Articles in Root

How encryption works in Microsoft Outlook


How encryption works in Microsoft Outlook



  • You must have a digital certificate that supports encryption.  This is required as Outlook creates an encrypted copy to yourself in your sent items folder.
  • The recipient must have a digital certificate that supports encryption.
  • You will need a copy of the recipient's public key of their certificate.

Outlook follows a few scenarios before encryption can take place.  You should consider all scenarios below in order to successfully encrypt.

Firstly, if you are replying to a digitally signed or encrypted email, Outlook will attempt to use the certificate used for signing or encryption to encrypt back to the person.  If the email is digitally signed, then the certificate must support encryption.  If there are multiple people included in this email, this method may not work when replying with an encrypted email as all certificates are not included for all recipients.

Next, if the recipient is within your organisation (ie, they are set up on the same Exchange server as you) and they have a certificate, the recipient can publish their certificate to GAL (Global Address List).  This allows a copy of the recipients public key to be stored on the Exchange server.  When anyone in your organisation attempts to encrypt to this recipient, Outlook will look on the Exchange server first for a corresponding public key.

If neither of the first two scenarios above are met, then Outlook will attempt to use it's contact list credentials for an attached certificate.  If the user is outside of your organisation, then you must add them as a contact and include their certificate.

  1. If you have received an email from someone, you can right-click on their name in the email and select Add to Contacts from the drop-down list.  If the email is signed or encrypted, their certificate should be included automatically.
  2. If the email is not signed or encrypted to you, you must then open their Contact card in Outlook and add the certificate manually.  When their contact details are open, there should be a Certificates view in the Show section. Open up this section.  Click on the Import button on the side and navigate to the Contact's certificate as a file.  This should be a *.cer or *.crt file.  When you have imported the correct certificate, click on Save & Close in the top left hand corner.

You can obtain the certificates for any QuoVadis customer using the Certificate Lookup tool found at