Require S/MIME encryption for outgoing messages

Supported editions for this feature: Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education PlusCompare your edition

As an administrator, you can set up rules that require outgoing messages be sent with S/MIME encryption.

Set up rules to require S/MIME

As an admin, you can require that outgoing messages be signed and encrypted using S/MIME. To enforce S/MIME, set up compliance and routing rules in your Google Admin console.

For example, users can choose to turn off encryption, but you can set up a rule to override this action. You can also set up rules to encrypt messages that contain content that you define, for example credit card numbers.

When using rules to enforce S/MIME, Gmail signs and encrypts messages with a public key. Gmail enforce S/MIME before sending when messages:

  • Match expressions defined in your rules
  • Meet conditions defined in your rules
  • A message isn't already encrypted for recipients.

If Gmail can’t get the public key for recipients, messages are rejected or sent unencrypted, based on your rules.

Require S/MIME encryption

To use the encryption options in rules, turn on the S/MIME setting. If S/MIME is turned off, encryption options aren't available. If you set up a rule with encryption options and then turn off hosted S/MIME, a warning is displayed. In this case, you can uncheck the encryption options. You can't recheck them until you turn hosted S/MIME back on.

To require hosted S/MIME encryption, use the Modify message option in any of these rules:

When using the Modify message option with these rules, check the Encrypt messages if not encrypted (S/MIME) box. Optionally, also check the Bounce message if unable to encrypt box.

Use S/MIME for messages with specified content

You set up a rule that requires messages with specified content to be sent with S/MIME. Create a content compliance rule, and use the S/MIME encryption or S/MIME signature option. Then, you can select options that specify how matching messages are managed. For example, if an incoming message from the domain is not S/MIME signed, you can create a rule to send the message to the Admin Quarantine. From there, you can review the message before it's delivered to the recipient.

S/MIME signing verifies the sender’s email address

S/MIME provides a digital signature that confirms the sender's email address is legitimate. Verified email address indicates that the associated email address is validated by a digital signature. 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center