I'm running into a problem with S/MIME signatures in emails from a specific domain. Users are seeing a banner indicating an issue with the signature, but I can't figure out how to resolve it. The situation seems complicated because the certificate could be expired, revoked, or untrusted, but verifying the problem isn't straightforward. I've looked through various guides, and they mention there should be a certificate icon somewhere in the email that can be clicked to view the signature. However, in New Outlook 1.2025.611.400, I can't find that icon. The banner itself is unresponsive, and while I can access the headers through the 3-dot menu, there's nothing related to the signature or certificate there. I'm confused and just want to get this figured out!
3 Answers
Another angle to consider is whether the signing certificate was issued by an untrusted root or if there might be a mismatch between the sender’s address and the ‘from’ field in the email. If it’s an alias or mailing list, that could definitely cause issues with S/MIME validation.
Let’s be honest here—sometimes you just have to blame the sender for certificate issues!
It sounds like switching back to the old Outlook (Outlook Classic) might be your best bet for troubleshooting. A common issue is that the signing certificate might not be trusted. If this is related to communications with the US military or contractors, you'll need to use the "Installroot" program from DISA to manage the required certificates. For the New Outlook, it seems like it doesn't recognize the local machine's certificates, so you'd have to upload them into your organization's setup via PowerShell before they will work. This might help with compatibility across Outlook, OWA, and mobile as well.
Totally agree! New Outlook is definitely lacking when it comes to S/MIME support. It's kind of a hassle.
Thanks for the tips! I’ll start with the Classic Outlook. Just to clarify, since the sender is an individual and their root certificate is trusted here, do we still need to add the sender's signing certificate to every endpoint?
Interesting point! The sender is indeed an individual, and the root certificate is already trusted on our machines.