Skip to content

Using S/MIME in Gmail

Eric Huber
18 min read

S/MIME is the most secure method to encrypt emails, and Gmail features a native integration for hosted S/MIME. This post walks you through the setup process step-by-step using SwissSign and Google Workspace.

You won't be able to set up S/MIME using the free version of Gmail!

This walkthrough is for Google Workspace, the paid business version of Google accounts. Additionally, you will need to upgrade to the Enterprise Plus plan in order to use S/MIME. You can subscribe to Google Workspace for personal use if you wish to do so.


In December of 2019, DHL, the logistics group from Germany, notified me via email about an upcoming parcel delivery. I was using Apple's Mail app at the time, which was displaying a "Twitter verified"-like check mark next to the sender's email address:

Picture of Apple Mail displaying an email header with a check mark icon next to the sender name
Email information in Apple Mail

What does the check mark mean?

Upon further inspection, I discovered that Gmail also labels this email with a check mark and even provides additional information:

Picture of an email from DHL opened in Gmail Web with a green check mark labelled "Verified email address, Sender info" under the sender name
Email information in Gmail

Once again we find a check mark, this time in green, alongside the label "Verified email address."

We are presented with even more information upon clicking "Sender info":

Picture of an open dialogue titled "Sender's Digital Signature" with a "Download certificates" link
Sender's Digital Signature pop-up in Gmail

The keywords here are "Download certificates," which saves a certificates.pem file to your computer. When you connect the dots you will find that this must be a S/MIME certificate that is used to encrypt & decrypt emails between recipients.

What's in the certificate?

Thanks to OpenSSL, we can have a closer look at the contents of this certificate via openssl x509 -in certificates.pem -noout -text:

        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Nordrhein-Westfalen, L = Bonn, O = Deutsche Post, CN = DPDHL User CA I3
            Not Before: May  9 08:23:06 2018 GMT
            Not After : May  8 08:23:06 2020 GMT
        Subject: DC = com, DC = dhl, CN = "noreply, DHL, BN", emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
...$.....d..F   0-.%+.....7.....*...........i..7.
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Certificate Policies:

            S/MIME Capabilities:
            X509v3 Subject Key Identifier:
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 Authority Key Identifier:

            X509v3 CRL Distribution Points:

                Full Name:

            Authority Information Access:
                OCSP - URI:
                CA Issuers - URI:

    Signature Algorithm: sha256WithRSAEncryption

And we can learn a lot from this data!

For example, this certificate was issued on May 9th, 2018, and expired on May 8th, 2020. It was issued by Deutsche Post in Bonn, Nordrhein-Westfalen, and refers to [email protected] as its subject email, which, unsurprisingly, matches the email address from the parcel notification email.

More importantly, if you bring your attention to the X509v3 extensions, you will find that "E-mail protection" was added as an extended key usage. Additionally, "S/MIME Capabilities" is attached in the extensions.

How do I get ahold of a check mark myself?

Long story short:

  1. Obtain a S/MIME enabled certificate
  2. Add your certificate to all of your email clients
  3. Your email clients will begin to attach your public certificate to every outgoing email

However, I found myself facing a lot of roadblocks throughout this process.

For those who are interested in enabling hosted S/MIME with Google Workspace, keep reading to ensure this process goes smoothly and doesn't consume as much of your time as it did for me.

Hosted S/MIME in Google Workspace

Before you get started, I recommend you read the full post first to make sure you're up for the challenge and financial burden. All steps are listed in chronological order and must be completed in succession.

Upgrade your Google Workspace plan

To get started, you'll need to be an active subscriber of the Enterprise Plus plan as it is the only Google Workspace plan to support S/MIME encryption. This plan will run you about US$30/month/user at the time of writing.

Google Workspace Enterprise Plus

Manage subscriptions

Enable S/MIME encryption in Google Workspace

Once you've upgraded your Google Workspace plan to Enterprise Plus, you're going to have to manually enable S/MIME in Google Admin.

You can do so by navigating to Apps -> Google Workspace -> Settings for Gmail -> User Settings in Google Admin.

You should then be greeted by this screen:

Picture of Google Admin "Settings for Gmail" user settings with S/MIME options turned on
Google Admin S/MIME settings

All you'll have to do is tick these two boxes:

Hit the "Save" button to apply your changes!

Generate a CSR

The first step in your S/MIME journey is going to be generating a Certificate Signing Request. To do this, you'll need an RSA key—you may use an existing key if you already have one.

To generate a brand new RSA key, run this command:

$ openssl genrsa -aes256 -out 4096

Linux command to generate a new RSA key with 4096 bits

And now you can generate the CSR using your RSA key:

$ openssl req -new -key -out

Linux command to generate the CSR using your RSA key

You'll be prompted to enter some details about your CSR, but you can leave the fields blank by using a . in the appropriate fields. However, you're going to want to enter your email address in the Email Address prompt. Make sure to use the email address you want to create the S/MIME certificate for!

Finally, you'll be offered to enter a challenge password. You can leave this blank if you like, but I recommend entering a passphrase for extra security.

Your final output should look something like this:

Picture of Windows Terminal output of the RSA key and CSR generation commands
Windows Terminal output for RSA key and CSR generation

Purchase an S/MIME enabled certificate

Next up is the arguably most important step: purchasing a S/MIME certificate! Google maintains a list of trusted CA certificates that you can use to make your certificate authority decision.

I chose the SwissSign E-Mail ID Silver certificate with a validity of 1 year for 25 CHF, which is about US$27 at the time of writing.

SwissSign E-Mail ID Silver (DV)

Go to

We will be using SwissSign for the purposes of this step-by-step guide, but you can use any certificate authority of your choice. Keep in mind that your certificate must not be valid for more than 27 months, otherwise, Google Workspace will reject it.

Shortly after you've been billed by SwissSign you should be able to activate the code for your new S/MIME certificate under My account -> Certificates -> Activate code.

Because you'll be prompted for it later, make sure to copy the 18 characters long "Certificate voucher key" on this page.

Once you've done that, click the "Activate code" button to proceed:

Picture of the "Certificates" tab on the SwissSign website displaying a "Certificate voucher key" and "Activate code" button
SwissSign "Certificates" page

Activate your S/MIME certificate

This process is quite lengthy and can be tedious, so make sure you bring some time to follow the next steps very precisely. Mistakes might be irreversible once the certificate has been issued.

Upon clicking "Activate code", you'll be greeted by a login page. You can ignore this login page entirely and just click the "Proceed without account (for quick single certificate request)" button on the left-hand side.

SwissSign "Account logon" page

You'll be redirected to a search page. You can ignore this as well and just click the "New" button on the right-hand side.

SwissSign "Search" page

Now you're on the right track.

On this "Certificate voucher" page, you'll have to paste the 18 characters long "Certificate voucher key" you previously copied from the SwissSign website with the red "Activate code" button.

SwissSign "Certificate voucher (license)" page

You'll be asked to accept the "Subscriber Agreement" which I recommend you review before clicking the checkbox.

Once you're ready you may proceed by clicking the "I accept the above conditions" button.

SwissSign "Subscriber Agreement" page

It's time to paste the CSR you generated earlier. To do that, open the CSR file in a text editor of your choice, or print it with cat:

$ cat

Linux command to print your CSR to the console

Your CSR will look something like this:

This is a dummy CSR for demonstration purposes. Do not copy it!

Paste your CSR into the PKCS#10 field and click "Proceed" to continue.

SwissSign "CSR" page

SwissSign now needs to know the email address to which the S/MIME certificate should be registered. You're going to want to enter your email address here—make sure to double-check your input!

SwissSign "Email" page

This next step is intended for larger organizations where e.g. an IT department would issue a S/MIME certificate on behalf of someone else. Since you're issuing the S/MIME certificate for yourself you may leave all of these fields as they are and click "Proceed".

SwissSign "Contact" page

To wrap up the initial activation phase, you're presented with a final "Submission" page to make sure you entered all details correctly. Take a good minute to review all the entries. Use the "Back" button if you have to make any adjustments.

Once you're ready, hit the "Request certificate" button on the right-hand side.

SwissSign "Submission" page

Check your inbox! 📫

You should have received an email from SwissSign. Click the underlined "approve" link in the email to proceed. This step is necessary to verify that you are the owner of the email address to which the S/MIME certificate will be registered.

Email from SwissSign with an approval link

The link will redirect you back to SwissSign where you'll be given a last glance at what your certificate will look like. I recommend that you once again review the information. If there are any issues with the entries you can use the "withdrawing" link in the email to withdraw the certificate request and start anew.

Click "Confirm approve" to continue.

SwissSign "Confirm approve" page

Back to your inbox! 📫

You should have received a new email from SwissSign confirming that your certificate request has been approved. In the email, you'll also find a "Download certificate" link which you can go ahead and click to retrieve your certificate files.

Email from SwissSign with the download and revocation links
You should keep this email in a place where you know you'll find it again.

Towards the bottom of the SwissSign email, you'll find a revocation link that can be used if your S/MIME certificate gets in the wrong hands.

On the download page, you'll be offered several format options. You will need the .pem (certificate chain) format for the next steps, so make sure that's selected before clicking the "Download" button.

Picture of the SwissSign "Download / Attributes" page with .pem (certificate chain) selected as the download format
SwissSign "Download / Attributes" page

The downloaded file will have a name like [email protected] where [email protected] is your email address.

Upload your certificate in Gmail

Let's add your new S/MIME certificate to Gmail.

To get started, you'll need to convert your certificate to the PKCS#12 format. To do this, run the following command:

$ openssl pkcs12 -export -in [email protected] -inkey -out

Linux command to convert your PEM certificate chain into PKCS#12 format 

You will be prompted to enter an "Export Password" which you will have to enter every time this PKCS#12 is imported into an email client such as Gmail, so make sure you write it down somewhere—preferably in a password manager of your choice.

Once you've entered a passphrase, a .p12 file will be saved in your current directory.

Next, open up or reload your Gmail tab, go to the settings tab, and select the Accounts tab.

Picture of the Gmail settings "Accounts" tab listing added email addresses
List of added email addresses in Gmail

Find your email address in the "Send mail as" list, and click on "edit info" on the right-hand side. A yellow pop-up window will open.

Picture of the "edit info" pop-up in Gmail with the "Disable enhanced encryption" radio button selected
Gmail "Edit email address and encryption settings" pop-up window

Click on the "Upload a personal certificate" link. You will be prompted with a file select dialogue. Select the .p12 file you generated earlier and confirm.

You'll be prompted to enter a passphrase, which is the "Export Password" you selected in the PKCS#12 conversion process earlier.

Picture of the "edit info" pop-up in Gmail prompting the user for a certificate password
Gmail "Add a personal certificate" password prompt

Finally, hit "Add certificate" to complete the process. Your certificate should show up in the list as expected. Make sure its radio button is selected and close the pop-up window.

Picture of the "edit info" pop-up in Gmail with the newly added "SwissSign RSA SMIME" radio button selected
Updated Gmail "Edit email address and encryption settings" pop-up window with the certificate listed

Using hosted S/MIME in Gmail

Congratulations, your new S/MIME certificate is ready to be used! 🥳

Keep in mind that in order to benefit from the enhanced security provided by S/MIME, namely encrypting and decrypting emails, your recipient also needs to use S/MIME.

Otherwise, your email will still use your provider's default encryption technology as if you didn't use S/MIME.

Test your digital signature in Gmail

I've tested my own S/MIME certificate by sending a test email to my work email address:

Picture of an email from opened in Gmail Web with a green check mark labelled "Verified email address, Sender info" under the sender name
Email information in Gmail

And... there it is! The green check mark. Let's inspect the "Sender info" link once again:

Picture of an open dialogue titled "Sender's Digital Signature" with a "Download certificates" link
Sender's Digital Signature pop-up in Gmail

Perfect! Looks like we have a match.

Send emails without the digital signature

Because of the way S/MIME works, every time you send an email, Gmail will inject an attachment that is usually hidden in modern email clients.

Unfortunately for us, sometimes that hidden S/MIME attachment is not actually hidden. For example, if you reply to a support ticket, help desk platforms like Zendesk will add your digital signature as an attachment to the support ticket itself, which might confuse customer support agents.

Google must have considered this to be an issue and put settings in place so that you can temporarily disable attaching your digital signature, if necessary.

To access these settings, start by drafting up an email. Add a recipient and you'll get a little lock icon on the right-hand side, next to the "Cc" and "Bcc" buttons:

Picture of an email addressed to being drafted in Gmail
Message security lock icon in Gmail

Clicking the lock icon will present you with a pop-up summary of the message security methods used:

Picture of the message security pop-up being displayed with a green "Your message will be secure during delivery" header
Message security pop-up

To change the message security settings, click "View details":

Picture of the "Message security" pop-up in the "Settings" tab with the "Standard encryption" radio button selected
Message security settings

From here, all you have to do is click "Standard encryption" and you should be good to go. This will prevent Gmail from injecting your S/MIME certificate and force it to fall back to the default encryption method—most likely TLS.

You probably won't have to do this often, but it's handy to have it ready when necessary.

This option is also available in the Gmail app!

"This message could not be decrypted"

In very certain circumstances you might receive an encrypted email from a contact that Gmail "could not decrypt." The contents will be attached as a smime.p7m instead.

The displayed message gives some clues as to why that is:

Email with missing digital signature in Gmail

As you can tell from the very short and to-the-point error message, the sender did not supply their digital signature, which is why Gmail refuses to decrypt the email. It's not that it can't—Apple Mail does it without complaining—Gmail just doesn't want to.

I reached out to Google Workspace support in April of 2021 and was given this piece of information:

Hello Eric,


Be aware that you need to exchange keys with the email recipients to have Gmail encrypt/unencrypt the emails


Check if the recipient email address is saved on your contacts at
If the email address is there, remove the contact section “3.3 Update contact details” before exchanging keys.

The latter paragraph might be the solution for you, but I discovered that one of my contacts simply did not attach their digital signature to any outgoing emails.

This doesn't stop us from viewing the email though! You can use this command to decrypt the smime.p7m attachment:

$ openssl cms -decrypt -in smime.p7m -inform der -inkey

Linux command to manually decrypt an email using your RSA key

Publishing your SMIMEA DNS records

It is recommended to publish your certificate's SMIMEA (Type 53) DNS records. This has two major benefits:

  1. It allows recipients to verify the validity of your signed email against the DNS record
  2. If someone wants to send you an encrypted email, they can use the SMIMEA DNS record to get your public key without needing your certificate file


The SMIMEA DNS record is only valid if your domain is DNSSEC enabled to verify that the TLSA record has not been altered illegally.

You may refer to this table to find out whether your TLD offers DNSSEC. If it does you might want to contact your provider for set-up instructions.

This service was discontinued by ICANN in 2022. You can use SecSpider to determine DNSSEC availability per TLD.

If your TLD or provider do not offer DNSSEC you will not be able to use the SMIMEA DNS record, but your certificates will still work just fine.

Obtain your name prefix

First things first, you're going to need the SMIMEA DNS record name. It consists of two parts:

  1. Your email prefix
  2. The ._smimecert suffix

For example, if your email address is [email protected], your command would look like this:

$ echo -n eric | sha256sum | head -c 56

Linux command for the name prefix

Note that only the string eric is used in the echo command as opposed to the entire email address. It's very important that you only include anything before the @ symbol, otherwise, your name prefix will be incorrect.

Your output should look similar to this:



But that's only half the story. You're going to need to add ._smimecert right after your hashed email prefix, like so:


Hashed email prefix + ._smimecert = name prefix

And that's a wrap on your name prefix! ✨

Download your PEM certificates

To use the next set of commands, you'll need your PEM certificates. Navigate back to the SwissSign download page and check the .pem radio button in the "Format" section:

Picture of the SwissSign "Download / Attributes" page with .pem selected as the download format
SwissSign "Download / Attributes" page

Generate the hashes

Next up are the values.

There are two Selectors:

And three Matching types:

Lastly, we will be using Usage 3 for Domain-issued certificate because it is the only one that applies to our use case.

Each of the Usages, Selectors, and Matching types plays a different role, so you're going to want to publish as many combinations as possible to ensure maximum compatibility.

To obtain the values needed for your SMIMEA DNS records, run these commands:

$ openssl x509 -in -outform der | hexdump -e '" " /1 "%.2x"' -e '/65536 " "'

Linux command for Usage 3, Selector 0, Matching type 0

$ openssl x509 -in | openssl dgst -sha256

Linux command for Usage 3, Selector 0, Matching type 1

$ openssl x509 -in -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256

Linux command for Usage 3, Selector 1, Matching type 1

Publish your records

And finally, you can publish your records via your provider, which, in my case, is Cloudflare:

Picture of the Cloudflare Dashboard with two published SMIMEA DNS records showing their configurations
Cloudflare Dashboard with configured SMIMEA records
If you're a Cloudflare user like me, please keep in mind that you will not be able to publish your SMIMEA DNS record for Usage 3, Selector 0, Matching type 0 due to Cloudflare's value character limit which will return the error code 81041.

There's a feature request on their community site you can upvote to hopefully have this changed in the future.

Test your records

I highly recommend Tobias Bauer's SMIMEA Test website to test your SMIMEA DNS records for validity:

The website is published in German but the results are color-coded, and you can use Google Translate to retrieve more information if necessary. The green checkmark usually means that your SMIMEA DNS records have been deployed properly:

Picture of Tobias Bauer's SMIMEA Test website with's test results being validated
SMIMEA Test website used to verify the validity of published SMIMEA DNS record

Final thoughts

As you can tell from this elaborate walkthrough, the S/MIME set-up process can be very confusing and overwhelming for non-tech-savvy users who want to benefit from the extra layer of security and novelty of the check mark in email clients, which can make S/MIME rather undesirable to a large chunk of potential users. The added costs of Google Workspace Enterprise Plus and the periodic renewal of your S/MIME certificate can be a pain point as well.

In my opinion, S/MIME is a niche feature that's not going anywhere for now, after all, it is and will remain the standardized method for sending and receiving encrypted email. But in its current form, S/MIME's target audience will most likely not expand past high-profile companies and interested individuals.

Enjoy your brand new check mark!