
Sign and Encrypt Email in Microsoft Outlook

Version History

Version Number | Date | Change Description
2.0 | 03/24/2026 | Updated guidance for classic Outlook for Windows (Microsoft 365 Apps).
1.0 | 06/13/2023 | Initial guidance for Microsoft Outlook 2016.

This guide was developed in collaboration with the United States Office of Personnel Management

Personal Identity Verification (PIV) cards contain cryptographic certificates that support S/MIME secure email. Secure email includes two protections:

  • Digital signatures, which verify who sent the message and prevent tampering
  • Encryption, which ensures only the intended recipient can read the message

These instructions apply to classic Outlook for Windows included with Microsoft 365.

Outlook requires that your account’s email address matches the email address encoded on your PIV certificates.
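
A check for the address-matching requirement above, as an added example that is not part of the original guide: this PowerShell lists the certificates in the current user's Personal store with their key-usage role and email address. It assumes Windows has already copied the card's certificates into that store with the card inserted, and `jane.doe@agency.example` is a placeholder address.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    # Placeholder address (assumption): pass the address on your Outlook account.
    [string]$AccountAddress = 'jane.doe@agency.example'
)

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Key usage decides the role: digitalSignature for a signing certificate,
    # keyEncipherment (RSA) or keyAgreement (ECC) for an encryption certificate.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [X509KeyUsageExtension] } |
        Select-Object -First 1
    $usages = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }

    $roles = @()
    if ($usages.HasFlag([X509KeyUsageFlags]::DigitalSignature)) { $roles += 'Signing' }
    if ($usages.HasFlag([X509KeyUsageFlags]::KeyEncipherment) -or
        $usages.HasFlag([X509KeyUsageFlags]::KeyAgreement)) { $roles += 'Encryption' }

    # Email name: rfc822Name in the subject alternative name, or E= in the subject.
    $address = $cert.GetNameInfo([X509NameType]::EmailName, $false)

    [pscustomobject]@{
        Subject        = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
        Roles          = $roles -join ', '
        Email          = $address
        MatchesAccount = $address -eq $AccountAddress   # -eq ignores case
        Expired        = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey  = $cert.HasPrivateKey
    }
} |
    # Certificates without a key usage extension are skipped by this filter.
    Where-Object { $_.Roles } |
    Sort-Object Roles |
    Format-Table -AutoSize
```

A row whose Email is empty or whose MatchesAccount is False (for example an authentication certificate) is not one Outlook will accept for that account.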

Before You Begin

Before configuring Outlook:

  • Confirm your organization supports S/MIME with third-party PKI certificates.
  • Ensure your PIV card, middleware, and smart card reader are functioning.
  • Note that browser-based Outlook requires a separate extension for S/MIME, which may not be enabled.

Configure S/MIME in Outlook

These steps reflect the current configuration experience in classic Outlook for Windows (Microsoft 365 Apps).

  1. Insert your PIV card.

  2. Open Outlook and go to File > Options > Trust Center > Trust Center Settings.

  3. Select Email Security.

  4. Under Encrypted Email, select Settings.

  5. Select New to create a new security configuration.

  6. Enter a name such as PIV Secure Email.

  7. Select Choose next to Signing Certificate.
    • Choose your PIV digital signature certificate, then select OK.
    • Set Hash Algorithm to SHA256.
  8. Select Choose next to Encryption Certificate.
    • Choose your PIV key management or encryption certificate, then select OK.
    • Set Encryption Algorithm to AES 256-bit.
  9. Enable Send these certificates with signed messages.

  10. Select OK to save.

Note: The following screenshot shows an example of a completed security preference configuration.



[Screenshot: Security Preference Configuration]

Certificate Publication in Modern Microsoft 365

Many Microsoft 365 tenants no longer display the older Publish to GAL button. When this option is absent, certificate publication occurs in one of the following ways:

Automatic Publication (Default for Many Tenants)

Exchange Online automatically makes your certificate available internally after you send a digitally signed email.

Administrator-Managed Publication

Your organization may publish certificates centrally using Active Directory, Entra ID, or automated provisioning.

Certificate Sharing via Signed Messages

When you send a digitally signed message, Outlook includes your public signing and encryption certificates. This allows recipients to encrypt messages to you even without GAL publishing.

Send a Digitally Signed Email

  1. Compose a new message.

  2. In the ribbon, select Options.

  3. Select Sign (red ribbon icon).

  4. Send the email.

  5. Enter your PIV PIN when prompted.

Send an Encrypted Email

  1. Compose a new message.

  2. Select Options.

  3. Select More Options.

  4. Select Security Settings.

  5. Check Encrypt message contents and attachments.

  6. Select OK.

  7. Send the message.

Note: It is common to enable both encryption and signing so the recipient automatically receives your certificates.



[Screenshot: Encrypt Email with S/MIME]

Import a Recipient’s Encryption Certificate Manually

Use this process when Outlook cannot locate a recipient’s certificate through your directory or a prior signed email.

  1. Obtain the recipient’s public encryption (key management) certificate.

  2. Open the Home tab.

  3. Select Address Book.

  4. Go to File > New Entry.

  5. Select New Contact, then OK.

  6. Add the recipient’s name and email address.

  7. Select the Certificates tab.

  8. Select Import and choose the certificate file.

  9. Select Save & Close.

Decrypt an Encrypted Email

Outlook can decrypt encrypted messages if the matching private keys are available from your PIV card or from the Windows cryptographic key store.

  1. Open the encrypted message.

  2. Insert your PIV card when prompted.

  3. Enter your PIN.

If you cannot decrypt older messages, your organization may maintain historical key management keys separately. Contact your IT administrators for recovery if needed.

Other Helpful References

IDManagement.gov

An official website of the U.S. General Services Administration
