Does Microsoft Outlook Use Email Encryption?

Microsoft Outlook, a tool used by over 400 million users globally, offers a level of email encryption to safeguard everyday emails.

But is this encryption sufficient for businesses that need to send sensitive information to their customers?

Let's take a look.

Understanding the Basics of Email Encryption

Encryption disguises the contents of your email, transforming messages and attachments into a code that human eyes can't read.

It achieves this through the use of 'keys'—strings of randomly generated numbers used to encode data.

Encryption is particularly relevant to business emails.

The UK Information Commissioner's Office (ICO) advises that all personal information sent by email should be protected using encryption.

"Email encryption is a cornerstone of secure communication, especially for businesses handling sensitive customer information.

Choosing the right encryption method makes sure your data is protected without compromising usability."

Paul Holland, Founder, Beyond Encryption

Email Encryption in Microsoft Outlook

Microsoft Outlook offers different levels of email encryption, depending on your preference and budget.

1. Transport Layer Security (TLS)

As one of the most basic encryption methods on the market, TLS is offered natively with the basic Outlook package.

It works by encrypting the connection between you and your recipients' email providers, preventing unwanted access to a message on its journey.

Emails using TLS encryption may not remain encrypted once they have reached the recipient’s inbox, leaving them vulnerable to attacks.

TLS for email is also associated with known incompatibility problems with some email clients. That's why, on its own, it is not enough for sensitive data.

2. S/MIME (Secure/Multipurpose Internet Mail Extensions)

Unlike TLS, which encrypts the transmission, S/MIME encrypts the contents of emails themselves and not just the connection.

It requires that both sender and recipient have a mail application that supports S/MIME, and both must exchange 'digital certificates'.

S/MIME can provide solid protection for sensitive information.

However, it can be inconvenient for communication with recipients who may not have the necessary setup (for example, customers).

Setting up S/MIME certificates on devices may be difficult for people who aren't familiar with digital configuration and settings. 

Learn more about encrypting emails with S/MIME.
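The difference between TLS (protecting each hop) and S/MIME (protecting the content) can be read from a message's own headers. The following Python sketch is an added example, not code from Microsoft or Beyond Encryption; the two sample messages, their hostnames and IDs are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (not real traffic); hosts and IDs are made up.
TLS_ONLY = """\
Received: from mail.sender.example by mx.recipient.example with ESMTPS id a1
\t(version=TLS1_3); Mon, 06 Jan 2025 10:00:00 +0000
Received: from [198.51.100.7] by mail.sender.example with ESMTPSA id b2;
\tMon, 06 Jan 2025 09:59:58 +0000
Subject: Your statement
Content-Type: text/plain; charset="utf-8"

Account number 12345678
"""
SMIME = """\
Received: from mail.sender.example by mx.recipient.example with ESMTP id c3;
\tMon, 06 Jan 2025 10:05:00 +0000
Subject: Your statement
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIB-constructed-placeholder
"""

# RFC 3848 "with" keywords: a trailing S (ESMTPS, ESMTPSA, LMTPS) means STARTTLS.
TLS_HOP = re.compile(r"\bwith\s+\w*MTPSA?\b|version=TLS", re.I)
PKCS7 = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify(raw):
    """Report transport protection per hop and content protection separately."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []  # server-written trace, not proof
    smime_type = str(msg.get_param("smime-type") or "").lower()
    ctype = msg.get_content_type()
    if ctype in PKCS7 and smime_type.endswith("enveloped-data"):
        content = "encrypted"      # S/MIME: body stays ciphertext in the mailbox
    elif ctype == "multipart/signed" or smime_type == "signed-data":
        content = "signed-only"    # integrity, but readable
    elif ctype in PKCS7:
        content = "smime-unknown"  # no smime-type parameter to decide on
    else:
        content = "plaintext"      # readable at rest even if every hop used TLS
    return {"hops": len(hops),
            "all_hops_tls": bool(hops) and all(TLS_HOP.search(h) for h in hops),
            "content": content}

if __name__ == "__main__":
    for name, raw in (("TLS only", TLS_ONLY), ("S/MIME", SMIME)):
        print(name, classify(raw))
```

The first sample travelled over TLS on every hop yet arrives as plaintext in the inbox; the second crossed an unencrypted hop but its body is still ciphertext.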

3. Microsoft Purview Message Encryption (MPME)

Available to Enterprise Office 365 users, MPME encrypts messages and attachments throughout their journey, known as end-to-end encryption.

Recipients of encrypted emails must click a link and then verify they have access to their inbox using a code or their Microsoft/Gmail credentials.

This decreases the risk posed by email account takeover attacks and is suitable for protecting highly confidential data.

However, MPME can still be a challenge for recipients.

It lacks a user experience streamlined enough to deliver documents to vulnerable customers or people with low levels of technological literacy.

That's why businesses tend to use purpose-built solutions designed to be easy to access when they send sensitive information to customers.

Businesses may also be concerned that MPME has no recipient authentication features to make sure messages reach the right people.

Learn more about Microsoft's secure email offering.

The Role of Email Encryption Add-Ins

Outlook add-ins are useful integrations created by third parties for use within the Outlook application.

Add-ins can introduce additional security features such as email encryption and recipient authentication, in a user-friendly way.

For example, our Outlook email encryption add-in for secure email provides everything you need to exchange sensitive emails safely.

It is designed for professionals or businesses to share information with their customers while protecting it in line with data regulations.

Prioritising Security with Data Classification

Before deciding whether Outlook's security is right for the information you need to email, it's important to understand data classification.

"Understanding the sensitivity of your data is the first step towards effective email security.

Data classification allows businesses to apply the right protection to the right information, ensuring efficiency and safety."

Mike Wakefield, CTO, Beyond Encryption

The process involves categorising your organisation's information based on its sensitivity.

Data Classification Levels

Classifying your data helps determine the most appropriate security measures for each type.

For example:

  • Highly Confidential: This classification applies to information with severe consequences if leaked, such as financial data, trade secrets, or personal details.
  • Confidential: This includes sensitive information that could still cause harm if exposed, like marketing strategies or internal reports.
  • Internal: This covers company information intended for internal use only, such as meeting minutes or departmental updates.
  • Public: This refers to information that can be publicly shared, like press releases or product information.

Security Measures Based on Classification

Once you've classified your data, you can choose the appropriate security measures.

Here's a guideline:

  • Highly Confidential: This level might require a combination of strong email encryption (like MPME or third-party solutions) and other solutions (for example, access restrictions within your organisation or tools that restrict copying or forwarding).
  • Confidential: For this level, S/MIME or MPME encryption might be sufficient, alongside access controls within your organisation.
  • Internal: You might choose to encrypt internal emails for additional security, but password protection or access controls might be enough depending on the information's sensitivity.
  • Public: Public information typically doesn't require encryption.

Classifying your data helps to make sure your most valuable information receives the strongest protection.

It means you can prioritise your security efforts and avoid applying excessive security measures to less sensitive data.

Finding the Right Balance

Email encryption is a great tool for protecting sensitive information, but not all of Outlook's encryption methods are created equal.

You should carefully evaluate your requirements and choose the method that's right for you or your customers' data.

"Strong email security is not just a necessity—it's a critical component of building trust through your communications."

Adam Byford, CCO, Beyond Encryption

Learn more about email encryption.

 

FAQs

What Is Email Encryption?

Email encryption transforms the content of emails into unreadable text to protect sensitive data during transmission.

How Does S/MIME Differ from TLS?

S/MIME encrypts the email content, while TLS encrypts the transmission path. Both have unique applications and limitations.

Are Email Encryption Add-Ins Worthwhile?

Yes, they provide enhanced security and usability, particularly for businesses handling sensitive data and requiring compliance with regulations.

 

Reviewed by

Sabrina McClune, 20.12.24

Sam Kendall, 04.01.25

 

Originally posted on 17 03 22
Last updated on January 4, 2025

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.
