If a user sends out an e-mail from his e-mail address (user@contoso.com) and digitally signs the e-mail using a different e-mail address (user@test.contoso.com) --> the receiver will see the signature as trusted. This happens although the signing e-mail address and the sending e-mail address are different.

The setting “Do not check e-mail address against address of certificates being used” is referring to the sender’s and not the recipient’s machine. This means, that if you enable this option, the Outlook application on the sender’s machine will not check if the signing address is the same as the sender’s address. This, however, does not apply for the recipient of that signed e-mail. The recipient will only check the signing address by default.

Here is the explanation from the ADM Templates for Outlook 2010:

“This policy setting controls whether Outlook verifies the user's e-mail address with the address associated with the certificate used for signing.\n \n If you enable this policy setting, users can send messages signed with certificates that do not match their e-mail addresses.\n \n If you disable or do not configure this policy setting, Outlook verifies that the user's e-mail address matches the certificate being used for signing.”

The behavior on the recipient’s machine is by design. For any incoming signed e-mail, Outlook will check the signing address and not the sender’s address. The check is being performed on the sender’s machine. If the setting is activated, Outlook will not check if the signing e-mail address is the same as the sender’s address.


Further information regarding this feature is provided by the following KB article: http://support.microsoft.com/kb/276597 - How to turn off e-mail matching for certificates in Outlook.