Share via

Graph API cannot get attachments from signed email

Mark Babayev 226 Reputation points
2020-08-03T19:43:53.757+00:00

When I'm getting attachments for email with electronic signature I receive only 1 attachment - the electronic signature itself.
File name: "smime.p7m"
Content Type: "multipart/signed" 

GET https://graph.microsoft.com/v1.0/users/[mailbox]/messages/[resourceId]/attachments

Is it a bug or a feature? Is there a way to overcome it?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments
Accepted answer
  1. soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator
    2020-08-04T10:46:22.88+00:00

    @Mark Babayev , Thank you for reaching out. It's not a bug, but its an expected behavior in case of 'multipart/signed' messages. 

    This format is a clear-signing format.  Recipients without any S/MIME or CMS processing facilities are able to view the message. It makes use of the multipart/signed media type described in [MIME-SECURE]. The multipart/signed media type has two parts. The first part contains the MIME entity that is signed; the second part contains the "detached signature" CMS SignedData object in which the encapContentInfo eContent field is absent.

    More details can be found in the RFC

    If the content is signed including any attachments, it gets stored inside the one smime.p7m attachment and it is up to you to extract it.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bankovní Výpisy 0 Reputation points
    2025-04-09T09:59:51.3166667+00:00

    ✅ Workaround: Extract Attachments from Signed Email via Microsoft Graph API

    If you're trying to get attachments from an S/MIME signed message using Graph API and only receiving a smime.p7m file — this is expected behavior. However, there's a simple trick to work around it without needing to parse the .p7m manually:

    🛠️ The Trick: Use createForward to Strip the Signature

    1. Call createForward on the signed message: 
         POST /me/messages/{message-id}/createForward

    This creates a draft message with the original body and attachments, but without the S/MIME signature.

    1. Get the attachments from the draft: 
         GET /me/messages/{draft-id}/attachments

    Now you’ll receive the actual attachments, like .zip, .pdf, etc. — not just smime.p7m.

    1. (Optional) Delete the draft to keep your mailbox clean: 
         DELETE /me/messages/{draft-id}
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.