What S/MIME actually does
S/MIME (Secure/Multipurpose Internet Mail Extensions) encrypts the body and attachments of an email message using a public/private key pair anchored in an X.509 certificate issued by a Certificate Authority. The sender's mail client encrypts the message using the recipient's public key. Only the recipient's private key can decrypt it. Neither your email provider nor any server in transit can read the content.
S/MIME also signs outbound messages. A digital signature lets the recipient cryptographically verify that the message came from you and was not modified in transit — stronger than SPF/DKIM header checks, which only authenticate the sending domain.
This is fundamentally different from TLS-in-transit. Standard Gmail already uses TLS between mail servers, which protects messages on the wire. TLS ends at the server. S/MIME protects the message itself, mailbox to mailbox. Both sender and recipient must have valid S/MIME certificates for encryption to work end-to-end.
When you actually need it
The honest answer: most organizations don't need S/MIME. The ones that do are usually driven by a specific regulatory trigger or contractual obligation:
- HIPAA — Protected health information (PHI) transmitted over email may require encryption at rest and in transit. S/MIME satisfies the in-transit encryption requirement between mailboxes when TLS-only delivery isn't sufficient.
- SOX and financial controls — Some financial services compliance frameworks require encrypted communication for sensitive board-level or M&A correspondence.
- FedRAMP / CJIS — Government contractors working with controlled unclassified information (CUI) often face explicit certificate-based encryption mandates.
- Attorney-client privilege — Law firms handling highly sensitive matters sometimes deploy S/MIME to establish a technical paper trail supporting privilege claims.
- M&A and IP-sensitive work — Deal teams and R&D groups where a single leaked email has outsized consequences.
If your legal or compliance team has never raised S/MIME in a risk assessment, you probably don't need it. One common misconception: Gmail's Confidential Mode is not a substitute. Confidential Mode sets an expiry on access and prevents forwarding — it does not encrypt the message body. It is a UI restriction, not cryptographic protection.
What tier of Workspace you need
S/MIME is not available on Business Starter, Business Standard, or Business Plus. It is an Enterprise-tier feature. Specifically, it requires Workspace Enterprise Standard, Enterprise Plus, Education Plus, or Frontline.
This matters when you're doing a compliance-driven SKU evaluation. If S/MIME is a hard requirement, it pushes you to Enterprise Plus at roughly $30/user/month — versus Business Plus at $18. For a 100-seat org, that gap is $14,400/year. That number belongs in any compliance cost analysis alongside the cost of a data breach.
The license uplift is often the first objection in a deployment project. Address it early. If the regulatory or contractual requirement is real, there's no workaround — you need the Enterprise tier.
Hosted S/MIME vs. traditional
This is the trade-off most documentation glosses over. When you enable S/MIME in Google Workspace, the default mode is Hosted S/MIME. Google holds your users' private keys in its key management infrastructure. When an encrypted message arrives, Google decrypts it on the server, scans it for malware and spam, and re-encrypts it for delivery to the client.
That breaks the strict definition of end-to-end encryption. Google — and by extension, any valid legal process served to Google — can access the plaintext. The payoff is that Workspace features continue to work: Gmail search indexes the content, Vault retains the messages for eDiscovery, malware scanning catches threats before delivery.
Traditional S/MIME keeps private keys on the user's device and never exposes them to the server. Messages are encrypted by the client before sending and decrypted by the client after receiving. The server never sees plaintext. This is true end-to-end encryption.
The cost is significant: Vault cannot see encrypted message content, Gmail search doesn't index it, malware scanning is blind to the body, and mobile clients have inconsistent support. For most regulated organizations, the Hosted S/MIME compromise is the right operational choice — the regulatory requirement is for encryption in transit between mailboxes, which Hosted S/MIME satisfies. Understand the trade-off explicitly before committing.
Setup at a glance
Enabling S/MIME in Google Workspace involves four parallel workstreams. None of them are complicated individually, but coordinating them across a mid-size org takes time.
- Enable in Admin Console: Apps → Google Workspace → Gmail → User settings → S/MIME. Enable for the relevant organizational unit. You can also enable extra CA roots here.
- Obtain certificates: Get user certificates from a public CA — DigiCert, GlobalSign, and Sectigo are the common choices — or issue from an internal PKI if your organization already runs one. Each user needs a certificate tied to their email address.
- Upload root and intermediate CA certificates: Upload the CA chain to Workspace so Gmail trusts the certificates. Admin Console → Apps → Google Workspace → Gmail → S/MIME CA certificates.
- Distribute user certificates: For small teams, manual upload via the Gmail settings page works. For any org over 20 users, use the Gmail API's
keypairsendpoint to push certificates programmatically.
Plan for six to twelve weeks end-to-end for a first deployment at a 50-plus-seat organization. Certificate procurement alone takes two to three weeks if you haven't worked with a CA before. Build in time to train users on what the lock icon in Gmail means and what to do when a message can't be encrypted because the recipient lacks a certificate.
What goes wrong
S/MIME deployments that start well often drift into problems six to eighteen months later. The most common failure modes:
- Certificate expiry: S/MIME certificates typically expire after one or two years. Renewal is not automatic by default. When a certificate expires, the user loses the ability to decrypt messages encrypted to their old public key — and previously encrypted archived messages may become unreadable if the expired cert is not preserved.
- Recipient doesn't have S/MIME: If the recipient's domain or mailbox has no certificate, Gmail falls back to TLS-only delivery — or in strict modes, may refuse to send. Users need to understand when a message is and isn't being encrypted, and why.
- Mobile Gmail inconsistency: The Gmail iOS and Android apps support Hosted S/MIME for reading and composing encrypted messages, but the experience has historically been less reliable than desktop. Test your rollout on mobile before going live.
- Certificate rotation without re-encryption: When a user's certificate is rotated (new key pair issued), old messages encrypted to the previous public key can only be decrypted with the old private key. If the old key isn't archived correctly, those messages are permanently unreadable.
- eDiscovery gaps: In Hosted S/MIME mode, Vault can search and export encrypted messages because Google holds the keys. In traditional S/MIME mode, Vault cannot see message content — only metadata. This surprises legal teams who assumed Vault covered everything.
Bottom line
S/MIME is the right answer when a regulatory requirement, government contract, or explicit legal obligation demands certificate-based encryption. You accept the operational cost: PKI management, certificate lifecycle work, a license uplift to Enterprise tier, and ongoing support tickets from users who can't read encrypted messages on a new device.
It is the wrong answer when leadership wants "more encryption" in a general sense. If the goal is reducing data risk broadly, a combination of DLP rules, Google Vault retention policies, strong 2-step verification, and endpoint verification delivers more risk reduction per dollar than an S/MIME deployment for a team that doesn't face a hard regulatory mandate.
Spend the S/MIME conversation answering one question first: does your compliance framework explicitly require encrypted email between mailboxes? If yes, you need S/MIME. If no, build your security stack from cheaper, higher-leverage controls first.