When do public agencies tend to use S/MIME?

Across the DACH region, S/MIME dominates among public agencies, banks and insurers — usually via Sectigo, T-Systems or D-Trust. Outlook supports S/MIME natively without a plugin, which simplifies rollout.

When is PGP the better choice?

In tech-savvy communities (open source, activism, journalism). PGP uses a web of trust instead of a Certificate Authority and is not tied to commercial providers.

Can I use both in parallel?

Yes, both standards can coexist. Outlook users may use S/MIME, Thunderbird users PGP. For a single address, however, pick one solution pragmatically.

Which algorithm is secure?

Both standards support modern algorithms. RSA 2048 or higher, or ECC P-256, for keys; AES for content. PGP today commonly uses Curve25519 instead of RSA.

What does an S/MIME cert cost?

Mailbox-validated from ~30 EUR/year (Sectigo 794), strict from ~45 EUR (795), organisation-validated from ~120 EUR (796). PGP is always free of charge (self-signed).

S/MIME vs. PGP — Mailantis Learn

The fundamental difference

Both approaches solve the same problem, but with opposite philosophies:

S/MIME builds on certificates from official CAs — like HTTPS. You buy a certificate, and an authority vouches for your identity.
PGP relies on a web of trust — users sign each other's keys; trust emerges from the network, not from a central authority.

Side-by-side

	S/MIME	PGP / OpenPGP
Trust	Certificate Authority (CA)	Web of Trust
Key distribution	Automatic (signature contains cert)	Manual or keyserver
Client support	Outlook, Apple Mail, Thunderbird natively	Thunderbird natively; Outlook/Apple Mail via plug-in
Mobile	iOS / Android natively	Additional apps required
Central management	Very good (certificate rollout via MDM)	Cumbersome
Key recovery	Possible (CA / escrow)	Difficult to impossible
Cost	Certificate (~40–200 EUR / user / year)	Free
Use	Enterprises, public agencies	Tech-savvy community, IT security

When S/MIME is the better choice

We recommend S/MIME for:

Enterprises with centralised IT / MDM.
Communication with public agencies (many use S/MIME).
Users who do not want to install additional software.
Compliance requirements that mandate a trust anchor.

When PGP is the better choice

PGP fits:

Individuals and small teams who do not want to trust a commercial CA.
Communication with journalists, activists, the open-source community.
Technically experienced users who manage keys themselves.

What neither delivers

Neither S/MIME nor PGP prevents phishing or protects metadata. The subject line, sender and recipient remain visible. Only content and attachments are encrypted. To protect against forged senders you need DMARC.

Can they run in parallel?

Technically yes — a mail client can support both approaches. In practice this is rarely sensible: users often do not know which approach they are currently using, and key management doubles. It is better to roll out a single solution consistently.

Lose the key, lose the data. Anyone who loses their private key can no longer read old mail. Set up a documented backup strategy from day one.

S/MIME vs. PGP — which fits you?