Gmail uses TLS, or Transport Layer Security, by default for all email communications, so all your emails will use standard encryption as long as the recipients also support TLS. But there is a way to add even more security to your Gmail emails, and you can use your iPhone’s Mail app to do that.
Apple has supported S/MIME, or Secure/Multipurpose Internet Mail Extensions, on iPhone since iOS 5 over a decade ago. S/MIME is a widely accepted cryptographic protocol for sending and receiving digitally signed and encrypted messages, and it works on top of Gmail’s TLS system. S/MIME is similar to PGP, or Pretty Good Privacy, which ProtonMail, FlowCrypt, and Silence.
The TLS used by Gmail encrypts the tunnel between mail servers, making it harder for hackers to eavesdrop or spy on communications en route. The connection between mail clients and mail servers is also encrypted. So as long as you’re communicating with someone whose email provider uses TLS, the route to and from is secure. Yet email remains vulnerable at either end.
Gmail can and does scan your emails for smart features like malware detection, calendar integration, and auto-complete. Therefore, if there is a particularly sensitive subject in the email, you may want to protect it further. Gmail’s servers could also one day be penetrated by attackers, possibly giving hackers access to all your data.
In addition to that, a hacker could physically access a user’s device to search for their emails, or they can install malware to view emails remotely. They can even attack the user’s email account directly via password cracking, social engineering, and other attack vectors for unhindered access.
With S/MIME, you and the recipient each use a CA certificate to encrypt your Gmail messages end-to-end. To send them encrypted email, you need their public key, and they need your public key to send you secure messages. To read the messages, each of you uses your own private key associated with the public key to decrypt the content.
Gmail directly supports S/MIME, but only for paid users. Google workspaces, and the workspace admin must enable it. You can’t use Gmail’s S/MIME support on your personal Gmail account, and that’s where a private S/MIME certificate comes in. In the iOS Mail app, it’s easy to set up S /MIME as long as you have the personal certificate for your email address.
Note that this example uses personal Gmail addresses for the sender and recipient. In an Exchange environment, things will be different unless you communicate with people who don’t use Exchange.
To use S/MIME, you need an S/MIME certificate from a certificate authority. Generally, S/MIME certificates cost money, but some companies offer demos or free versions that last for a limited time. If you like how it works, you can pay for a subscription. For example, GlobalSign Personal S/MIME Certificate costs $59 per year, but it offers a demo to try it out.
For this guide I am using Actalis as it is one of the few certificate authorities to offer a free one-year certificate for personal use. You can even reapply for a certificate once the year is up, according to its policy:
Certificates issued under this policy are provided free of charge (i.e. no charge). However, no more than one certificate request per year is accepted for each unique email address.
After you sign up for a personal S/MIME certificate, the company must give you a password for the certificate and email you the PFX file, also called PKCS#12, or a ZIP file containing the PFX. The PFX file is a password-protected certificate archive containing the complete certificate with public and private keys. Save it to your iPhone in the Files app for safe keeping.
Then unzip the file if necessary and tap on the PFX file, which will download the certificate as a profile on your iPhone. Press “Close” on the Profile uploaded fast. Next, open Settings and tap “Downloaded profile” at the top. (You can also find it via Settings -> General -> VPN & Device Management.)
Next, tap “Install”, enter your iPhone’s passcode and tap “Install” again.
Now click “Install” when prompted. However, before you can install it, you will need to enter the password that the CA gave you when you signed up for the certificate. Press “Next”, then “Done”. You should now see your email address listed as a configuration profile in VPN settings and device management.
Step 3: Enable S/MIME for your Gmail address
You can now activate the certificate for your Gmail email address with the downloaded certificate. Go to Settings -> Mail -> Accounts and select your Gmail account. Next, tap your account email address at the top and choose “Advanced”.
Here you’ll want to go to both “Sign” and “Encrypt by default” and turn them on. The first will add a verified signature to your email so the recipient knows it’s from you and no one else. The second will apply encryption where possible to all outgoing emails from the Gmail address in your Mail app. If you just want to let recipients know that the email is definitely from you, use signature but disable encryption.
Back in the advanced settings of the Gmail account, it should say “Yes” for both options, or at least one or the other, depending on what you want to get out of it.
It’s a two-way street, so you’ll never be able to use end-to-end encryption unless the person you’re communicating with also has a certificate. Once they have one, you both need to exchange public keys as they will encrypt the messages. The private key then decrypts and reads incoming messages from the associated public key.
Ask the person you want to use end-to-end encryption with to email you once they’ve set up their certificate in the Mail app. On the received email, tap their name in the From field, which should now have a blue tick next to it to let you know their signature is valid. On their contact page, tap “View Certificate”, then “Install”, followed by “Done”.
Then send them an email and ask them to do the same to add your public key to their device. If you see “Unable to encrypt” with a crossed-out red padlock, you’ll need to tap “Send anyway” after trying to send it. You can also tap the same lock icon to disable encryption, which will send it as a standard email with your public key certificate.
Each time you want to send an end-to-end encrypted message to the recipient, create a new draft and add their name in the To field. You should now see a blue padlock icon next to their name, indicating that encryption is enabled, and it should say “Encrypted” at the top of the window.
If you want to send a regular message, just tap the blue padlock icon on the right side of the To field, and the encryption will be disabled this time. You’ll know because “Encrypted” will disappear from the top and the lock icon will be crossed out.
You will know that encryption was successful for received messages if you see the lock icon next to their name in the From field. If you just see the check mark, it means it was signed but not encrypted. Replies will also be encrypted, unless disabled by message.
You can check the status of the email by tapping the other person’s name in the To or From field of the message, and you’ll see Signed, Encrypted, Both, or Neither on their certificate.
If you want to read your encrypted Gmail emails from Mail on your iPad or Mac, you won’t be able to because they can’t be decrypted. You must install the private key on all devices you use with Mail, which decrypts email. For iPadOS, the process is the same as above. macOS is a bit different but quite intuitive to set up.
You can also use S/MIME certificates for non-Gmail email addresses like Outlook, Yahoo, AOL, etc., so you’re not limited to secure Gmail-to-Gmail communications.
Keep your connection secure with no monthly bill. Obtain a lifetime subscription to VPN Unlimited for all your devices with a one-time purchase of new Gadget Hacks Store, and watch Hulu or Netflix without regional restrictions, increase security when browsing public networks, and more.
Other great deals to check out: