If you received a message with an invalid or untrusted S/MIME digital signature, you might have problems replying to that message with Outlook on the Web (OWA).
The inability to reply is not necessarily a bad thing as it might indicate an impersonation attempt. Impersonation is where a bad actor pretends to be someone you know, often for financial gain. A common example of impersonation is a bad actor pretending to be a CEO asking their company accountant to wire money to the bad actor’s bank account.
So, if you see a failed digital signature, it is a good time to pause and determine if the sender really is who they say they are through other verified mechanisms (e.g., call them on a trusted phone number). Then validate if they are aware of the digital signature issue to see if they are already working to resolve it.
If using a product like Office 365, you can also check if the message has failed any impersonation checks. For example, are safety tips in OWA warning that you don’t typically receive mail from this sender with that email address.
The screenshot below provides an example of a message received in OWA where the S/MIME digital signature is not considered valid or trusted. Clicking the click here link gives us some additional insight into the error. We can see OWA does not trust this certificate because it has a broken certificate chain, more than likely caused by a missing or expired intermediary cert.
When attempting to reply to this message in OWA, you may receive the following error.
This message can't be sent right now. Please try again later.
Workaround: Remove the digital signature
The real solution is to have the sender troubleshoot the issue with their digital certificate. However, if you need to reply, and you have ascertained without any doubt that this is not an impersonation attempt, you can remove the digital signature to reply.
On the message in question, click reply (or forward), and select the three dots (…). Then, from the pop-up menu, select Show message options.
From the message options dialog, uncheck Digitally sign this message (S/MIME). Click Ok.
You will now be able to send the reply (forward).
As mentioned above, this is a workaround and should only be executed if you are positive the email came from a verified sender and not a bad actor. The real solution is having the sender determine why their certificate has an error. In our example, the issue was an invalid certificate chain, most likely due to a missing or incorrect intermediary cert. But other issues could include expired certs, missing keys, untrusted certificate authorities, or old, unsupported ciphers.
Have you run into this issue before? Have you seen another cause for this issue? Drop a comment below or join the conversation on Twitter @SuperTekBoy.
Thank you for this article, and I thoroughly enjoy the DW references. Unfortunately, it does not answer my question and was the only google result when searching. How do you fix this when the certificates are valid, and the problem is literally just that “the server” doesn’t trust the root and/or intermediate certificates, and “the server” is OWA for a M365 tenant?
In other words – you cite a workaround, which you used the correct word to refer to it (I appreciate this!), but what is the solution?
Hi DMF,
Who is the certificate provider? Unfortunately, it sounds like the sender might have a certificate from a certificate authority that is not widely recognized or supported. They may need to switch providers. I assume this certificate also came from a public certificate authority?
Thank you! I was unable to reply to a S/MIME signed message and your suggestions made the trick.
Great news. It really is a workaround because ultimately, the sender needs to fix the problem.
Thank you for providing a comprehensive answer to this issue. I looked at several other support articles about this error, and they either have incredibly vague and generic solutions, or they provide solutions without instructions on how to implement said solution. You have done an excellent job of providing a solution as well as the procedure for implementation. Thanks.