cannot send encrypted emails

Question

the encrypt option is available and i can select to encrypt however the email is not sent and I receive the following message: "there was a problem sending this email. Please try again later. An internal server occurred. The operation failed. Object reference not set to an instance of an object"

I have sent various test emails to external recipients as well to myself, each time I receive the above feedback.

Answer 1

Hi,

Thank you for sharing your question. I understand how frustrating it is when regular messages send normally, yet encrypted emails fail every time with an unexpected internal‑server error.

According to Microsoft’s documented guidance, encrypted email failures like the one you are seeing typically occur when Outlook cannot find or use the required encryption components, such as valid S/MIME certificates or the correct Microsoft Purview Message Encryption configuration. When the encryption process fails server‑side, Outlook returns errors such as the one you received: “An internal server occurred. The operation failed.” This often points to missing, invalid, or mismatched certificates for your mailbox or the recipients.

Microsoft also notes that a failure to send encrypted messages can occur if your Microsoft 365 account doesn’t have the required Purview Message Encryption license or if your tenant’s encryption configuration isn’t enabled correctly, even if the Encrypt button is visible. Verifying the license assignment and ensuring the encryption feature is properly enabled resolves these issues.

Are you using S/MIME certificates for encryption, or are you using Microsoft Purview Message Encryption through the “Encrypt” button?

If you can tell me which encryption method you use and whether the issue happens with all recipients or only specific ones, I’ll guide you through the exact next steps to get encrypted email sending successfully again.

 

I hope this helps.

Best Regards,

Noel

Answer 2

The error indicates a failure in the encryption process on the server side, most commonly because the required S/MIME certificates (digital IDs) are missing or not usable for the sender or one or more recipients.

Use these checks and steps:

1. Confirm a valid S/MIME certificate (digital ID) for the sending account
   • For S/MIME encryption, a valid digital ID must be installed and associated with the mailbox.
   • If no digital ID is available, obtain one and configure it for the account, then try sending again.
   • In OWA/Outlook on the web scenarios, if the certificate’s Subject or Subject Alternative Name does not contain an SMTP address that matches the mailbox, S/MIME operations will fail.
2. Verify that the sender certificate’s SMTP address matches the mailbox
   • The certificate used for S/MIME must contain an SMTP address that is listed on the account used to sign in.
   • If the certificate is issued to a different SMTP address than the one on the mailbox, the server will not use it for S/MIME, which can cause send failures.
   • In Exchange environments where this is enforced, the administrator can optionally enable the AllowUserChoiceOfSigningCertificate registry value on the Exchange server to allow manual selection of a certificate whose SMTP does not match the mailbox, then restart IIS. After that, the user can choose the correct signing certificate in OWA options.
3. Check recipient certificates and encryption method
   • For S/MIME encryption to specific recipients, their public keys must be available and valid.
   • If encrypting to external recipients, ensure their S/MIME certificates have been exchanged and installed.
   • If using S/MIME and some recipients have unsupported or conflicting certificates (for example, ECC vs RSA combinations), Outlook may show encryption warnings. In such cases, continuing with S/MIME encryption is supported when the warning is a known false positive.
4. Test sending non‑encrypted mail
   • Confirm that non‑encrypted messages send successfully to the same recipients. If non‑encrypted messages also fail, the issue is not specific to encryption and needs separate mail‑flow troubleshooting.
5. If using Outlook on the web with S/MIME
   • Ensure the S/MIME control or support is correctly installed and configured for the browser and that the correct certificate is selected under email security options.
   • If the certificate does not match the mailbox SMTP address and cannot be changed, involve an Exchange administrator to adjust the registry as described above or to issue a new certificate with the correct SMTP address.

If all of the above are correct and the error persists, the issue is likely a server‑side fault in the Exchange/OWA environment and requires review of server logs and configuration by the mail administrator.

---

References:

• Error when sending S/MIME encrypted mails from OWA: Outlook Web Access could not find your digital ID for encryption
• Send S/MIME or Microsoft Purview encrypted emails in Outlook
• "Conflicting or unsupported encryption" warning when sending an encrypted message
• Why can't I encrypt?

AI-generated content may be incorrect. Read our transparency notes for more information.