How to Set up Email Encryption in Office 365


Of all the acronyms in the alphabet soup of IT, and of security in particular, CIA is one of the most commonly used. Although the words it represents are nowhere near as exciting as its namesake, the Central Intelligence Agency, they underpin cyber security.

The CIA “triad” I’m referring to here, Confidentiality, Integrity and Availability, is the model used in the development of IT security systems. It provides assurance that data is kept private, isn’t altered, and is accessible only by authorized persons.

This article addresses a topic that falls under Confidentiality: encryption. Encryption takes plain text and converts it into ciphertext, a series of unintelligible characters, while it is in transit from the source to the destination. It’s been around in Office 365 for longer than you may think. So read on and find out how Office 365 email encryption works and how to use it.

Does Office 365 have email encryption?

Why yes! In fact, Office 365 has several email encryption options available using three different methods:


  1. Microsoft Purview Message Encryption/Office 365 Message Encryption (OME)
  2. Information Rights Management (IRM)
  3. Secure/Multipurpose Internet Mail Extensions (S/MIME)

Microsoft’s documentation does an excellent job of describing the what, why and when for each in a table. I’ve created an abbreviated table below; for the full version, see Microsoft’s document “Office 365 mail encryption”.

| Technology | OME | IRM | S/MIME |
| --- | --- | --- | --- |
| Service description | Send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, etc.). | Applies usage restrictions to email messages. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. | Certificate-based encryption solution that allows you to both encrypt and digitally sign a message. Uses public/private key exchange. |
| Limitations | Can’t apply usage restrictions to messages. For example, you can’t use it to stop a recipient from forwarding or printing an encrypted message. | Some applications may not support IRM emails on all devices. Further details here: Client device capabilities. | Doesn’t allow encrypted messages to be scanned for malware, spam, or policies. |
| Recommendations and example scenarios | When you want to send sensitive business information to people outside your organization. | When you want to apply usage restrictions as well as encryption. | When either your organization or the recipient’s organization requires true peer-to-peer encryption. |

What are the benefits of encrypting emails?

The key benefit of encrypting email is that the contents of the email can only be seen by the sender and the recipient. There are many other benefits, some of which are more appealing depending on the individual or industry.  

Although this article is focused on Office 365 email encryption, it is worth mentioning the benefits for individuals too. There is a widespread belief that your personal email is a secure method of exchanging information. This is a false belief, and there are many articles explaining the dangers of this assumption. There are many scenarios in which being able to securely exchange your personal emails with someone else is advantageous to you. For example, sending credit details to a travel agent for a booking, or a myriad of other situations in which you need to transmit sensitive information and need to ensure it can only be read by a specific person or persons.

For businesses with sensitive product information, for example in an industry like aviation, where trade secrets must be heavily protected, the ability to encrypt email significantly reduces the chance of corporate espionage. They would benefit from using IRM for encryption so that they can apply different types of templates with restrictions to the outgoing email. These range all the way from preventing an email from being forwarded to even preventing screenshots using a local application. It’s not a bullet-proof solution though, and where there’s a will, there’s a way! Someone intent on obtaining the details could simply take a photo using their mobile phone.

That leaves S/MIME as the last one to discuss. 

S/MIME is the senior citizen in this encryption family. It’s one of the oldest email encryption technologies and has been around since the 1990s. S/MIME makes use of certificate-based authentication for both encryption and digital signing. When used for digitally signing emails, it also provides data integrity (remember the CIA triad…).

S/MIME is commonly used by government departments and organizations that need enterprise-wide security, and by businesses needing to be compliant with regulations such as PCI, HIPAA and the other usual suspects.

How does Office 365 email encryption work?

Ah, the secret sauce! Well, not so secret as it’s literally documented by Microsoft how it all fits together.

Although Microsoft make a distinction between OME and IRM, they are both built on Azure Rights Management (Azure RMS). Azure RMS, the platform used for IRM, is Microsoft’s cloud-based protection technology designed to “protect files and emails across multiple devices, including phones, tablets, and PCs by using encryption, identity, and authorization policies” (What is Azure Rights Management? – AIP | Microsoft Docs).

S/MIME encryption uses asymmetric (public/private key) cryptography and is certificate-based, so both sender and receiver must have certificates. The sender encrypts the email using the recipient’s public key, and the recipient decrypts it using their own private key.
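The public/private key split described above can be seen with PowerShell's CMS cmdlets, since CMS is the message format S/MIME is built on. This is an added example, not part of the original article and not an Outlook S/MIME configuration; it assumes Windows with the PKI module, and the certificate name, file path and message text are constructed.

```powershell
# Added illustration; every name and value below is constructed for the example.

# Recipient side: create a key pair. The certificate carries the public key,
# the private key stays in the recipient's certificate store.
$cert = New-SelfSignedCertificate -DnsName 'recipient.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -Type DocumentEncryptionCert

# The recipient shares only the public half (a .cer file has no private key).
$publicCer = Join-Path $env:TEMP 'recipient-public.cer'
Export-Certificate -Cert $cert -FilePath $publicCer | Out-Null

# Sender side: encrypting needs nothing but the recipient's public certificate.
$envelope = Protect-CmsMessage -To $publicCer -Content 'Booking reference (constructed sample)'

# Recipient side: decryption works because the matching private key is present.
Unprotect-CmsMessage -Content $envelope

# Delete the key pair and try again: without the private key the same
# envelope can no longer be opened, by the recipient or anyone else.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
try {
    Unprotect-CmsMessage -Content $envelope -ErrorAction Stop
}
catch {
    "Decryption failed without the private key: $($_.Exception.Message)"
}

Remove-Item -Path $publicCer
```

The last step is also why S/MIME private keys need a backup or escrow plan: losing the key means losing access to every message encrypted to it.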

How do I encrypt emails in Office 365?

The good news is that when sending emails using Outlook on the web, encrypting emails is incredibly easy. So easy in fact that you can do so by simply clicking on the “Encrypt” button when composing a new message. 

Similarly, when using the Outlook client, choose the option “Encrypt” from the toolbar and select the degree of encryption you want to use.

So, what does each option effectively do?

  1. Encrypt: The message remains encrypted and doesn’t leave the Microsoft 365 ecosystem. If the recipient reads this message using the web client, the Outlook mail app, or Mail in Windows 10, the decryption experience is totally seamless for them. For all other situations, the recipient will receive an email with instructions on how to read the encrypted message.
  2. Encrypt and Prevent Forwarding: Reading the message works the same as with the “Encrypt” option. Any Microsoft Office attachments (e.g., Word, Excel or PowerPoint) will remain encrypted even after they are downloaded, thanks to Azure RMS. All other attachments can be downloaded with encryption.

Another option I mentioned earlier is using Transport Rules. As an Administrator, you use Transport Rules in Exchange Online to encrypt emails based on specific criteria. To do this, choose the option “Apply Office 365 Message Encryption and rights protection to messages” 

This presents a series of various actions you can then apply.
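The same kind of rule can be created from Exchange Online PowerShell, which makes it easy to trial it in audit mode before it touches real mail. This is an added example, not taken from the original article; the admin account, rule name and the “[secure]” subject tag are assumptions chosen for illustration.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange
# administrator role. The account below is a hypothetical placeholder.
$admin = 'admin@contoso.example'
Connect-ExchangeOnline -UserPrincipalName $admin

# 1. Check that the tenant can issue Azure RMS licenses. If it cannot,
#    an encryption rule has nothing to apply.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is disabled for this tenant.'
}
Test-IRMConfiguration -Sender $admin

# 2. List the protection templates a rule can reference.
#    "Encrypt" and "Do Not Forward" are the built-in options.
Get-RMSTemplate | Select-Object Name

# 3. Create the rule in audit mode: it is evaluated and logged,
#    but messages are not yet modified.
$rule = @{
    Name                          = 'Encrypt external mail tagged [secure]'  # hypothetical
    SentToScope                   = 'NotInOrganization'
    SubjectContainsWords          = '[secure]'                               # hypothetical tag
    ApplyRightsProtectionTemplate = 'Encrypt'
    Mode                          = 'Audit'
}
New-TransportRule @rule

# 4. After reviewing which messages matched, switch the rule to enforcement
#    and confirm the resulting settings.
Set-TransportRule -Identity $rule.Name -Mode Enforce
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

Scoping the rule with a condition such as SentToScope keeps internal mail unaffected; swapping the template to 'Do Not Forward' adds the usage restrictions described for “Encrypt and Prevent Forwarding”.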


When it comes to encryption, Office 365 email encryption offers quite a few choices and levels of granularity, both for personal or business consumers and for Administrators ensuring emails are kept confidential.

The ease with which you can send encrypted messages is hard to beat. So, what are you waiting for?