If you have an Office 365 E3 subscription, it now includes encryption features that let you share confidential and personal information while ensuring that your email message stays encrypted and doesn’t leave Office 365. This is useful when you don’t trust the recipient’s email provider to be secure.

The encryption options are available in the ribbon when you’re composing a message.

Outlook.com ribbon with Encrypt button highlighted

What encryption options are available?

With an Office 365 E3 subscription, you’ll see the following:

  • Encrypt: Your message stays encrypted and doesn’t leave Office 365. Recipients with Outlook.com and Office 365 accounts can download attachments without encryption from Outlook.com, the Outlook mobile app, or the Mail app in Windows 10. If you’re using a different email client or other email accounts, you can use a temporary passcode to download the attachments from the Office 365 Message Encryption portal.
  • Encrypt and Prevent Forwarding: Your message stays encrypted within Office 365 and can’t be copied or forwarded. Microsoft Office attachments such as Word, Excel or PowerPoint files remain encrypted even after they’re downloaded. Other attachments, such as PDF files or image files, can be downloaded without encryption.

How do I send an encrypted email message?

To send a message with encryption, choose one of the options available under the Encrypt button’s “Change Permissions” option: Encrypt, Do Not Forward, Confidential and Confidential View Only.

How do I read an encrypted email message? (I’m using Office 365)

If you’re using Office 365 with the Outlook Web Access website or the Outlook mobile app, you can read and reply to encrypted messages the same way you do with unencrypted messages.

If you’re using Outlook for Windows, Outlook for Mac, or a third-party email app, you’ll receive an email message with instructions for how to read the encrypted message. You can gain access using your Microsoft account or your Office 365 account.

How do I read an encrypted email message? (I’m not using Outlook.com or Office 365)

You’ll receive an email message with instructions for how to read the encrypted message. If the encrypted message was sent to a Google or Yahoo Mail account, you can authenticate using your Google or Yahoo account or by using a temporary passcode. If the message was sent to a different account (Comcast or AOL, for example) you can use a temporary passcode. The temporary passcode will be sent to you in email.

Message received when you attempt to open an encrypted message

Are attachments also encrypted?

All attachments are encrypted. Recipients who access the encrypted email via the Office Message Encryption portal can view attachments in the browser.

Attachments behave differently after they’re downloaded depending on the encryption option used:

  • If you choose the Encrypt option, recipients with Outlook.com and Office 365 accounts can download attachments without encryption from Outlook.com, the Outlook mobile app, or the Mail app in Windows 10. Other email accounts using a different email client can use a temporary passcode to download the attachments from the Office 365 Message Encryption portal.
  • If you choose the Encrypt and Prevent Forwarding option, there are two possibilities:
    • Microsoft Office attachments such as Word, Excel or PowerPoint files remain encrypted even after they’re downloaded. This means that if the recipient downloads the attachment and sends it to someone else, the person they forwarded it to won’t be able to open the attachment because they don’t have permission to open it. Note that if the recipient of the file is using an Outlook.com account, they can open encrypted Office attachments on the Office apps for Windows. If the recipient of the file is using an Office 365 account, they can open the file in Office apps across platforms.
    • All other attachments, such as PDF files or image files, can be downloaded without encryption.

How is this different from the current level of encryption in Office 365?

Currently, Hosted Exchange with Office 365 uses opportunistic Transport Layer Security (TLS) to encrypt the connection with a recipient’s email provider. However, with TLS, the message might not stay encrypted after the message reaches the recipient’s email provider. In other words, TLS encrypts the connection, not the message.

Additionally, TLS encryption doesn’t provide the ability to prevent forwarding.

Messages encrypted with Office 365 stay encrypted and remain inside the Office 365 Service. This helps secure your email when it’s received.
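
The difference between encrypting the connection and encrypting the message shows up in a delivered message's Received headers. The following Python sketch is an added example, not part of the original article; the sample message, its hostnames and the function names are constructed for illustration. It reports which delivery hops used TLS and shows that the body is still readable on the receiving side.

```python
import email
import re
from email import policy

# Constructed sample (not real traffic). Received headers are newest first.
SAMPLE = """\
Received: from mx.recipient.example (192.0.2.10) by store.recipient.example
 with ESMTP id abc123; Tue, 02 Jan 2024 10:00:03 +0000
Received: from mail-out.sender.example (198.51.100.7) by mx.recipient.example
 with ESMTPS id def456 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
 Tue, 02 Jan 2024 10:00:02 +0000
Received: from client.sender.example (203.0.113.5) by mail-out.sender.example
 with ESMTPSA id ghi789; Tue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Q4 figures

Salary table attached in plain text.
"""

# "with" protocol keywords that indicate TLS on that hop (RFC 3848 and related).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
# Free-text hints some servers add, e.g. "version=TLS1_2" or "TLSv1.3".
TLS_HINT = re.compile(r"version=TLS|TLSv?\d", re.IGNORECASE)

def hop_report(raw):
    """Return one dict per hop, oldest first, saying whether the hop used TLS."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # normalise folded whitespace
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        tls = protocol in TLS_PROTOCOLS or bool(TLS_HINT.search(text))
        hops.append({"by": by.group(1) if by else "?", "protocol": protocol, "tls": tls})
    return hops

def plaintext_body(raw):
    """The body as any server that handled the message could read it."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg.get_body(preferencelist=("plain",)).get_content()

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(f"{hop['by']:28} {hop['protocol']:8} TLS={hop['tls']}")
    print("Body at rest:", plaintext_body(SAMPLE).strip())
```

In the sample, the two hops up to the recipient's mail exchanger used TLS, the final internal hop did not, and the body is plain text at every server regardless, which is the gap message-level encryption closes.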