Exchange Hosting - Digitally Sign & Encrypt Email Using S/MIME


Active Exchange Email services, see Add Hosted Services.


This article will list additional consideration when migrating to hosted exchange servers.


S/MIME allows digitally signed and encrypted messages to be sent to and from Exchange mail servers. It provides secure email between sender and recipient providing verification of identity, and message tampering prevention. A digital security certificate must be purchased and the certificate installed before S/MIME can be configured. Please view Microsoft's list of recommend third party companies that provide this service:

The security certificate purchased must match that of the email address hosted with ITSN to work properly. To verify the certificate is installed correctly, in Outlook go to:

Outlook 2010: File > Options > Trust Center > Trust Center Settings > Email Security.

Outlook 2007: Tools > Trust Center > Email Security

Both the sender and recipient will need a certificate for S/MIME to function properly.


1. Both parties will need to send a signed email to enable the other to decrypt their encrypted emails. To do this in Outlook open a new email message then:

Outlook 2010: Options > More Options > Click the small box in the corner.

Outlook 2007: Options> then click on the envelope and bell icon.


2. Click the Security Settings box.


3. In the security properties window select both:

  • Add digital signature to this message
  • Send this message as clear text signed.

Then click OK.


4. Send out an email to the other party that will be included in the encrypted communication. After the recipient receives the email, the message will need to be opened. Then in the From  field right click on the senders name and select Add to Outlook Contacts.


5. In the Contact section the certificate and the contact will be displayed. Verify the certificate, then click Save & Close.


6. Encrypted email transmission is now enabled between the two parties. To enable an encrypted click on the Sign (envelope & ribbon), and Encrypt (envelope & lock) icons located in the Options section.


Outlook Web Access (OWA) Integration

1. The next step in email security would be to connect the digital certificate to Outlook Web Access. Just as in Outlook, OWA must have a certificate installed to enable signed and encrypted emails. This can be accomplished by publishing the certificate to the organizations Global Address List (GAL). To do so in the respective Outlook programs:

Outlook 2010: File > Options > Trust Center > Trust Center Settings > Email Security.

Outlook 2007: Tools > Trust Center > Email Security

From within email security, click the Publish To GAL... button


2. Click OK to confirm and allow Outlook to publish the certificate to the GAL.



3. Shortly thereafter a notification window will appear confirming a successful publication, click OK. With the certificate published it will now be necessary to access webmail and enable the certificate there.


4. In a web browser navigate to the Outlook Web Access portal (, and login using the full email address and password.


5. On the top right of the screen below the mailbox name, locate, and click on Options. This will redirect the browser to the OWA options screen


6. The left side of screen will feature a column with the various OWA option categories. Click on the last category listed, Settings. Next click on the lock icon entitled S/MIME. In the center of the screen will be a click able link, click Download the S/MIME control.


7. Internet explorer will display a warning window asking to run or save owasmime.msi from, click Run.


8. After the download completes, User Access Control (UAC) will ask for permission to run the S/MIME download. Click Yes.


9. Back in OWA the browser will prompt to run the add-on, MIME Edit binary behaviour, click Allow.


10. Click again on the S/MIME icon. Options will now be available to enable S/MIME in OWA, click the following options:

  • Encrypt contents and attachment of all messages I send
  • Add a digital signature to all messages I send

Once the options have been enabled click Save.


11. A new email will now have to be created to enable the final few extensions. In the top right of the browser click on My Mail to return to the inbox.


12. Click on the New email icon.


13. Before the new email will load, a notification will once again appear asking to run MIME Edit binary behaviour, click Allow.


14. The new email will display two icons highlighted, an envelope with a Ribbon, and one with a lock. Respectively the two icons allow for digital identity (certificate), and message encryption. 



What Is Next?

Account Locks After Invalid Attempts,

Add A SPF Record,

Configure The Junk Email Filter.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


  • 0
    Nawaz Mistry

    Digital services of the economics and all exchange companies are invoked and practiced. It is certain and particular. The  essay service reviews are learned and understood in letter and spirit for the affairs and skills

Please sign in to leave a comment.