How to Send Secure Emails in Outlook 365 (And Why It’s Essential To Do So)
Key Points in This Article:
- Email presents significant cybersecurity risks, many of which can be mitigated by sending secure emails.
- Microsoft 365 offers users two email encryption methods, Microsoft 365 Message Encryption and S/MIME encryption, which are easy to use.
- There are other encryption options on the market; however, they should be thoroughly vetted for risks and limitations before you use them for your business.
Email. It’s become so common in our personal and professional lives that we often take for granted just how much it’s transformed society. But just as much as we overlook its rewards, we also overlook its risks. Individuals and professionals transmit sensitive information by email every single day.
By some estimates, as much as half of the emails people send are insecure. Unsecured emails pose a significant threat to the people who send and receive them, exposing them to someone snooping on the conversation, accessing their financial info, infecting them with malware, and more.
If you’re a business owner, consider the damage unsecured email may cause. A phishing email or downloaded malware could be the foothold a cybercriminal needs to hold your business for ransom, steal confidential information, and more.
Further, if your business, like many others, is now more reliant on hybrid-remote or remote work, or you’ve implemented BYOD (bring your own device) policies, you’re more vulnerable than before.

How to Send a Secure Email Through Microsoft Outlook 365
Fortunately, Microsoft Outlook provides robust tools to strengthen your email security. But before you start exploring and training your employees to use them, it’s critical to ensure you have the appropriate email policies. Ensure your employees know when they must send secure emails and that they will be held accountable for not doing so.
Microsoft 365 Message Encryption
Microsoft 365 has two built-in tools for email encryption. Encrypting an email translates it into indecipherable text that only the appropriate recipient can decipher (or decrypt), read, and access.
Outlook 365 offers users both Microsoft 365 Message Encryption and S/MIME encryption. The former is fairly simple to use. When you want to encrypt an email using Microsoft 365 Message Encryption, you’ll choose Properties from the File tab in Outlook. From there, select Security Settings, and check Encrypt message contents and attachments. After you do so, send your message. You can also choose the Options tab, then Encrypt, then select the Encrypt-only option before sending.
You can also choose to encrypt all your messages by default. You’ll need to choose Options from File, then Trust Center, then Trust Center Settings. From the resulting dialogue box, you’ll find Encrypted email under the Email security tab. You’ll check Encrypt contents and attachments for outgoing messages from here, then close.
Microsoft 365 also uses Azure Information Protection (AIP) to help you protect emails in other ways. Using webmail, you can choose Encrypt under the Options tab in Outlook and choose the permissions you set on your email. You’ll see several besides Encrypt-only, including Do Not Forward, Confidential All Employees, and Highly Confidential All Employees. You can also find these options in the Outlook application by selecting Protect in a new email you’ve started. You’ll see that Do Not Forward is chosen by default, though you can choose another option by selecting Change Permissions.
Choosing Do Not Forward will not only encrypt your email but will also prevent its recipients from forwarding or printing it. When you select Confidential All Employees, your email will be encrypted, protected from printing or forwarding, and protected from viewing by recipients outside your organization. And when you choose Highly Confidential All Employees, your message will enjoy the protections of a Confidential All Employees email and will further not allow recipients to reply to it.
When a recipient receives your email, they’ll be asked to verify their identity by signing back into their email account or using a one-time passcode pushed to them. Once they’ve been authenticated, the recipient will see the email but will have restrictions on what they can do with it or, in some cases, what they can see.
When you train your employees to use these options, you’re ensuring they can safeguard the sensitive business information they email. These options can greatly mitigate the risk of third-party snooping and accidental distribution of confidential data outside the organization as well as to those inside it who don’t need to see it.
S/MIME Encryption
Microsoft 365 also supports S/MIME encryption. However, to use this encryption type, your recipient must also use an email application that supports S/MIME. You’ll also need to enable it before you can use it.
To do so, you’ll select Options from File, then select Trust Center, then Trust Center Settings. From here, choose Email Security, then Settings, which can be found under Encrypted email. You’ll find the option for the S/MIME certificate under Choose when you’ve selected Certificates and Algorithms. Click OK to enable it.
Once enabled, you’ll encrypt your email with S/MIME by opening a message, selecting Options, then Encrypt, and finally, Encrypt with S/MIME. You should note this option works with individual emails, but for mass emails, you’ll want to use Microsoft 365 Message Encryption or a trusted third-party encryption provider.
Step-by-Step: How to Send an Encrypted Email Using Microsoft 365 Message Encryption (OME)
Microsoft 365 Message Encryption (OME) is the simplest and most common way to send secure emails in Outlook 365, enabling you to protect messages sent to anyone, inside or outside your organization. Here’s how to do it:
- Compose a New Email: Open Outlook 365 (desktop app, web, or mobile) and click “New Email” to start your message. Fill in your recipient(s), subject, and message content as usual.
- Access Encryption Options:
- Outlook Desktop App: In the new message window, navigate to the “Options” tab on the ribbon. You’ll see an “Encrypt” button (often represented by a padlock icon). Click it.
- Outlook on the Web (OWA): When composing a new email, look for the “Encrypt” button in the top toolbar.
- Outlook Mobile App: Look for the three dots (…) or a padlock icon in the compose screen to find encryption options.
- Choose Your Protection Level: From the “Encrypt” dropdown menu, you’ll typically have options:
- Encrypt Only: The message content and attachments are encrypted. Recipients can view the message, reply, and forward it (though attachments may lose encryption if forwarded by some recipient types).
- Do Not Forward: The message content and Office attachments (Word, Excel, PowerPoint) are encrypted, and the recipient is prevented from forwarding, printing, or copying the content.
- (You might also see custom sensitivity labels configured by your IT administrator, e.g., “Confidential” or “Highly Confidential,” which include encryption.)
- Send Your Email: Once you’ve selected your desired encryption option, you’ll often see a notification banner at the top of your message indicating that it’s encrypted. Complete your email and click “Send.” Outlook 365 handles the encryption automatically before it leaves your outbox.
This straightforward process ensures your sensitive information is protected during transit and at rest, giving you peace of mind.
How to Use S/MIME for Enhanced Email Security in Outlook 365
S/MIME offers a robust, certificate-based method for email encryption and digital signing in Outlook 365. While it requires a bit more initial setup, it provides strong authentication and non-repudiation.
Prerequisites:
- Obtain a Digital Certificate: You’ll need an S/MIME digital certificate (also known as a Digital ID) from a trusted Certificate Authority (CA) or issued by your organization’s IT department. This certificate usually includes your public key and a corresponding private key.
- Install the Certificate: Install the certificate in your computer’s certificate store (usually through a .pfx file provided by your CA).
Configuring S/MIME in Outlook 365 (Desktop App):
- Open Trust Center Settings: In Outlook, go to File > Options > Trust Center > Trust Center Settings…
- Email Security: Select the “Email Security” tab.
- Encrypted Email Settings: Under “Encrypted email,” click “Settings…”
- Choose Certificates: Here, you’ll configure your signing and encryption certificates. Click “Choose…” next to both “Signing Certificate” and “Encryption Certificate” and select the digital certificate you installed.
- Set Default Behavior (Optional): You can check “Encrypt contents and attachments for outgoing messages” and “Add digital signature to outgoing messages” to apply S/MIME automatically.
Sending an S/MIME Encrypted or Signed Email:
- Compose a New Email.
- Access Options Tab: Go to the “Options” tab on the ribbon.
- Encrypt/Sign:
- To Encrypt using S/MIME: Click “Encrypt” (padlock icon) and choose “Encrypt with S/MIME.” (This option only appears if S/MIME is correctly configured and the recipient’s public key is known.)
- To Digitally Sign your email: Click “Permissions” or “Sign” and select “Add Digital Signature.”
- Send: Click “Send.” Outlook will use your private key to encrypt or sign the message. If encrypting, ensure the recipient has your public key (often exchanged automatically after your first digitally signed email).
S/MIME is ideal for businesses requiring verifiable identity and stringent end-to-end encryption, particularly in highly secure communication environments.
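To check that an installed Digital ID is actually usable before selecting it in the Trust Center, the following added example (not part of the original article and not Microsoft's code) lists the S/MIME-capable certificates in the current user's store and flags missing private keys, expiry, and key-usage restrictions. It assumes the certificate was imported into the current user's Personal store; the function name is hypothetical.

```powershell
# Added example: audit certificates that Outlook could offer for S/MIME.
# Assumption: the Digital ID (.pfx) was imported into Cert:\CurrentUser\My.
function Get-SmimeCertificateStatus {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [int]$WarnDays = 30
    )

    $emailProtectionOid = '1.3.6.1.5.5.7.3.4'   # "Secure Email" enhanced key usage
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $kuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

        # A certificate without an EKU extension is not limited to specific purposes.
        # One with an EKU list that lacks Secure Email is not an S/MIME certificate.
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($ekuOids -notcontains $emailProtectionOid) { continue }
        }

        # Without a key usage extension the key is unrestricted; otherwise signing
        # needs DigitalSignature and encryption needs KeyEncipherment or KeyAgreement.
        $canSign = (-not $kuExt) -or $kuExt.KeyUsages.HasFlag($flags::DigitalSignature)
        $canEncrypt = (-not $kuExt) -or
            $kuExt.KeyUsages.HasFlag($flags::KeyEncipherment) -or
            $kuExt.KeyUsages.HasFlag($flags::KeyAgreement)

        $issues = @()
        if (-not $cert.HasPrivateKey) { $issues += 'no private key: cannot sign or decrypt' }
        if ($cert.NotBefore -gt $now) { $issues += 'not yet valid' }
        if ($cert.NotAfter -lt $now) {
            $issues += 'expired'
        }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $issues += "expires within $WarnDays days"
        }
        if (-not $canSign)    { $issues += 'key usage does not allow digital signatures' }
        if (-not $canEncrypt) { $issues += 'key usage does not allow encryption' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            CanSign    = $canSign
            CanEncrypt = $canEncrypt
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

Get-SmimeCertificateStatus | Format-List
```

An expired certificate that still has its private key is worth keeping in the store, because it is needed to read mail that was encrypted to it earlier.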
Deciphering Secure Emails: How Recipients Open Encrypted Messages
Sending a secure email is only half the battle; ensuring the recipient can easily open and read it is equally important. How a recipient accesses an encrypted Outlook 365 message depends on their email provider and the encryption method used:
For Microsoft 365 Message Encryption (OME):
- If the Recipient Uses Outlook.com or Microsoft 365 (and is in Outlook client/OWA): The message typically decrypts automatically in their inbox. They’ll see a banner indicating it’s protected, but can open it like any other email.
- If the Recipient Uses Gmail, Yahoo, or Another Email Service:
- They will receive a standard email with an attached message.html file or a link stating “Read the message.”
- Clicking this link will direct them to a secure Microsoft 365 portal.
- Here, they will be prompted to verify their identity. They can often choose to sign in with their existing Google, Yahoo, or Microsoft account credentials, or receive a one-time passcode to their email address.
- Once authenticated, the message will display in their web browser, where they can read and reply securely.
For S/MIME Encrypted Emails:
- Recipient Must Have S/MIME Configured: The recipient must also have S/MIME set up in their email client (like Outlook) and possess the sender’s public key (often obtained from a digitally signed email previously sent by the sender).
- Automatic Decryption: If configured correctly, Outlook will automatically decrypt the message upon arrival, and the recipient can open it normally.
- Certificate Issues: If the recipient does not have the correct certificate or key, they will not be able to open the message and will receive an error.
Understanding the recipient’s experience is crucial for smooth, secure communication and helps you guide external partners on how to access your encrypted messages.
Beyond Encryption: Additional Outlook 365 Security Features for Email Protection
While encryption protects the content of your emails, Outlook 365 and the broader Microsoft 365 ecosystem offer a multi-layered defense to safeguard your email environment from a variety of threats:
- Data Loss Prevention (DLP): Microsoft Purview DLP policies automatically detect, monitor, and protect sensitive information (like credit card numbers, social security numbers, or client data) from being shared inappropriately via email. DLP can block emails, notify users, or encrypt content based on predefined rules.
- Sensitivity Labels (Microsoft Purview Information Protection): These customizable labels allow users to classify emails (e.g., “Confidential,” “Public”) and automatically apply protective actions, including encryption, watermarks, headers/footers, and restrictions on forwarding or printing. Labels persist with the data, even if it leaves your organization.
- Exchange Online Protection (EOP): This is the first line of defense for your Microsoft 365 emails, offering robust anti-spam and anti-malware filtering that scans incoming and outgoing messages to block threats before they reach your inbox.
- Microsoft Defender for Office 365 (formerly ATP): This advanced threat protection suite extends EOP by providing:
- Safe Links: Rewrites URLs in emails to scan them for malicious content at the time of click.
- Safe Attachments: Opens attachments in a virtual environment (sandbox) to check for malware before they reach your inbox.
- Anti-Phishing Capabilities: Uses machine learning to detect and block sophisticated phishing attempts, impersonation, and spoofing.
- Multi-Factor Authentication (MFA): While not email-specific, enabling MFA for all Microsoft 365 accounts is paramount. It adds an essential layer of security to prevent unauthorized access to mailboxes, even if passwords are compromised.
- Mail Flow Rules (Transport Rules): Administrators can configure rules to automatically encrypt emails based on content, recipient, or sender, ensuring compliance and consistent security.
By leveraging these complementary features, businesses can create a comprehensive email security posture within their Outlook 365 environment.
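As an illustration of the mail flow rule item above, this added example (not from the original article) creates an Exchange Online rule that applies the Encrypt template to mail one group sends outside the organization, starting in audit mode so matches can be reviewed before enforcement. It assumes the ExchangeOnlineManagement module and an account allowed to manage transport rules; the function name, rule name, and group address are placeholders.

```powershell
# Added example: encrypt mail that a specific group sends to external recipients.
# Assumptions: ExchangeOnlineManagement is installed; 'finance@example.com' is a
# placeholder for a real mail-enabled group in your tenant.
function Set-ExternalEncryptionRule {
    [CmdletBinding()]
    param(
        [string]$RuleName    = 'Encrypt external mail from Finance',
        [string]$SenderGroup = 'finance@example.com',
        [switch]$Enforce      # omit on the first run so the rule starts in audit mode
    )

    $existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }

    if (-not $existing) {
        # Audit mode records which messages match without changing them yet.
        New-TransportRule -Name $RuleName `
            -FromMemberOf $SenderGroup `
            -SentToScope NotInOrganization `
            -ApplyRightsProtectionTemplate 'Encrypt' `
            -Mode Audit `
            -Comments 'Encrypt-only for mail leaving the organization'
    }
    elseif ($Enforce) {
        # Switch to enforcement once the audited matches look correct.
        Set-TransportRule -Identity $RuleName -Mode Enforce
    }

    # Show what is currently configured for the rule.
    Get-TransportRule -Identity $RuleName |
        Format-List Name, State, Mode, FromMemberOf, SentToScope, ApplyRightsProtectionTemplate
}

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# List the rights protection templates the tenant exposes before referencing one.
Get-RMSTemplate | Select-Object Name

# First run creates the rule in audit mode; a later run with -Enforce turns it on.
Set-ExternalEncryptionRule
```

Swapping 'Encrypt' for 'Do Not Forward' applies the stricter template described earlier in the article.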
Best Practices for Secure Email Communication in Outlook 365
Achieving robust email security isn’t just about enabling features; it’s about fostering a culture of security awareness and consistent application of best practices. For businesses leveraging Outlook 365:
- Educate Your Employees: The human element is often the weakest link. Regular training on phishing awareness, identifying suspicious emails, and the importance of using encryption for sensitive data is crucial.
- Always Use Encryption for Sensitive Data: Make it a non-negotiable policy to encrypt any email containing personally identifiable information (PII), financial data, proprietary information, or confidential communications, even if it’s internal.
- Implement and Enforce DLP Policies: Work with your IT team (or GiaSpace!) to set up and fine-tune Data Loss Prevention policies that automatically identify and protect sensitive information before it leaves your control.
- Leverage Sensitivity Labels: Empower users to classify data correctly by implementing clear, easy-to-understand sensitivity labels that automatically apply the right level of protection.
- Enforce Multi-Factor Authentication (MFA): This is non-negotiable. MFA adds a critical layer of security to all Microsoft 365 accounts, drastically reducing the risk of unauthorized mailbox access.
- Regularly Review Mail Flow Rules: Ensure your Exchange Online mail flow rules are up-to-date and effectively automating email security based on your evolving business needs.
- Keep Outlook 365 Updated: Ensure all users are running the latest versions of Outlook and their operating systems to benefit from the newest security patches and features.
- Understand Recipient Capabilities: If sending encrypted emails externally, be aware of how your recipients will access the messages and provide clear instructions if necessary.
- Audit and Monitor: Regularly review email activity and security reports within the Microsoft 365 admin center to identify potential threats or policy violations.
By embedding these practices into your daily operations, you transform your email system into a truly secure communication channel.
Common Challenges and Troubleshooting for Secure Email in Outlook 365
While Outlook 365’s secure email features are powerful, users might occasionally encounter challenges. Knowing how to address them can save time and frustration:
- Recipient Cannot Open Encrypted Message:
- OME: Check if the recipient is following the instructions (e.g., signing in via the portal, using the one-time passcode). Ensure their email provider isn’t blocking the message.
- S/MIME: The most common reason is that the recipient does not have your public key or a valid S/MIME certificate configured in their email client. You might need to send them a digitally signed email first so they can import your public key.
- “Encrypt” Button or Option is Missing/Greyed Out:
- Licensing: Ensure your Microsoft 365 subscription includes OME or the necessary rights management capabilities (e.g., E3 or equivalent).
- Configuration: Your IT administrator might need to enable or properly configure OME/Purview Message Encryption for your organization.
- S/MIME: Check if your digital certificate is correctly installed and configured in Outlook’s Trust Center.
- “Do Not Forward” Not Working as Expected for Attachments:
- “Do Not Forward” protection primarily applies to Office files (Word, Excel, PowerPoint). Other attachment types (like PDFs or images) might not retain protection if downloaded and re-shared by the recipient. Consider converting sensitive PDFs to protected Office formats or using a separate secure file transfer method.
- Performance Issues or Delays with Encrypted Messages:
- While usually minimal, very large attachments with encryption can sometimes cause slight delays. Ensure good internet connectivity.
- If using S/MIME, ensure your certificate is valid and not expired.
- Sensitive Information Detected, But Not Encrypted:
- Review your DLP policies and sensitivity labels in the Microsoft Purview compliance portal. Ensure the rules are configured to automatically encrypt (or block) content that matches your sensitive information types, and that these policies are applied to the relevant users.
When in doubt, always consult your organization’s IT department or reach out to an expert like GiaSpace for specialized troubleshooting.
GiaSpace’s Role: Expert Support for Your Outlook 365 Email Security
Navigating the complexities of email security in Outlook 365 can be daunting, especially for businesses with limited in-house IT resources. At GiaSpace, we specialize in providing comprehensive Microsoft 365 management and cybersecurity solutions for businesses across Florida – from Gainesville to Miami.
Our experts can help you:
- Assess Your Current Security Posture: Identify vulnerabilities and recommend the optimal encryption and security features for your specific business needs.
- Implement & Configure OME/Purview Encryption: Ensure Microsoft 365 Message Encryption is properly set up and tailored to your organization’s compliance requirements.
- Deploy S/MIME Certificates: Guide you through obtaining, installing, and configuring digital certificates for enhanced S/MIME security.
- Develop & Enforce DLP and Sensitivity Label Policies: Create intelligent rules that automatically protect sensitive data, reducing the risk of accidental exposure.
- Provide User Training: Educate your team on best practices for secure email, ensuring high adoption rates and minimizing human error.
- Ongoing Monitoring & Support: Proactively monitor your email security, troubleshoot issues, and ensure your system remains protected against evolving cyber threats.
Partner with GiaSpace to transform your Outlook 365 email from a potential liability into a secure, compliant, and efficient communication channel.
Frequently Asked Questions About Outlook 365 Email Security
Here are answers to common questions about securing your emails in Outlook 365:
Q: What’s the main difference between OME and S/MIME?
A: OME (Microsoft 365 Message Encryption) is cloud-based, easier to deploy broadly, and recipient-friendly, even if they don’t use Outlook. S/MIME is certificate-based, provides stronger identity verification (digital signatures), and requires both sender and recipient to have S/MIME configured. OME is generally recommended for broad business use, while S/MIME is often used in highly regulated industries.
Q: Can I encrypt an email if the recipient doesn’t use Outlook 365?
A: Yes, with Microsoft 365 Message Encryption (OME), you can send encrypted emails to any email address. Recipients without Outlook 365 will access the message via a secure web portal. S/MIME also works cross-platform, but requires the recipient to have S/MIME configured and your public key.
Q: Does simply adding “Confidential” to the subject line make an email secure?
A: No. Adding words like “Confidential” to the subject line is a common practice for internal classification, but it provides no actual encryption or security. You must actively apply encryption or sensitivity labels for real protection.
Q: What happens if an encrypted email is intercepted?
A: If an encrypted email is intercepted by an unauthorized party, they will only see scrambled, unreadable data. Without the correct decryption key (which only the intended recipient possesses or can securely access), the content remains protected.
Q: How do I know if an email I received is encrypted?
A: In Outlook, you’ll typically see a banner at the top of the message indicating that it has restricted permissions or is encrypted. For OME, external recipients will often see a notification email with a link to the secure portal.
Q: Is email encryption a substitute for Data Loss Prevention (DLP)?
A: No, they are complementary. Encryption protects data in transit and at rest. DLP proactively prevents sensitive data from being sent improperly in the first place, or flags it for review. Both are crucial for comprehensive data security.
Published: Jun 16, 2025