You are located in service: Public Key Certificates

Configure Outlook (to sign automatically)

Configure Outlook (to sign automatically)


Please note:

You should install your user (S/MIME or X.509) certificate in the certificate store of your Windows system before you begin the configuration of Outlook.

If you do not own a certificate, you can apply for one via the RA-Portal. For more information please visit "User certificates RA-Portal".

Digital signatures allow the recipient of an email to verify...

  • the identity of a sender
  • that an email has not been modified while being transmitted

You can configure Outlook to send digitally signed and/or encrypted e-mails. Old certificates can also be replaced with new certificates.



Configure Outlook to digitally sign outgoing e-mails

These instructions were created using Outlook for Microsoft 365 MSO (Version 2310)

You can configure Outlook to automatically sign emails in the Trust Center. To open the Trust Center settings, click FileOptionsTrust CenterTrust Center Settings.

Clicking "File" in Outlook

Selecting "Options"

Opening the Trust Center Settings

In the Trust Center, you can configure an automatic signature under the "Email Security" heading. With the settings shown below:

  • Per default all outgoing e-mails will be digitally signed.
  • Signed e-mails will be sent in plain text.

Click on "Settings" to continue.

Optional: If you have yet to import your certificate into Windows, you can do so with the "Import/Export" button. You must then search for your p12-File and enter the corresponding password.

Configuring an automatic signature


Replace an old certificate with a new certificate (Optional)

You can replace an existing certificate by selecting "Settings" in the Email Security menu in the step above.

If Outlook is already configured to use a certificate, you can replace it with a new certificate (e.g. if the old certificate is expiring).

The new certificate must have been imported into the Windows certificate store.

By selecting "Choose" you can respectively choose the new certificate as your signing certificate and encryption certificate.

If you have multiple email addresses, you can use the "New" Button, to create new Security Settings for a different email address. You can then switch between the settings using the "Security Settings Name" drop-down menu.

Choosing a new certificate


Choose stronger signature and encryption algorithms

Set the hash algorithm and encryption algorithm:

  • Tick the two boxes setting the default cryptography formats
  • Select the hash algorithm SHA256
  • Select the encryption algorithm AES (256-bit)
  • Tick the box "Send these certificates with signed messages"

Algorithm settings


Send a digitally signed e-mail (optional)

If you have configured Outlook to sign automatically, the "Sign" option will be selected by default when sending an email.

Sending an email with an automatic signature configured


Verify the digital signature on a signed email

You can verify the digital signature of a signed email by clicking on the signature icon

Signature icon

A "valid" signature means that the hash signature is correct, meaning that the content of the message was not modified in transmission.

A "trusted" signature means that the public RSA key of the sender was included in a user certificate issued by a certificate authority whose certificate chain is anchored in a root certificate included in Outlook's certificate store. It does not necessarily prove the identity of the sender!

You can view the identity of the sender by clicking on "Details..."

A valid signature

Select the signer and click "View Details".

Properties of a valid signature

You can view the certificate in the "General" tab. Click "View Certificate..." to take a closer look at the certificate.

Signature information

In the "Certification Path" tab, you can see the certificates in the certificate chain and the sender's certificate at the end of the chain.

  • T-TeleSec is the root certificate (preinstalled in Outlook)

  • DFN-Verein are the two intermediates

  • the sender's user certificate is at the bottom of the chain

In this example, the sender is using a group certificate, denoted by the "GRP" prefix. The field for their certificate displays the value for the Common Name in their certificate, this is the proof of identity part. This would usually be the sender's name.

Examining the sender's certificate



For more information:

last changed on 03/07/2024

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License