Office 365 message encryption

Let’s talk about email encryption.

That didn’t take long! I’ve never seen a room empty out that quickly. I’d like to thank the fourteen of you who are still reading. I didn’t want to say this while everyone else was here, but you’re my favorites.

If you’re in a small or midsized business, you’re probably not using email encryption. It’s always been a painful ordeal to set it up and to use it. It imposes unreasonable burdens on both the sender and the recipient.

Microsoft now offers Office 365 Message Encryption, a method of encrypting email that changes everything about that experience. It’s built into Outlook and Office 365 webmail. Once you have the right license, it requires literally no effort to set it up. Sending an encrypted message requires only a click. It’s as easy as any encryption method can be for recipients.

Most of you are still not going to use it. Your clients won’t like it, and the security advantages are pretty slim, to be honest, but it’s interesting to know that things have changed. CPAs and attorneys have special obligations, and this may be easier or cheaper than anything you’re currently using.


What is email encryption? What does it protect?

When an email message is encrypted, its contents cannot be read as it travels from your mail server to the recipient’s mail server. It is scrambled with Deep Math, and the only way to unscramble it is to prove that you are the recipient.

The short version:

  • Encryption protects a message as it travels from your mail server to the recipient.
  • Encryption prevents a message from being read by anyone other than the designated recipient.
  • However, encryption does not provide any extra protection if a mailbox is hacked because a bad guy learns the password.

Imagine that you are sending an encrypted message from your Office 365 mailbox to a Gmail address. This explanation is simplified and there are lots of caveats and details, but it will give you an idea of what’s protected.

You can read your message. It’s right there in Outlook. You wrote it, obviously you can read it, right? After you send it, it will be in Sent Items, with your other messages.

From your computer, it’s sent to the Office 365 mail server. Microsoft can read it, just like everything else in your mailbox. As it happens, Microsoft doesn’t scan your mail for advertising or nefarious invasions of privacy, but technically it could.

Microsoft encrypts your message and sends it on its way to Google’s Gmail server. It is safe on this part of the journey! Nothing can read the message along the way.

But frankly, for the most part, that’s not where the bad guys are stealing email. It’s not where hacks happen.

Once the recipient proves that they own the Gmail address, the message is decrypted, and the recipient can read it.

Without encryption, you have no control over your message after the recipient gets it. It can be forwarded freely and anyone can read it.

You get some control if you encrypt the message. Only the recipient has access to it. You can set it so it can’t be forwarded and perhaps prevent the recipient from printing it or copy/pasting it. It adds some barriers against bad guys – not impenetrable barriers, but every little bit helps.

Okay, the message was safe as it went from the Office 365 mail server to the recipient. Great! And yet . . .

  • If a bad guy steals your password, the encryption does nothing. The bad guy can log into your mailbox and read your messages.
  • Similarly, on the other end, if the recipient’s mailbox is hacked, the bad guy can read your encrypted message, just like the real recipient could.

All the efforts by the bad guys are focused on getting passwords. That’s the goal of the phishing messages that come in every day, pretending to be from Microsoft or Google.

Encryption doesn’t help if your mailbox is hacked.

How does message encryption work?

Message encryption works by magic

When you mark a message for encryption and push the Send button, magic happens and it is turned into fairy dust that is blown across the Intertubes until a computer at the other end chants a secret spell to reassemble the dust sprinkles into words.

Trust me, that is all you want to know about encryption. Periodically I take another pass at figuring out public keys and private keys and ciphertext. It makes my brain hurt. Let’s assume that it’s magic.

Using Office 365 Message Encryption in Outlook

Office 365 Message Encryption is built into Outlook and Office 365 webmail.

Small or medium business users can activate Office 365 Message Encryption (OME) by upgrading to an Office 365 E3 license, currently $20/month. It’s an extra $7.50/month over an Office 365 Business Premium license, the license many of you currently have. Users can have different licenses; you don’t have to upgrade your whole company.

(A few heavy mail users already have an E3 license, because it’s also the best way to get a bigger mailbox – it includes 100Gb of mailbox space instead of 50Gb with the cheaper plans.)

Other licenses include OME, but they’re even more expensive and include features that are only relevant to enterprises with more complex needs and IT staff to match. Technically it’s possible to set up “Azure Information Protection Plan 1” to add encryption to Office 365 Business Premium licenses, but let’s be honest, not a soul is reading this paragraph any more, amirite? Hell, I can barely pay attention, and I’m writing it.

Outlook message encryption - Options / Permission

Start a message in Outlook. When you have the right license, you can click on Options, then click on the Permission button that you’ve never noticed. The dropdown lets you choose from several options. All of them encrypt the message. The options provide additional controls over what the recipient can do with the message once it’s decrypted. Office 365 administrators have the power to customize those options or set up rules to encrypt messages automatically when appropriate.

(Pesky details: The button says “Encrypt” in webmail. It only appears in the Office 365 subscription version of Outlook, not older versions or non-subscription versions.)

The big improvement is in the experience for the recipient.

If you send an encrypted message to an Office 365 subscriber – either in your business or another business that also uses Office 365 – the recipient can view the message in Outlook or webmail without any additional steps. Microsoft already knows that the person is the authorized recipient. The message is automatically decrypted.

There are so many businesses using Office 365 that this permits you to use encrypted email with no burden whatsoever on a large percentage of your recipients.

Office 365 message encryption - link sent by email to third party email recipient

If you send an encrypted message to someone who is not an Office 365 subscriber, they receive a link with a button to “Read the message.” The only downside is that the above message looks exactly like the fake messages sent by bad guys.

When a recipient clicks on the button, they’re taken to a web page.

Office 365 message encryption - login page to view encrypted message

Microsoft has a special arrangement to authenticate anyone who uses Gmail or Yahoo mail. When they type in their mail password, Microsoft checks directly with Google or Yahoo. If the password is correct, the recipient is shown the message immediately.

Again, it looks kind of like something set up by the bad guys, doesn’t it? Your recipients might need to be reassured before they start tapping in their passwords.

For every other type of email address, the recipient has to click on the link to get a passcode by email that can be typed in to view the message. In the world of message encryption, that is a seriously streamlined process.

The recipients can send an encrypted reply to your message, but they cannot initiate a new encrypted message to you.

There are many encryption alternatives, with a wide range of prices, technical requirements, and levels of difficulty for users. Office 365 Message Encryption is the easiest for senders and recipients, and the price is daunting but not unreasonable. If you want to send encrypted mail, OME is a tempting choice.

Share This