Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition
As an administrator, you can set up rules that require outgoing messages be sent with S/MIME encryption.
Set up rules to require S/MIME
As an admin, you can require that outgoing messages be signed and encrypted using S/MIME. To enforce S/MIME, set up compliance and routing rules in your Google Admin console.
For example, users can choose to turn off encryption, but you can set up a rule to override this action. You can also set up rules to encrypt messages that contain content that you define, for example credit card numbers.
When using rules to enforce S/MIME, Gmail signs and encrypts messages with a public key. Gmail enforce S/MIME before sending when messages:
- Match expressions defined in your rules
- Meet conditions defined in your rules
A message isn't already encrypted for recipients.
If Gmail can’t get the public key for recipients, messages are rejected or sent unencrypted, based on your rules.
Require S/MIME encryption
To use the encryption options in rules, turn on the S/MIME setting. If S/MIME is turned off, encryption options aren't available. If you set up a rule with encryption options and then turn off hosted S/MIME, a warning is displayed. In this case, you can uncheck the encryption options. You can't recheck them until you turn hosted S/MIME back on.
To require hosted S/MIME encryption, use the Modify message option in any of these rules:
When using the Modify message option with these rules, check the Encrypt messages if not encrypted (S/MIME) box. Optionally, also check the Bounce message if unable to encrypt box.
Use S/MIME for messages with specified content
You set up a rule that requires messages with specified content to be sent with S/MIME. Create a content compliance rule, and use the S/MIME encryption or S/MIME signature option. Then, you can select options that specify how matching messages are managed. For example, if an incoming message from the domain solarmora.com is not S/MIME signed, you can create a rule to send the message to the Admin Quarantine. From there, you can review the message before it's delivered to the recipient.
S/MIME signing verifies the sender’s email address
S/MIME provides a digital signature that confirms the sender's email address is legitimate. Verified email address indicates that the associated email address is validated by a digital signature.