{"id":8237,"date":"2019-01-11T00:32:00","date_gmt":"2019-01-10T23:32:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=8237"},"modified":"2024-10-03T00:33:51","modified_gmt":"2024-10-02T22:33:51","slug":"outlook-external-content-is-not-allowed-in-secure-email","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/01\/11\/outlook-external-content-is-not-allowed-in-secure-email\/","title":{"rendered":"Outlook: &quot;external content is not allowed in secure email&quot;"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2012\/07\/Office1.jpg\" width=\"55\" height=\"60\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/01\/08\/outlook-externer-inhalt-ist-in-sicheren-mails-nicht-zulssig\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Users of Outlook 2010 to 2016 may face the problem that they suddenly see the message \"External content is not allowed in secure mail\" when they access e-mail. It's not a bug, it's a feature \u2013 a couple of days ago the right piece of the puzzle has fallen into my picture.<\/p>\n<p><!--more--><\/p>\n<h2>There was something a few months ago \u2026<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg04.met.vgwort.de\/na\/dfc38b0744c240baaa19149a3775e401\" alt=\"\" width=\"1\" height=\"1\" \/>A few days ago I stumbled upon a German post, where a user reported issues with Outlook. He received the warning \"External content is not allowed in secure mails\". Something rang the bell back in my mind. A short search within my German blog brought the article <a title=\"https:\/\/www.borncity.com\/blog\/2018\/10\/12\/microsoft-patchday-nachlesen-9-oktober-2018\/\" href=\"https:\/\/www.borncity.com\/blog\/2018\/10\/12\/microsoft-patchday-nachlesen-9-oktober-2018\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Patchday-Nachlese (9. Oktober 2018)<\/a> as a hit. A reader reported this issue after applying October updates. He wrote:<\/p>\n<blockquote><p>Since the October updates in Outlook 2016 (in connection with Exchange 2013), the info text \"external content is not allowed in secure email\" is displayed for signed e-mails.<\/p><\/blockquote>\n<p>At that time I did not find a solution \u2013 and I wasn't aware, that <em>KB4461440 <\/em>has been the root cause for this behavior. Also mention Exchange 2013 turned me to the wrong the direction. I received <a href=\"https:\/\/www.borncity.com\/blog\/2018\/10\/11\/patchday-microsoft-office-updates-9-oktober-2018\/#comment-65601\" target=\"_blank\" rel=\"noopener noreferrer\">this comment<\/a> which directs to the right point, but I overlooked this hint.<\/p>\n<h2>The fix has been found \u2026?<\/h2>\n<p>The day before I stumbled upon a German Dr. Windows article <a href=\"https:\/\/www.drwindows.de\/news\/tipp-outlook-meldung-externer-inhalt-ist-in-sicheren-mails-nicht-zulaessig-beheben\" target=\"_blank\" rel=\"noopener noreferrer\">Tipp: Outlook-Meldung \"Externer Inhalt ist in sicheren Mails nicht zul\u00e4ssig\" beheben<\/a>. Martin Geu\u00df, a MVP colleague has also been confronted with that problem. He wrote that DHL delivery notification e-mails contain this error. It could also be, that signed e-mails &#8211; and images embedded in websites are then blocked. It is the old problem of mixed content on secure pages.<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/IXZrZdX.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" title=\"\" src=\"https:\/\/i.imgur.com\/IXZrZdX.jpg\" alt=\"Outlook Trust Center\" width=\"614\" height=\"238\" \/><\/a><br \/>\n(Source: Dr. Windows, <a href=\"https:\/\/i.imgur.com\/IXZrZdX.jpg\" target=\"_blank\" rel=\"noopener noreferrer\">Click to zoom<\/a>)<\/p>\n<p>Martin Geu\u00df named the right option for a German Outlook 2016, that is responsible for the warning mentioned above.<\/p>\n<p>1. Go to Outlook options and select the category <em>Trust Center<\/em>.<\/p>\n<p>2. Go to the sub category <em>Automatic download <\/em>and uncheck the checkbox with the option <em>Bilder in verschl\u00fcsselten oder signierten HTML-E-Mails nicht herunterladen<\/em> (English might be \"Don't download pictures in encrypted or signed HTML email messages.\").<\/p>\n<p>This has also been discussed briefly <a href=\"https:\/\/kb.iu.edu\/d\/atoj\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> and <a href=\"https:\/\/knowledgebase.constantcontact.com\/articles\/KnowledgeBase\/5554-images-not-displaying-in-an-email-client?lang=en_US#outlook16\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. This means that the unchecked Outlook security feature is no longer used. The error message is gone and external content is displayed again. At the same time, however, the signed e-mail can be tracked via this downloaded external content. Keywords are tracking pixels. Therefor read the following explanations.<\/p>\n<h2>Introducted via update<\/h2>\n<p>While writing the German version of this blog post I wanted to know more about it and searched the internet. I came across this German Technet forum post from October 2018. Someone there had described the problem and referred to my blog post mentioned above. Short time later the same solution was published there. There is also the 32-bit DWORD registry value:<\/p>\n<p><em>DisallowSMIMEExternalContent<\/em><\/p>\n<p>within <em>HKCU\\Software\\Microsoft\\Office\\xx\\Outlook\\Security\\ <\/em>(xx is a placeholder for the Office version 14.0, 15.0, 16.0). A value 0 disables the option, and 1 set the option. Within the German Technet post I found the note:<\/p>\n<blockquote><p><strong>Important:<\/strong> This option isn't available on unpatched systems.<\/p><\/blockquote>\n<p>A hint that Microsoft has introduced a new option with an update. There is also a reference to <a href=\"https:\/\/support.office.com\/en-us\/article\/block-or-unblock-external-content-in-office-documents-10204ae0-0621-411f-b0d6-575b0847a795\" target=\"_blank\" rel=\"noopener noreferrer\">this Microsoft document<\/a> where blocking external content (Web beacons) for Office is described. In the meantime, there are other web sites where the topic has been addressed since November or December 2018.<\/p>\n<h2>Microsoft's Reaction to the Efail vulnerability<\/h2>\n<p>It was not explicitly mentioned above because I only wrote about digitally signed mails. The mails can also be encrypted. In this case, external content can be used to retrieve such encrypted emails unencrypted. The whole topic runs under the <a href=\"https:\/\/en.wikipedia.org\/wiki\/EFAIL\" target=\"_blank\" rel=\"noopener noreferrer\">Efail vulnerability<\/a> known since May 2018. If you receive encrypted e-mails, you should not deactivate the above option. Maybe it will help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Users of Outlook 2010 to 2016 may face the problem that they suddenly see the message \"External content is not allowed in secure mail\" when they access e-mail. It's not a bug, it's a feature \u2013 a couple of days &hellip; <a href=\"https:\/\/borncity.com\/win\/2019\/01\/11\/outlook-external-content-is-not-allowed-in-secure-email\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,11],"tags":[47,395],"class_list":["post-8237","post","type-post","status-publish","format-standard","hentry","category-issue","category-office","tag-issue","tag-outlook"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/8237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=8237"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/8237\/revisions"}],"predecessor-version":[{"id":35351,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/8237\/revisions\/35351"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=8237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=8237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=8237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}