If you use Classic Outlook and rely on S/MIME to sign or encrypt your email, you may be wondering how the new Outlook handles this feature. The new Outlook for Windows uses a different architecture that changes how certificates are managed and applied. This article explains the core differences in S/MIME behavior between the two versions and what Classic Outlook users need to know before switching.
Key Takeaways: S/MIME in New Outlook vs Classic Outlook
- Classic Outlook S/MIME settings: Stored locally in the Windows certificate store and managed via File > Options > Trust Center > Email Security.
- New Outlook S/MIME settings: Managed per-account through the web-based settings pane under Settings > Mail > S/MIME.
- Certificate import method: Classic Outlook imports .pfx files directly; new Outlook requires certificates to be installed in the Windows certificate store first.
How S/MIME Works in Classic Outlook
Classic Outlook uses the Windows certificate store to retrieve and apply S/MIME certificates. When you configure S/MIME in Classic Outlook, you point the application to a digital certificate that has already been installed on your computer. This certificate contains your public key for signing and your private key for decrypting messages.
The configuration is done through File > Options > Trust Center > Trust Center Settings > Email Security. In this dialog, you select a certificate for signing and a separate certificate for encryption if they are different. Classic Outlook also allows you to set default S/MIME settings for all new messages, including whether to always sign or encrypt outgoing mail.
One key limitation in Classic Outlook is that S/MIME settings are tied to the local Windows profile. If you move to a different computer, you must export and reimport your certificate. The settings themselves do not roam with your Microsoft 365 profile.
How S/MIME Works in New Outlook
The new Outlook for Windows uses a web-based infrastructure for S/MIME. Instead of relying solely on the local Windows certificate store, new Outlook integrates with Microsoft 365 Exchange Online to manage certificates. This means that S/MIME settings are stored in the cloud and roam with your account across devices.
To enable S/MIME in new Outlook, you navigate to Settings (gear icon) > Mail > S/MIME. From this pane, you can toggle signing and encryption on or off for your account. New Outlook also supports per-message S/MIME controls directly from the ribbon, similar to Classic Outlook.
A critical difference is that new Outlook does not allow you to directly import a .pfx certificate file from within the application. Instead, you must install the certificate into the Windows certificate store using the standard Windows certificate import wizard. After installation, new Outlook automatically detects the certificate and makes it available for signing and encryption.
Steps to Configure S/MIME in New Outlook
- Install your S/MIME certificate on Windows
Double-click the .pfx file you received from your certificate authority. When the Certificate Import Wizard opens, select Current User as the store location. Enter the private key password if prompted. Choose Automatically select the certificate store based on the type of certificate. - Open new Outlook settings
Launch new Outlook. Click the gear icon in the top-right corner of the window. Select Mail from the left navigation pane, then click S/MIME. - Enable S/MIME for your account
Under the S/MIME settings page, toggle the switch for Enable S/MIME for this account to On. The application will scan the Windows certificate store and display the available signing and encryption certificates. - Select the correct certificate
In the Signing certificate dropdown, choose the certificate that matches your email address. In the Encryption certificate dropdown, choose the same certificate if it supports both functions, or select a separate encryption certificate if you use one. - Set default behavior for outgoing messages
Below the certificate selection, check the boxes for Always sign outgoing messages and Always encrypt outgoing messages if you want these applied by default. You can override these settings per message later. - Send a test signed message
Compose a new email to yourself. On the ribbon, click the Options tab. Look for the Encrypt group. Click Sign to apply your digital signature, or click Encrypt to encrypt the message. Send the email and verify that you can open it on the receiving end.
Common Issues When Switching from Classic to New Outlook
New Outlook does not detect my S/MIME certificate
This happens when the certificate is installed in the local machine store instead of the current user store. Open the Windows Certificate Manager by typing certmgr.msc in the Run dialog (Windows key + R). Expand Personal > Certificates. If your certificate is not listed here, reimport the .pfx file and ensure you select Current User in the import wizard.
Another cause is that the certificate has expired. Check the Valid to date in the certificate details. If expired, request a new certificate from your certificate authority.
I can sign messages but cannot encrypt them
Encryption requires the recipient’s public key, which is typically included in their S/MIME certificate. If you have never received a signed message from that recipient, new Outlook may not have their certificate. Ask the recipient to send you a digitally signed message first. After you open it, new Outlook stores the certificate automatically.
In Classic Outlook, you could manually import a recipient’s certificate from a .cer file. New Outlook does not support this manual import. The only way to obtain a recipient’s certificate is through a signed email from them.
S/MIME settings do not sync between Classic Outlook and new Outlook
This is by design. Classic Outlook stores settings locally in the Windows registry and the certificate store. New Outlook stores settings in Exchange Online. If you switch between the two applications, you must configure S/MIME separately in each one. There is no migration tool for S/MIME settings between the two versions.
| Item | Classic Outlook | New Outlook |
|---|---|---|
| Certificate storage | Local Windows certificate store only | Windows certificate store plus Exchange Online |
| Settings location | File > Options > Trust Center > Email Security | Settings > Mail > S/MIME |
| Certificate import method | Direct .pfx import via Trust Center | Windows Certificate Import Wizard only |
| Settings roaming | Does not roam; tied to local Windows profile | Roams with Microsoft 365 account |
| Per-message controls | Ribbon > Options > Encrypt group | Ribbon > Options > Encrypt group |
| Recipient certificate import | Manual .cer file import supported | Only via receiving a signed message |
With the steps above, you can configure S/MIME in new Outlook and understand what changes when moving from Classic Outlook. The key difference is that certificate handling shifts from a purely local process to a cloud-aware one. If you plan to use both applications, configure S/MIME separately in each. For advanced users, consider using a dedicated certificate management tool like DigiCert Certificate Utility to export and reinstall certificates across devices efficiently.