Configure S/MIME for Windows
- Windows 10
- Windows 11
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
About message encryption
Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email.
About digital signatures
A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they’re using an email client that supports S/MIME.
S/MIME is enabled for Exchange accounts (on-premises and Office 365). Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com.
Valid Personal Information Exchange (PFX) certificates are installed on the device.
Choose S/MIME settings
On the device, perform the following steps: (add select certificate)
Open the Mail app.
Open Settings by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
Tap Email security.
In Select an account, select the account for which you want to configure S/MIME options.
Make a certificate selection for digital signature and encryption.
- Select Automatically to let the app choose the certificate.
- Select Manually to specify the certificate yourself from the list of valid certificates on the device.
(Optional) Select Always sign with S/MIME, Always encrypt with S/MIME, or both, to automatically digitally sign or encrypt all outgoing messages.
The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
Tap the back arrow.
Encrypt or sign individual messages
While composing a message, choose Options from the ribbon. On phone, Options can be accessed by tapping the ellipsis (...).
Use Sign and Encrypt icons to turn on digital signature and encryption for this message.
Read signed or encrypted messages
When you receive an encrypted message, the mail app will check whether there is a certificate available on your computer. If there is a certificate available, the message will be decrypted when you open it. If your certificate is stored on a smartcard, you will be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate.
Install certificates from a received message
When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
Open a signed email.
Tap or click the digital signature icon in the reading pane.