Customer asks "How can I ensure that messages in an archive are tamper-proof?"

I believe the real question is how can I prevent my organization's messages from being tampered with. The answer is PKI (Public Key Infrastructure). In Exchange 2007, PKI is used for a number of things, from self-signing on install to PKI for TLS for the Edge Transport Server. PKI has traditionally been used for "Sign and Sealed" for message traffic. What does this mean? The first question to ask is, "How do you know the message truly came from the suspected source?" and the second is, "How do you know the message has not been intercepted or tampered with?"

These questions are answered with digital signatures and encryption. Digital signatures provide authentication, nonrepudiation, and data integrity; encryption of the traffic keeps the message contents confidential.

In Exchange this is provided via S/MIME - Secure/Multipurpose Internet Mail Extensions.

S/MIME is the only option for Outlook 2007 to digitally sign a message. With IRM (Information Rights Management), protection is more limited because there is no authority to verify the identity of the sender. With IRM, the interface doesn't show information about the identity of the sender as it does with S/MIME.

You can also encrypt messages so they aren't sent in the clear. The purpose of this blog is to focus on digital signatures.
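What a digital signature gives you for an archived message, as an added example that is not part of the original post: it uses the OpenSSL command line rather than Outlook, and a throwaway self-signed certificate stands in for one issued by your PKI. The address, file names and message text are constructed for the demo.

```shell
#!/bin/sh
# Added demo: S/MIME-sign a message, then verify an intact and an altered
# archived copy. Addresses, file names and message text are constructed.

# Create a throwaway signer certificate, a signed message and a tampered copy in $1.
smime_make_samples() {
    dir=$1
    # Self-signed certificate standing in for one issued by the organization's CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sender@example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1

    printf 'Wire 100 USD to account 12345.\n' > "$dir/body.txt"

    # multipart/signed output: readable body plus a detached PKCS#7 signature.
    openssl smime -sign -text -in "$dir/body.txt" \
        -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/archived.eml" 2>/dev/null || return 1

    # Simulated tampering inside the archive: one digit of the body changes.
    sed 's/100 USD/900 USD/' "$dir/archived.eml" > "$dir/tampered.eml"
}

# Exit status 0 only if the signature matches the body and chains to the trusted cert $2.
smime_verify() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

demo_dir=$(mktemp -d)
if smime_make_samples "$demo_dir"; then
    for f in archived.eml tampered.eml; do
        if smime_verify "$demo_dir/$f" "$demo_dir/cert.pem"; then
            echo "$f: signature valid"
        else
            echo "$f: VERIFICATION FAILED"
        fi
    done
fi
rm -rf "$demo_dir"
```

A signature makes a change detectable when the message is verified; it does not stop the archived file itself from being altered.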

To set up digital signatures across your organization, you can use GPOs. The Outlk12.adm template provides the cryptography options needed to secure mail in the org. Under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography, double-click the policy setting you want to set.

In our case, we can set the policy to sign all messages.

For more information on this, see https://technet.microsoft.com/en-us/library/cc179034.aspx