Digital Signatures - Misleading Security Warnings from Microsoft Outlook

If you use Microsoft Outlook to read email, and you receive digitally signed email from somebody, you may see a message in the preview pane that says something like:

This item cannot be displayed in the Reading Pane. Open the item to read its contents.

If you open the item, you may see a popup warning:

The digital signature on this item is Invalid or Not Trusted.

For more information about the certificate used to digitally sign the message, click Details.

If you then click "View Message", the message header section may include the following:

There are problems with the signature. Click the signature button for details.

All of these messages can be quite misleading and suggest that the email is somehow less reliable or secure than the other email you receive. In fact the opposite is true. A more honest message would read:

This message is digitally signed, but Outlook is unable to confirm that the signature was made by the person named as the sender of the message.

These messages occur when the certification authority that issued the sender's certificate is not on the Microsoft approved list. The digital signature format is an open standard, and Microsoft is neither the first nor the last word on which certification authorities are valid. Microsoft produces these "errors" in an attempt to "encourage" people to use one of the certification authorities that has undergone the Microsoft approval process.

Provided you are satisfied the message you have received is genuinely from the person it says it is from, you can mark the sender's certificate as trusted to avoid these messages. To do so:

  1. Click on "Details..." in the pop-up warning, or on the padlock button in the top right-hand corner of the email message.
  2. In the tree, click on the "Signer" line, which will be at the bottom of the list.
  3. Click on the "Edit Trust..." button in the bottom left-hand corner of the window.
  4. If it is not already selected, click on the "Trust" tab.
  5. Click on "Explicitly Trust this Certificate" near the bottom of the window.
  6. Click the "OK" button.
  7. The tree should now show a green tick on the "Signer" line. Click "Close" to return to the message.
  8. Close the message.
  9. Re-open the message. The warning should no longer appear.
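
The difference between an invalid signature and an untrusted signer, and the effect of explicitly trusting one certificate, can be reproduced outside Outlook. The following is an added example, not part of the original page: it assumes the openssl command-line tool is installed, and the sender, address, message and file names are all constructed.

```bash
#!/usr/bin/env bash
# Added example. The sender, address, message and all files are constructed.
# Assumes the openssl command-line tool is installed.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# A self-signed certificate stands in for one whose issuer is in no root store.
make_sender() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Sender/emailAddress=sender@example.test" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
}

# Produce a clear-signed S/MIME message, plus a copy altered after signing.
sign_message() {
  printf 'Constructed test message\n' > "$work/msg.txt"
  openssl smime -sign -text -in "$work/msg.txt" -signer "$work/cert.pem" \
    -inkey "$work/key.pem" -out "$work/signed.eml" 2>/dev/null &&
  sed 's/Constructed test message/Altered test message/' \
    "$work/signed.eml" > "$work/altered.eml"
}

# Check 1: is the signature mathematically intact? (-noverify skips the chain)
signature_intact() { openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null; }

# Check 2: does the signer's certificate chain to the default trust store?
trusted_by_default() { openssl smime -verify -in "$1" -out /dev/null 2>/dev/null; }

# Check 3: same as check 2, after explicitly trusting the signer's certificate.
trusted_explicitly() { openssl smime -verify -CAfile "$work/cert.pem" -in "$1" -out /dev/null 2>/dev/null; }

# Fingerprint to compare with the sender over another channel before trusting.
fingerprint() { openssl x509 -in "$work/cert.pem" -noout -fingerprint -sha256; }

report() { if "$@"; then echo "$* : pass"; else echo "$* : FAIL"; fi; }

make_sender && sign_message || exit 1
fingerprint
report signature_intact   "$work/signed.eml"   # pass
report trusted_by_default "$work/signed.eml"   # FAIL (not trusted)
report trusted_explicitly "$work/signed.eml"   # pass
report signature_intact   "$work/altered.eml"  # FAIL (invalid)
report trusted_explicitly "$work/altered.eml"  # FAIL (trust does not hide tampering)
```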