Set up rules to require S/MIME signature and encryption

Supported editions for this feature: Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education PlusCompare your edition

As an administrator, you can set up rules that require outgoing messages be sent with S/MIME encryption.

Set up rules to require S/MIME

You can set up compliance and routing rules that require that outgoing messages be signed and encrypted using S/MIME.

For example, users can intentionally turn encryption off, but you can set up a rule that overrides this action. You can also set up rules that ensure messages are encrypted when certain patterns are detected, such as credit card numbers.

When using rules to force S/MIME behavior, Gmail fetches the public keys for the recipients and signs and encrypts the message before sending if the message:

  • Matches the expression or expressions.

  • Meets the condition or conditions, such as being an inbound or internal receiving message.

  • Isn’t already encrypted for one or more recipients.

If Gmail can’t fetch the public keys for any recipients, either the message is bounced for those recipients, or it’s sent unencrypted, depending on how the rule is configured.

You set up a content compliance, attachment compliance, objectionable content, or routing rule to require hosted S/MIME encryption using the Modify message action’s Encryption (onward delivery only) options. You check the Encrypt messages if not encrypted (S/MIME) box and, optionally, the Bounce message if unable to encrypt box.

Note: The S/MIME setting must be turned on to use the Encryption (onward delivery only) options. If it’s turned off, the options are disabled. If you set up a rule using these options and subsequently turn off hosted S/MIME, you’ll see a warning message. And although you can then uncheck the box or boxes, you won't be able to re-check them unless you turn hosted S/MIME back on.

Use S/MIME metadata attributes in expressions

You can make sure that certain messages can’t be sent or received unless they are S/MIME encrypted or S/MIME signed.

You do this by creating a content compliance expression using the S/MIME encryption or S/MIME signature metadata attributes. Then, you set up how messages are handled.

For example, you can specify that if an incoming message from envelope sender domain "" is not S/MIME signed, it’s sent to the Admin Quarantine.

S/MIME signing verifies the sender’s email address

S/MIME provides a digital signature to confirm that the sender's email address was actually the email address used to send it. Verified email address indicates that the associated email address is validated by a digital signature. 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center