S/MIME Part 2: Signed, Sealed, and Delivered through SparkPost. Learn how to sign and encrypt emails using S/MIME with SparkPost, including step-by-step guides on installation, key generation, and message sending.

S/MIME Part 2: Signed, Sealed, and Delivered through SparkPost

Key Takeaways

Premise: Part 2 moves from S/MIME theory to practice — demonstrating how to digitally sign and encrypt emails using SparkPost as the delivery platform.
Goal: Equip developers with a lightweight, command-line workflow to sign outgoing messages, verify signatures, and (optionally) encrypt content for specific recipients.
**Highlights:**Setup: Install the open-source demo tools from GitHub (with automated Travis + pytest checks). The Pipfile handles all Python dependencies.
**Sender keys:**Create a self-signed or CA-issued certificate (.p12) for your email identity.
Split it into private (.pem) and public (.crt) files for use by the signing tool.
**Signing:**Use the included sparkpostSMIME.py script to sign test messages (e.g., tests/declaration.eml).
Confirm signatures visually in clients like Thunderbird (red dot icon).
**Encryption:**Obtain each recipient's public certificate (.crt).
Run the tool again to produce a signed + encrypted message.
Recipients can verify and decrypt using their private keys.
**Delivery via SparkPost:**Configure a valid sending domain and API key.
Send messages through SparkPost's API with tracking disabled to preserve integrity.
**Bonus utility – mimeshow:**Displays human-readable RFC822 MIME structure for debugging or inspection.

Q&A Highlights

Why use S/MIME signing?It authenticates the sender and ensures message integrity — clients like Thunderbird show a visual indicator when the signature is valid.
How do I get my sender certificate?Either self-sign via OpenSSL (for testing) or obtain a trusted certificate from providers such as Comodo (free for non-commercial use).
Can I encrypt messages for multiple recipients?Only if you have each recipient's public key. The demo script encrypts to the single To address by default.
What safeguards keep signatures from breaking in transit?The tool sets SparkPost API options for transactional sending and disables open/click tracking, so the payload passes through unchanged.
What's the role of mimeshow?It parses raw email files and prints their multipart structure — useful for inspecting S/MIME signatures, attachments, and headers.
What's next in the series?Part 3 extends these S/MIME capabilities to on-premises secure email platforms such as PowerMTA and Momentum.
What’s the role of mimeshow? It parses raw email files and prints their multipart structure — useful for inspecting S/MIME signatures, attachments, and headers.
What’s next in the series? Part 3 extends these S/MIME capabilities to on-premises secure email platforms such as PowerMTA and Momentum.

In part 1, we had a quick tour of S/MIME, looking at signing and encryption of our message streams across a range of mail clients. S/MIME messages can be signed (giving proof of sender's identity), encrypted (keeping the message body secret), or both.

In this installment, we'll:

Install some simple command-line tools for signing and encrypting email
Get your sender key / certificate for signing
Send a signed message via SparkPost, and look at the received message
Optionally, get your recipient certificate for encryption
Send a signed and encrypted message via SparkPost, and look at the received message
Try a handy standalone tool "mimeshow" to look at email file internals.

OK – let's get started!

Diagram illustrating email security layers showing the relationship between S/MIME signing, S/MIME encryption, and TLS connections in the email delivery process from message source through email server to recipient.

Bonus feature: displaying MIME parts with "mimeshow"

RFC822 MIME multipart file internals are quite complex to read for humans. The project includes a standalone tool to make this easier, called mimeshow.

This takes any email files you have (not just S/MIME ones) and shows the internal structure. Here's an example:

./mimeshow.py testcases/img_and_attachment.eml

1. Install the tools

The demonstration tools are available on GitHub, complete with installation instructions. You might notice the "build passing" logo – Travis and pytest automatically check the build status. Note these tools are not officially supported by SparkPost, but I've tried to make them robust and easy to use.

If you have some acquaintance with Python and pip, installation should feel pretty familiar. The Pipfile takes care of the external dependencies automatically for you. Once it's done, you can check everything's installed by running

./sparkpostSMIME.py -h

2. Get your sender key / certificate for signing

If you already have a key file for your sending identity, you can skip ahead. Otherwise here are two options to choose from:

a) Self-signed test key / certificate (not externally valid)

If you're just testing, you can make "self signed" certificates and keys for an email address using the command line tool openssl on Linux, following a procedure such as this one. At the end of that process, you'll have a smime.p12 file. Rename this file to match your sending identity, including the @ sign, for example, alice@example.com.p12 .

b) Externally valid keys / certificates

If you want to get externally valid keys / certificates that enable you to sign, there's a list of providers here. I found Comodo works well (free for non-commercial use), and it's easier than the self-sign procedure above. Follow the sign-up process, receive your validation mail, and be sure to open the link in Firefox. Go to Firefox Preferences / Privacy and Security. Scroll to Certificates / View Certificates:

Select your certificate, and use the "Backup" option to save as a file in PKCS12 format (add the file extension .p12 to your filename) which carries the private key and the public certificate chain.

Provide a password to secure the .p12 file:

Generate separate public (.crt) and private (.pem) key files

Whether you used a) or b), you'll now have a .p12 file for your sender identity. That's a big step forward – grab a coffee now!

Now we need to generate separate public and private key files like this – substituting in your own email address for the example one. (Mac OSX and Linux):

Firefox browser settings page showing certificate management options under the Privacy & Security section, with controls for how the browser handles personal certificate requests.

Certificate Manager window showing a list of software security device certificates from COMODO CA Limited, with details including certificate names and serial numbers.

Certificate backup password entry dialog with password fields and strength meter.

3. Send a signed message via SparkPost

Now let's use a real sending domain, set up as per the SparkPost New User Guide. We have the sender certificate and key files in the current directory:

steve@thetucks.com.crt steve@thetucks.com.pem

4. Encrypting messages

To encrypt a message, you need your recipient's public key in certificate form. This is a text file which looks like this:

Bag Attributes friendlyName: s COMODO CA Limited ID #2 localKeyID: 32 84 AB 9C 56 5C 80 C6 89 4D 40 46 DD D4 7C 71 E8 CD ED C1 subject=/emailAddress=bob.lumreeker@gmail.com issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Client Authentication and Secure Email CA -----BEGIN CERTIFICATE----- looks like random characters in here -----END CERTIFICATE-----

There's a dummy recipient certificate for bob@example.com in the tests directory, so you can practice with it before you have a real certificate:

cd tests ../sparkpostSMIME.py example_email1.eml --sign --encrypt

Further thoughts & things to be aware of

This tool takes a super-simple approach to pulling in the necessary keys – it just looks for named files in the current directory. More complex arrangements, such as holding all keys in a database could easily be added, but I wanted the code to be as simple as possible.

You can include other recipients with Cc: and Bcc: and they will be delivered; this could be useful for archival purposes. Signed messages are received and can be displayed by other recipients complete with the signature. The tool strips the Bcc: header from the delivered message (like a desktop mail client would do).

To ensure that messages pass through SparkPost unchanged (which could break signing), the tool sets API options for "transactional" mailing, with open and click tracking disabled.

If you use encryption, bear in mind that the tool picks up the single To: address for that. The other recipients can decode the message body only if they have the To: recipient private key. If you're just using secondary recipients as a record of deliveries made, for example, that may be OK anyway.

Signed, sealed delivered…I’m yours

That’s our quick overview of how to sign, seal, and deliver S/MIME messages through SparkPost. Quick reminder: the demo project is available on GitHub, and I’ve tried to make it easy to install and use.

Signed, sealed delivered…I'm yours

That's our quick overview of how to sign, seal, and deliver S/MIME messages through SparkPost. Quick reminder: the demo project is available on GitHub, and I've tried to make it easy to install and use.