
We have a small number of users who digitally sign (but don't encrypt) their email. When they send attachments, it usually works fine. However, when the recipient is using Outlook Mobile, all attachments disappear for them, leaving behind only the S/MIME p7m file. Is this a known problem, and is there a solution besides not signing the message?

What we suspect so far is that the sending client is bundling the other attachments inside the p7m, ignoring the facts that 1) the message is signed but not encrypted, and 2) some clients might not be able to extract them again.

  • This is not a known problem. Sounds like a configuration issue with the client and/or server. What that configuration error is, I could not determine based only on the information provided. I assume the certificates were installed on the device?
    – Ramhound
    Commented Jun 21, 2018 at 22:09
  • You state "when using Outlook Mobile" - do you mean on the sending or the receiving end, or both?
    – not2savvy
    Commented Jun 22, 2018 at 13:30
  • On the receiving end.
    Commented Jun 22, 2018 at 14:44
  • Not sure if this could be connected, but there is an older known issue with encrypted emails sent from Outlook, but there is also a fix available: Some email clients unable to decrypt email sent from Outlook 2010
    – not2savvy
    Commented Jul 9, 2018 at 11:46

2 Answers


Updated answer now includes opaque signatures

A p7m file usually is an encrypted email message (including all attachments), but you need to look at the Content-Type to know for sure. If you can see only a p7m attachment in the receiving mail client, this may mean that the mail has been encrypted in whole and the receiving client hasn't been able to decrypt the S/MIME message.

The reasons can vary, and it's hard to say without further details. The most obvious cause would be that the recipient's private key is not available or not associated with the email address configured in the receiving client.

To verify if the message is signed or encrypted, take a look at the raw email message.

Encrypted contents

In an encrypted email, you will find headers like:

Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
Content-Disposition: attachment; filename="smime.p7m"

Followed by the encoded encrypted email.

Signed emails, however, can come in two different flavors. Quoted from RFC 8551:

There are two formats for signed messages defined for S/MIME:

  • application/pkcs7-mime with SignedData.

  • multipart/signed.

In general, the multipart/signed form is preferred for sending, and receiving agents MUST be able to handle both.

Detached signatures

So-called detached signatures are the most common signatures. The mail content is kept in clear text, and the signature is attached to the email. For such a signed email, you should find a Content-Type header like:

Content-Type: multipart/signed;
    boundary="BC5E686BA36";
    protocol="application/pkcs7-signature";
    micalg=sha1

And probably near the end of the same message:

Content-Disposition: attachment;
    filename=smime.p7s
Content-Type: application/pkcs7-signature;
    name=smime.p7s

Followed by the encoded signature. If it's only signed, you should be able to see the message text.

Opaque signatures

However, there are also so-called opaque signatures, which encode the full contents in the signature, so the email does not contain clear text anymore. In this case, you should find these headers:

Content-Type: application/pkcs7-mime;
    smime-type=signed-data;
    name="smime.p7m"
Content-Disposition: attachment;
    filename="smime.p7m"

Note that the filename looks the same as in an encrypted email, but the MIME type is different.

Conclusion

Again quoted from RFC 8551:

Messages signed using the multipart/signed format can always be viewed by the receiver whether or not they have S/MIME software. They can also be viewed whether they are using a MIME-native user agent or they have messages translated by a gateway. In this context, "be viewed" means the ability to process the message essentially as if it were not a signed message, including any other MIME structure the message might have.

Messages signed using the SignedData format cannot be viewed by a recipient unless they have S/MIME facilities. However, the SignedData format protects the message content from being changed by benign intermediate agents. Such agents might do line wrapping or content-transfer encoding changes that would break the signature.

So if you see only p7m attachments in the email client, possible causes are:

  • the email is encrypted, but the email client does not have the corresponding private key available to decrypt the message
  • the email is opaque-signed, but the email client does not support opaque signatures

The latter was the case with Outlook Web App (OWA), but I don't know if it still is.

  • The thing is, none of the recipients have a private key. The message is signed only, and its body appears intact at the other end.
    Commented Jun 22, 2018 at 12:35
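Added here as a worked example, not part of the answer above or of any Outlook component: a small Python script that performs the raw-message header checks the answer describes. It classifies a message as encrypted (EnvelopedData), opaque-signed (SignedData inside smime.p7m), detached-signed (multipart/signed with smime.p7s) or plain, and lists the attachment filenames a client *without* S/MIME support would show the user, which is exactly the symptom in the question. The three sample messages are constructed for this example; their base64 bodies are placeholders rather than real CMS data, and `micalg=sha-256` is my choice (the answer's own sample shows `sha1`).

```python
import email
from email.utils import collapse_rfc2231_value

# Constructed sample messages (not real mail). Only the MIME structure is
# inspected, so the base64 bodies are placeholder text, not real CMS blobs.
ENCRYPTED = """\
Subject: encrypted sample
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVI=
"""

DETACHED_SIGNED = """\
Subject: detached (clear-signed) sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
    micalg=sha-256; boundary="BC5E686BA36"

--BC5E686BA36
Content-Type: multipart/mixed; boundary="INNER"

--INNER
Content-Type: text/plain

Hello, see the attached report.
--INNER
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--INNER--
--BC5E686BA36
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--BC5E686BA36--
"""

OPAQUE_SIGNED = """\
Subject: opaque-signed sample
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVI=
"""


def classify_smime(raw: str) -> dict:
    """Classify a raw RFC 5322 message by its outermost S/MIME structure.

    Returns {'kind': ..., 'visible_attachments': [...]} where kind is one of
    'encrypted', 'opaque-signed', 'detached-signed' or 'plain', and
    visible_attachments are the filenames a client with no S/MIME support
    would present as attachments.
    """
    msg = email.message_from_string(raw)
    ctype = msg.get_content_type()
    # collapse_rfc2231_value copes with both plain and RFC 2231-encoded params
    smime_type = collapse_rfc2231_value(msg.get_param("smime-type", "")).lower()
    protocol = collapse_rfc2231_value(msg.get_param("protocol", "")).lower()

    if ctype == "application/pkcs7-mime" and smime_type == "enveloped-data":
        kind = "encrypted"        # EnvelopedData: needs the recipient's private key
    elif ctype == "application/pkcs7-mime" and smime_type == "signed-data":
        kind = "opaque-signed"    # SignedData: body and attachments live inside the p7m
    elif ctype == "multipart/signed" and protocol == "application/pkcs7-signature":
        kind = "detached-signed"  # clear-text MIME tree plus a separate smime.p7s part
    else:
        kind = "plain"

    # Whatever is ordinary MIME is visible without S/MIME support: every original
    # attachment plus smime.p7s in the detached form, only smime.p7m otherwise.
    visible = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            visible.append(filename)
    return {"kind": kind, "visible_attachments": visible}


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED),
                          ("detached", DETACHED_SIGNED),
                          ("opaque", OPAQUE_SIGNED)):
        print(label, classify_smime(sample))
```

To use it on a real case, save the message as received (as an .eml) and pass its text to `classify_smime`. If the sender's output comes back as `opaque-signed`, that matches the symptom described in the question: a client that cannot unwrap SignedData sees nothing but `smime.p7m`, whereas the same message in the `multipart/signed` form keeps every attachment as an ordinary MIME part, which is why RFC 8551 prefers that form for sending.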

I believe Outlook mobile doesn't support S/MIME. That is why you will not be able to read digitally signed emails nor send them from it.
