Email encryption - S/MIME protocol

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Email encryption - S/MIME protocol

    Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol designed for sending encrypted and digitally signed emails, ensuring data confidentiality, authenticity, and integrity. It requires administrative privileges for configuration and understanding of digital signatures, encryption, public keys, and digital certificates.

    Show full answer Show less

    Key Features

    • Digital Signatures: Verifies the sender's identity, ensuring that the message is authentic and unaltered.
    • Message Encryption: Protects email content, allowing only the intended recipient to decrypt and read it.
    • Public Key Infrastructure: Utilizes key pairs (private and public keys) for secure communication between senders and recipients.
    • Digital Certificates: Delivered by certification authorities, these credentials validate public keys and user identities, but must be obtained from third-party providers as ServiceNow does not issue S/MIME certificates.

    Key Outcomes

    Once S/MIME is activated and configured, users can send and receive secure emails within ServiceNow. Outbound emails are signed with the sender’s private key and encrypted with the recipient’s public key, while inbound emails can be verified and decrypted using corresponding keys. This guarantees that email communications remain confidential and authentic.

    Secure/Multipurpose Internet Mail Extensions (S/MIME) is an end-end encryption protocol for sending digitally signed and encrypted emails that support data confidentiality, authenticity, and integrity.

    Introduction to S/MIME

    An administrator with privileges can enable and configure S/MIME. Understanding of the following is required when using the full capabilities of S/MIME:
    • Digital signatures and signature verification
    • Message encryption and decryption
    • Public key
    • Digital certificates

    Digital signatures and verification

    With digital signature, S/MIME verifies the identity of the sender of the email. This verification ensures the following:
    • Message in the email is the exact message sent by the sender.
    • Message is received from the right sender and not someone pretending to be the sender.

    Message encryption and decryption

    S/MIME uses encryption to protect the content of the email, which ensures that only the receiver can decrypt the content. Encryption creates coded information so that it cannot be read or understood until it is decoded and readable. Message encryption helps with the two key security factors of confidentiality and data integrity.

    Public key

    S/MIME uses key pairs and asymmetric cryptography. A private key in a key pair belongs only to the sender. If the private key has been used, the owner of that key has used it.

    Public key cryptography ensures secure communication between the sender and the receiver. Both have a key-pair, with one being private and the other public​.

    Public keys are shared between the sender and the receiver. A public key is paired to only one private key. The corresponding public key is used to identify its paired private key and only its paired private key. A public key can be used by multiple recipients.

    A key pair can be used to
    • Sign and verify a signature
    • Encrypt and decrypt the content of an email

    S/MIME digital signatures and encryption require each sender and recipient to have it enabled. They also need to send or exchange public keys though digital certificates to identify each other.

    For more information about key management and cryprographic module, see Key Management Framework Reference.

    Digital certificates

    Digital certificates help in delivering the public key in the key pair. A digital certificate is a digital credential that provides information about the identity, validity, and any other required information. Digital certificates are issued by a certification authority (CA) and are valid for only a specific period of time.
    Note:
    ServiceNow® does not provide S/MIME certificates for ServiceNow mail infra users. Users should get their S/MIME certificates issued from the third party S/MIME certificate solution providers.

    S/MIME outbound emails

    Signing outbound​ mails

    The ServiceNow AI Platform uses the private key of the sender (instance email account)​ and the receiver uses the public key to verify signatures.

    Encrypting outbound​ mails

    The ServiceNow AI Platform uses public keys of the recipients to encrypt the emails and every recipient uses their private key to decrypt the email.

    S/MIME for inbound email

    Sign verification for inbound​ mails

    The sender uses a private key to sign the email and the ServiceNow AI Platform uses the public key of the sender to verify the signature.

    Decrypting inbound​ mails

    The sender uses the public key to encrypt the email and the ServiceNow AI Platform uses the private key to decrypt the email.