Unlocking the Mystery: Understanding Outlook Email Encryption
Key takeaways:
- Microsoft 365 uses encryption in two ways: in the service and as a customer control, with encryption being used by default in the service.
- Outlook emails can be encrypted using options like “Encrypt” and “Encrypt and Prevent Forwarding,” providing different levels of security for attachments.
- Microsoft 365 employs various methods for email encryption, including S/MIME encryption, Microsoft 365 Message Encryption, and Information Rights Management (IRM).
- To use S/MIME encryption, both the sender and recipient must have a mail application that supports the S/MIME standard, with Outlook being one such application.
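- Recipients with Outlook.com and Microsoft 365 accounts can download attachments without encryption from Outlook.com, the Outlook mobile app, or the Mail app in Windows 10, while recipients using other email accounts and clients can use a temporary passcode to download them from the Microsoft 365 Message Encryption portal.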
- Microsoft Office attachments such as Word, Excel, or PowerPoint files remain encrypted even after being downloaded, preventing unauthorized access if forwarded to others.
Are Outlook Emails Encrypted by Default?
Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. Microsoft 365 uses encryption in two ways: in the service, and as a customer control. In the service, encryption is used in Microsoft 365 by default; you don’t have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.
If you choose the Encrypt option, recipients with Outlook.com and Microsoft 365 accounts can download attachments without encryption from Outlook.com, the Outlook mobile app, or the Mail app in Windows 10. Other email accounts using a different email client can use a temporary passcode to download the attachments from the Microsoft 365 Message Encryption portal.
If you choose the Encrypt and Prevent Forwarding option, there are two possibilities: Microsoft Office attachments such as Word, Excel or PowerPoint files remain encrypted even after they’re downloaded. This means that if the recipient downloads the attachment and sends it to someone else, the person they forwarded it to won’t be able to open the attachment because they don’t have permission to open it. Note that if the recipient of the file is using an Outlook.com account, they can open encrypted Office attachments on the Office apps for Windows. If the recipient of the file is using a Microsoft 365 account, they can open the file in Office apps across platforms. All other attachments, such as PDF files or image files, can be downloaded without encryption.
How Microsoft 365 Uses Email Encryption
Microsoft 365 uses various methods for email encryption, such as S/MIME encryption, Microsoft 365 Message Encryption, and Information Rights Management (IRM).
- S/MIME encryption – To use S/MIME encryption, the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.
- Microsoft 365 Message Encryption (Information Rights Management) – To use Microsoft 365 Message Encryption, the sender must have Microsoft 365 Message Encryption, which is included in the Office 365 Enterprise E3 license.
IRM protection should not be applied to a message that is already signed or encrypted using S/MIME. To apply IRM protection, S/MIME signature and encryption must be removed from the message. The same applies for IRM-protected messages; users should not sign or encrypt them using S/MIME.
- Microsoft Purview Message Encryption.
- Secure/Multipurpose Internet Mail Extensions (S/MIME).
- Information Rights Management (IRM).
How is This Different from the Current Level of Encryption in Outlook.com?
Currently, Outlook.com uses opportunistic Transport Layer Security (TLS) to encrypt the connection with a recipient’s email provider. However, with TLS, the message might not stay encrypted after the message reaches the recipient’s email provider. In other words, TLS encrypts the connection, not the message.
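The distinction between encrypting the connection and encrypting the message can be checked on a delivered message. The following is an added example, not part of the original article: it reads the Received trace headers to see which hops report TLS and, separately, whether the message itself is S/MIME-encrypted. The sample message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# Constructed sample (not real traffic): the newest hop is listed first.
SAMPLE = """\
Received: from mx.recipient.example (192.0.2.10) by store.recipient.example
 with ESMTP id abc123; Tue, 02 Jan 2024 10:00:05 +0000
Received: from mail.sender.example (198.51.100.7) by mx.recipient.example
 with ESMTPS id def456 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
 Tue, 02 Jan 2024 10:00:03 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Quarterly figures
Content-Type: text/plain; charset="utf-8"

The figures are attached.
"""

# "with" protocol keywords that mean STARTTLS was negotiated (RFC 3848).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hop_transport(received):
    """Return (protocol, tls_used) for one Received header value."""
    flat = " ".join(received.split())  # undo header folding
    match = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
    proto = match.group(1).upper() if match else "UNKNOWN"
    # Some servers also annotate the hop with "version=TLS..." in a comment.
    tls = proto in TLS_KEYWORDS or "version=tls" in flat.lower()
    return proto, tls

def message_encryption(msg):
    """Return 'smime-encrypted' only if the body itself is an S/MIME envelope."""
    ctype = msg.get_content_type()
    smime_type = str(msg.get_param("smime-type", "")).lower()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return "smime-encrypted"
    return "none"  # signed-only or plain content is still readable at rest

def assess(raw):
    """Report per-hop transport TLS and message-level encryption separately."""
    msg = message_from_string(raw)
    hops = [hop_transport(h) for h in msg.get_all("Received", [])]
    return {"hops": hops,
            "all_hops_tls": bool(hops) and all(tls for _, tls in hops),
            "message_encryption": message_encryption(msg)}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Received headers written by servers outside your own boundary are self-reported, so treat those hops as claims rather than proof of how the message travelled.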
Send Encrypted Email from Office 365
Office 365 secure emails can be sent using Outlook Online. The principle and technique are the same as with Outlook, only the menu looks a bit different.
- Compose a new email in Outlook Online.
- Select Encrypt in the toolbar.
- Click Change Permissions if you also want to prevent forwarding of the email.
- Click Send when done.
If you don’t see the encrypt button, then click on the 3 dots. You can also add the encrypt button to the bottom toolbar.
How to Encrypt Email in Microsoft Outlook on Windows 11
With a Microsoft 365 subscription, you can send encrypted emails to your contacts. By default, you get the OME or Office 365 Message Encryption for sending encrypted emails using Outlook. As such, you don’t have to install any certificates to encrypt your email. Follow these steps:
- Open Outlook on your Windows PC.
- Click on New Email at the top-left corner.
- Click on Options in the Menu Bar.
- Click the Encrypt icon and select Encrypt. You will see a message that says, “This message will be encrypted.”
- Enter all the details and send your encrypted email.
There are several encryption options and methods you can use to encrypt an email in Microsoft Outlook. For a quick and easy method, if you’re using Outlook on the Web with a Microsoft 365 subscription, you can simply click the Encrypt button in the new email window to send an encrypted email.
Get a Digital ID for Outlook (Encryption and Signing Certificates)
To be able to encrypt important Outlook emails, the first thing you need to get is a Digital ID, also known as an E-mail Certificate. You can get the digital ID from sources recommended by Microsoft. You will be able to use these IDs not only to send secure Outlook messages but protect documents of other applications as well, including Microsoft Access, Excel, Word, PowerPoint, and OneNote.
Encrypting Email with Outlook on the Web (Outlook.com)
Encrypting email in Outlook.com is similar to using the desktop version. Follow these steps to encrypt an email if you prefer to use Outlook on the Web:
- Launch your favorite web browser and navigate to Outlook.com, logging in with your Microsoft account.
- Compose an email by clicking on the New message button at the top-left corner of the page.
Transmission of Outlook Email (company or non-company) is encrypted using the default settings in Outlook Send/Receive settings. The database (Exchange or PST file) is proprietary but not encrypted. A person with correct credentials can export an email file and read it on another machine. I have not seen a setting to encrypt the database. The Exchange setup itself is secure.
Outlook Online lets you digitally sign or encrypt your emails, either individually or by default for all outbound messages.