How to Sign Emails with CAC in Outlook

Digitally signing your email with your CAC proves to recipients that the message actually came from you—not someone spoofing your address. It’s required by DoD policy for emails containing attachments or links, and it’s good practice for any official correspondence. Here’s how to set it up correctly.

What Email Signing Actually Does

When you digitally sign an email with your CAC:

  • Recipients see a verification badge confirming the message is authentic
  • Any tampering with the message after sending will break the signature
  • The message becomes legally attributable to you

This is different from encrypting email, which protects content from being read by unauthorized parties. Signing proves authenticity; encryption protects confidentiality. You can do both, but this guide focuses on signing.

Prerequisites Before You Start

Before configuring Outlook, verify these are in place:

  • Valid CAC: Your card must not be expired. Check the expiration date printed on the front.
  • DoD Root Certificates: Install the DoD root certificates if you haven’t already. Download InstallRoot from MilitaryCAC.com and run it to automate this process.
  • CAC Reader: Your smart card reader must be connected and recognized by Windows.
  • Middleware: ActivClient or similar CAC middleware should be installed. Most government computers have this pre-installed.

Step 1: Access Trust Center Settings

Open Outlook and navigate to the Trust Center:

  1. Click File in the top menu
  2. Select Options from the left sidebar
  3. Click Trust Center at the bottom of the left menu
  4. Click the Trust Center Settings button
  5. Select Email Security from the left panel

You should now see options for encrypted email and digital IDs.

Step 2: Configure Your Security Settings

Under the “Encrypted email” section:

  1. Click the Settings button next to “Default Setting”
  2. In the “Security Settings Name” field, enter something descriptive like “My CAC Signing” or “DoD Email Signing”
  3. For “Cryptographic Format,” ensure S/MIME is selected

Step 3: Select Your Signing Certificate

This is where people often make mistakes. Your CAC contains multiple certificates—you need to select the correct one:

  1. Next to “Signing Certificate,” click Choose
  2. Insert your CAC if you haven’t already—Windows may prompt for your PIN
  3. A list of certificates will appear. Look for the certificate labeled “DOD EMAIL” or “DOD CA-XX” with your name and an email purpose
  4. Select this certificate and click OK

Important: Do NOT select the “DOD ID” certificate—that’s for authentication/login, not email. The email signing certificate will typically say “Email” in the intended purposes.
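One way to confirm which certificate is which before clicking Choose, as an added example that is not part of the original guide: this PowerShell reads each certificate's Key Usage and Enhanced Key Usage extensions and labels it accordingly. The function name Get-CacCertificateRole is hypothetical, and the script assumes the CAC is inserted and the middleware has published its certificates to the current user's Personal store.

```powershell
# Added example, not from the original article.
# Assumption: CAC inserted and middleware has published its certificates
# to the current user's Personal store (Cert:\CurrentUser\My).
$SecureEmail    = '1.3.6.1.5.5.7.3.4'        # EKU OID: Secure Email (S/MIME)
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # EKU OID: Smart Card Logon
$KuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-CacCertificateRole {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        # Key Usage extension (OID 2.5.29.15): which operations the key may perform.
        $kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' } | Select-Object -First 1
        $usage = if ($kuExt) { $kuExt.KeyUsages } else { $KuFlags::None }

        # Subject Alternative Name (OID 2.5.29.17): holds the e-mail address.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

        $role = if ($eku -contains $SecureEmail -and $usage.HasFlag($KuFlags::DigitalSignature)) {
            'Email signing'
        } elseif ($eku -contains $SecureEmail -and $usage.HasFlag($KuFlags::KeyEncipherment)) {
            'Email encryption'
        } elseif ($eku -contains $SmartCardLogon) {
            'Login/authentication (not for email signing)'
        } else {
            'Other'
        }

        [pscustomobject]@{
            Role       = $role
            Expired    = $cert.NotAfter -lt (Get-Date)
            NotAfter   = $cert.NotAfter
            Issuer     = $cert.GetNameInfo('SimpleName', $true)
            Thumbprint = $cert.Thumbprint
            AltName    = $san
        }
    }
}

Get-CacCertificateRole | Sort-Object Role | Format-List
```

The entry reported as "Email signing" with Expired set to False is the one to pick in the Choose dialog; its AltName should show the email address you send from.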

Step 4: Configure Encryption Certificate (Optional)

If you also want to encrypt emails (required for PII/CUI to external recipients):

  1. Next to “Encryption Certificate,” click Choose
  2. Select your DOD EMAIL encryption certificate (may be the same as signing, or separate)
  3. For “Encryption Algorithm,” select AES (256-bit)—this is the current DoD standard

Step 5: Set Default Signing Behavior

Decide whether to sign all outgoing emails automatically:

  • To sign all emails by default: Check “Add digital signature to outgoing messages”
  • To sign only specific emails: Leave this unchecked and manually add signatures when needed

Per Air Force policy (and similar policies across services), emails containing attachments or embedded links should be digitally signed. I recommend enabling automatic signing—it’s easier than remembering to do it manually.

Click OK to save settings, then OK again to close Trust Center.

Step 6: Test Your Configuration

Send a test email to yourself or a colleague:

  1. Compose a new email
  2. If you didn’t enable automatic signing, click Options in the message window, then click Sign
  3. You’ll be prompted to enter your CAC PIN
  4. Send the email

When the recipient opens the message, they should see a ribbon or badge icon indicating the message is digitally signed. They can click on it to verify the signature.

How to Sign Individual Emails (Without Default Signing)

If you didn’t enable automatic signing, here’s how to sign specific messages:

  1. Compose your email as normal
  2. Click the Options tab in the message window
  3. In the Permission group, click Sign (envelope with ribbon icon)
  4. Enter your CAC PIN when prompted
  5. Send the email

For emails requiring both signing and encryption, click both Sign and Encrypt buttons.

Troubleshooting Common Issues

“Certificate Not Found” or “No Certificates Available”

  • Ensure your CAC is fully inserted in the reader
  • Try removing and reinserting the card
  • Restart Outlook with the CAC inserted
  • Verify DoD root certificates are installed (run InstallRoot)
  • Check that your CAC isn’t expired

“Invalid Certificate” Error When Sending

  • The certificate may have expired—check your CAC expiration date
  • System date/time may be incorrect—certificates validate against current time
  • Try clearing the Outlook cache: Close Outlook, navigate to %localappdata%\Microsoft\Outlook, delete the RoamCache folder, restart Outlook

Recipient Says Signature Is Not Trusted

  • The recipient needs DoD root certificates installed on their system
  • External recipients (non-.mil) may not have these certificates
  • This is a recipient-side issue, not a problem with your configuration

Outlook Asks for PIN on Every Email

This is normal and expected. Each digital signature requires your CAC PIN to prove you’re present at the computer. There’s no way to cache this for security reasons.

Wrong Email Address Associated with Certificate

If your certificate shows an old email address:

  1. You may need to visit your local RAPIDS office to update your CAC
  2. Certificate email addresses are tied to DEERS records

What Happens When You Get a New CAC?

This is critical: Your new CAC has new certificates with different keys. This means:

  • You’ll need to reconfigure Outlook’s Trust Center settings to point to the new certificates
  • Encrypted emails sent to your old certificates cannot be decrypted with your new CAC—save any encrypted emails you need before your old card is destroyed
  • You can recover old certificates through your security office if needed

Signing vs. Encrypting: When to Use Each

Scenario                                 Sign?            Encrypt?
Email with attachment to .mil address    Yes (required)   Not required
Email with embedded link                 Yes (required)   Not required
PII/CUI to external recipient            Yes              Yes (required)
PII/CUI within .mil/.gov                 Yes              No (as of 2024)
Routine correspondence                   Recommended      Not required

Note: Per GENADMIN 2024-1118, email containing CUI/PII/PHI that remains within .mil and NSA.GOV domains is sufficiently protected and does not require additional encryption.

Quick Reference: The 5-Minute Setup

  1. File → Options → Trust Center → Trust Center Settings → Email Security
  2. Click Settings, name it “CAC Signing”
  3. Choose your DOD EMAIL certificate for signing
  4. Check “Add digital signature to outgoing messages”
  5. Click OK, send a test email

That’s it. Once configured, signing becomes automatic—just enter your PIN when prompted.

Last updated: December 2025. Configuration steps may vary slightly between Outlook versions.

John Bigley

About John Bigley

John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.
