harmful software, and other email threats. S/MIME requires that both the sender and recipient have it enabled. You can set up S/MIME so that that certain messages must use S/MIME to be sent or received.

Step 1: Turn on hosted S/MIME in your Google Admin console

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  AppsGoogle WorkspaceGmailUser settings.
3. On the left, under Organizations, select the domain or organization you want to configure.

   Important: If you’re configuring advanced controls on S/MIME to upload and manage root certificates, you must select to enable SMIME at the top-level organization, typically your domain.

4. Scroll to the S/MIME setting and check the Enable S/MIME encryption for sending and receiving emails box.

5. (Optional) If you want to let users upload certificates, check the Allow users to upload their own certificates box.

6. (Optional additional controls) If you want to upload and manage root certificates, use the S/MIME trusted certificates controls: 

   1. Next to Accept these additional Root Certificates for specific domains, click Add.
   2. Click Upload Root Certificate. 
   3. Browse to select the certificate file and click Open. A verification message appears for the certificate, which includes the subject name and expiration date. If there’s a problem with the certificate, an error message appears. 
   4. Under Encryption level, select the encryption level to use with this certificate.
   5. Under Address list, enter at least one domain that will use the root certificate when communicating. Domain names can include wildcards that meet the RFC standard. Separate multiple domains with commas. 
   6. Click Save.
   7. Repeat for additional certificate chains.
7. Check the Allow SHA-1 globally (not recommended) box only if your domain or organization must use Secure Hash Algorithm 1 (SHA-1). Learn more.
8. Click Save.  

Changes can take up to 24 hours but typically happen more quickly. Learn more Messages sent during this time aren't encrypted.

Step 2: Have your users reload Gmail

After you enable hosted S/MIME in your Google Admin console, tell your users to reload Gmail. After reloading, a Lock icon appears in the Subject line of email messages. If the message is encrypted with hosted S/MIME, the lock is green.

Step 3: Upload certificates

To use hosted S/MIME encryption, S/MIME end-user certificates must be uploaded to Gmail. The certificate should meet current cryptographic standards and use the Public-Key Cryptography Standards (PKCS) #12 archive file format. 

This list of trusted certificates provided and maintained by Google applies only to Gmail for S/MIME. 

We recommend that admins upload certificates with the Gmail S/MIME API. You can also use the Gmail S/MIME API to manage tasks like viewing, deleting, and setting default user keys. Learn more about the Gmail S/MIME API.

You can also let users upload certificates in their Gmail settings:

1. Go to Gmail.
2. Choose Settings   See all settings.
3. Select the Accounts tab. 
4. Next to Send mail as, select Edit info.

   The Edit email address and encryption settings window appears. If you don't have this option, contact your administrator.

5. Click Upload a personal certificate.
6. Select the certificate and click Open. You'll be prompted to enter a password for the certificate.
7. Enter the password and click Add certificate.

Step 4: Have your users exchange keys

To start exchanging S/MIME messages, your users need to exchange keys with message recipients in one of these ways: 

• Send an S/MIME signed message to recipients. The message is digitally signed and includes the user's public key. Recipients can use this public key to encrypt messages they send to the user.
• Ask recipients to send them a message. When they receive the message, it’s signed with S/MIME. The key is automatically stored and available. Going forward, messages sent to the recipient are S/MIME-encrypted.

Override sub-organization SMIME settings

By default, organizational units inherit SMIME settings from the top-level organizational unit. You can optionally override the inherited SMIME settings for organizational units. This feature is useful for disabling or customizing SMIME settings for organizational units. 

To override SMIME settings:

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  AppsGoogle WorkspaceGmailUser settings.

3. On the left, under Organizations, select the organizational unit you want to configure.

4. Scroll to the S/MIME setting, and click to expand it.

   The label under the S/MIME setting label will indicate either Inherited from (organization or domain name), or Overridden.

5. Click Override to save changes to the sub-organization inheriting SMIME settings.

   After the sub-organization's settings are saved, Overridden is displayed under the SMIME settings label. A dot also appears next to the overriding sub-organizations in the Organization Unit structure tree on the left.

Tip: If your sub-organization has overridden a higher level organization’s settings, you can use the Inherit button to inherit settings from the higher level organization.

Related topics

Manage trusted certificates for S/MIME (advanced)