@daresTheDevil
Last active May 21, 2018 14:20
Email Encryption for Schools and Districts

We can enhance the integrity and confidentiality of MDE Emails by enabling hosted Secure/Multipurpose Internet Mail Extensions (S/MIME). For S/MIME encryption to work, the sender and recipient must have:

  1. S/MIME Enabled
  2. A personal key
  3. A shared public key
  4. The ability to encrypt from their Email client

Since most (if not all) schools and districts use G Suite for Education, Office 365 or self-hosted Microsoft Exchange, enabling secure Email exchange can be done without any external vendors or platforms.

Email Encryption Basics

Look at the picture above.

Enabling S/MIME Encryption in Outlook/Exchange

Enabling S/MIME Encryption in Office365

Enabling S/MIME in G Suite for Education

  1. Sign in to your Google Admin console. Sign in using an administrator account, not your current account.

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > User settings. On the left, under Organizations, select the domain or organization you want to configure. Important: If you’re configuring advanced controls on S/MIME to upload and manage root certificates, you must select the top-level organization, typically your domain.

  3. Scroll to the S/MIME setting and check the Enable S/MIME encryption for sending and receiving emails box.

  4. (Optional) If you want to let users upload certificates, check the Allow users to upload their own certificates box.

  5. (Optional additional controls) If you want to upload and manage root certificates, use the S/MIME trusted certificates controls:

     a. Next to Accept these additional Root Certificates for specific domains, click Add.
     b. Click Upload Root Certificate.
     c. Browse to select the certificate file and click Open. You should see a verification message for the certificate that includes the subject name and expiration date. If there’s a problem with the certificate, an error message appears.
     d. Under Encryption level, select the encryption level to use with this certificate.
     e. Under Address list, enter at least one domain that will use the root certificate when communicating. Domain names can include wildcards that adhere to the RFC standard. Separate multiple domains with commas.
     f. Click Save.
     g. Repeat for additional certificate chains.

  6. Check the Allow SHA-1 globally (not recommended) box only if your domain or organization must use Secure Hash Algorithm 1 (SHA-1).

  7. Click Save.

Important: It can take up to an hour to propagate the changes to all user accounts. Messages sent during this time—as well as when you disable and re-enable S/MIME—are not encrypted.

Each sender and recipient must have S/MIME enabled. They also need to exchange information, called keys, to uniquely identify each other.

You can ensure that certain messages can’t be sent or received unless they are S/MIME encrypted or S/MIME signed. Learn about setting compliance and routing rules. Learn about enhancing message security with hosted S/MIME.
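Because messages sent while the setting propagates are not encrypted, it helps to confirm what a test message actually carried. The following is an added example, not part of the original gist or of Google's documentation: it classifies a raw message by the top-level MIME headers that S/MIME defines (RFC 8551) and flags SHA-1 signatures. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def param(msg, name):
    """Return a Content-Type parameter as a lowercase string ('' if absent)."""
    value = msg.get_param(name) or ""
    # RFC 2231-encoded parameters come back as a (charset, lang, value) tuple.
    return (value[2] if isinstance(value, tuple) else value).lower()

def smime_status(raw):
    """Classify a raw message from its top-level MIME headers only.

    An encrypted message hides any signature inside the envelope, so
    'encrypted' says nothing about whether the content was also signed.
    """
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype in PKCS7_MIME:
        # smime-type separates encrypted from opaque-signed content.
        kind = param(msg, "smime-type")
        if kind == "enveloped-data":
            return "encrypted"
        return "signed" if kind == "signed-data" else "unknown-pkcs7"
    if ctype == "multipart/signed" and param(msg, "protocol") in PKCS7_SIG:
        # micalg names the digest used for a clear-signed message.
        weak = param(msg, "micalg") in ("sha1", "sha-1")
        return "signed-sha1" if weak else "signed"
    return "plain"

def sample(content_type):
    # Constructed test message; addresses and body are placeholders.
    return ("From: teacher@district.example\n"
            "To: records@school.example\n"
            "Subject: constructed sample\n"
            "MIME-Version: 1.0\n"
            f"Content-Type: {content_type}\n\n"
            "placeholder body\n")

SIG = 'multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"'
SAMPLES = {
    "encrypted": sample("application/pkcs7-mime; smime-type=enveloped-data"),
    "signed": sample(SIG + "; micalg=sha-256"),
    "signed-sha1": sample(SIG + "; micalg=sha1"),
    "plain": sample('text/plain; charset="utf-8"'),
}

def audit(samples=SAMPLES):
    return {name: smime_status(raw) for name, raw in samples.items()}
```

A "plain" result for a message sent after the propagation window suggests that either the sender or the recipient does not yet have S/MIME enabled or no key has been exchanged.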
