TL;DR: Email remains a high-value attack surface, with workers receiving 120 messages a day and phishing costing businesses more than 2,900 million dollars last year, according to GlobalSign. S/MIME addresses confidentiality, sender authentication, and message integrity, but its value depends on certificate lifecycle governance, private-key protection, and alignment with broader email security controls.
NHIMG editorial — based on content published by GlobalSign: S/MIME email security and digital certificates
By the numbers:
- Office workers receive an average of 120 emails per day.
Questions worth separating out
Q: What breaks when S/MIME certificates are not tied to identity lifecycle management?
A: When certificates are not tied to identity lifecycle management, encryption can remain active after the person who owns the mailbox has changed roles or left.
Q: Why do S/MIME and phishing controls need to work together?
A: S/MIME proves message authenticity, but it does not stop every phishing attempt.
Q: How should organisations handle private-key protection for email certificates?
A: Organisations should protect private keys as sensitive identity material, using managed devices, hardware-backed storage where possible, and strict export controls.
Practitioner guidance
- Map S/MIME to joiner-mover-leaver processes Track every certificate to a named mailbox owner, enforce revocation when roles change, and remove trust immediately when an employee departs.
- Protect private keys on managed devices Store private keys only in approved hardware-backed or operating-system protected locations, and prevent export where business requirements allow.
What's in the full article
GlobalSign's full blog covers the implementation detail this post intentionally leaves for the source:
- Step-by-step S/MIME setup guidance for organisation and client-side certificate deployment.
- Practical advice on revocation timing, certificate renewal, and key protection during employee turnover.
- Integration notes for combining S/MIME with TLS, anti-spam, and anti-phishing controls.
- Operational examples of where email audits and penetration tests can inform certificate policy.
👉 Read GlobalSign's analysis of S/MIME email security and certificate governance →
S/MIME certificates and email trust: are your controls keeping up?
Explore further
S/MIME is a certificate governance problem before it is an email encryption problem. The article describes cryptography correctly, but the real control boundary is lifecycle management for certificates, private keys, and mailbox ownership. If those controls are weak, encrypted email can still be sent by the wrong person or from the wrong device. Practitioners should treat S/MIME as part of identity governance, not as a standalone mail feature.
A question worth separating out:
Q: Who is accountable when a stale email certificate is still trusted after offboarding?
A: Accountability should sit with the teams that own identity lifecycle, email security, and certificate operations together. A stale certificate is not just a mail issue. It is an access governance failure because trust has outlived the identity it was issued to, so revocation and ownership controls must be auditable.
👉 Read our full editorial: S/MIME certificates are a governance control for email trust