Require S/MIME encryption for outgoing messages

Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education PlusCompare your edition

As an administrator, you can set up rules that require outgoing messages be sent with S/MIME encryption.

Set up rules to require S/MIME

As an admin, you can require that outgoing messages be signed and encrypted using S/MIME. To enforce S/MIME, set up compliance and routing rules in your Google Admin console.

For example, users can choose to turn off encryption, but you can set up a rule to override this action. You can also set up rules to encrypt messages that contain content that you define, for example credit card numbers.

When using rules to enforce S/MIME, Gmail signs and encrypts messages with a public key. Gmail enforce S/MIME before sending when messages:

  • Match expressions defined in your rules
  • Meet conditions defined in your rules
  • A message isn't already encrypted for recipients.

If Gmail can’t get the public key for recipients, messages are rejected or sent unencrypted, based on your rules.

Require S/MIME encryption

To use the encryption options in rules, turn on the S/MIME setting. If S/MIME is turned off, encryption options aren't available. If you set up a rule with encryption options and then turn off hosted S/MIME, a warning is displayed. In this case, you can uncheck the encryption options. You can't recheck them until you turn hosted S/MIME back on.

To require hosted S/MIME encryption, use the Modify message option in any of these rules:

When using the Modify message option with these rules, check the Encrypt messages if not encrypted (S/MIME) box. Optionally, also check the Bounce message if unable to encrypt box.

Use S/MIME for messages with specified content

You set up a rule that requires messages with specified content to be sent with S/MIME. Create a content compliance rule, and use the S/MIME encryption or S/MIME signature option. Then, you can select options that specify how matching messages are managed. For example, if an incoming message from the domain is not S/MIME signed, you can create a rule to send the message to the Admin Quarantine. From there, you can review the message before it's delivered to the recipient.

S/MIME signing verifies the sender’s email address

S/MIME provides a digital signature that confirms the sender's email address is legitimate. Verified email address indicates that the associated email address is validated by a digital signature. 

Was this helpful?
How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center