S/MIME Email Encryption (Paris or Quebec)

MGanon
Tera Guru

Has anyone successfully configured S/MIME email encryption with ServiceNow? Is it possible that this is new Paris or Quebec functionality?

We need all email traffic encrypted during the entire flow from the ServiceNow email queue to the receiver.

The Paris ServiceNow Basic email setup | ServiceNow Docs documentation indicates that, if a customer's mail servers send and receive messages via a TLS-encrypted channel, ServiceNow mail servers support "opportunistic TLS", but Email and SMS notifications | ServiceNow Docs also indicates that "Instances cannot send or receive encrypted email messages."

Can anyone explain the difference between supporting TLS email encryption and cannot send or receive encrypted email?

Does the lack of encryption of all traffic apply only to email using ServiceNow servers? Can the email traffic be encrypted by using a customer's email server instead?

Advanced email setup | ServiceNow Docs does not directly address encryption when it references using customer SMTP, POP3, &/or IMAP server(s) to send or receive email.

This was submitted to the Idea Portal but no resolution posted.

Many others have asked similar questions, most recently:
Email Inbound Action with Encrypted Email messages
Outbound email encryption via Secure MIME ( S/MIME...

1 ACCEPTED SOLUTION

Hi,

TLS encryption happens during transit, if the destination mail server supports it. The email itself isn't encrypted - when it arrives at its destination, it will not be encrypted.

ServiceNow can't encrypt your emails.

The only encryption that ServiceNow provides is for fields and attachments within the instance, if an encryption context is applied to those fields. This hasn't got anything to do with emails, though.

You could pre-encrypt your emails before sending them to ServiceNow. If you did this, you would have to add a Business Rule to save your entire email as an attachment. The reason for this is that email could only be decrypted after downloading it from the instance - ServiceNow could not decrypt it.

One important element here is that ServiceNow will always add the body of your email to the activity log for any task-related records (incident, problem, change, etc). If it's pre-encrypted, it won't be readable, hence having to store it as an attachment and then download it to decrypt it.

I hope that this helps.

Jason
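
The difference between TLS in transit and an encrypted message, shown as an added example that is not part of the original thread and is not ServiceNow code. It assumes each receiving server records the RFC 3848 transmission type in its Received header; the hostnames and both sample messages are constructed.

```python
import email
import re

# RFC 3848 transmission types that mean the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# RFC 8551 smime-type values that mean the content itself is encrypted.
ENCRYPTED_SMIME_TYPES = {"enveloped-data", "authenveloped-data"}
PKCS7_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def hop_used_tls(received: str) -> bool:
    """True if a Received header's 'with' clause names a TLS transmission type."""
    m = re.search(r"\bwith\s+([A-Za-z0-9]+)", received)
    return bool(m) and m.group(1).upper() in TLS_PROTOCOLS

def message_protection(raw: str) -> dict:
    """Report TLS use per hop and whether the body is S/MIME-encrypted."""
    msg = email.message_from_string(raw)
    hops = msg.get_all("Received", [])
    smime_type = str(msg.get_param("smime-type") or "").lower()
    encrypted = (msg.get_content_type() in PKCS7_TYPES
                 and smime_type in ENCRYPTED_SMIME_TYPES)
    return {"hops": len(hops),
            "tls_hops": sum(hop_used_tls(h) for h in hops),
            "body_encrypted": encrypted}

# Constructed sample: both hops used TLS, yet the stored message is plain text.
PLAIN_OVER_TLS = (
    "Received: from relay.example.net by mx.example.org with ESMTPS id B2\n"
    "Received: from instance.example.com by relay.example.net with ESMTPS id A1\n"
    "Subject: Incident updated\n"
    "Content-Type: text/plain\n"
    "\n"
    "Short description: readable by every server that stores this message\n"
)

# Constructed sample: opportunistic TLS fell back to plain SMTP on the last
# hop, but the S/MIME envelope still protects the content end to end.
SMIME_PLAIN_HOP = (
    "Received: from relay.example.net by mx.example.org with ESMTP id D4\n"
    "Received: from instance.example.com by relay.example.net with ESMTPS id C3\n"
    "Subject: Incident updated\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "PLACEHOLDER-CIPHERTEXT\n"
)

if __name__ == "__main__":
    print(message_protection(PLAIN_OVER_TLS))
    print(message_protection(SMIME_PLAIN_HOP))
```

Received headers are written by the servers along the path, so this check is only as reliable as those servers.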

6 REPLIES

Susan Britt
Mega Sage

My understanding of what appears to be a contradiction is the actual instance of ServiceNow does not encrypt, but it supports opportunistic TLS if your mail servers can send/receive messages using TLS. ServiceNow will negotiate the encryption during the SMTP handshake. If a secure channel/pathway cannot be negotiated, it will use plain text.

Since I am not an expert in "opportunistic" TLS encryption, the process is still unclear what is and is not encrypted, and what steps are necessary to implement.

Assuming the customer uses an Active Directory/Exchange server and not the native ServiceNow email services, what part of the traffic is not encrypted between the ServiceNow email outbound queue and the final receiver?

Jorge Fernandez
Tera Expert

Hi @MGanon ,

Have you discovered anything else related to this topic?

I need to send encrypted emails via ServiceNow but I haven't been able to figure it out.

Is it a fact that this is not possible?

Thank you and I supported your Idea in the Portal.