When you open your Outlook Drafts folder and see items marked as encrypted that you cannot read, the messages are often partially saved drafts that were encrypted during creation or transfer. This issue commonly occurs when Outlook crashes or loses connection while composing a message with encryption enabled, leaving the draft in a locked state. The encryption key required to decrypt the draft may not be available in your current Outlook profile or certificate store. This article explains why drafts become unreadable and provides step-by-step methods to recover the content.
Key Takeaways: Recovering Unreadable Encrypted Drafts in Outlook
- File > Options > Trust Center > Trust Center Settings > Email Security: Verify your encryption certificate is installed and set as the default for signing and encrypting.
- Outlook in Safe Mode (outlook.exe /safe): Launch Outlook without add-ins to determine if a third-party add-in is blocking draft decryption.
- Copy draft to plain text editor: Extract raw text from the encrypted draft by copying the message body into Notepad or Word to recover readable content.
Why Encrypted Drafts Become Unreadable in Outlook
When you compose an email with S/MIME encryption enabled, Outlook encrypts the message body and attachments using a digital certificate. If Outlook closes unexpectedly or loses network connectivity, the draft is saved in its encrypted state. When you reopen the draft, Outlook attempts to decrypt it using the same certificate. If that certificate is missing, expired, or not associated with your current Outlook profile, the draft remains encrypted and unreadable.
Another common cause is a mismatch between the encryption certificate used to create the draft and the certificate currently available. This can happen after migrating to a new computer, reinstalling Outlook, or updating your digital certificate. Outlook stores the encryption key reference inside the draft item, but if the private key is no longer in your certificate store, decryption fails.
How Outlook Stores Encrypted Drafts
Outlook saves drafts in the Drafts folder as .msg files inside your mailbox. For encrypted messages, the body is stored as encrypted content. When you double-click the draft, Outlook looks up the sender’s certificate (which is your own certificate when composing) and attempts to decrypt the message. If the certificate is not found or the private key is not accessible, Outlook displays the item as encrypted and unreadable.
When Encryption Certificates Change
Digital certificates have expiration dates. If your certificate expired after the draft was saved, Outlook cannot decrypt the draft because the private key is no longer valid. Similarly, if you renew your certificate and the old private key is removed, drafts created with the old certificate become unreadable. This is the most frequent scenario for this issue.
Steps to Recover Unreadable Encrypted Drafts
Follow these methods in order. Start with the simplest fix and move to more advanced recovery if needed.
Method 1: Verify and Reinstall Your Encryption Certificate
- Open Outlook and go to File > Options > Trust Center
  Click Trust Center Settings, then select Email Security on the left.
- Check the Default Settings section
  Under Encrypted email, ensure the Settings button shows a certificate. If it says None, click Settings and select your encryption certificate from the list. If no certificate appears, you need to install one from your IT department or certificate authority.
- Install the missing certificate
  Obtain your certificate file (.pfx or .p12) and double-click it. Follow the Certificate Import Wizard. Choose to automatically select the certificate store based on the certificate type. Enter the private key password if prompted.
- Restart Outlook and open the draft
  After the certificate is installed, close and reopen Outlook. Double-click the encrypted draft. If the certificate matches, Outlook will decrypt the message and you can read it.
Method 2: Launch Outlook in Safe Mode
- Close Outlook completely
  Ensure no Outlook process is running. Open Task Manager and end any Outlook.exe tasks if needed.
- Press Windows Key + R, type outlook.exe /safe, and press Enter
  Outlook starts in Safe Mode, which loads only essential components and disables all third-party add-ins.
- Open the Drafts folder and double-click the encrypted draft
  If the draft becomes readable, an add-in was interfering with decryption. Restart Outlook normally and disable add-ins one by one via File > Options > Add-ins to identify the problematic one.
Method 3: Copy Draft Content Using a Plain Text Editor
- Open the encrypted draft in Outlook
  Double-click the draft to view it. You will see the encrypted message body as a single block of encrypted text or a message saying the item is encrypted.
- Press Ctrl+A then Ctrl+C to copy everything
  This copies the entire message content, including headers and encrypted body, to the clipboard.
- Open Notepad or Word and press Ctrl+V to paste
  In Notepad, you may see raw encrypted text. In Word, the text may appear as garbled characters. Look for any readable fragments such as the subject line, sender, or partial body text that was never encrypted.
- Save the pasted content as a .txt file
  Name it something like DraftRecovery.txt. If you find readable content, you can reconstruct the draft manually.
Method 4: Export the Draft as a .msg File and Open in Another Profile
- Drag the encrypted draft from the Drafts folder to your desktop
  This creates a .msg file copy of the draft. Do not delete the original.
- Create a new Outlook profile
  Go to Control Panel > Mail > Show Profiles > Add. Name the profile and configure your email account. Ensure the same encryption certificate is installed on this profile.
- Open Outlook with the new profile
  When prompted, choose the new profile. In Outlook, drag the .msg file from your desktop into the Drafts folder.
- Double-click the draft in the new profile
  If the certificate is correctly configured, the draft should decrypt and become readable.
If the Draft Remains Unreadable After Recovery Attempts
Outlook Shows Error: Cannot Decrypt This Message
This error means the private key for the encryption certificate is not available. Check if the certificate is present in the Windows Certificate Manager. Press Windows Key + R, type certmgr.msc, and press Enter. Expand Personal > Certificates. Look for your email certificate. If it is missing or expired, you need to reinstall or renew it from your certificate authority. After reinstalling, restart Outlook and try opening the draft again.
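The certmgr.msc check above can also be scripted. The following PowerShell is an added example, not part of the original article or of any Microsoft tool; it reads the current user's Personal store (Cert:\CurrentUser\My), keeps certificates usable for S/MIME encryption, and reports whether each still has its private key and whether it has expired. The Status wording is this example's own.

```powershell
# Added example: audit S/MIME-capable certificates in the current user's
# Personal store (the store certmgr.msc shows under Personal > Certificates).
$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email EKU used by S/MIME
$encFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, KeyAgreement'
$now = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Enhanced Key Usage: a certificate with no EKU extension is valid for any purpose.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $forEmail = (-not $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $secureEmailOid })

    # Key Usage: decryption needs keyEncipherment (RSA) or keyAgreement (ECC);
    # a certificate with no Key Usage extension is unrestricted.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $canEncrypt = (-not $ku) -or (([int]$ku.KeyUsages -band [int]$encFlags) -ne 0)

    if (-not ($forEmail -and $canEncrypt)) { continue }   # skip signing-only and non-email certs

    $status = if (-not $cert.HasPrivateKey) {
        'Private key missing: cannot decrypt'
    } elseif ($cert.NotAfter -lt $now) {
        'Expired'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Status        = $status
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize -Wrap
if (-not $report) { 'No S/MIME-capable certificate found in Cert:\CurrentUser\My.' }
```

A row with HasPrivateKey set to False means only the public certificate was imported, which is the situation the "Cannot Decrypt This Message" error describes.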
Draft Appears as a Blank Item
A blank encrypted draft usually indicates that the draft was saved before any content was typed. In this case, there is no recoverable content. Delete the draft and start a new message. To avoid this in the future, wait until you have typed at least a few words before closing a message with encryption enabled.
Multiple Drafts Show the Same Encryption Issue
If all encrypted drafts from a specific period are unreadable, the encryption certificate used during that period is likely missing or expired. Contact your IT department to obtain the old certificate and its private key. Once installed, all drafts from that period should become readable. If the old certificate cannot be recovered, the drafts are permanently lost.
Prevention vs Recovery: Managing Encrypted Drafts
| Item | Prevention | Recovery |
|---|---|---|
| Certificate management | Keep a backup of your certificate and private key in a secure location | Reinstall the certificate from backup or request a new one from your authority |
| Draft saving behavior | Limit automatic saving of drafts when encryption is enabled by setting AutoSave to a longer interval | Use the copy-to-text-editor method to extract any readable fragments |
| Outlook profile | Use the same Outlook profile for all encrypted messages to maintain certificate consistency | Create a new profile with the correct certificate and import the .msg file |
You can now recover encrypted drafts by verifying your certificate, launching Outlook in Safe Mode, or copying the content to a text editor. If the certificate is missing or expired, reinstalling it is the most effective solution. As an advanced tip, regularly export your encryption certificate to a .pfx file using certmgr.msc and store it in a password-protected location to avoid future recovery issues.