How to Add S/MIME

Problem

You want to add S/MIME (Secure/Multipurpose Internet Mail Extensions) because it is a widely accepted protocol for sending digitally signed and encrypted messages.

Environment

  • Admin console
  • Supported editions for this feature:
    • Enterprise
    • Education Fundamentals
    • Education Standard
    • Teaching and Learning Upgrade
    • Education Plus

Solution

  1. Open your Google Admin console.
  2. Go to Menu > Apps > Google Workspace > Gmail > User settings.
  3. This requires the Gmail Settings administrator privilege.
  4. On the left, under Organizations, select the domain or organization you want to configure.
  5. Important: If you’re configuring advanced controls on S/MIME to upload and manage root certificates, you must enable S/MIME at the top-level organization, typically your domain.
  6. Scroll to the S/MIME setting and check the Enable S/MIME encryption for sending and receiving emails box.
  7. (Optional) If you want to let users upload certificates, check the Allow users to upload their own certificates box.
  8. (Optional additional controls) If you want to upload and manage root certificates, use the S/MIME trusted certificates controls: 
    1. Next to Accept these additional Root Certificates for specific domains, click Add.
    2. Click Upload Root Certificate.
    3. Browse to select the certificate file and click Open. A verification message appears for the certificate, which includes the subject name and expiration date. If there’s a problem with the certificate, an error message appears. 
    4. Under Encryption level, select the encryption level to use with this certificate.
    5. Under Address list, enter at least one domain that will use the root certificate when communicating. Domain names can include wildcards that meet the RFC standard. Separate multiple domains with commas. 
  9. Click Save.
  10. Repeat for additional certificate chains.
  11. Check the Allow SHA-1 globally (not recommended) box only if your domain or organization must use Secure Hash Algorithm 1 (SHA-1).
  12. Click Save.  
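
A pre-upload check for the root certificate in step 8, added here as an example (it is not part of the original article or of Google's tooling): it prints the subject name and expiration date that the verification message reports, and flags a certificate that is expired, close to expiry, or signed with SHA-1. The function name `check_root_cert`, the 30-day default threshold and the PEM-encoded input file are assumptions.

```shell
#!/bin/sh
# Added example: inspect a PEM root certificate with the openssl CLI before
# uploading it under "S/MIME trusted certificates".
# check_root_cert is a hypothetical helper name, not a Google tool.
#
# Usage: check_root_cert FILE [MIN_DAYS]
# Return codes: 0 = ok, 1 = not a readable certificate,
#               2 = expired or expiring within MIN_DAYS (assumed default 30),
#               3 = signed with SHA-1
check_root_cert() {
    cert=$1
    min_days=${2:-30}

    # Reject anything openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "unreadable certificate: $cert"
        return 1
    fi

    # Subject name and expiration date, the two fields the console reports.
    openssl x509 -in "$cert" -noout -subject -enddate

    # First "Signature Algorithm" line of the text dump.
    sigalg=$(openssl x509 -in "$cert" -noout -text |
             sed -n '/Signature Algorithm:/{s/.*: *//p;q;}')
    echo "signature algorithm: $sigalg"

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "expired or expires within $min_days days"
        return 2
    fi

    case $sigalg in
        *sha1*|*SHA1*)
            echo "signed with SHA-1 (see the Allow SHA-1 globally setting)"
            return 3 ;;
    esac

    echo "ok"
    return 0
}

# Run directly: sh check_root_cert.sh root.pem 30
if [ "$#" -gt 0 ]; then check_root_cert "$@"; fi
```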

Changes can take up to 24 hours but typically happen more quickly. Messages sent during this time aren't encrypted.