S/MIME: What is it, why should I care, and how does it relate to SparkPost?

Dec 19, 2018

Publisher: Bird

Category: Email

S/MIME is a long-established method of sending encrypted, signed email, based on public Internet standards. We regularly come across requirements for S/MIME, particularly from regulated industries such as banking, health, and finance. S/MIME often is required when communicating between businesses and government agencies, for example.

Another secure mail standard, PGP (amusingly named “Pretty Good Privacy”), is used more for secure person-to-person communications. It’s less popular now because the consumer versions of popular web-based email clients such as Gmail and Outlook/Hotmail aren’t able to display encrypted mail. That’s one reason much person-to-person communication that requires privacy has moved to platforms such as WhatsApp (and many others) that offer native, end-to-end encryption.

Both PGP and S/MIME require a mail client that can use keys and certificates. Many desktop and mobile clients, including Apple Mail, Microsoft Outlook, and Thunderbird, fit the bill, as do business versions of some web clients such as Microsoft Office 365. Setting up the keys takes work, but many organizations still consider it worthwhile, despite the 2018 EFAIL vulnerability disclosures, whose remediation in affected clients included blocking the loading of remote content.

S/MIME has been around since 1995 and has gone through several revisions; the version current when this was written is covered by RFC 5751 (S/MIME 3.2, since superseded by RFC 8551). It requires an exchange of public keys, a non-trivial task that often needs the support of an IT team or similar resource. This is where commercial solutions from SparkPost partners such as Virtru and Echoworx come in, making security easier for person-to-person business mailing (see our SparkPost/Echoworx approach for more information).

With that said, let’s dig deeper into plain S/MIME and see what we can do with it.

Why should I care?

The short version:

  • Encryption gives your messages privacy.

  • Signing gives you authentication (of the sender), non-repudiation of origin, and message integrity checks.

  • S/MIME works differently from DKIM and DMARC, and can coexist with them.

Privacy
If your messages contain nothing personal, private, or legally important, then you probably won’t need to think about S/MIME. Modern email delivery systems such as SparkPost already use “opportunistic TLS” to secure the message transport from sending server to recipient server.

The “opportunistic” part does mean, however, that if the sending server can’t negotiate a secure connection, the mail is sent in plain text. This isn’t suitable if you want the message to be secure all the way. You can take a peek at which mailbox providers claim to support TLS and which actually do. Assuming the recipient’s server does support TLS, your message is secured as follows.

TLS secures the conversation between mail servers (which is why it’s called Transport Layer Security). MIME, including S/MIME, is concerned with the message content and its handling, and can be thought of as part of the “presentation layer”.

S/MIME secures the message content all the way (“end to end”) from the message origin to the recipient’s mail client, by encapsulating the message body.

S/MIME encrypts the message body with the recipient’s public key. Without the recipient’s private key the body cannot be decoded, not by any “man in the middle” such as your ISP, SparkPost, or the recipient’s mail server.

The private key is never published; the recipient alone holds it. The encrypted message travels across the Internet to the receiving server. When it reaches the recipient’s inbox it is decrypted with their private key (usually automatically) and can then be read.

There are a few S/MIME issues to be aware of.

One side effect of S/MIME encryption is that it prevents server-based scanning of incoming messages for malware, because the message payload is encrypted and so can’t be inspected; any scanning has to happen on the endpoint, after decryption.

Note that the message headers (From:, To:, Subject:, etc.) are not encrypted, so the subject line needs to be written with that in mind.

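As an added example (not part of the original post), here is the encryption flow above run with the openssl command-line tool. It assumes openssl 1.1.1 or later is on PATH; the mailbox names, addresses and message text are made up for the demo, and the certificates are self-signed rather than issued by a CA. It shows the body being encrypted to Bob’s public key, the From:/To:/Subject: headers staying readable in the ciphertext, Bob’s private key recovering the body, and a different private key failing to.

```shell
#!/bin/sh
# Added example (not from the original post): S/MIME encryption with openssl.
# Assumptions: openssl 1.1.1+ on PATH; names, addresses and message text below
# are constructed for the demo; certificates are self-signed (demo only).
set -eu

# Make a self-signed S/MIME certificate plus private key for one mailbox.
# A real deployment gets the certificate from a CA; self-signed is enough
# to show the mechanics.
mkcert() {   # $1 = basename, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1/emailAddress=$2" 2>/dev/null
}

smime_encrypt_demo() {
  work=$(mktemp -d) && cd "$work"
  mkcert bob bob@example.com   # recipient: bob.crt is public, bob.key stays with Bob
  mkcert eve eve@example.com   # a third party holding a key of her own

  # Constructed sample message body.
  printf 'Contract reference 4711.\nSECRET-PAYLOAD: not for the mail server to read.\n' > body.txt

  # Encrypt for Bob: only bob.crt (his public key) is needed.
  openssl smime -encrypt -aes256 \
      -from alice@example.com -to bob@example.com -subject "Contract 4711" \
      -in body.txt -out enc.eml bob.crt

  # 1. Headers travel in the clear; the body is an enveloped-data blob.
  grep -q '^Subject: Contract 4711' enc.eml   || { echo "subject should be visible"; return 1; }
  grep -q 'SECRET-PAYLOAD' enc.eml            && { echo "body leaked in clear"; return 1; }
  grep -q 'smime-type=enveloped-data' enc.eml || { echo "not an enveloped-data part"; return 1; }

  # 2. Bob's private key recovers the body.
  openssl smime -decrypt -in enc.eml -recip bob.crt -inkey bob.key -out dec.txt
  grep -q 'SECRET-PAYLOAD' dec.txt            || { echo "decrypt with bob.key failed"; return 1; }

  # 3. Anyone else (Eve here, standing in for an ISP or the receiving mail
  #    server) gets an error or garbage, never the plaintext.
  if openssl smime -decrypt -in enc.eml -inkey eve.key -out wrong.txt 2>/dev/null \
     && grep -q 'SECRET-PAYLOAD' wrong.txt; then
    echo "wrong key recovered the body"; return 1
  fi

  echo "ok: headers visible, body protected, only bob.key decrypts"
}

smime_encrypt_demo
```

Run it as `sh smime_encrypt_demo.sh`; it works in a fresh temporary directory and prints one status line. The `grep` on the ciphertext file is the practical check for the header caveat above: whatever you put in Subject: is exactly as readable in enc.eml as it would be in an unencrypted message.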
Signing - authentication
S/MIME also gives the recipient the ability to check that the sender of the message is who they say they are.

The sender’s email has a certificate attached which, rather like the certificate on a secure website, can be traced back to an issuing authority. There’s a full description of the signing process here.

We’ll take the approach of signing the message first and then encrypting it, so the process looks like this:


Non-repudiation
Another useful benefit of signing, for the recipient, is non-repudiation of origin. Consider a situation where an email message is used to approve a contract. The recipient gets the contract in a message from the sender. If the sender later tries to say, “Nope, I never sent that message to you”, the received message shows that the sender’s certificate was in fact used. (That argument only holds as long as the sender’s private key really was under the sender’s sole control.)

Message integrity
The signing process creates a fingerprint of the plain source message (known as a message digest), signs the digest with the sender’s private key, and includes the signature in the delivered message. The recipient’s mail client recomputes the digest and can tell if the message body has been tampered with.

Perhaps you might say, “I thought DKIM gives me message integrity checks!” Well yes, DKIM provides message body and message header integrity checks – anti-tampering guarantees. However, DKIM failure (or absence) will not usually cause the incoming message to be marked as completely invalid, unless a DMARC policy of `p=reject` is in play (more on DMARC here). DKIM is one factor of many used by the ISP for reliable assignment of reputation to a domain and is, of course, an essential part of your messaging stack.

If an S/MIME message fails its signature check, your mail client will show this prominently.
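As an added example (not part of the original post), here is the signing side run with the openssl command line: sign, verify against the issuer, check that the certificate’s address matches the From: header (the per-mailbox identity that distinguishes S/MIME from DKIM), alter one figure in the signed body and watch verification fail, then do the sign-then-encrypt order described above and unwind it at the recipient. It assumes openssl 1.1.1 or later; the names, addresses and purchase-order text are made up, and the certificates are self-signed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): S/MIME signing, verification,
# tamper detection and sign-then-encrypt with openssl.
# Assumptions: openssl 1.1.1+ on PATH; names, addresses and message text are
# constructed for the demo; certificates are self-signed (demo only).
set -eu

mkcert() {   # $1 = basename, $2 = email address; self-signed, demo only
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1/emailAddress=$2" 2>/dev/null
}

smime_sign_demo() {
  work=$(mktemp -d) && cd "$work"
  mkcert alice alice@example.com   # the signer
  mkcert bob   bob@example.com     # the recipient (for the sign-then-encrypt step)

  # Constructed sample message body.
  printf 'Please approve purchase order 4711.\nAmount: 100 USD\n' > body.txt

  # Sign: the digest of the body is signed with alice.key and alice.crt is
  # attached so the recipient can trace it to an issuer. -text wraps the body
  # as text/plain; clear signing keeps the body readable by any client.
  openssl smime -sign -text -signer alice.crt -inkey alice.key \
      -from alice@example.com -to bob@example.com -subject "PO 4711" \
      -in body.txt -out signed.eml

  # Verify against the issuer (here the self-signed cert itself) and save the
  # signer certificate that travelled inside the message.
  openssl smime -verify -text -in signed.eml -CAfile alice.crt \
      -signer signer.crt -out verified.txt 2>/dev/null
  grep -q 'Amount: 100 USD' verified.txt || { echo "verified body is wrong"; return 1; }

  # A client must also check that the certificate's address matches From:.
  # S/MIME identity is per mailbox, not per domain as with DKIM.
  cert_mail=$(openssl x509 -noout -email -in signer.crt)
  from_mail=$(sed -n 's/^From: *//p' signed.eml | tr -d '\r')
  [ "$cert_mail" = "$from_mail" ] || { echo "cert $cert_mail != From: $from_mail"; return 1; }

  # Integrity: change one figure in the clear-signed body; the digest no
  # longer matches and verification must fail.
  sed 's/100 USD/900 USD/' signed.eml > tampered.eml
  if openssl smime -verify -text -in tampered.eml -CAfile alice.crt -out /dev/null 2>/dev/null; then
    echo "tampered message verified"; return 1
  fi

  # Sign-then-encrypt: the whole signed MIME message is the payload encrypted
  # for Bob. Bob decrypts with his private key, then verifies Alice's signature.
  openssl smime -encrypt -aes256 -from alice@example.com -to bob@example.com \
      -subject "PO 4711" -in signed.eml -out both.eml bob.crt
  openssl smime -decrypt -in both.eml -recip bob.crt -inkey bob.key -out inner.eml
  openssl smime -verify -text -in inner.eml -CAfile alice.crt -out inner.txt 2>/dev/null
  grep -q 'Amount: 100 USD' inner.txt || { echo "inner signature check failed"; return 1; }

  echo "ok: signature verified, tampering detected, sign-then-encrypt round-trips"
}

smime_sign_demo
```

The From:-versus-certificate comparison is the step openssl does not do for you: `-verify` only proves that some valid certificate signed the body, and it is the mail client (or your own check) that has to tie that certificate to the address the message claims to come from.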


Summary: end-to-end (S/MIME) versus server-to-server (DKIM, DMARC, TLS)
S/MIME is a presentation-layer capability that can work between two email end-users (with valid certificates/keys) without any action by the email admin. S/MIME provides encryption and signing and is personal to each user.

S/MIME is tied to the full sending address (local part and domain part), so, for example, alice@bigcorp.com and bob@bigcorp.com would need different certificates. In contrast, DKIM validates that the email is coming from the signing domain. DKIM is a whole subject in itself; this article is a good place to start.

DKIM and DMARC setup is done by your email admin (working on the mail server and DNS records). Once set up, they act for the domain, not for individual users.

How does this relate to SparkPost?

Mail systems for person-to-person messaging, such as Microsoft Exchange Server, have long supported S/MIME.

If you use SparkPost to send to specific recipients whose mail clients can read S/MIME, then S/MIME-signing your mail may make sense. An S/MIME signature gives further assurance that the message really came from you (or your systems) and hasn’t been tampered with, which may be valuable in some situations. All you need is your own key and some free software, which we’ll demonstrate in part two of this article.

Using S/MIME encryption is a separate choice. You will need each recipient’s public key. Obtaining it can be as simple as having them send you (or your application) a signed email. We’ll explore practical tools for sending S/MIME signed and encrypted mail through SparkPost in a follow-up article.

Which clients support S/MIME?

Consumer Gmail
The ordinary Gmail web client displays incoming mail signatures (see below), but it’s not set up to hold your private key to read encrypted messages. Even if that were possible via third-party plugins, uploading your private key is not a great idea from a security standpoint.

I simply couldn’t get Yahoo Mail to decode the signature in the message.

The consumer version of Microsoft Outlook/Hotmail accounts alerts you that an S/MIME signature is present, but doesn’t give you full access to view or check the certificate.


Hosted business mail
For organizations with hosted mail, Microsoft Office 365 and G Suite Enterprise have S/MIME support.

Outlook mail client
Client-based Microsoft Outlook (e.g. 2010 for Windows) works:

Clicking the icon gives more information.

In Outlook 2010 / Windows, the certificate store can be reached via File / Options / Trust Center / Trust Center Settings / Email Security / Import/Export.

Thunderbird - cross-platform and free
If you’re looking for a free client, Thunderbird fits the bill. It’s available on PC, Mac, and Linux, and supports S/MIME on all of these. Here’s how a message looks on Mac. The “sealed envelope” icon indicates the message is signed, and the padlock indicates it was encrypted.

Clicking the envelope/padlock shows information about the message.

Thunderbird has its own key store, accessed in similar ways on each platform:
Mac via Preferences / Advanced / Certificates / Manage Certificates
PC: menu (“hamburger” top right), Advanced / Certificates / Manage Certificates
Linux: menu (“hamburger” top right), Preferences / Advanced / Manage Certificates

Apple Mail
Mac Mail also supports S/MIME. It relies on your Mac keychain to hold your keys.

iOS Mail
First, import your email account’s certificate like this; then you can view S/MIME signed and encrypted emails. They don’t really look any different on the viewing screen.

Android
Some devices and apps support S/MIME; there’s a lot of variety out there. Samsung has a guide.

Finally...

That’s our quick overview of the practical uses of S/MIME. If you want to get your own mail certificates, there’s a list of providers here. I found Comodo works well (free for non-commercial use – open this in Firefox, not Chrome).

In part two, we’ll explore how to apply S/MIME signing and encryption to messages you deliver through SparkPost.

Further reading
Microsoft has a good introductory article on S/MIME here.

For more info on the EFAIL vulnerability and how it’s been addressed, this is the definitive site. Other easy-to-follow explanations are here and here.
