My last company used S/Mime, but it required a dedicated appliance on both ends and a key server to provide the public key from the sending appliance to the receiving one. It's complicated and not practical for most people, but it worked quite well and is used by some big orgs.
That said, the bigger issue is how messages are stored at rest. Basically all the major email providers support and use TLS at this point, which is plenty strong enough for most mail in transit if you're only worried about the body of the message.
I think we need to worry about mail at rest before trying to make in transit encryption stronger. What's the point of anything stronger than TLS in transit if GMail can just read the full unencrypted message?
In normal encrypted email usage (without appliances at both ends) the emails are encrypted at any point after creation. They are only decrypted when someone wants to look at a particular message. So encrypted archiving comes for free. This is actually a significant and helpful feature here. I don't see the point of giving this feature up and then working to create a secure archiving system to make up for it.
which is probably not going to tell them anything useful.
That seems pretty useful to me. Sure, they still get to see the subject, the sender, and the recipient list so they get important metadata about my communications. But most of the time my communications are with people that I'm already known to communicate with, and the subject just reveals that the message is about some topic that I'm already known to communicate with them about. All the stuff that would actually be new and interesting to a third party is in the body.
On the other hand I seem to recall tptacek saying that just encrypting the message body is worthless, and when it comes to cryptography that guy's smart. I mean like fuck-a-guy smart. Know what I'm saying? So it is possible I'm overlooking something.
Not entirely worthless, but there are a bunch of things that are left unprotected and may thus pose an issue. Certainly not up to the same standards of your average EE2E IM platform, but it kinda doesn't have to be to be useful.
That said, the bigger issue is how messages are stored at rest. Basically all the major email providers support and use TLS at this point, which is plenty strong enough for most mail in transit if you're only worried about the body of the message.
I think we need to worry about mail at rest before trying to make in transit encryption stronger. What's the point of anything stronger than TLS in transit if GMail can just read the full unencrypted message?