How to Encrypt Emails in Outlook (Microsoft 365)


Outlook email encryption ensures that any email you send with Microsoft’s email client is encrypted before it leaves your computer. In this guide, we’re going to detail how to encrypt email in Outlook, as well as why you may want to start using this feature whether it’s for business communications or personal use.  

What is Outlook email encryption?

Encryption protects information either at rest or in transit to its destination. When you use Outlook to encrypt an email, you instruct the app to encode the message contents (body and attachments) so that only the intended recipient(s), who hold the matching decryption key, can read it.

Email encryption ensures that only the intended audience (recipients) reads the message content of an email (from the sender). Think of it as using certified mail with snail mail. With encrypted email, we’re utilizing a sort of digital ID on both ends.

When you encrypt message contents, you scramble the plain text you typed into ciphertext that is unreadable without the key. If you send email in clear text (not encrypted) and it is intercepted, a malicious individual gains access to everything in that email. If the email is encrypted, only those holding the decryption key can read it.

Does Outlook automatically encrypt emails?

No, Outlook does not automatically encrypt emails out of the box. You can configure the security settings in Outlook to encrypt all outbound emails, but this is not the default option in Microsoft’s email client.

How do I send an encrypted email?

There are several encryption options and methods you can use to encrypt an email in Microsoft Outlook, and we will walk through each of them below. For a quick and easy method, if you’re using Outlook on the Web with a Microsoft 365 subscription, you can simply click the Encrypt button in the new email window to send an encrypted email.

Click the ‘Encrypt’ button to send an encrypted email in Outlook on the Web

What are the benefits of encrypting emails?

Let’s highlight here the most beneficial reasons to encrypt emails: privacy, security, and compliance in a corporate environment. There are further benefits, such as cost efficiency and authentication.

Let’s dig a bit deeper into the most important benefits here.

Privacy and security

Obviously, when you send an email, you’re intending for only the recipients to see it. Each day, companies worldwide use email to communicate both internally and externally, often sending valuable and sensitive data, so there are many advantages to having email security. Cybersecurity is a top priority for all businesses in today’s world where email systems are among the most common attack vectors that cybercriminals take advantage of.

Compliance in a corporate environment

Businesses that deal with student records, financial data, medical records, credit card information, etc. must abide by certain guidelines to stay compliant and to pass security audits. Almost all of these guidelines, specifically the Health Insurance Portability and Accountability Act (HIPAA), the Criminal Justice Information Services (CJIS) security policy, and the Consumer Financial Protection Bureau (CFPB) require encryption. Others, like the General Data Protection Regulation (GDPR), strongly encourage it.

Although varying circumstances will often dictate whether specific measures are mandated or recommended, they all require that organizations protect employee and customer data. This includes things such as electronic Personal Health Information (ePHI), Personally Identifiable Information (PII), or Nonpublic Personal Information (NPI). Email encryption was designed to enable users to go about their daily workflows and projects while also accomplishing the basic tenets of security: keeping all private company information, well, private.

3 ways to encrypt emails in Outlook

There are three main methods you can use in Outlook to encrypt the email you send. I will go through all the how-to steps here. Please note that some of the steps/verbiage will vary depending on the version of Outlook you’re running and the type of email account you’re using (Microsoft Exchange account, Office 365 account, Outlook.com, or other consumer email services).

1. S/MIME encryption

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email encryption and signing industry standard supported by Outlook and other email clients. The sender encrypts the message using the recipient’s public key, and the recipient decrypts it using their own private key to read the email in plain text.

Setup

Before you start this procedure, you need to add a certificate to the keychain on your computer that you will obtain from your IT administrator or helpdesk. Once you have your signing certificate set up on your computer, you’ll need to configure it in Outlook.

The scope of this post does not go into that detail, as obtaining this certificate will vary according to how your organization handles certificates. For completeness, I will post the overall steps here using Outlook.

Sending an encrypted email message

  1. On the File menu, select Options -> Trust Center -> Trust Center Settings.
  2. On the left side, select Email Security.
  3. Under Encrypted email, choose Settings.
  4. Under Certificates and Algorithms, click Choose and select the S/MIME certificate.
  5. Choose OK.
  6. Finish writing your email and click the Send button.

Receiving/reading an encrypted email

When you receive an encrypted email, the experience will vary. When using S/MIME, you must make sure you have installed a copy of your digital encryption keys on the machine you will be using.

Receiving an encrypted email via S/MIME

A key icon in the message list or reading pane indicates an encrypted message.

If you normally use the Conversation view, you will need to open the message in a new window to view its contents. There will be a link on the message to make this easier.

How to send an encrypted email using S/MIME controls

When you receive an encrypted message, Outlook will check whether the S/MIME control is installed and whether there is a certificate available on your computer. If the S/MIME control is installed and there is a certificate available, the message will be decrypted when you open it.

If your certificate is stored on a smart card, you will be prompted to insert the smart card to read the message. Your smart card may also require a PIN to access the certificate.
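To make the public-key/private-key split described above concrete, here is an added example of my own (not code from the original post or from Microsoft’s Outlook documentation). It uses PowerShell’s built-in Protect-CmsMessage, Get-CmsMessage and Unprotect-CmsMessage cmdlets, which produce the same CMS (PKCS #7) envelope format that S/MIME encryption uses, so the same things can be observed: the sender needs only the recipient’s public certificate, the envelope reveals who it is addressed to but not its contents, and the body is unreadable on a machine where the private key was never installed. It assumes a Windows machine (New-SelfSignedCertificate is Windows-only); the certificate subject and the message text are constructed for the demo.

```powershell
# Added example: the S/MIME idea (encrypt with the recipient's public key, decrypt with
# their private key) shown with PowerShell's CMS cmdlets. Windows only, because
# New-SelfSignedCertificate stands in for the certificate your IT department would
# normally issue. Subject name and message text are constructed for the demo.

# 1. Create a throwaway encryption certificate in the current user's store.
#    DocumentEncryptionCert sets the Document Encryption EKU the CMS cmdlets require;
#    in real life the S/MIME certificate from your PKI/CA is used here instead.
$cert = New-SelfSignedCertificate -Subject "CN=Demo S/MIME Recipient" `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. The sender only needs the public half. Export it the way a recipient would hand
#    it over (for example by first sending the sender a signed email).
$publicOnly = Join-Path $env:TEMP "recipient-public.cer"
Export-Certificate -Cert $cert -FilePath $publicOnly | Out-Null

# 3. Encrypt using nothing but that public certificate file.
$plaintext = "Patient MRN 000000: appointment moved to Tuesday."   # constructed sample
$envelope  = Protect-CmsMessage -To $publicOnly -Content $plaintext

"--- what travels over the wire ---"
$envelope          # base64 CMS blob; no trace of the plaintext

# 4. Anyone can see WHO it is addressed to (recipient info is not encrypted) ...
"--- envelope metadata, readable without any key ---"
Get-CmsMessage -Content $envelope |
    Select-Object -ExpandProperty RecipientInfos |
    Format-List RecipientIdentifier, KeyEncryptionAlgorithm

# 5. ... but only the holder of the matching private key can read the body.
#    Unprotect-CmsMessage locates the private key in the user's certificate store.
"--- decrypted on the recipient's machine ---"
Unprotect-CmsMessage -Content $envelope

# 6. Delete the private key and try again. This is the state of a machine where the
#    certificate was never installed: the key icon shows, but the message cannot be opened.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey
try {
    Unprotect-CmsMessage -Content $envelope
} catch {
    "Decryption failed without the private key: $($_.Exception.Message)"
}
Remove-Item $publicOnly
```

Step 6 is the part worth keeping in mind when you read the smart-card note above: the envelope is the same on every machine, and what changes is only whether the private key is reachable from the certificate store (or the card) on the machine doing the reading.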

2. Microsoft 365 Message Encryption

Microsoft 365 Message Encryption utilizes Microsoft’s Rights Management System as its encryption engine. This feature is part of the Office 365 Enterprise E3 license, so check your Microsoft licensing to confirm that the users who want to benefit from this feature are covered and that it is enabled for them.

Setup

Microsoft 365 Message Encryption is part of the Office 365 Enterprise E3 license. Additionally, the Encrypt-Only feature (the option under the Encrypt button) is only enabled for subscribers (Microsoft 365 Apps for enterprise users) that also use Exchange Online. Don’t worry, details are coming… 🙂

Sending an encrypted email

In the Outlook desktop app, start a new email message, choose Options, select Encrypt, and pick the encryption that has the restrictions you want to enforce, such as Encrypt-Only or Do Not Forward.

Choosing message encryption options in the Outlook desktop app

In Outlook on the Web, start a new email message, click the Encrypt button, and optionally click Change permissions to choose another method of restrictions for the email.

Choosing the message encryption options in Outlook on the Web

Receiving/reading an encrypted email

Depending on what mail application you’re using, a message that is encrypted by Microsoft 365 Message Encryption is delivered to a recipient’s inbox just like any other email message. If the recipient has Outlook 2013, 2016, or 2019 and a Microsoft 365 email account, they’ll see an alert about the item’s restricted permissions in the Reading pane. This also works with Outlook for iOS, Outlook for Android, and Outlook on the Web. After opening the message, the recipient can view the message just like any other.

If the recipient, however, does NOT have a Microsoft 365 account (or an Outlook.com/Hotmail account), they will need to follow these steps:

  1. Select Read the message.
    When you send an encrypted email to a non-Microsoft recipient
  2. Select how you’d like to sign in to read the message. If your email provider is Google, Yahoo, or Microsoft, you can select Sign in with Google, Yahoo, or Microsoft respectively. Otherwise, select sign-in with a one-time passcode.
    As I sent this to my Gmail account, I clicked on Sign In with Google
  3. Once you receive the passcode in an email message, make a note of the passcode, then return to the web page where you requested the passcode and enter the passcode, and select CONTINUE.

    Tip: Each passcode expires after 15 minutes. If that happens, or if you can’t open the message for any reason, start over by opening the attachment again and following the steps.

And now I can view the email message in its full glory!

The costs of Outlook Email Encryption

The costs associated with being able to send encrypted email using Outlook vary. If your organization has enough licenses, you can assign them to the users who would benefit most from this feature. Obviously, if it is within your budget, every user who sends emails (especially externally) should at least have this feature available. Of course, you can also configure your organization so that all users automatically send all outgoing messages in encrypted form.

Microsoft 365 Message Encryption is offered with the following plans:

  • Office 365 Enterprise E3
  • Office 365 Enterprise E5
  • Microsoft 365 Enterprise E3
  • Microsoft 365 Enterprise E5
  • Microsoft 365 Business Premium
  • Office 365 A1
  • Office 365 A3
  • Office 365 A5
  • Office 365 Government G3
  • Office 365 Government G5

3. How do I encrypt an email in Outlook for free?

There are *free* email encryption add-ins available for Outlook. However, you must read the license terms. Many, if not all of them, will state that use of the add-in is “free for non-profit and personal use.” Here is one example of an available add-in:

Encrypting an email with the Encryptomatic OpenPGP solution

The steps of course vary using these different plug-ins, but here are the basic steps you go through.

Initial Setup

First, download and install the plug-in while Outlook is closed. After the setup is complete, open Outlook.

Sending an encrypted email

Click New Email in Outlook to send a new email. You will likely see a new toolbar button to Encrypt the email. Be sure to visit the documentation from the vendor to get more details. You may need to click a ‘Secure Send’ button rather than ‘Send.’

Receiving an encrypted email

This, again, will vary based on which plug-in was used. Recipients will receive the email, and the subject line should be visible. If they click on it, they won’t see the ‘body’ of the email; they will be instructed to click a link to access the body and any attachments. More sophisticated plug-ins might take you to a secure website, but that may be asking a lot of a ‘free service.’

Which encryption method is the best for you?

Well, if money is no object, purchasing an Office 365 / Microsoft 365 license from the list above, assigning these licenses to your users, instructing them to encrypt important and confidential emails, or setting compliance controls at a tenant level to enforce encryption is a great start to make an organization more secure. You can feel as confident in a move like that as enabling Microsoft Multi-Factor Authentication (MFA) for all your users.
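Both the “automatically send all outgoing messages in encrypted form” option from the costs section and the “compliance controls at a tenant level” mentioned here come down to Exchange Online mail flow (transport) rules that apply a rights-protection template. Here is an added example, written for this article rather than taken from the post or from Microsoft documentation, of setting that up from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module, an account holding an Exchange administrator role, the licensing described above, and placeholder values for the domain (contoso.example), the rule names and the keyword list.

```powershell
# Added example: enforce Microsoft 365 Message Encryption with mail flow rules.
# Assumptions: ExchangeOnlineManagement module installed, an account with an Exchange
# admin role, and a tenant licensed for Message Encryption. Domain, keywords and rule
# names are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Sanity-check the prerequisite: Message Encryption relies on Azure Rights Management
#    being enabled for the tenant. Test-IRMConfiguration reports per-step PASS/FAIL.
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled
Test-IRMConfiguration -Sender alice@contoso.example

# 2. See which templates the rules can apply. "Encrypt" and "Do Not Forward" are the
#    built-in ones shown under the Encrypt button in Outlook; sensitivity labels that
#    apply encryption also appear here.
Get-RMSTemplate | Select-Object Name, Description

# 3. Policy rule: anything leaving the organization that looks like protected health
#    information gets the Encrypt template, whether or not the sender remembered to.
New-TransportRule -Name "Auto-encrypt outbound PHI" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "patient", "diagnosis", "MRN" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 0

# 4. User-driven rule: a subject tag lets any sender force encryption from any client
#    without hunting for the button.
New-TransportRule -Name "Encrypt on [encrypt] tag" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[encrypt]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# 5. The blanket option ("all outgoing messages encrypted"): the same rule with no
#    content condition. Created disabled so it can be reviewed and piloted before every
#    external recipient has to go through the sign-in or passcode portal.
New-TransportRule -Name "Encrypt all external mail" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Enabled $false

# 6. Audit what is in force. Rules are evaluated in Priority order, lowest number first.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The content-based rule in step 3 is the one that pays for itself: it removes the dependency on each user remembering the Encrypt button for the mail that compliance actually cares about, while the disabled blanket rule in step 5 is there so the external-recipient experience described earlier can be tested with a pilot group before it is switched on for everyone.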

Putting this solution in place closes off a large part of your attack surface. By ensuring, as best you can, that every email server your organization uses at least offers an option to send encrypted email, you will soon reap the benefits of a more secure environment.

As I stated above, you may need to weigh the costs and benefits of licensing only a subset of users for this functionality. Your other users could certainly utilize a free solution. However, be prepared for an additional layer of support and knowledge required from your IT support teams. At least with the Microsoft solution, you can open an Office 365 service request right from the Microsoft 365 admin center website.