Use digital signatures for email with Apple Mail and Outlook for macOS


Before you begin

Note:

Due to enhanced security features in Exchange Online, digital signatures are no longer required at IU; however, digital signatures will continue to work as expected if you wish to continue using them.

At Indiana University, you can use S/MIME client certificates from the InCommon Certificate Service to digitally sign and/or encrypt email messages. For instructions on getting a client certificate, see Get an S/MIME client certificate for digital email signatures at IU. For information about potential issues affecting various applications and devices, see Known issues with using S/MIME client certificates to digitally sign or encrypt email at IU.

When you receive your client certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.

View a video about using digital signatures in Apple Mail and Outlook for macOS.

Install your S/MIME client certificate

To install your S/MIME client certificate:

  1. Double-click the file downloaded from the InCommon Certificate Manager.
  2. Keychain Access will prompt you for the certificate passphrase; use the second ("PIN") passphrase, not the first ("request") passphrase.

The client certificate will be installed on your Mac and will appear in the "My Certificates" section of Keychain Access. The certificate is now available for use with Apple Mail, Outlook, and other applications that can use client certificates.

Note:
Your client certificate is available only on the computer and user account where you install it. To use your client certificate on another device, you will need to install it on that device as well.
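
A check that can be run in Terminal on the downloaded file before double-clicking it, as an added example that is not part of the original IU instructions: it confirms that the PIN opens the bundle and that the certificate inside is issued to the expected address, unexpired, and valid for S/MIME signing. The function name check_smime_p12 and the P12_PIN environment variable are assumptions of this example, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: pre-import check of an S/MIME PKCS #12 bundle (.p12 / .pfx).
# Assumption: the "PIN" passphrase is supplied in the P12_PIN environment
# variable so that it is not passed as a command-line argument.

check_smime_p12() {
    p12=$1          # path to the downloaded bundle
    want_email=$2   # address the certificate should be issued to

    # -nokeys: never output the private key; -clcerts: only the user's own
    # certificate, not the CA chain. Fails on a wrong PIN or a damaged file.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PIN -nokeys -clcerts) || {
        echo "FAIL: cannot open $p12 (wrong PIN or not a PKCS #12 file)"
        return 1
    }

    # -email lists the addresses in the subject and subjectAltName.
    printf '%s\n' "$cert" | openssl x509 -noout -email |
        grep -Fqix "$want_email" || {
        echo "FAIL: certificate is not issued to $want_email"
        return 2
    }

    # -checkend 0 exits non-zero when the certificate has already expired.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null || {
        echo "FAIL: certificate has expired"
        return 3
    }

    # -purpose reports what the certificate's usage extensions allow.
    printf '%s\n' "$cert" | openssl x509 -noout -purpose |
        grep -q '^S/MIME signing : Yes' || {
        echo "FAIL: certificate does not permit S/MIME signing"
        return 4
    }

    # Details to compare with what Keychain Access shows after the import.
    printf '%s\n' "$cert" |
        openssl x509 -noout -subject -enddate -fingerprint -sha256
    echo "OK: usable for S/MIME signing as $want_email"
}

# Usage: sh script.sh FILE.p12 ADDRESS, with P12_PIN already exported.
if [ "$#" -eq 2 ]; then
    check_smime_p12 "$1" "$2"
fi
```

The SHA-256 fingerprint and expiry date printed on success can be compared with the entry that appears under "My Certificates" after the import.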

Use your client certificate with Apple Mail

Use these instructions to enable Apple Mail to use client certificates for digitally signing and/or encrypting email.

Enable digital signing and encryption

  1. If you just installed your client certificate, close Mail, and then restart it.
  2. Begin composing an email message. You should see a "Signed" icon in the lower right of the message header, indicating the message will be digitally signed. If you don't see the "Signed" icon, select Customize (in the lower left of the message header), and add the "Lock" and "Signed" icons.

Digitally sign email

To send a digitally signed message, verify that the "Signed" icon has a checkmark in it. If the "Signed" icon has an x instead, your message will not be digitally signed.

Note:
Because digital signatures are sent as attachments, which some mailing lists do not accept, you may not want to digitally sign messages sent to mailing lists.

Encrypt email

If you have the public certificate for the recipient(s) to whom the message is addressed, you will be able to encrypt the email message. In the lower right of the message header, click the open lock icon to lock it; when the icon is locked, your email message will be encrypted.

If you do not have certificates for everyone to whom the message is addressed, you will be prompted to send the message unencrypted.

Use your client certificate with Outlook for macOS

Use these instructions to enable Outlook to use client certificates for digitally signing and/or encrypting email.

Enable digital signing and encryption

  1. If you just installed your client certificate, close Outlook, and then restart it.
  2. From the Outlook menu, select Preferences > Accounts, and then select your IU email account.
  3. If you are using the classic Outlook interface, click Advanced, and then select the Security tab. If you are using the new interface, click Security.
  4. In the "Digital signing" section, select your certificate from the drop-down menu.
  5. For "Signing algorithm", the default value of SHA-256 is appropriate for most situations. This section is not available in the new Outlook interface.
  6. For the best usability, enable the following options:
    • Sign outgoing messages
    • Send digitally signed messages as clear text
    • Include my certificates in signed messages
  7. In the "Encryption" section, select your certificate from the drop-down menu.
  8. It is not necessary to check Encrypt outgoing messages; each email message can be optionally encrypted when you compose it. If you are using the classic Outlook interface, AES 256 is the best encryption algorithm.
  9. IU does not currently use the Certificate authentication option; if this option is available, do not select it.
  10. Click OK to save your changes and exit Outlook Preferences.

Digitally sign email

By default, your email messages will be digitally signed. To indicate signing, a lock icon with the text "This message will be digitally signed" will appear when you compose an email message.

If you do not want to use a digital signature, from the Options tab of the mail message, click Sign so that it is not selected. If you don't see the Options tab, you may need to open the message you're composing in a separate window. Click the far right icon next to the "From:" field.

Note:
Because digital signatures are sent as attachments, which some mailing lists do not accept, you may not want to digitally sign messages sent to mailing lists.

Encrypt email

Address and compose your email message. From the Options tab of the mail message, click Encrypt so that it is selected. If you don't see the Options tab, you may need to open the message you're composing in a separate window. Click the far right icon next to the "From:" field.

If Outlook is unable to find certificates for everyone to whom the message is addressed, you will be prompted to search for user certificates. If Outlook is still unable to find certificates for all addressees, you will be prompted to send the message unencrypted.

Use a group account certificate

To use an S/MIME client certificate with a group account, install and enable the certificate as you would for a standard account.

Notes:
  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

Disable your client certificate in Apple Mail

  1. Open Mail.
  2. Begin composing an email message. Click the "Signed" icon in the lower right of the message header to no longer digitally sign email.

Disable your client certificate in Outlook for macOS

  1. From the Outlook menu, select Preferences > Accounts, and then select your IU email account. If you are using the classic Outlook interface, click Advanced, and then select the Security tab. If you are using the new Outlook interface, click Security.
  2. In the "Digital signing" section, select your client certificate from the drop-down menu.
  3. Uncheck Sign outgoing messages.
  4. Uncheck Send digitally signed messages as clear text.
  5. Uncheck Include my certificates in signed messages.
  6. Click OK to save your changes and exit Outlook Preferences.

This is document bcsn in the Knowledge Base.
Last modified on 2022-07-28 14:45:28.