You are located in service: Certificates

Configure Outlook (to sign automatically)

Configure Outlook (to sign automatically)


You can configure Outlook to send digitally signed and/or encrypted e-mails.

These instructions were created using Outlook 2016 on Windows 10 (Latest update 23.04.2020).


Please note:

You should install your user (S/MIME or X.509) certificate in the certificate store of your Windows system before you begin the configuration of Outlook.

If you have used a browser other than the Internet Explorer when applying for the certificate, you should first export your user certificate and the RSA keypair into a .p12 file and then import this into your Windows certificate store.

If you do not own a certificate, you can apply for one at the DFN-PKI website. For more information please visit "Applying for User Certificate".

Configure Outlook to digitally sign outgoing e-mails

 E-Mail signieren 1

E-Mail signieren 2

E-Mail signieren 3
E-Mail signieren 4
  • Per default all outgoing e-mails will be digitally signed.

  • Signed e-mails will be sent in clear text.


Choose stronger signature and encryption algorithms

E-Mail signieren 5

Please note:

If you want to add a user certificate for another mail address, you can di it using the button "New" ("Neu").

By clicking this button you empty all the fields and can add a new security setting.


Send a digitally signed e-mail (optional)

E-Mail signieren 6

Verify the digital signature on a signed e-mail

E-Mail signieren 7

Click on the signature icon.

Note: a digital signature is not the footer Outlook allows you to append at the end of each e-mail (e.g. Name, Department, Address, Phone, etc).

A digitally signed e-mail (and the corresponding digital signature) is based on cryptographic algorithms and allows the recipient of your e-mail to: 

  • verify your identity (because of your DFN-PKI user certificate)
  • be sure the e-mail wasn't changed on the way.
E-Mail signieren 8
  • "gültig" is valid and means that the hash value of the electronic signature was computed correctly (this is crypto jargon and basically means the e-mail wasn't changed on the way).

  • "vertrauenswürdig" is trustworthy and means that the public RSA key of the sender was included in a user certificate issued by a certificate authority whose certificate chain is anchored in a root certificate included in Outlook's certificate store (even more crypto jargon, but it doesn't prove the sender's identity, you need to look into the certificate itself to see that).

E-Mail signieren 9
E-Mail signieren 10

If you click on "Details" you get to see more crypto stuff, e.g. message hash value.

We choose to stay under "Allgemein" and have a closer look at the sender's user certificate.

E-Mail signieren 11

This is the certificate chain:

  • T-TeleSec is the root certificate (preinstalled in Outlook)

  • DFN-Verein are the two intermediates

  • the sender's user certificate is at the bottom of the chain

  • "Erika Mustermann" is the Common Name in the user certificate, this is the proof of identity part.


For more information:

last changed on 04/21/2022

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License