Fix PDF Digital Signature Invalidated After Sending by Email
Digital signatures that show as invalid after emailing a PDF are almost always caused by email gateway rewriting. Here's why it happens and how to prevent it.
A PDF with a valid digital signature that shows as "invalid" after the recipient receives it by email — even though you never modified it after signing — is being altered in transit by email security systems. This is increasingly common as corporate email gateways become more aggressive in scanning attachments.
How Email Corrupts Digital Signatures
Digital signatures protect against any modification to the PDF file — even a single byte change invalidates the cryptographic hash. Email security gateways (Proofpoint, Mimecast, Microsoft Defender, Cisco IronPort) scan PDF attachments for threats. Some of these systems modify the PDF during scanning: they may add metadata to track that the file was scanned, re-encode the attachment container, strip embedded JavaScript even if benign, or adjust certain PDF features flagged by their security rules. Each of these modifications changes the file's bytes, breaking the signature hash.
Fix 1 — Use Secure File Sharing Instead of Email Attachment
The most reliable fix is bypassing email attachment scanning entirely. Upload the signed PDF to Google Drive, OneDrive, SharePoint, or Dropbox. Share the direct download link via email. The recipient downloads the original file directly from the cloud storage service — no email gateway scanning modifies it. The downloaded file has the same hash as what you uploaded, and the signature validates correctly. This is the recommended approach for legally significant signed documents.
Fix 2 — Password-Protect the PDF Attachment
Most email security gateways cannot scan inside encrypted (password-protected) PDFs — they require decryption to inspect content. Use FixMyPDF's protect tool to add a user password after signing. Email the password-protected file along with the password (ideally via a separate channel — SMS or phone call). The recipient enters the password, the file decrypts, and the signature inside is intact because the gateway couldn't modify the encrypted content. After opening with the password, the signature validates correctly.
Fix 3 — Use a Certified Signature With Long-Term Validation
For regularly sending signed PDFs through email, use Long-Term Validation (LTV) signatures (available in Adobe Acrobat Pro). LTV embeds all necessary certificate information at signing time, so validation doesn't require checking the certificate authority online. More importantly, some email gateways that modify PDFs still preserve LTV signatures because they're recognised as security-critical. Ask your signing certificate provider about LTV support if you send many signed legal documents.
Informing Recipients About Gateway Invalidation
If you've tried the above and the signature is still breaking, inform recipients that their email security gateway is modifying attachments. They can usually ask their IT department to add a "bypass scanning for signed PDFs from [your domain]" rule, or enable a "safe attachment bypass" for trusted senders. Alternatively, provide recipients with the file hash (SHA-256) separately — they can verify the file wasn't modified even if the Adobe signature shows as broken, by comparing the hash of the received file to the hash you provide.
Try Sign PDF Now — Free
Browser-based, private, and instant. No account or software required.
Open Sign PDF