Sending sensitive information like contracts, financial details, or personal data via email requires an extra layer of security. This guide shows you how to encrypt email in Outlook, turning your message into unreadable code that only your intended recipient can unlock. We'll cover the two main methods: the straightforward Microsoft 365 Message Encryption for subscribers, and the more traditional S/MIME certificate method. Following these steps ensures your confidential communications stay private from the moment you click 'Send'.
Fast Answer
- Microsoft 365 Users: In a new email, go to Options > Encrypt and choose a policy like Encrypt-Only.
- S/MIME Users: In a new email, go to Options > Encrypt with S/MIME (requires a pre-installed certificate).
Before You Start
- An active Outlook email account: This guide applies to the Outlook desktop app for Windows and Mac, as well as Outlook on the Web.
- A qualifying Microsoft 365 subscription (for the easiest method): Features like Microsoft 365 Message Encryption (OME) are included in plans such as Microsoft 365 Business Premium, E3, or E5. Check your subscription details first.
- A digital certificate (for the S/MIME method): If you don't have the right M365 plan, you'll need a personal digital ID from a Certificate Authority. Your company's IT department may provide this for you.
Step-by-Step Instructions
Check Your Outlook Version and Subscription
Before you can encrypt anything, you need to know which tools you have available. The method you use depends entirely on your Microsoft Office licence. This quick check will save you a lot of time.
In the Outlook desktop app, go to the top-left corner and click File. In the new menu that appears, select Office Account (or just 'Account' in some versions). Look under 'Product Information'. Here you'll see your subscription type, such as 'Microsoft 365 Apps for Business' or 'Office Home & Student 2021'.
If you have a subscription that includes 'Microsoft 365 Business Premium', 'E3', 'E5', or similar enterprise-level plans, you most likely have access to the simple Microsoft 365 Message Encryption (OME). If you have a basic, personal, or older standalone version of Office, you will likely need to use the S/MIME method instead.
Method 1: Encrypting with Microsoft 365 Message Encryption (OME)
This is the simplest and most common method for business users. It doesn't require any complex certificate setup. If your subscription from Step 1 qualifies, this is the way to go.
- Compose a new email in the Outlook desktop app or on the web.
- Write your message and add your attachments as you normally would.
- In the message window, navigate to the Options tab in the top ribbon.
- Look for a button labelled Encrypt or a dropdown menu labelled Permissions. Click it.
- You will see several policies. For standard protection, choose Encrypt-Only. This scrambles the message content so only recipients can read it, but they can still copy, print, and forward it.
- For stricter control, you can choose Do Not Forward. This option encrypts the email and also prevents the recipient from forwarding, printing, or copying the content. Other custom policies set by your organisation might also appear here.
- Once selected, you'll see a confirmation message at the top of the email, such as "This message is encrypted. Recipients can't remove encryption." You can now send the email securely.
Method 2: Setting Up S/MIME Encryption
If you don't have a qualifying Microsoft 365 subscription, you'll need to use S/MIME (Secure/Multipurpose Internet Mail Extensions). This method is an older industry standard that relies on a personal digital certificate that you must obtain and install.
First, you need a Digital ID. Your company's IT department may issue one. If you're an individual, you'll need to obtain one from a commercial Certificate Authority (CA). Once you have the certificate file (often a .pfx or .p12 file):
- In Outlook, go to File > Options > Trust Center.
- Click the Trust Center Settings... button.
- Select Email Security from the left-hand menu.
- Under the 'Encrypted email' section, click the Import/Export button.
- Browse to find your digital certificate file, enter the password you were given with it, and follow the prompts to install it.
- Once installed, you can go back to the 'Email Security' screen and click the Settings button. Here you can name your security settings and choose the certificate you just installed for signing and encrypting. Ensure you check the box to 'Add digital signature to outgoing messages' as a default, which is crucial for the next step.
The Crucial Step for S/MIME: Exchanging Keys
S/MIME encryption will not work unless you have the recipient's public key, and they have yours. You can't just send an encrypted email to someone out of the blue. The easiest way to exchange these keys is by sending each other digitally signed emails.
Send a digitally signed (but not encrypted) email to your contact. To do this, compose a new message, go to the Options tab, and click Sign. When your recipient gets this email, they should right-click your name in the 'From' field and choose 'Add to Outlook Contacts'. This action saves your certificate (your public key) with your contact information on their computer.
You must ask them to do the same for you. Once you receive a digitally signed email from them and add them to your contacts, Outlook will have stored their public key. Now, and only now, can you send them an S/MIME encrypted email.
Sending an S/MIME Encrypted Email
After completing the setup and key exchange, sending an encrypted message is straightforward. The hard part is over.
- Open a New Email and address it to the recipient whose key you have saved.
- Go to the Options tab in the ribbon.
- Click the Encrypt button. You should see a small blue lock icon appear. This confirms that S/MIME encryption will be applied. Note that this is a different button/icon than the OME 'Encrypt' dropdown with policies.
- Compose your message and click Send. Outlook will use the recipient's public key (which you stored earlier) to encrypt the message before it leaves your outbox. Only they, with their matching private key, can decrypt and read it.
Understanding the Recipient's Experience
How your recipient views the message is a critical part of the process. Understanding this helps you manage expectations and provide clear instructions.
- Microsoft 365 (OME) Recipient: If they also use a modern version of Outlook with a Microsoft 365 account, the email will likely open just like any other message, with a small banner at the top indicating it's encrypted. If they use Gmail, Yahoo, or another service, they will get an email with an attachment or a link. Clicking it will take them to the Office 365 Message Encryption portal, where they may need to log in with their Google/Yahoo account or use a one-time passcode sent to their inbox to view the message securely in their web browser.
- S/MIME Recipient: If you have correctly exchanged keys, the experience is seamless. The email arrives in their inbox, and Outlook automatically uses their private key to decrypt it. They will see a small certificate or lock icon indicating the message was secure, but they won't have to take any extra steps. If you have not exchanged keys, they will receive an unreadable, garbled message and an error.
For this reason, unless you have a specific requirement for the S/MIME standard, the Microsoft 365 OME method is generally more user-friendly for recipients who are not technically savvy.
Quick Reference
| Situation | Use This Method | Why |
|---|---|---|
| Sending sensitive data to a colleague inside your company. | Microsoft 365 Encryption (OME) | It's the easiest method, requires no setup, and works seamlessly for internal users. |
| Sending a contract that you don't want printed or forwarded. | OME with 'Do Not Forward' policy | This applies Information Rights Management (IRM) to prevent unauthorized sharing. |
| Communicating securely with an external government agency or partner who requires S/MIME. | S/MIME Encryption | This is an established industry standard often required for formal, high-security communication. |
| Sending a quick confidential note to a friend using Gmail. | Microsoft 365 Encryption (OME) | It provides a secure portal for them to read the message without needing complex certificates. |
Common Problems When You Encrypt Email in Outlook
Even with the right setup, you can run into a few common issues. Here’s how to troubleshoot them.
- Problem: The 'Encrypt' button is missing or greyed out.
Solution: This usually means one of two things. For OME, your Microsoft 365 licence doesn't support the feature. Check your subscription plan or contact your IT admin. For S/MIME, it means either your certificate isn't correctly installed in the Trust Center, or Outlook can't find a public key for one of your recipients. - Problem: My recipient says they can't open the email.
Solution: If you used OME, gently guide them through the process of clicking the link and using the one-time passcode. They may be wary of the extra steps. If you used S/MIME, this is a clear sign that you do not have their public key. You must exchange digitally signed emails with them first before you can send them an encrypted message. - Problem: Outlook gives me an error about 'No matching certificates'.
Solution: This S/MIME error occurs when the email address you are sending from (your 'From' address) does not exactly match the email address listed inside your digital certificate. This can happen if you have multiple email aliases. You must either get a new certificate for the alias or make sure you are sending from the primary address associated with your current certificate.
Advanced Tips for Encrypting Email in Outlook
Once you're comfortable with the basics, you can use these tips to streamline your secure communications.
- Create a Rule to Automate Encryption: You can set up an Outlook rule to automatically encrypt messages that meet certain criteria. For example, you can encrypt all emails sent to a specific recipient (like your solicitor) or any email with "[CONFIDENTIAL]" in the subject line. Go to File > Manage Rules & Alerts > New Rule, choose 'Apply rule on messages I send', set your conditions, and on the 'actions' screen, select 'apply security setting' and choose your OME policy or S/MIME setting.
- Digitally Sign vs. Encrypt: These are not the same. A digital signature proves you are the sender and that the message hasn't been tampered with (authenticity and integrity). Encryption hides the content of the message (confidentiality). For highly sensitive messages, you can apply both by clicking both the 'Sign' and 'Encrypt' buttons in the Options tab.
- Encrypt All Messages by Default: If your work requires all communication to be secure, you can set encryption as the default. Go to File > Options > Trust Center > Trust Center Settings > Email Security. Check the box that says 'Encrypt contents and attachments for outgoing messages'. Use this with caution, as it will prevent you from sending emails to anyone for whom you don't have an S/MIME key, which can be disruptive.
How To Encrypt Email In Outlook FAQ
Is Outlook email encrypted by default?
Do I need to pay extra to encrypt email in Outlook?
Can I encrypt email attachments in Outlook?
What's the difference between S/MIME and Microsoft 365 Message Encryption?
Final Checklist for Encrypting Email in Outlook
Before you hit send on that next confidential message, run through this quick checklist.
- Subscription Verified: I've checked my Office Account details to confirm if I have access to Microsoft 365 Message Encryption.
- Method Chosen: I know whether I'm using the simple OME policy or the more complex S/MIME certificate method.
- S/MIME Setup Complete (if applicable): My digital certificate is installed in the Trust Center, and I have successfully exchanged signed emails with my recipient.
- Recipient Notified: I have given my recipient a heads-up that they will receive an encrypted email and may need to take an extra step to open it.
- Correct Policy Applied: In the 'Options' tab, I have selected the right level of protection (e.g., 'Encrypt-Only' or 'Do Not Forward').
- Visual Confirmation: I can see the confirmation banner at the top of my draft email stating that encryption is active before I click send.
Reader note
When a page mentions a commercial resource, Hotgingerweb tries to keep the decision criteria visible beside the link. The practical fit matters more than the promotion.
