S/MIME Rules Configuration

Before certificates and email accounts can be used for S/MIME operations, your organization must create S/MIME Rules in the MXHero dashboard. These rules define when and how S/MIME operations are applied to email flows.

How S/MIME Rules Work

1. Select S/MIME Actions

For emails matching the flow, you can enable one or more actions:

• Validate: Verify digital signatures on incoming emails
• Sign: Add digital signatures to outgoing emails
• Encrypt: Encrypt outgoing emails
• Decrypt: Decrypt incoming emails

2. Define Email Flow Scope

Rules specify which emails are affected by defining the flow direction:

• From → To: Specific sender to specific recipient

3. Certificate Requirements

S/MIME operations will only apply to email accounts that meet these conditions:

• The email account must be registered via the API (as described in this guide)
• The account must have the appropriate certificates for the requested action:
  • Signing/Decrypting: Requires P12 certificate with private key
  • Encrypting/Validating: Can use PEM certificates (public key only)

Rule Processing Logic

Email Flow → Rule Match → Action Check → Certificate Availability → S/MIME Operation

Important: If an email account is not registered or lacks the required certificates, the S/MIME operation will be skipped for that account, even if a rule exists.

Example Rule Scenarios

Scenario 1: Sign All Outgoing Emails

• Flow: yourcompany.com → Anyone
• Action: Sign
• Result: All outgoing emails from registered accounts with P12 certificates will be signed

Scenario 2: Encrypt to External Partners

• Flow: yourcompany.com → partner-company.com
• Action: Encrypt
• Result: Emails to partner-company.com will be encrypted if recipient certificates are available

Scenario 3: Validate Incoming Signatures

• Flow: Anyone → yourcompany.com
• Action: Validate
• Result: Incoming signed emails will be validated against registered sender certificates

Scenario 4: Full S/MIME Protection

• Flow: yourcompany.com ↔ partner-company.com
• Actions: Sign, Encrypt, Decrypt, Validate
• Result: Complete S/MIME protection for bidirectional communication

Advanced Filtering

S/MIME rules support the same advanced filtering options available in other MXHero rules:

• Sender/Recipient (From/To) Exclusions
• Use filter policy

Rule Priority and Conflict Resolution

• Rules are processed in order of priority
• More specific rules take precedence over general rules
• Only one rule can be executed by organization on the same email
• Certificate availability is checked for each action independently

Configure S/MIME Rules (via Dashboard)

• Define email flows
• Select S/MIME actions
• Set filtering criteria

Email Processing (Automatic)

• Rules evaluate incoming/outgoing emails
• S/MIME operations applied based on available certificates
• Emails processed according to rule configuration

Best Practices for Rule Configuration

1. Start Simple: Begin with basic organization-wide rules before creating specific flows
2. Test Gradually: Deploy rules to small groups first, then expand
3. Monitor Logs: Check processing logs to ensure rules work as expected
4. Certificate Coverage: Ensure all users in rule scope have appropriate certificates
5. External Coordination: Coordinate with external partners for mutual S/MIME setup

Troubleshooting Common Issues