Microsoft Outlook, used by over 400 million people globally, offers a level of email encryption to safeguard everyday emails. But is this encryption sufficient for businesses that need to send sensitive information to their customers? Let’s take a look.
Understanding the Basics of Email Encryption
Encryption disguises the contents of your email, transforming messages and attachments into a code that cannot be read by human eyes.
It achieves this through the use of ‘keys’—strings of randomly generated numbers used to encode data.
Encryption is particularly relevant to business emails.
The UK Information Commissioner's Office (ICO) advises that all personal information sent by email should be protected using encryption.
"Email encryption is a cornerstone of secure communication, especially for businesses handling sensitive customer information. Choosing the right encryption method ensures your data is protected without compromising usability."
— Paul Holland, Founder, Beyond Encryption
Email Encryption in Microsoft Outlook
Microsoft Outlook offers different levels of email encryption, depending on your preference and budget.
1. Transport Layer Security (TLS)
As one of the most basic encryption methods on the market, TLS is offered natively with the basic Outlook package.
It works by encrypting the connection between you and your recipients' email providers, preventing unwanted access to a message on its journey.
Emails using TLS encryption may not remain encrypted once they have reached the recipient’s inbox, leaving them vulnerable to third-party access. On its own, TLS is therefore insufficient for protecting sensitive email data.
2. S/MIME (Secure/Multipurpose Internet Mail Extensions)
Unlike TLS, which encrypts the transmission, S/MIME encrypts the content of the emails themselves and not just the connection.
It requires that both sender and recipient have a mail application that supports S/MIME, and both must exchange 'digital certificates'.
S/MIME provides appropriate protection for sensitive information. However, it is inconvenient for communication with recipients who do not have the necessary setup, for example, customers.
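To make the TLS versus S/MIME distinction concrete, the following added example (not part of the original article, and not Microsoft or Beyond Encryption code) inspects a constructed message: it reads the Received headers to see which relay hops reported TLS, and checks the Content-Type to see whether the body itself is S/MIME-encrypted. The sample message, hostnames and function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not real mail): two relay hops, only the second over TLS,
# carrying an S/MIME enveloped-data body. "AAAA" stands in for the ciphertext.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
 by inbound.example.org with ESMTPS id abc123
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
 Mon, 01 Jan 2024 10:00:02 +0000
Received: from client.example.net (client.example.net [198.51.100.4])
 by mx.example.net with ESMTP id def456;
 Mon, 01 Jan 2024 10:00:01 +0000
From: sender@example.net
To: customer@example.org
Subject: Statement
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""

# "with ESMTPS"/"ESMTPSA"/"LMTPS" (RFC 3848) or a TLS version note marks a TLS hop.
TLS_WITH = re.compile(r"\bwith\s+(?:ESMTPSA?|LMTPSA?)\b", re.I)
TLS_NOTE = re.compile(r"TLS\s*v?1[._]\d", re.I)

def hops(msg):
    """Return [(receiving_host, used_tls)] in travel order."""
    out = []
    # Relays prepend headers, so reverse them; trust only headers from your own relays.
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold the multi-line header
        by = re.search(r"\bby\s+(\S+)", text)
        tls = bool(TLS_WITH.search(text) or TLS_NOTE.search(text))
        out.append((by.group(1) if by else "?", tls))
    return out

def is_smime_encrypted(msg):
    """True when the body itself is an S/MIME enveloped (encrypted) object."""
    smime_type = str(msg.get_param("smime-type") or "").lower()
    return msg.get_content_type().endswith("pkcs7-mime") and "enveloped" in smime_type

def assess(raw):
    msg = message_from_string(raw)
    path = hops(msg)
    return {"hops": path,
            "all_hops_tls": bool(path) and all(tls for _, tls in path),
            "content_encrypted": is_smime_encrypted(msg)}
```

For the sample, one hop travelled without TLS, yet the content stays protected because the body is an S/MIME envelope; the same message with a plain-text body would have been readable on that hop.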
3. Microsoft Purview Message Encryption (MPME)
Available to Office 365 customers, MPME encrypts messages and attachments throughout their journey, an approach known as end-to-end encryption.
Recipients of encrypted emails must click a link and then verify they have access to their inbox using a code or their Microsoft/Gmail credentials. This decreases the risk posed by email account takeover attacks.
MPME is designed to help protect confidential data. However, it lacks the accessible user experience required to deliver documents to customers who may not be familiar with this type of enterprise technology.
For businesses sending secure emails, there may also be a concern that MPME has no recipient authentication features to make sure messages reach the right people.
"Understanding the sensitivity of your data is the first step towards effective email security. Data classification allows businesses to apply the right protection to the right information, ensuring efficiency and safety."
— Mike Wakefield, CTO, Beyond Encryption
Prioritising Security with Data Classification
Before choosing between specific email encryption methods, it's crucial to understand data classification.
This process involves categorising your organisation's information based on its sensitivity. Compare, for example, customer credit card details with a company announcement.
Data Classification Levels
Classifying your data helps determine the most appropriate security measures for each type. For example:
- Highly Confidential. This classification applies to information with severe consequences if leaked, such as financial data, trade secrets, or personal details.
- Confidential. This includes sensitive information that could still cause harm if exposed, like marketing strategies or internal reports.
- Internal. This covers company information intended for internal use only, such as meeting minutes or departmental updates.
- Public. This refers to information that can be publicly shared, like press releases or product information.
Security Measures Based on Classification
Once you've classified your data, you can choose the appropriate security measures. Here's a guideline:
- Highly Confidential. This level might require a combination of strong encryption (like MPME or third-party solutions), access restrictions within your organisation (e.g., role-based access control), and additional measures like digital rights management (DRM) tools that restrict copying or forwarding.
- Confidential. For this level, S/MIME or MPME encryption might be sufficient, alongside access controls within your organisation.
- Internal. You might choose to encrypt internal emails for additional security, but password protection or access controls might be enough depending on the information's sensitivity.
- Public. Public information typically doesn't require encryption.
By classifying your data, you can make sure your most valuable information receives the strongest protection.
This helps prioritise your security efforts and avoid applying excessive security measures to less sensitive data.
"Our email encryption add-in is a game-changer for businesses looking to strengthen communication security. It provides an accessible way to secure sensitive data without requiring a complete overhaul of existing systems."
— Adam Byford, CCO, Beyond Encryption
The Role of Email Encryption Add-Ins
Outlook add-ins are useful integrations created by third parties for use within the Outlook application.
Add-ins can introduce additional security features such as email encryption and recipient authentication.
For example, our Outlook email encryption add-in for secure email provides everything you need to exchange sensitive emails safely.
It is designed for businesses to share information with customers easily while maintaining compliance with data protection regulations.
FAQs
What Is Email Encryption?
Email encryption transforms the content of emails into unreadable text to protect sensitive data during transmission.
How Does S/MIME Differ from TLS?
S/MIME encrypts the email content, while TLS encrypts the transmission path. Both have unique applications and limitations.
Are Email Encryption Add-Ins Worthwhile?
Yes, they provide enhanced security and usability, particularly for businesses handling sensitive data and requiring compliance with regulations.
Reviewed by
Sabrina McClune, 20.12.24
Sam Kendall, 20.12.24