Enhance message security with hosted S/MIME
This feature is available with the G Suite Enterprise and G Suite for Education editions.
As a G Suite administrator, you can set up rules that require outgoing messages to be signed and encrypted with S/MIME.
Set up rules to require an S/MIME signature and S/MIME encryption
You can set up compliance and routing rules that require that outgoing messages be signed and encrypted using S/MIME.
For example, users can intentionally turn encryption off, but you can set up a rule that overrides this action. You can also set up rules that ensure messages are encrypted when certain patterns are detected, such as credit card numbers.
When a rule forces S/MIME behavior, Gmail fetches the recipients' public keys and signs and encrypts the message before sending it, provided the message:
Matches the expression or expressions.
Meets the condition or conditions, such as being an inbound or internal receiving message.
Isn't already encrypted for one or more recipients.
If Gmail can't fetch the public key for a recipient, the message is either bounced for that recipient or sent to that recipient unencrypted, depending on how the rule is configured. Sending unencrypted is the default; bouncing must be selected explicitly.
You set up a content compliance, attachment compliance, objectionable content, or routing rule to require hosted S/MIME encryption using the Modify message action’s Encryption (onward delivery only) options. You check the Encrypt messages if not encrypted (S/MIME) box and, optionally, the Bounce message if unable to encrypt box.
Note: The S/MIME setting must be turned on to use the Encryption (onward delivery only) options. If it's turned off, the options are disabled. If you set up a rule using these options and later turn off hosted S/MIME, you'll see a warning message. Although you can then uncheck the box or boxes, you won't be able to check them again unless you turn hosted S/MIME back on.
Use S/MIME metadata attributes in expressions
You can make sure that certain messages can’t be sent or received unless they are S/MIME encrypted or S/MIME signed.
You do this by creating a content compliance expression using the S/MIME encryption or S/MIME signature metadata attributes. Then, you set up how messages are handled.
For example, you can specify that if an incoming message from envelope sender domain "example.com" is not S/MIME signed, it’s sent to the Admin Quarantine.
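The following script is an added example, not Google's code and not how Gmail implements these rules internally. It approximates two checks this article describes: how a message's S/MIME state is visible in its MIME structure (the RFC 8551 content types), which is what the S/MIME signature and S/MIME encryption metadata attributes test for in a content compliance expression, and the per-recipient outcome of an onward-delivery rule with Encrypt messages if not encrypted (S/MIME) and the optional Bounce message if unable to encrypt. The sample messages, addresses and key inventory are constructed for the example; the signature and envelope bodies are placeholders and are never verified or decrypted.

```python
"""Added example (not Google's code): approximates the S/MIME checks
described in the hosted S/MIME rules article using only the standard
library. Sample data below is constructed for the example."""
from email import message_from_string
from email.message import Message

# Outer content types that mark an S/MIME layer (RFC 8551 section 3).
_PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
_PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def parse(raw: str) -> Message:
    """Parse a raw RFC 5322 message string."""
    return message_from_string(raw)


def smime_status(msg: Message) -> tuple[bool, bool]:
    """Return (signed, encrypted) as seen from the outermost MIME layer.

    Caveat: a sign-then-encrypt message shows only as encrypted here, because
    the signature sits inside the envelope and is invisible before decryption.
    """
    ctype = msg.get_content_type()
    if ctype in _PKCS7_MIME:
        smime_type = str(msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return (False, True)
        if smime_type == "signed-data":      # opaque (CMS-wrapped) signature
            return (True, False)
        return (False, False)                # e.g. certs-only
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol") or "").lower()
        return (proto in _PKCS7_SIG, False)  # clear-signed
    return (False, False)


def inbound_disposition(envelope_sender: str, msg: Message,
                        required_domain: str = "example.com") -> str:
    """The rule from the text: quarantine unsigned mail whose envelope sender
    domain is example.com; deliver everything else."""
    domain = envelope_sender.rpartition("@")[2].lower()
    signed, _encrypted = smime_status(msg)
    if domain == required_domain and not signed:
        return "quarantine"
    return "deliver"


def onward_delivery(recipients, available_keys, already_encrypted_for,
                    bounce_if_unable: bool) -> dict[str, str]:
    """Per-recipient outcome for 'Encrypt messages if not encrypted (S/MIME)'.

    Recipients the message is already encrypted for are left alone; those with
    a fetchable public key get the message signed and encrypted; the rest are
    bounced or sent unencrypted depending on the rule's bounce checkbox.
    """
    outcome = {}
    for rcpt in recipients:
        if rcpt in already_encrypted_for:
            outcome[rcpt] = "already-encrypted"
        elif rcpt in available_keys:
            outcome[rcpt] = "sign-and-encrypt"
        elif bounce_if_unable:
            outcome[rcpt] = "bounce"
        else:
            outcome[rcpt] = "send-unencrypted"
    return outcome


# Constructed sample messages; only the MIME structure matters here.
CLEAR_SIGNED = """From: alice@example.com
To: bob@example.net
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Figures attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXIgc2lnbmF0dXJlIGJsb2I=
--b1--
"""

ENVELOPED = """From: alice@example.com
To: bob@example.net
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXIgZW52ZWxvcGUgYmxvYg==
"""

PLAIN = """From: alice@example.com
To: bob@example.net
Subject: Q3 figures
Content-Type: text/plain; charset=us-ascii

Figures attached.
"""

if __name__ == "__main__":
    for label, raw in (("clear-signed", CLEAR_SIGNED), ("enveloped", ENVELOPED), ("plain", PLAIN)):
        print(label, smime_status(parse(raw)), inbound_disposition("alice@example.com", parse(raw)))
    print(onward_delivery(["bob@example.net", "carol@example.org", "dan@example.org"],
                          {"bob@example.net"}, {"dan@example.org"}, bounce_if_unable=True))
```

Note that the enveloped sample is classified as unsigned and therefore quarantined by the example rule: an unsigned-mail check evaluated on the outer MIME layer cannot see a signature that was applied before encryption, so a rule requiring signatures on inbound mail should account for encrypted messages separately.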