What’s the difference between clear text and opaque digital signing?

10 Mar ‘23

When sending S/MIME digitally signed emails, depending on the email client, the sender has the option to activate clear text signing. When not using clear text signing, the default will usually be opaque signing. Opaque signing is also referred to as embedded signing.

In Windows Outlook, the option can be found under File -> Options -> Trust Center -> Trust Center Settings -> Email Security -> Encrypted email.

Contrary to popular belief, there is no cryptographic difference between clear text signing and opaque signing. However, there is a difference in the way the packaging works.

Opaque signing uses additional base64 encoding, which makes the email slightly larger and makes the message more robust against accidental corruption on a receiving mail server.

In practical terms, the clear text multipart/mime version is compatible with most enterprise mail clients such as Outlook, MacMail and Samsung Mail. However, less popular email clients, such as mail gateways and especially those used on Android, have problems with opaque digital signing. As a result, both digitally signed and encrypted emails end up as a blank email with the message attached as an “smime.p7m” attachment.

Using clear text digital signing reduces the chances of the recipient ending up with a blank email with the message attached as a “smime.p7m” attachment.
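The packaging difference described above is visible in the MIME headers: a clear-signed message is `multipart/signed` with the readable body as its own part, while an opaque-signed or encrypted message is a single `application/pkcs7-mime` part (the “smime.p7m” blob). The Python script below is an added example, not part of the original article; the sample messages and the `classify` helper are constructed for illustration, and the base64 payload is a placeholder rather than a real signature.

```python
from email import message_from_string, policy

# Constructed samples; the base64 payload is a placeholder, not a real CMS signature.
CLEAR = '''From: alice@example.com
Subject: Report
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

The report is attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
'''
OPAQUE = '''From: alice@example.com
Subject: Report
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVI=
'''

def classify(raw):
    """Return (packaging, text a client without S/MIME support can still show)."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type().replace("/x-", "/")  # accept legacy x-pkcs7 names
    if ctype == "multipart/signed":
        proto = (msg.get_param("protocol") or "").lower().replace("/x-", "/")
        if proto == "application/pkcs7-signature":
            # The signed body travels unwrapped next to a detached smime.p7s part.
            text = next((p.get_content().strip() for p in msg.walk()
                         if p.get_content_type() == "text/plain"), "")
            return "clear-signed", text
    if ctype == "application/pkcs7-mime":
        # The whole message, body included, sits inside the smime.p7m blob.
        kind = (msg.get_param("smime-type") or "").lower()
        names = {"signed-data": "opaque-signed", "enveloped-data": "encrypted"}
        return names.get(kind, "pkcs7-mime (other)"), ""
    return "not-smime", ""

if __name__ == "__main__":
    for label, raw in (("clear", CLEAR), ("opaque", OPAQUE)):
        print(label, classify(raw))
```

A mail gateway or help desk can run the same header check on a stored message to tell which packaging a sender used when a recipient reports a blank email.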