If you’ve been treating email security as a “set it and forget it” job, 2025 is your wake-up call. The rules are changing. The deadlines are real. And the way organizations issue and manage S/MIME certificates will never be the same.
In the last few months, the CA/Browser Forum’s S/MIME Certificate Working Group (SMCWG) pushed through two important ballots (SMC012 and SMC013) and a compliance deadline that will directly affect how secure email works for everyone using public Certification Authorities (CAs).
Here’s what’s coming:
- Automation with ACME for S/MIME — No more manual mailbox validation.
- Post-Quantum Cryptography (PQC) support — Preparing for a PQC world where quantum computers can break today’s encryption.
- Mandatory Name Attributes in Certificates — A compliance change hitting every organization using public CAs by July 16, 2025.
This isn’t just technical housekeeping. This is a shift in how the email trust ecosystem operates. You must know what’s changing, why it matters, and exactly what you need to do to avoid getting caught unprepared.
TL;DR: The 2025 S/MIME Shake-Up
| | SMC012 – ACME Automation for S/MIME | SMC013 – Quantum-Safe S/MIME (PQC) |
| --- | --- | --- |
| What It Is | ACME finally comes to S/MIME, automating mailbox & domain validation | Two NIST-approved quantum-proof algorithms land for CA testing |
| What the Ballot Does | Lets CAs & ACME clients validate via short-lived email tokens – fast, hands-free | Enables single-key PQC certs with zero reliance on old, quantum-vulnerable algorithms |
| When the Changes Will Take Place | Already live – July 2, 2025 | Post-IPR review: August 20, 2025 |
| Why You Should Care | You ditch manual certificate checks for automation that scales | First real step toward quantum-proof email security on open networks |
The Big Problem: Trust, Consistency, and the Quantum Threat
Email is still the world’s number one communication tool for business. And yet… The standards for verifying and securing those emails haven’t always been consistent.
Some CAs verified mailbox control using methods borrowed from TLS website validation. Others took more relaxed approaches. And in the absence of clear, universal requirements, identity assurance varied wildly from one provider to the next.
Add to that the slow crawl toward automation and the looming shadow of quantum computing, and you’ve got a system that needs a serious tune-up.
That’s what the July 2025 updates are all about:
- Standardising how mailbox validation works so that CAs, email clients, and organisations are all on the same page.
- Adding automation so certificate issuance can keep up with scale and speed demands.
- Preparing for the quantum era, where traditional encryption won’t cut it.
- Making identity verification mandatory and visible, so email recipients can trust the sender.
Update 1: ACME Automation for S/MIME
Effective date: July 2, 2025
If you’ve worked with TLS/SSL certificates, you probably know ACME. It’s the protocol that powers automated certificate issuance. Now, for the first time, ACME is officially part of the S/MIME Baseline Requirements (Ballot SMC012).
CAs can now use ACME random tokens to verify that you control a specific mailbox or domain. These tokens are short-lived (up to 24 hours), unique to each request, and sent via SMTP to the address being validated.
You respond with the token, the CA verifies receipt of that token, and the wait is over. ACME is no longer limited to the HTTP or DNS validation schemes of the TLS world.
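The token properties described above (random, unique per request, valid for at most 24 hours, tied to the mailbox being validated) are sketched below from the CA side. This is an added example, not code from the ballot or from any CA; the class, method names and reason strings are hypothetical, and it models the checks only, not the ACME wire format or the SMTP delivery.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # the page states tokens live for up to 24 hours

class MailboxChallenges:
    """CA-side store of pending mailbox-control challenges (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # request_id -> (mailbox, token digest, expiry)

    def issue(self, request_id, mailbox):
        """Create a fresh token; the caller mails it to `mailbox` over SMTP."""
        token = secrets.token_urlsafe(32)  # 256 random bits, unique per request
        # Keep only a digest, so a leaked store does not reveal live tokens.
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[request_id] = (mailbox, digest, self._clock() + TOKEN_TTL)
        return token

    def verify(self, request_id, mailbox, returned_token):
        """Return (ok, reason) for a token sent back by the applicant."""
        entry = self._pending.get(request_id)
        if entry is None:
            return False, "unknown-or-used"
        bound_mailbox, digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[request_id]
            return False, "expired"
        if mailbox != bound_mailbox:
            return False, "wrong-mailbox"
        candidate = hashlib.sha256(returned_token.encode()).digest()
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            return False, "bad-token"
        del self._pending[request_id]  # single use: a replay is rejected
        return True, "validated"

if __name__ == "__main__":
    ca = MailboxChallenges()
    token = ca.issue("req-1", "alice@example.com")  # constructed sample address
    print(ca.verify("req-1", "alice@example.com", token))
    print(ca.verify("req-1", "alice@example.com", token))  # replay attempt
```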
Why this matters:
- Speed: Certificates can be issued within a few seconds rather than hours or days.
- Scalability: When you deal with hundreds or thousands of mailboxes, automation is what makes issuance sustainable.
- Future-readiness: PQC upgrades will need fast key rotation, which manual procedures cannot handle.
Stephen Davidson, chair of the CABF S/MIME Working Group, put it best:
“The trend has been to deprecate older methods and emphasise automation options specific to the needs of S/MIME. This method is a good example.”
If you want to survive the next wave of security upgrades, start automating now.
Update 2: Post-Quantum Cryptography Comes to S/MIME
Review Period Ends: August 20, 2025
Quantum computing might sound like sci-fi, but it’s not. When a cryptographically relevant quantum computer (CRQC) finally arrives, RSA and ECC, the algorithms behind most encryption today, will be breakable. That’s where Post-Quantum Cryptography (PQC) comes in.
Ballot SMC013 introduces two NIST-approved PQC algorithms into the S/MIME Baseline Requirements for testing purposes:
- ML-DSA — A digital signature algorithm based on CRYSTALS-DILITHIUM.
- ML-KEM — A key encapsulation mechanism designed for secure key exchange, even against quantum attacks.
These certificates won’t be generally available yet. They’re for CAs and clients to experiment with “single-key” PQC (no fallback to pre-quantum algorithms).
Why start now? Because switching the world’s encryption to quantum-safe standards isn’t going to happen overnight. It’ll take years, and testing is the first step.
Update 3: Mandatory Name Attributes in S/MIME Certificates
Compliance Deadline: July 16, 2025
This is the change that will catch unprepared organisations off guard. From this date forward, Sponsor-validated S/MIME certificates issued by public CAs must include:
- Given Name (G={{GivenName}})
- Surname (SN={{Surname}})
If these are missing, your certificate request will be rejected. The purpose is simple: to strengthen identity verification and make secure email more trustworthy. Without this, recipients might have no idea who’s sending that encrypted or signed email. With it, impersonation and fraud become much harder.
Who’s Impacted?
If you use public CAs for S/MIME Certificates, you’re affected. This includes organisations issuing certificates through platforms like Microsoft Intune, ManageEngine Endpoint Central, VMware Workspace ONE, Jamf, Cisco Meraki, Ivanti, Scalefusion, BlackBerry UEM, or any other Unified Endpoint Management (UEM) or Mobile Device Management (MDM) solution.
You’re not impacted if you use only private/internal CAs or don’t use S/MIME for email security. However, no platform will automatically update your profiles. You must handle the updates manually.
What You Need to Do Now: Action Plan
1. Review Certificate Profiles
Check your SCEP or similar profiles used for S/MIME.
2. Add the Required Name Fields
Update the Subject Name format to include:
- G={{GivenName}}
- SN={{Surname}}
3. Test Before Full Rollout
Initially, assign the updated profile to a small group. Verify issuance and email capabilities.
4. Plan for Reissuance Costs
Editing the profiles can trigger reissuance for all users. Liaise with your CA to avoid unwanted charges.
5. Communicate with Your CA Provider
Make sure they are ready for automation and for the name attribute changes.
6. Monitor for Further Updates
PQC and other ballot changes will keep coming. Don’t get blindsided.
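Steps 1 to 3 can be backed by a quick audit of the Subject Name templates before anything is rolled out. The script below is an added example, not part of any UEM/MDM product: the profile names, the `{{UserName}}` and `{{EmailAddress}}` placeholders and the accepted label aliases other than `G` and `SN` are assumptions.

```python
import re

# Labels accepted for each required field. "G" and "SN" are the labels used on
# this page; "GN", "GIVENNAME" and "SURNAME" are assumed aliases.
REQUIRED = {
    "givenName": {"G", "GN", "GIVENNAME"},
    "surname": {"SN", "SURNAME"},
}

def parse_subject(template):
    """Split a subject-name template into (LABEL, value) pairs.

    A comma escaped with a backslash stays inside the value.
    """
    pairs = []
    for part in re.split(r"(?<!\\),", template):
        if "=" not in part:
            continue
        label, value = part.split("=", 1)
        pairs.append((label.strip().upper(), value.strip()))
    return pairs

def missing_name_attributes(template):
    """Return the required fields that are absent or have an empty value."""
    present = {label for label, value in parse_subject(template) if value}
    return sorted(f for f, labels in REQUIRED.items() if not (present & labels))

def audit(profiles):
    """Map profile name -> missing fields, for non-compliant profiles only."""
    report = {}
    for name, template in profiles.items():
        missing = missing_name_attributes(template)
        if missing:
            report[name] = missing
    return report

# Constructed sample profiles (names and templates are illustrative).
SAMPLE_PROFILES = {
    "smime-legacy": "CN={{UserName}},E={{EmailAddress}}",
    "smime-partial": "CN={{UserName}},E={{EmailAddress}},SN={{Surname}}",
    "smime-updated": "CN={{UserName}},E={{EmailAddress}},G={{GivenName}},SN={{Surname}}",
    "smime-escaped": r"CN=Doe\, Jane,G={{GivenName}},SN=",
}

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_PROFILES).items():
        print(f"{name}: missing {', '.join(missing)}")
```

An empty report means every profile carries both attributes; any profile listed should be updated and retested on a small group first.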
Benefits of Acting Early
If you treat this as just another compliance box to tick, think again.
By acting early, you:
- Build Trust — Clear name identification reduces impersonation risk.
- Improve Security — Standardised attributes make fraudulent certificates harder to obtain.
- Simplify Troubleshooting — Uniform formats make it easier for IT teams to debug issues.
- Prepare for the Quantum Shift — Automation now means faster adoption of PQC later.
When a deadline like July 16, 2025, hits, the scramble will be real. The companies that have already updated their profiles will be sipping coffee while the rest are drowning in urgent support tickets.
Here is how it affects you after the deadline: The “Certificate Chaos”
Your CEO tries to send an encrypted email to a client. The client’s email client rejects the certificate as invalid. Your helpdesk is flooded with calls. Your IT team scrambles to fix profiles, reissue certificates, and coordinate with the CA.
All because the Subject Name didn’t include two attributes you could’ve added in 10 minutes weeks ago.
Now picture the opposite: you updated in June, tested in a sandbox, and rolled out changes without disruption. July 17 comes and goes, and your secure email runs like clockwork.
How This Fits Into the Bigger Cybersecurity Picture
These changes aren’t happening in isolation. They’re part of a broader trend:
- Automation everywhere — TLS, S/MIME, code signing, you name it.
- Quantum preparedness — Moving the global infrastructure toward PQC.
- Tighter identity standards — Zero trust principles applied to certificates.
Don’t Just Comply, Leverage the Change
Yes, this is about compliance. But it’s also an opportunity. If you implement ACME automation now, you can:
- Reduce manual admin work.
- Speed up onboarding for new users.
- Rotate keys faster when needed.
If you start experimenting with PQC now, you can:
- Position your org as a leader in security innovation.
- Avoid rushed, risky migrations later.
And by updating your certificate profiles ahead of the deadline, you:
- Avoid outages.
- Maintain client trust.
- Keep your IT team sane.
Conclusion
2025 isn’t just another update for email security. It’s a full system upgrade for how trust, automation, and encryption work. The winners will be the organisations that move now, not the ones scrambling on July 16.
Update your profiles, embrace ACME, and start testing PQC. Do it early, do it right, and when the rest of the world is firefighting, you’ll be moving on to your next big project.
FAQs
What exactly is happening to Email Security in 2025?
Three big shifts are coming:
- Automation with ACME for S/MIME – No more manual mailbox validation; issuance becomes faster and scalable.
- Post-Quantum Cryptography (PQC) support – New quantum-resistant algorithms are being introduced for testing.
- Mandatory name attributes in certificates – Given Name and Surname must be in every publicly issued S/MIME certificate.
Who’s affected by these changes?
Any organisation using public CAs for S/MIME certificates.
What’s the deal with mandatory name attributes?
From July 16, 2025, public S/MIME certs must include a Given Name (G) and Surname (SN). Without these, issuance will fail.
What happens if we ignore these changes?
Worst-case scenario:
- Certificates fail.
- Emails bounce or get flagged as untrusted.
- Your CEO can’t send an encrypted message to a client.
- Your helpdesk is buried in tickets.
- You’re paying emergency reissuance fees.