S/MIME Certificates

An S/MIME certificate serves two purposes:

• It encrypts the email body and any attachments using the recipient’s public key, so only the recipient’s private key can decrypt it.
• It applies a digital signature using the sender’s private key, proving who sent the email and that nothing was altered after sending.

Recipients verify that signature with the sender’s public key.

This protection guards against phishing and man-in-the-middle attacks at the message level.

S/MIME works differently from TLS on your mail server. TLS secures the connection between servers while emails are in transit, but once a message lands in an inbox, it sits unencrypted on the server. S/MIME encrypts the message itself, keeping it protected from the moment it leaves your outbox until the recipient opens it.

The CA/Browser Forum’s S/MIME Baseline Requirements, effective since September 2023, define four validation types that determine what identity information a certificate contains:

• Mailbox-Validated (MV) confirms you control the email address. No identity checks beyond that. Best for personal email or a quick setup. SSL Dragon’s Sectigo Basic and Pro certificates fall into this category.
• Individual-Validated (IV) verifies the certificate holder’s real-world identity through government-issued ID. Suited for freelancers and professionals who need to prove who they are in correspondence.
• Organization-Validated (OV) verifies the organization’s legal existence and displays the company name in the certificate. A strong choice for businesses sending from shared or departmental addresses. Sectigo Enterprise uses this validation level.
• Sponsor-Validated (SV) is issued by an organization to its employees, confirming both the company and the individual representative. DigiCert Secure Email for Business uses sponsor validation, and it’s the standard for enterprise-wide deployments.

• Healthcare organizations handling protected health information (PHI) need email encryption to meet HIPAA requirements. An email certificate applied to clinician and admin accounts satisfies that obligation.
• Law firms and financial institutions face strict client confidentiality rules and growing exposure to Business Email Compromise (BEC) attacks. A digitally signed email lets clients confirm the message came from their actual attorney or advisor.
• Companies operating under GDPR must protect personal data in transit. Encrypting email with S/MIME provides a clear, auditable safeguard.
• FDA-regulated businesses that submit data through the Electronic Submissions Gateway (ESG) can use DigiCert’s secure email certificates, which meet FDA ESG compliance requirements. Related certificate types like code signing and document signing certificates cover other compliance scenarios.