S/MIME certificates: is your email trust model keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: A September 2025 study of more than 38 million S/MIME certificates found that over 90% of recent certificates still lack baseline policy identifiers, while many also fail linting checks or are accepted despite weak structure, according to DigiCert. Email certificate governance now hinges on visibility, not just issuance, because enforcement is finally catching up.

NHIMG editorial — based on content published by DigiCert: Why Most S/MIME Certificates Are Still Missing the Mark

By the numbers:

Questions worth separating out

Q: What breaks when S/MIME certificates do not meet baseline requirements?

A: When S/MIME certificates miss baseline requirements, organisations can lose reliable signing and encryption assurance even though mail appears to work.

Q: Why do S/MIME certificates create compliance risk in regulated environments?

A: S/MIME certificates create compliance risk because they carry identity and trust evidence that regulators, auditors, and partners may expect to be consistent and enforceable.

Q: How do security teams know whether S/MIME governance is working?

A: S/MIME governance is working when certificate inventories are current, linting is embedded in issuance and audit workflows, and email clients reject or flag noncompliant material instead of silently accepting it.

Practitioner guidance

  • Inventory every active S/MIME certificate: build a current view of issued certificates, including source CA, policy identifiers, key usage, and trust-chain status.
  • Run certificate linting before and after issuance: use linting in the issuance workflow and in periodic directory audits to catch missing policy identifiers, malformed fields, weak cryptography, and broken AIA values before they spread through the environment.
  • Tie S/MIME review to lifecycle governance: add S/MIME certificates to access review, renewal, and offboarding processes so legacy profiles do not survive policy changes, partner changes, or organisational restructuring.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How pkilint is used to scan certificates for BR violations, cryptographic weaknesses, and structural errors
  • The specific examples of malformed fields and invalid values that the study found at scale
  • How organisations can fold S/MIME checks into issuance workflows, directory audits, and partner assessments
  • What DigiCert recommends for lifecycle management when legacy certificates need to be cleaned up

👉 Read DigiCert's analysis of why most S/MIME certificates still miss baseline requirements →
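The linting step from the practitioner guidance above, as an added Go example that is neither DigiCert's code nor pkilint: it self-signs a constructed sample certificate with and without the S/MIME extensions and lints the parsed result for a CA/Browser Forum S/MIME BR policy identifier (the 2.23.140.1.5 arc), the emailProtection EKU and an AIA URL. The mailbox, CA URL and serial number are constructed placeholders, and the rfc822Name is present in both samples so the findings isolate the three extensions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)

// LintSMIME returns the baseline checks a parsed leaf certificate fails; an empty result means it passed.
func LintSMIME(c *x509.Certificate) (findings []string) {
	arc := asn1.ObjectIdentifier{2, 23, 140, 1, 5} // CA/Browser Forum S/MIME Baseline Requirements policy arc
	hasBRPolicy := slices.ContainsFunc(c.PolicyIdentifiers, func(p asn1.ObjectIdentifier) bool {
		return len(p) > len(arc) && p[:len(arc)].Equal(arc)
	})
	if !hasBRPolicy {
		findings = append(findings, "no S/MIME BR policy identifier under 2.23.140.1.5")
	}
	if !slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageEmailProtection) {
		findings = append(findings, "extendedKeyUsage lacks emailProtection")
	}
	if len(c.IssuingCertificateURL) == 0 && len(c.OCSPServer) == 0 {
		findings = append(findings, "no AIA (caIssuers/OCSP) URL")
	}
	return findings
}

// BuildSample self-signs a constructed test certificate (not any real CA's output); compliant=false reproduces the profile the study describes: mail still works, but policy identifier, emailProtection EKU and AIA are missing.
func BuildSample(compliant bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on a healthy host
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "alice@example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), EmailAddresses: []string{"alice@example.test"}}
	if compliant {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
		tmpl.IssuingCertificateURL = []string{"http://ca.example.test/issuer.crt"}
		// certificatePolicies (2.5.29.32) carrying the BR mailbox-validated strict OID, hand-encoded so the bytes do not depend on which policy field this Go toolchain's CreateCertificate consults.
		pol, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 3}}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling LintSMIME on BuildSample(false) yields three findings and on BuildSample(true) none; against a real inventory, feed the exported DER through x509.ParseCertificate instead of BuildSample.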

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144

S/MIME baseline requirements have exposed a certificate lifecycle governance gap, not a standards problem. The article shows that the BRs exist, but many environments still operate with certificates that do not meet them. That means the weak point is governance follow-through across issuance, validation, and inventory control. Practitioners should read this as a lifecycle failure in email identity, not a cryptographic debate.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, which is a useful reminder that lifecycle control often fails before the breach does.

A question worth separating out:

Q: Who is accountable when noncompliant S/MIME certificates remain in production?

A: Accountability usually spans PKI operations, IAM or identity governance, and compliance teams because S/MIME is both an identity control and a communications control. The organisation is responsible for maintaining policy alignment, but operational ownership should be explicit so legacy certificates do not survive outside review cycles.

👉 Read our full editorial: S/MIME baseline requirements expose a certificate governance gap
