Set up Outlook to use S/MIME encryption
Applies To
Outlook for Microsoft 365 Outlook 2024 Outlook 2021 Outlook 2019 Outlook 2016 Outlook on the web New Outlook for Windows Outlook on the web for Exchange Server 2016 Outlook on the web for Exchange Server 2019 Outlook Web AppWant to add a padlock to your email messages? You can use encryption and digital signatures in new Outlook, classic Outlook, and Outlook on the web for work or school accounts to increase the security of messages.
Encrypting an email message in Outlook means it's converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key sees indecipherable text.
Digital signatures verify the identity of the sender of an email message. When you receive a message containing a digital signature, you can trust that the sender is who they say they are. If you want to insert a digital signature into an email, you need to install a digital ID (certificate), which is verified by a third party.
Before you can send and receive messages with encryption or digital signatures, or digital IDs, please follow the instructions to set up encryption in Outlook.
Important: Message encryption and digital signatures are only available to work or school accounts with a Microsoft 365 qualifying subscription. Encryption and digital signatures are not available on free or personal Microsoft 365 accounts.
There are two types of encryption options: S/MIME and Microsoft Purview Message Encryption using Information Rights Management (IRM).
When you have a Microsoft 365 qualifying subscription, Outlook supports message encryption based on Information Rights Management. To use message encryption, you must have Microsoft Purview Message Encryption, which is included in the Office 365 Enterprise E3 license.
You can also use S/MIME encryption (Secure/Multipurpose internet Mail Extensions), a widely accepted protocol for sending digitally signed and encrypted messages. To use S/MIME encryption, you and the recipient must have a mail application, such as Outlook, that supports the S/MIME standard.
S/MIME in Exchange provides the following services for email messages:
-
Encryption: Protects the content of email messages.
-
Digital signatures: Verifies the identity of the sender of an email message.
Administrators: Learn more about Microsoft Purview Message Encryption, Security and Compliance in Outlook for Windows, Configure S/MIME in Windows.
Instructions to set up Outlook for encryption and digital signatures
To set up Outlook for encryption and digital signatures, choose instructions based on the version of Outlook you're using. What version of Outlook do I have?
Configure S/MIME in new Outlook for encryption and digital signatures
Before you start this procedure and encrypt emails, you must first Get a digital ID, otherwise known as a digital certificate, and add it to the keychain on your computer.
Note: New Outlook doesn't automatically import digital certificates. You must install the certificate manually or ask your administrator to configure policies to automatically install certificates.
-
Select Settings > Mail > S/MIME.
-
Select Encrypt contents and attachment for all messages I send to automatically encrypt all outgoing messages.
-
Select Add a digital signature to all messages I send to digitally sign all outgoing messages.
-
Select Automatically choose the best certificate for digital signing.
-
This screen is where you'll also Import or Export your digital IDs (certificates). See Secure messages with a digital signature in Outlook.
See also: Send an Outlook message with S/MIME or Microsoft Purview encryption.
Set up classic Outlook for encryption and digital signatures
Before you start this procedure and encrypt emails, you must first Get a digital ID, otherwise known as a digital certificate, and add it to the keychain on your computer.
Configure your S/MIME certificate in classic Outlook
Once you have your S/MIME certificate set up on your computer, you can configure it in Outlook:
-
In Outlook, select File > Options > Trust Center > Trust Center Settings.
-
In the left pane, select Email Security.
-
Under Encrypted email, select Settings.
-
Under Certificates and Algorithms, select Choose and then select the S/MIME certificate.
-
Select OK.
See also: Send an Outlook message with S/MIME or Microsoft Purview encryption.
Set up Outlook on the web for encryption and digital signatures
Install the S/MIME control
-
Get a certificate, sometimes referred to as a key or digital ID.
The first step to use S/MIME is to obtain a certificate from your IT administrator or helpdesk. Your certificate might be stored on a smart card, or might be a file that you store on your computer. Follow the instructions provided by your organization to use your certificate.
-
Install the S/MIME control.
-
Go to Settings > Mail > S/MIME.
-
Find To use S/MIME, you need to install the S/Mime control. To install it, click here. Select Click here.
Note: If you receive an encrypted message before you've installed the S/MIME control, you'll be prompted to install the control when you open the message.
Note: To use S/MIME on Chrome, your computer must be joined to a Microsoft Active Directory domain and have a Chrome policy to include the S/MIME extension. Check with your IT administrator or helpdesk to confirm that your computer is joined to a domain and has the required policy. Instructions for IT administrators can be found in Configure S/MIME settings in Exchange Online for Outlook on the web.
-
When you're prompted to run or save the file, select Run or Open (the choice will vary depending on the web browser you're using).
-
You might be prompted again to verify that you want to run the software. Select Run to continue the installation.
-
Allow the Outlook on the web domain to use the S/MIME control
-
Edge and Chrome: You might see the following message the first time you try to use S/MIME in Outlook on the web on Edge or Chrome after you install the S/MIME extension:
-
S/MIME isn't configured to work with the current domain. You can add it in S/MIME Extension options page in the settings for your browser.
Select the link to go to the settings page, and allow your work or school domain to use S/MIME. The domain is usually the part after the @ sign in your email address. Check with your IT administrator if that doesn't work.
Note: You will have to close and reopen Outlook on the web before you can use the S/MIME control.
See also: Send an Outlook message with S/MIME or Microsoft Purview encryption.
See also
Send an Outlook message with S/MIME or Microsoft Purview encryption
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
