You are located in service: RWTH-E-Mail

Configure Outlook (to sign automatically)

Configure Outlook (to sign automatically)


You can configure Outlook to send digitally signed and/or encrypted e-mails. Old certificates can also be replaced with new certificates.

These instructions were created using Outlook 2016 on Windows 10 (Latest update 23.04.2020).


Please note:

You should install your user (S/MIME or X.509) certificate in the certificate store of your Windows system before you begin the configuration of Outlook.

If you have used a browser other than the Internet Explorer when applying for the certificate, you should first export your user certificate and the RSA keypair into a .p12 file and then import this into your Windows certificate store.

If you do not own a certificate, you can apply for one at the DFN-PKI website. For more information please visit "Applying for User Certificate".

Configure Outlook to digitally sign outgoing e-mails

 E-Mail signieren 1

E-Mail signieren 2

E-Mail signieren 3
E-Mail signieren 4
  • Per default all outgoing e-mails will be digitally signed.

  • Signed e-mails will be sent in clear text.


Replace an old certificate with a new certificate (Optional)

Choosing a new certificate

If Outlook is already configured to use a certificate, you can replace it with a new certificate (e.g. if the old certificate is expiring).

The new certificate must have been imported into the Windows certificate store.

By selecting "Choose" you can respectively choose the new certificate as your signing certificate and encryption certificate.


Choose stronger signature and encryption algorithms

E-Mail signieren 5

Please note:

If you want to add a user certificate for another mail address, you can di it using the button "New" ("Neu").

By clicking this button you empty all the fields and can add a new security setting.


Send a digitally signed e-mail (optional)

E-Mail signieren 6

Verify the digital signature on a signed e-mail

E-Mail signieren 7

Click on the signature icon.

Note: a digital signature is not the footer Outlook allows you to append at the end of each e-mail (e.g. Name, Department, Address, Phone, etc).

A digitally signed e-mail (and the corresponding digital signature) is based on cryptographic algorithms and allows the recipient of your e-mail to: 

  • verify your identity (because of your DFN-PKI user certificate)
  • be sure the e-mail wasn't changed on the way.
E-Mail signieren 8
  • "gültig" is valid and means that the hash value of the electronic signature was computed correctly (this is crypto jargon and basically means the e-mail wasn't changed on the way).

  • "vertrauenswürdig" is trustworthy and means that the public RSA key of the sender was included in a user certificate issued by a certificate authority whose certificate chain is anchored in a root certificate included in Outlook's certificate store (even more crypto jargon, but it doesn't prove the sender's identity, you need to look into the certificate itself to see that).

E-Mail signieren 9
E-Mail signieren 10

If you click on "Details" you get to see more crypto stuff, e.g. message hash value.

We choose to stay under "Allgemein" and have a closer look at the sender's user certificate.

E-Mail signieren 11

This is the certificate chain:

  • T-TeleSec is the root certificate (preinstalled in Outlook)

  • DFN-Verein are the two intermediates

  • the sender's user certificate is at the bottom of the chain

  • "Erika Mustermann" is the Common Name in the user certificate, this is the proof of identity part.


For more information:

last changed on 03/27/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License