Read time: 7 minutes

Summary: Emails play a critical role in sharing sensitive information, making email encryption essential for data security. Office 365 Message Encryption simplifies this process, ensuring secure communication even with external recipients. This article explains the encryption methods and highlights the importance of safeguarding data in the Office 365 environment. It also recommends Kernel Migrator for Exchange as a backup solution for added data protection.

Emails have seamlessly integrated into our daily lives, assuming a pivotal role. They serve as a primary means for sharing sensitive information, including financial data, legal contracts, sales reports, projections, confidential product details, and crucial customer and employee information. Consequently, email inboxes have evolved into virtual vaults housing substantial volumes of confidential data, making the risk of information leakage a formidable threat to organizations. Thus, safeguarding confidentiality becomes an imperative for every organization.

Email encryption serves as an invaluable safeguard, bolstering information security by guaranteeing that only designated recipients have the privilege to access and decipher messages. With Office 365 Message Encryption (OME), the process of sending and receiving encrypted emails, both within and beyond your organizational borders, is simplified. Office 365 message encryption seamlessly integrates with a plethora of popular email services, including, Yahoo!, Gmail, and others.

In this post, we will delve into the intricacies of Office 365 message encryption, exploring its features and functionalities, and providing a comprehensive guide on leveraging it to safeguard your externally sent emails.

How Does Encryption in Office365 Work?

Office 365 migration encryption employs advanced cryptographic techniques to transform plain, readable text into an unintelligible cipher. Subsequently, only the intended recipient possesses the decryption capability, effectively preventing unauthorized parties from compromising security.

Office 365 message encryption is built upon the foundation of the Azure Rights Management Service (Azure RMS) and offers a robust array of encryption options. This comprehensive approach includes identity and authorization policies as integral components. To safeguard your messages, you have the flexibility to employ rights management templates and mail flow rules (also known as transport rules) seamlessly, ensuring a robust encryption process within the Office 365 environment.

  • Rights Management Templates: This feature empowers you with the ability to apply robust encryption and tightly control sharing of your messages through options such as ‘Encrypt Only’ and ‘Do Not Forward.’ Furthermore, it offers a range of additional restrictions for added security.
  • Mail Flow Rules/Transport Rules: You have the ability to establish transport rules that can be targeted at specific messages or user groups, whether they are within or outside your organization. When a message aligns with the defined transport rule criteria, it is seamlessly encrypted automatically.
Who Can Send and Receive Encrypted Messages?

With Office 365 Message Encryption, you have the ability to securely send encrypted emails to recipients, irrespective of their email client preferences, whether it’s Gmail,, or any other service. Only the sender needs to have Office 365 Message Encryption to ensure the successful delivery of an encrypted email. Recipients, on the other hand, can effortlessly read the message and even send an encrypted reply without requiring a subscription to Office 365 or Outlook. This invaluable feature is supported by a range of Office365 plans, including the following:

  • Microsoft 365 Business Premium
  • Office 365 A1, A3 or A5
  • Office 365 Enterprise E3 or E5
  • Microsoft 365 Enterprise E3 or E5
  • Office 365 Government G3 or G5

Note: If you don’t currently subscribe to any of the previously mentioned plans, there is an alternative option available. You can acquire a standalone license for Azure Information Protection, granting you full access to all the functionalities offered by Office 365 Message Encryption.

Method 1: Encrypting Emails with Office365 Message Encryption

As an Office365 user, you can encrypt emails in Outlook with these simple steps:

  • Click on New Email and select the Options tab.
  • Select Encrypt and pick any options based on the restrictions you want to enforce, like Encrypt-Only or Do Not Forward.Encrypt-Only or Do Not Forward

Note: To encrypt all outgoing emails in Outlook 2016 and 2019, there are some simple steps. When you use the Trust Center settings, all the emails will automatically get encrypted when you send them.

Method 2: Configure a Sensitivity Label to Apply Encryption to Emails

A sensitivity label is a valuable tool for classifying and safeguarding data based on its sensitivity level. By implementing a sensitivity label, you can effortlessly secure emails and files through encryption. This streamlined process becomes even more efficient if your organization already employs sensitivity labels. To create a Sensitivity Label, follow the below steps:
Open Microsoft Purview Compliance Portal , select Solutions, and click on Information Protection.

  • Select Labels and click on +Create a label
  • In the New Sensitivity Label page, fill out all the necessary details about the label you are creating and click on on Next
  • In Define the Scope for this Label wizard, select items and click Next.
  • In the next window, select the Encrypt items and then click Next.
  • Now select Configure encryption settings in Encryption Window and fill in other details as shown below.Configure encryption settings
  • Click on the Assign permissions link (a blue link in the above image) and add any authenticated users who can open the email. Also, choose permissions and then click on save to apply these on save
  • Now, you have the option to do auto-labeling. You can skip this step, as we will use the transport rule later. As we have selected this label with emails and files only, you can’t modify information in the group & sites and preview steps.
  • Review your sensitivity label settings and click on create label to finish the task.
  • Creating a label can take some time. Once the process is completed, you will receive confirmation.process is completed

The next and final task is to publish the created sensitivity label to make it available for selection in the transport rule.

  • Go to the label policies and select Publish label
  • Click the choose sensitivity labels to publish and select your label. Click on Add and then Next to proceed.
  • Now, choose which user or group should have the label available. Click Done and then next to proceed.
  • In this step, you can select to use various policy settings. Click on Next.
  • Now, you have the option to apply the default label for documents, emails, and Power BI. Once done, proceed to the next step.
  • Now, name your label policy and add a description. Finally, review the policy and click on submit to publish it.
Method 3: Configure a Mail Flow/Transport Rule to Encrypt Emails Sent externally

To enable encryption for outbound emails from specific group members, you can utilize a pre-established label (as we have previously done). Follow the steps below to create a transport rule that accomplishes this:

  • Open the Exchange admin center. Click on Mail Flow and then select Rules.
  • Click on +Add a rule and choose the option ‘Apply Office365 Message Encryption and rights protection to messages.’
  • In the Set Rule Conditions wizard, give a name to the rule, like External email encryption.
  • In the Apply this rule if row, select The Recipient, then is internal/external, and at last, select Outside the organization. Click on Save.
  • Click +icon to add another condition. Here select the sender, then is a member of this group, and at last, select the group who have their emails encrypted. Click on Save.
  • Now, in the Do the following row, select Modify the message security and Apply Office365 message encryption and rights protection.
  • Click on the Select one link in the Rights protect message with section and add the sensitivity label we have published in previous steps (or a label of your choice).Click on the Select one
  • Complete the remaining steps of the process, review your rule settings, and at last, click on Finish to create a Mail flow rule/new transport rule.
  • The transport rule is disabled by default, so choose it from the rules list and enable the rule using the toggle.

After enabling the new rule, any emails or messages originating from a member of the chosen group and destined for recipients outside the organization will undergo automatic encryption.


Numerous methods are available for ways to secure data in Office 365 environment, and one particularly effective approach is through the utilization of Office 365 Message Encryption. This blog aims to provide you with valuable insights into the process of securing externally transmitted emails using Office 365 Message Encryption, offering a comprehensive understanding of this essential security feature.

We strongly recommend backing up your Office 365 data due to the inherent risks of data loss or corruption. When it comes to Office 365 backup solutions, Kernel Migrator for Exchange stands out as the top choice. This automated exchange migration tool ensures comprehensive protection by securely backing up all mailbox elements, including emails, notes, contacts, and attachments, among others.

Kernel Migrator for Exchange