If you received a message with an invalid or untrusted S/MIME digital signature, you might have problems replying to that message with Outlook on the Web (OWA).
The inability to reply is not necessarily a bad thing as it might indicate an impersonation attempt. Impersonation is where a bad actor pretends to be someone you know, often for financial gain. A common example of impersonation is a bad actor pretending to be a CEO asking their company accountant to wire money to the bad actor’s bank account.
So, if you see a failed digital signature, pause and confirm that the sender really is who they claim to be through another verified channel (e.g., call them on a phone number you already trust, not one taken from the suspicious message). Then ask whether they are aware of the digital signature issue and whether they are already working to resolve it.
If you use Office 365, also check whether the message tripped any impersonation checks; for example, a safety tip in OWA warning that you don't typically receive mail from this sender or from that email address.
The screenshot below shows a message received in OWA whose S/MIME digital signature is not considered valid or trusted. Clicking the click here link in that warning gives some additional insight into the error: OWA does not trust this certificate because the certificate chain is broken. To trust a signature, OWA must be able to build a chain from the signer's certificate up to a root it trusts, using the certificates embedded in the signature plus any it already holds. The most likely cause of a broken chain is a missing or expired intermediate certificate.
When attempting to reply to this message in OWA, you may receive the following error.
This message can't be sent right now. Please try again later.
Workaround: Remove the digital signature
The real solution is to have the sender troubleshoot the issue with their digital certificate. However, if you need to reply, and you have ascertained without any doubt that this is not an impersonation attempt, you can remove the digital signature to reply.
On the message in question, click reply (or forward), and select the three dots (…). Then, from the pop-up menu, select Show message options.
From the message options dialog, uncheck Digitally sign this message (S/MIME). Click Ok.
You will now be able to send the reply (forward).
As mentioned above, this is a workaround and should only be used if you are certain the email came from a verified sender and not a bad actor. The real solution is for the sender to determine why their certificate fails validation. In our example the issue was an invalid certificate chain, most likely a missing or incorrect intermediate certificate. Other causes include expired certificates, missing keys, a certificate authority the recipient does not trust, or old signature algorithms that the client no longer accepts.
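To see the broken-chain failure end to end, here is an added shell example (not from the original post, and not something OWA itself runs) that uses openssl to build a throwaway root, intermediate and signing certificate, signs a constructed message once the way a misconfigured sender does (leaf certificate only) and once with the intermediate bundled, then verifies both against the root alone, which is all a recipient's trust store typically holds. Every name, subject and the alice@example.com address is made up for the demo; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "broken chain"
# S/MIME failure with openssl. Assumes openssl 1.1.1+; all names are made up.
set -e

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > smime.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.com
EOF

# Build the chain: root CA -> intermediate CA -> Alice's S/MIME signing cert.
build_chain() {
    openssl req -x509 -config smime.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 30 2>/dev/null
    openssl req -config smime.cnf -newkey rsa:2048 -nodes \
        -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out int.crt -days 30 -extfile smime.cnf -extensions ca_ext 2>/dev/null
    openssl req -config smime.cnf -newkey rsa:2048 -nodes \
        -keyout alice.key -out alice.csr -subj "/CN=Alice/emailAddress=alice@example.com" 2>/dev/null
    openssl x509 -req -in alice.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -out alice.crt -days 30 -extfile smime.cnf -extensions leaf_ext 2>/dev/null
}

# A constructed message body (the kind of request that should make you pause).
write_message() {
    printf 'Subject: wire request\n\nPlease wire the funds today.\n' > msg.txt
}

# Misconfigured sender: only the leaf certificate is embedded in the signature,
# so a recipient that holds just the root cannot build the chain.
sign_without_intermediate() {
    openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key -out signed_bad.eml
}

# Correct sender: -certfile bundles the intermediate into the signature.
sign_with_intermediate() {
    openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
        -certfile int.crt -out signed_good.eml
}

# Verify a signed message against the root only, like a recipient's trust store.
# Prints ok, broken-chain (the OWA symptom), or failed for any other error.
verify_chain() {
    if openssl smime -verify -in "$1" -CAfile root.crt -out /dev/null 2>verify.err; then
        echo ok
    elif grep -q 'unable to get local issuer certificate' verify.err; then
        echo broken-chain
    else
        echo failed
    fi
}

build_chain
write_message
sign_without_intermediate
sign_with_intermediate
echo "leaf only:          $(verify_chain signed_bad.eml)"
echo "leaf + intermediate: $(verify_chain signed_good.eml)"
```

The leaf-only message reports broken-chain even though the signature itself is mathematically fine; bundling the intermediate (what the sender's mail client should do, the equivalent of -certfile here) makes the same root-only verifier report ok. That is why the fix belongs with the sender, or with an admin who distributes the intermediate to recipients, rather than with the person trying to reply.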
Have you run into this issue before? Have you seen another cause for this issue? Drop a comment below or join the conversation on Twitter @SuperTekBoy.