Entourage Help Page

Encryption

The ‘secrecy’ part of S/MIME is achieved through encryption.  This is probably what most people think of when they hear ‘security’ or ‘secure email.’  Encrypting a message ensures that no one other than the intended recipient can read its contents.  To continue with the example above, suppose you wanted to include your account and social security numbers in the email, but didn’t want that information travelling in the clear across whatever Internet servers and routers happen to carry it.  You would first encrypt the message using your broker’s public key before sending it, so that anyone who intercepts it cannot read what’s inside.  (Technically speaking, the message itself is not encrypted with the broker’s public key: S/MIME encrypts the body with a freshly generated symmetric key and then encrypts that key with the broker’s public key, so only the holder of the matching private key can recover it.  Conceptually, though, it is easier to think of the message as being encrypted to the public key.)

What is sometimes confusing is that, like digital signatures, encryption is an independent service.  Sending an encrypted message by itself provides no guarantee of origin (your identity).  Continuing with the example above, if you sent your broker a request that was only encrypted, he or she would still have no way of verifying that it really came from you.  Anyone who possesses the broker’s public key (and that could be anyone) can send the broker an encrypted message.  So the message could still be spoofed, just with encryption added.  To sum up: encryption provides no authenticity – only secrecy.  (Note: in a way, encryption also provides a degree of message integrity, since if someone altered bits of the ciphertext it would typically no longer decrypt to the original message.  But encryption on its own does not reliably detect tampering, so integrity is still generally considered to be the function of the digital signature.)

Digital signatures and encryption are independent cryptographic operations, and in many cases either signing or encrypting a message on its own is sufficient.  However, there are situations (such as the example above) where you want both secrecy from others and authenticity, that is, proof that you really sent the message.  In these cases you have the option of using both functions to produce a signed and encrypted message.
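The three situations described above, as an added example that is not part of the original help page: a shell script that drives the `openssl smime` command-line tool through encryption alone, an encrypted message from someone who is not who they claim to be, and sign-then-encrypt. The party names (broker, alice, imposter), the self-signed certificates standing in for CA-issued ones, the file names and the order text are all constructed for the example; `openssl smime` and its `-encrypt`, `-decrypt`, `-sign` and `-verify` options are the tool's own.

```shell
#!/bin/sh
# Added example, not from the Entourage help page: the S/MIME operations
# described above, driven through the openssl command-line tool. The identities
# (broker, alice, imposter), file names and message text are all constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity <name>: self-signed certificate + private key for one party
# (stands in for the certificate a real CA would issue).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# smime_encrypt <plaintext> <recipient-cert> <out>
# Only the recipient's certificate (public key) is needed: openssl generates a
# fresh AES-256 content key, encrypts the body with it and wraps that key with
# the recipient's public key; the wrapped key travels inside the message.
smime_encrypt() {
    openssl smime -encrypt -aes256 -in "$1" -out "$3" "$2"
}

# smime_decrypt <ciphertext> <recipient-cert> <recipient-key> <out>
smime_decrypt() {
    openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" -out "$4"
}

# smime_sign <plaintext> <signer-cert> <signer-key> <out>
smime_sign() {
    openssl smime -sign -in "$1" -signer "$2" -inkey "$3" -out "$4"
}

# smime_verify <signed-message> <trusted-cert> <out>
# Exit status 0 only if the signature checks out against the trusted certificate.
smime_verify() {
    openssl smime -verify -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# strip_cr <file>: S/MIME canonicalises line endings to CRLF; drop the CRs for comparison.
strip_cr() { tr -d '\r' < "$1"; }

make_identity broker
make_identity alice
make_identity imposter

# 1. Encryption alone: Alice's order is unreadable in transit; the broker decrypts it.
printf 'Account 12345: sell 100 shares.\n' > "$WORK/alice.txt"
smime_encrypt "$WORK/alice.txt" "$WORK/broker-cert.pem" "$WORK/alice.p7m"
smime_decrypt "$WORK/alice.p7m" "$WORK/broker-cert.pem" "$WORK/broker-key.pem" "$WORK/alice.dec"

# 2. Encryption alone proves nothing about origin: the imposter never touches a
#    private key, yet the broker decrypts the forged order just as cleanly.
printf 'Account 12345: sell everything.\n' > "$WORK/imposter.txt"
smime_encrypt "$WORK/imposter.txt" "$WORK/broker-cert.pem" "$WORK/imposter.p7m"
smime_decrypt "$WORK/imposter.p7m" "$WORK/broker-cert.pem" "$WORK/broker-key.pem" "$WORK/imposter.dec"

# 3. Sign, then encrypt: the broker decrypts with the private key, then checks
#    the signature against Alice's certificate before acting on the order.
smime_sign "$WORK/alice.txt" "$WORK/alice-cert.pem" "$WORK/alice-key.pem" "$WORK/alice.signed"
smime_encrypt "$WORK/alice.signed" "$WORK/broker-cert.pem" "$WORK/alice.signed.p7m"
smime_decrypt "$WORK/alice.signed.p7m" "$WORK/broker-cert.pem" "$WORK/broker-key.pem" "$WORK/alice.signed.dec"
smime_verify "$WORK/alice.signed.dec" "$WORK/alice-cert.pem" "$WORK/alice.verified"

# The imposter can sign too, but only with a key the broker does not trust, so
# the same verification step rejects the forged order.
smime_sign "$WORK/imposter.txt" "$WORK/imposter-cert.pem" "$WORK/imposter-key.pem" "$WORK/imposter.signed"
if smime_verify "$WORK/imposter.signed" "$WORK/alice-cert.pem" /dev/null; then
    IMPOSTER_VERDICT=accepted
else
    IMPOSTER_VERDICT=rejected
fi

# Results, exposed as functions so the outcome can be inspected or tested.
alice_plaintext()    { strip_cr "$WORK/alice.dec"; }
imposter_plaintext() { strip_cr "$WORK/imposter.dec"; }
alice_verified()     { strip_cr "$WORK/alice.verified"; }
imposter_verdict()   { echo "$IMPOSTER_VERDICT"; }

echo "broker decrypted (alice):    $(alice_plaintext)"
echo "broker decrypted (imposter): $(imposter_plaintext)"
echo "signature verified (alice):  $(alice_verified)"
echo "forged signature:            $(imposter_verdict)"
```

The second line of output is the point of the middle paragraph above: decryption succeeds for the imposter's message exactly as it does for Alice's, because producing it needed nothing but the broker's public certificate. Only the signature check in step 3 distinguishes the two, which is why a broker acting on such orders should require a signed and encrypted message rather than an encrypted one alone. The `strip_cr` helper exists because `openssl smime` canonicalises the message body to CRLF line endings before signing or encrypting, so the decrypted and verified text carries carriage returns the original file did not have.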