How to Setup Email Encryption Office 365 [Guide & Best Practices]

Emails are integral to daily business communications. However, the ease of email comes with the possibility of confidential data being read by unauthorized third parties. This is where email encryption can help: alongside cloud security managed services, it provides a secure way to transmit and read private messages.

Microsoft Office 365 is a well-known cloud-based platform that is utilized by many businesses across the globe. It provides a range of tools and features, including encryption of emails to help you protect your personal information from unauthorized access.

In this article, we discuss how you can set up email encryption in Office 365 and how to use encryption for an email to provide the highest level of security.

Explanation of Email Encryption and How It Works

Email encryption protects email content and sensitive information from unauthorized access and is an essential part of effective cyber security management. This is particularly important for companies with sensitive data, such as personal or financial information. Unencrypted, this data is vulnerable to cyber attacks, identity theft, and other breaches. Email encryption also helps organizations meet data protection regulations like the General Data Protection Regulation (GDPR) and others.

Here is the 3-step process of how email encryption works:

  1. The message is encrypted, which means it is transformed from plain text into unreadable ciphertext. This happens on the sender's computer or on central servers while the message is being sent.
  2. The message stays in ciphertext while in transit so that unauthorized parties cannot read it.
  3. Once the message reaches the intended recipient, it is changed back to plain text using one of two methods:
     • The recipient's device uses a key to decrypt the message. The key is typically a private key, paired with a public key that secures the message.
     • A central server validates the recipient's identity before decrypting the message for the intended recipient, to make sure the decryption is valid.

Types of Email Encryption and Their Pros and Cons

Two major types of encryption in email are available: Transport Level encryption and End-to-end encryption.

Transport-level encryption protects email messages only while they travel between the sender and the receiver, not before or after transit. End-to-end encryption, however, is exactly what it sounds like: emails are encrypted from beginning to end. In other words, every email is encrypted once the send button is clicked and is decrypted only after the recipient receives it.

Some of the tools and protocols that use these two types of encryption include:

  • STARTTLS: This form of transport-level encryption upgrades a plain text connection to a secure, encrypted one. It is a protocol extension, defined for Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol (POP3), that starts a Transport Layer Security (TLS) session on an existing connection.
  • MTA-STS or DANE: Message Transfer Agent Strict Transport Security (MTA-STS) and DNS-based Authentication of Named Entities (DANE) are two countermeasures to maximize the security of STARTTLS and all transport-level encryption.
  • Bitmessage: A communication protocol that uses end-to-end encryption to protect messages from anyone who isn't supposed to see them. It is great for people and smaller businesses who want to ensure their messages are private and secure.
  • GNU Privacy Guard (GnuPG or GPG): This tool uses a hybrid encryption model that combines public-key and symmetric-key cryptography.
  • PGP and S/MIME: Two widely used protocols for end-to-end email encryption. Phil Zimmermann developed PGP, first released in 1991, while S/MIME stands for Secure/Multipurpose Internet Mail Extensions.
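
To show how MTA-STS hardens opportunistic STARTTLS, here is an added Python example (not from the original article) that parses an MTA-STS policy as defined in RFC 8461 and decides whether a sending server may deliver to a given MX host. The sample policy, the host names and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (seconds)

# Constructed sample of https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
"""

@dataclass
class StsPolicy:
    mode: str = "none"
    max_age: int = 0
    mx: list = field(default_factory=list)

def parse_policy(text: str) -> StsPolicy:
    """Parse the key/value lines of an MTA-STS policy file."""
    policy, version = StsPolicy(), None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # ignore blank or malformed lines
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            policy.mode = value
        elif key == "max_age":
            policy.max_age = int(value)
        elif key == "mx":
            policy.mx.append(value.lower())
    if version != "STSv1" or policy.mode not in ("enforce", "testing", "none"):
        raise ValueError("not a usable STSv1 policy")
    if not 0 <= policy.max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    if policy.mode != "none" and not policy.mx:
        raise ValueError("policy lists no mx patterns")
    return policy

def mx_allowed(host: str, policy: StsPolicy) -> bool:
    """True if the MX host matches one of the policy's mx patterns."""
    host = host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            # A wildcard stands for exactly one left-most label.
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(host: str, tls_ok: bool, policy: StsPolicy) -> str:
    """tls_ok: STARTTLS was offered and the certificate validated for host."""
    if tls_ok and mx_allowed(host, policy):
        return "deliver"
    if policy.mode == "enforce":
        return "refuse"                   # never fall back to cleartext
    if policy.mode == "testing":
        return "deliver-and-report"       # deliver, flag the failure (TLSRPT)
    return "deliver"                      # mode none: plain opportunistic TLS
```

In "enforce" mode a stripped STARTTLS offer or an unexpected MX host stops delivery instead of silently downgrading to plain text, which is the gap in STARTTLS that the policy closes.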

Pros and Cons of Email Encryption

Following are the pros and cons of email encryption:



Pros:

  • Safeguards sensitive information
  • Efficient and easy to use
  • Helps with authentication and spam protection
  • Mitigates risk of data breaches

Cons:

  • Demands regular maintenance and oversight
  • Requires recipients to have decryption tools


Overview of Office 365's Email Encryption Capabilities

Microsoft Office 365 offers multiple encryption options to ensure that it meets the email security needs of different businesses.

Below are the three ways you can encrypt email in Microsoft Office 365:

1. Microsoft Purview Message Encryption

As part of Microsoft's cyber security software solution, Microsoft Purview Message Encryption offers users the power to encrypt messages and protect sensitive information during transit. It permits sending encrypted emails to internal and external recipients with complete control over the decryption process, including setting permissions and expiration dates. This encryption solution is included in Office 365 and can be combined with other email encryption tools like S/MIME.

It's important to note that Microsoft Purview is included in E5 but is an add-on service for customers without an E5 plan. However, a 90-day free trial is available so you can see how Microsoft Purview helps you manage your organization's data security and ensure compliance.

2. Information Rights Management (IRM)

Information Rights Management (IRM) is a Microsoft security solution for data protection that allows users to control how their sensitive information is managed and shared. Through IRM, users can apply restrictions to documents, emails, and other files to prevent unauthorized access, forwarding, printing, or copying.

Additionally, users can revoke access to shared data and audit and track its usage patterns. This data security solution is available across Office 365, SharePoint, and Azure Information Protection solutions.

3. S/MIME (Secure/Multipurpose Internet Mail Extensions)

As an industry-standard email encryption protocol, S/MIME offers complete message protection. It utilizes digital certificates to authenticate sender and recipient identities, then encrypts the message content to prevent unauthorized access.

S/MIME is also widely supported by email clients such as Microsoft Outlook, Apple Mail, and Gmail and is often employed in enterprise settings to protect sensitive information. By using S/MIME, users can ensure their email communications remain secure and confidential while guarding personal and business data against potential threats like hacking attacks, data breaches, and unauthorized access.

How to Setup Email Encryption in Office 365

Email encryption is an effective way to protect the privacy and security of business emails. Below are some ways to set up email encryption in Office 365:

Step-By-Step Guide for Configuring Office 365 Email Encryption

  1. Open a new email message and click on the "Options" tab.
  2. Click on "Encrypt" and select the encryption option to enforce the restrictions you want, such as "Encrypt-Only" or "Do Not Forward."
  3. Note that the "Encrypt-Only" feature is only available to Microsoft Office 365 apps for enterprise users using Exchange Online.
  4. Finish composing your email and click "Send."

To encrypt a single message:

  1. Compose your message in Outlook.
  2. Click on "Files" and click "File Properties."
  3. Under "Security Settings," select "Encrypt message contents and attachments."
  4. Click "Send" to send your encrypted message.

How to Create and Manage Encryption Rules and Policies

Policies and encryption rules are crucial to protecting the privacy and security of sensitive information. They set guidelines and limits on how data can be protected, who should access it, and when. Creating and managing policies and rules for encryption requires careful preparation and consideration of the goals and requirements of your business.

To create and manage rules and policies for encryption, you should follow these steps:

  1. Find out what kinds of data should be protected. Identify the data your business handles that must be protected. This can include sensitive or confidential data such as financial information, customer information, and trade secrets.
  2. Create security standards for encryption. Decide the encryption standards that your company will employ. It could be AES, RSA, or other commonly used encryption algorithms.
  3. Develop encryption policies. Create guidelines that define how encryption can be utilized within the business. These policies should contain information on when encryption is needed, who is accountable for the implementation of encryption, and how the encryption key should be handled.
  4. Inform employees about encryption policies. Train employees on the organization's policies regarding encryption and instruct them on how to use encryption tools properly.
  5. Check and revise your policies frequently. Examine your encryption policy regularly to ensure it is still appropriate and effective. Update your policies as needed to address the latest threats and technological modifications.
  6. Implement policies. Ensure the encryption policy is in place and enforced consistently throughout your business. This could be done through monitoring and audits to ensure employees follow the guidelines correctly.

Best Practices for Using Office 365 Email Encryption

Office 365 email encryption setup effectively protects confidential information in email messages. However, it is essential to use encryption properly to protect your data.

Tips for Optimizing Email Encryption in Office 365

Here are some of the best methods to use Office 365 email encryption:

  • Secure passwords: Make sure that every user has a login password for Microsoft Outlook that is secure, distinct, and difficult to guess. This will stop unauthorized access to email accounts. It will also ensure that encryption keys for emails are safe.
  • Enable encryption by default: Configure Office 365 email encryption to be turned on for all outgoing emails. This ensures that sensitive information is encrypted, even if a sender fails to encrypt the message manually.
  • Choose the "Encrypt-Only" option: If you want to encrypt an email, selecting "Encrypt-Only" rather than the "Do Not Forward" option prevents unintended recipients from reading the email while still permitting the intended recipient to forward the email if required.
  • Train users: Inform users about the importance of email encryption and the proper way to secure messages. This can help avoid accidental data leaks and ensure that confidential information is secure.
  • Monitor the use of email: Use monitoring tools to monitor the usage of emails and spot any unusual activities. This will help you identify possible security issues and ensure that the policies regarding the encryption of emails are followed.
  • Configure message expiration for email messages: Set them to expire after a specified time. This ensures that sensitive data is unavailable after a set period, even if the message is not deleted.
  • Check policies frequently: Review and update the policies on the encryption of emails to ensure that they're still in place and adapt to your company's requirements. This can help to avoid security holes while ensuring that confidential information is protected.

How to Share Encrypted Emails With External Recipients

When you use Office Message Encryption (OME), sending encrypted emails to external recipients is easy because it lets you send encrypted messages to anyone outside your company, regardless of their email provider.

However, to optimize the email encryption in Office 365, here are some steps that you need to follow:

  1. Compose a new email: Begin by creating a new email in Outlook or Outlook on the web (Outlook Web App).
  2. Secure the email: Depending on your organization's configuration and the client you're using, there may be different ways to secure the email. Two common approaches are:
     • Using the "Encrypt" button: In Outlook and Outlook on the web, press the "Encrypt" option or padlock symbol in the toolbar to enable encryption. You can also select the "Encrypt and Prevent Forwarding" option, which prevents recipients from copying or forwarding the content of the email.
     • Using a particular term or keyword: The business might have implemented an email transport rule that triggers encryption whenever a specific keyword or phrase is used in the email's subject line or body. For instance, you could include "[Encrypt]" within the body of your email to enable encryption.
  3. Add external recipients: Type the email addresses of the external recipients into the "To," "Cc," or "Bcc" fields.
  4. Send your email: After you've written your email and added encryption, click "Send."
  5. Access for external recipients: When external recipients receive the encrypted message, they get an email that includes a link for viewing it. To view the encrypted mail, they must click the link and sign in using a one-time password or their personal Microsoft or Google account. This ensures that only the intended recipients can view encrypted messages.

Monitoring and Troubleshooting Office 365 Email Encryption

Monitoring and troubleshooting are important aspects of managing email encryption in Office 365. By monitoring email usage and encryption settings, you can ensure that sensitive data is being properly protected and that encryption policies are being followed. Troubleshooting issues with email encryption can also help prevent data leaks and ensure that emails are being delivered and received as intended.

Below are some email encryption tools offered by Office 365 and how to use them:

The Message Encryption Dashboard

The Message Encryption Dashboard offers a comprehensive overview of the use of encryption in emails within your company. Authorized IT administrators can see statistics like the number of messages encrypted, the number of people who have encrypted messages, and the number of messages that were not encrypted even though they ought to have been.

To access the Message Encryption Dashboard:

  1. Go to the Office 365 Security & Compliance Center
  2. Select "Data protection against loss" on the menu on the left.
  3. Click "Dashboard" in the section titled "Policy guidelines."

Message Trace

The Message Trace feature allows you to follow specific messages and check whether they are encrypted. It will also let you know whether the message was successfully delivered or if it encountered any problems during delivery.

To utilize Message Trace:

  1. Go to the Office 365 Exchange Admin Center
  2. Select "mail flow" on the menu on the left.
  3. Click "message trace" under "mail flow."

Data Loss Prevention (DLP) Policy Reports

DLP Policy Reports let you know the extent to which your organization's DLP policies are being implemented. You can access reports on the policy's matches, policy overrides, and policy tips.

To access DLP Policy Reports:

  1. Open Office 365 Security & Compliance Center
  2. Select "Data loss prevention" on the left menu of the screen.
  3. Click "Reports" in the section titled "Policy Tips."

Audit Logs

Audit Logs offer a comprehensive record of the activities within the Office 365 environment, including the encryption of emails. You can see who sent encrypted messages, who received them, and when they were delivered.

To view Audit Logs:

  1. Go to the Office 365 Security & Compliance Center
  2. Select "Search" on the menu on the left.
  3. Select "Audit the logs."

By monitoring these tools regularly, it is possible to ensure that the email encryption guidelines are followed and that sensitive information is properly secured.

Common Issues With Email Encryption and Troubleshooting Tips

Email encryption within Office 365 can occasionally run into issues that affect the security and delivery of encrypted emails. Here are some of these issues, along with troubleshooting techniques to help solve them:

  • Encryption is not applied to emails: If your emails are not encrypted as you would expect, check your transport rules in the Exchange Admin Center of Exchange Online to ensure they are correctly configured. Check for any conflicting rules that could prevent encryption from working correctly.
  • Users cannot access encrypted emails: Ensure that users have the required authorization to access email encryption tools like Office Message Encryption (OME) or Information Rights Management (IRM). For recipients outside the organization, ensure they're following all the right steps to gain access to the encrypted email using a one-time passcode or their Google or Microsoft account.
  • Problems with email clients and devices: Encrypted emails may not be displayed correctly on certain devices or clients. It is recommended that users update their email client to the most recent version and test the compatibility of their email client with Office 365 encryption features.
  • Data Loss Prevention (DLP) policy conflicts: If you notice that a message is not being encrypted, or is not encrypted as you expect, review the DLP policies to ensure they are not affecting the encryption process.
  • Encryption-related errors in email headers: Check the headers of the affected messages to identify problems with encryption settings and transport policies. Look for specific encryption-related header fields, such as "X-MS-Exchange-Organization-MessageEncryption" or "X-MS-Exchange-Organization-EncryptionProperties."

If you can identify and address the common issues associated with email encryption, you can take the appropriate steps to ensure that the encryption is functioning properly and securely.
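
The header check from the last troubleshooting item can be scripted. The following Python script is an added example, not part of the original article or of any Microsoft tooling: it reads a raw message and reports which Received hops recorded TLS, whether the two header fields named above are present, and whether the body is an S/MIME envelope. The sample messages and header values are constructed, and the TLS pattern assumes Exchange-style or Postfix-style Received lines.

```python
import re
from email import message_from_string
from email.policy import default

# Header names quoted in the troubleshooting list above.
ENCRYPTION_HEADERS = (
    "X-MS-Exchange-Organization-MessageEncryption",
    "X-MS-Exchange-Organization-EncryptionProperties",
)
# TLS note as written by Exchange ("version=TLS1_2") or Postfix
# ("using TLSv1.3"); other mail servers may word it differently.
TLS_NOTE = re.compile(r"(?:version=|using\s+)(TLS[\w.]+)", re.IGNORECASE)

# Constructed sample message; header values are placeholders.
SAMPLE = """\
Received: from mail.example.net (203.0.113.10) by mx.example.com
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.0.0;
 Mon, 1 Jan 2024 10:00:00 +0000
Received: from client.example.net (198.51.100.7) by mail.example.net
 with ESMTP id abc123; Mon, 1 Jan 2024 09:59:58 +0000
From: alice@example.net
To: bob@example.com
Subject: Q4 numbers
X-MS-Exchange-Organization-MessageEncryption: placeholder-value
Content-Type: text/plain

Constructed body.
"""

# Constructed S/MIME-encrypted message (payload omitted).
SAMPLE_SMIME = """\
From: alice@example.net
To: bob@example.com
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

"""


def triage(raw: str) -> dict:
    """Summarise transport-level and message-level protection of a message."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for received in msg.get_all("Received", []):
        note = TLS_NOTE.search(" ".join(str(received).split()))
        hops.append(note.group(1) if note else None)  # None: no TLS recorded
    smime = None
    if msg.get_content_type() in ("application/pkcs7-mime",
                                  "application/x-pkcs7-mime"):
        smime = msg["Content-Type"].params.get("smime-type", "unknown")
    return {
        "hops_tls": hops,                 # newest hop first
        "cleartext_hops": hops.count(None),
        "encryption_headers": [h for h in ENCRYPTION_HEADERS if h in msg],
        "smime": smime,
    }
```

Received lines for earlier hops are written by upstream servers, so treat them as evidence to compare against Message Trace rather than as proof.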

Alternative Email Encryption Solutions

There are a variety of email encryption solutions on the market. Common options are listed in the table below:

| Email Encryption Solution | Key Features | | |
|---|---|---|---|
| Office 365 Email Encryption | Built-in encryption solution integrates with Office 365 infrastructure | Seamlessly integrates with Office 365 services | May require additional licensing fees |
| | Granular control over encryption settings supports various email clients | Integrates with various email clients | Requires separate subscription for advanced features |
| | End-to-end encryption, free version available, open-source software | Limited integration with other email clients | Free for basic features, paid plans for advanced features |
| | Customizable encryption settings offer various encryption methods, support various email clients | Integrates with various email clients | Requires separate subscription for advanced features |
| | End-to-end encryption, open-source software | Integrates with various email clients | Free for basic features, paid plans for advanced features |
| | Customizable encryption settings offer data loss prevention (DLP) and advanced threat protection | Integrates with various email clients | Requires separate subscription for advanced features |

Pros and Cons of Using Third-Party Email Encryption Solutions

The pros and cons of using third-party email encryption solutions are as follows:



Pros:

  • Increased customization options
  • Can integrate with various email clients
  • May offer additional features not available in built-in solutions
  • Can be more secure than built-in solutions

Cons:

  • May require additional licensing fees
  • May not integrate seamlessly with existing infrastructure
  • Requires separate subscription
  • May require additional training and support


Implementing encryption of emails in Office 365 offers numerous benefits for businesses, such as improved security and protection of personal data, compliance with data security regulations, and enhanced confidence and trust with customers and their partners.

If you are thinking of adopting email encryption in your business, the first step is to review your current email infrastructure and figure out which encryption software is most suitable for your requirements. Office 365 offers a built-in encryption tool for email that can be adequate for various organizations. However, third-party options may be needed for those with specific needs.

Amaxra can assist you in assessing your email system, identifying the best encryption solution that meets your requirements, and helping in the installation and training process. Contact us today to learn more about our services.
