A digital signature provides authentication and data integrity between the email sender and the recipient. It assures the recipient that the sender is who he claims to be and that the email content was not altered in transit. After an email is signed and the recipient's email client receives it, the email client uses the public key in the email to verify the email content. If the content has changed, the email client warns the recipient.
How to sign email content?
An email is always signed with the sender's certificate. The certificate used to sign email content MUST have a public/private key pair. First, the user MUST obtain a digital certificate for personal email protection from a third-party certificate authority such as www.verisign.com. After the certificate is installed on the user's PC, it can be viewed under "Control Panel" -> "Internet Options" -> "Content" -> "Certificates" -> "Personal". When you view the certificate, look for the line "You have a private key that corresponds to this certificate" in the certificate view. If it is present, you can use this certificate to sign email content. If this line does not appear, you cannot sign email content with this certificate.
Export the certificate file
To have email signed automatically with a specified certificate, you need to export the certificate from the certificate store to a *.pfx file. Go to "Control Panel" -> "Internet Options" -> "Content" -> "Certificates" -> "Personal", select your certificate and click "Export". Then choose "Yes, Export the private key" -> ".pfx" file, set a password, and save the file to your server's local disk.
If you want to export the certificate from your machine certificate store, do it like this:
Windows Start Menu -> type MMC and press Enter. MMC -> File Menu -> Add/Remove Snap-in -> Add -> choose "Certificates" -> Computer Account -> Local Machine -> Finish -> Close. You should then find the certificate under "Certificates(Local Computer) -> Personal -> Certificates". Right-click it -> Export ...
Setup Digital Signature
First, click "Smime Sink Manager" from "Start menu -> All Programs -> EA Smime Sink -> Smime Sink Manager" to begin the setup. Second, click "Digital Signature" -> "New Signature"; a dialog box will pop up.
Sender Email Address
If an email address is specified here, every email from this email address will be signed with the specified certificate automatically. Select a certificate (.pfx) from your local disk, then enter its password and click "OK".
Detached Signature
A detached signature is a signature where the signed entities and the signature are separate from each other. With this option checked, the recipient can view the email body correctly even if the email client doesn't support S/MIME. This is important for email clients that don't support S/MIME, especially some web mail systems.
Important Notice
A digital signature will not be added to the email body in the following situation:
The email is not MIME compatible. For example, if the email is sent from Outlook to an internal user and it is in RTF format, the digital signature will not be added to the RTF email. You should therefore send the email to an outside domain to test the digital signature.
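When testing, the raw source of the delivered message shows whether a signature was added and in which form. The following is an added example, not part of EA Smime Sink or its documentation; the function names and the sample messages are constructed for illustration. It classifies a message as detached (multipart/signed), opaque (signed-data wrapped in a single blob) or unsigned, and returns the text a client without S/MIME support could display.

```python
from email import message_from_string

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
P7M_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed sample messages; "AAAA" stands in for the base64 signature data.
DETACHED = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Hello Bob
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
OPAQUE = "Content-Type: application/pkcs7-mime; smime-type=signed-data\n\nAAAA\n"
UNSIGNED = "Content-Type: text/plain\n\nHello Bob\n"

def signature_kind(raw):
    """Classify a raw message as 'detached', 'opaque' or 'none'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol", "")).lower()
    smime_type = str(msg.get_param("smime-type", "")).lower()
    if ctype == "multipart/signed" and protocol in SIG_TYPES:
        return "detached"
    if ctype in P7M_TYPES and smime_type == "signed-data":
        return "opaque"  # enveloped-data would be encryption, not a signature
    return "none"

def text_without_smime(raw):
    """Plain text visible to a client with no S/MIME support, else None."""
    kind = signature_kind(raw)
    if kind == "opaque":
        return None  # the body is wrapped inside the signed-data blob
    msg = message_from_string(raw)
    body = msg.get_payload(0) if kind == "detached" else msg
    for part in body.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("ascii", "replace").strip()
    return None
```

A result of "none" on a test message matches the situation above where no signature was added. This check only inspects the MIME structure and does not verify the signature itself.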