Email encryption
Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information.
How email encryption typically works
A message is encrypted, or transformed from plain text into unreadable ciphertext, either on the sender's machine or by a central server while the message is in transit.
The message remains in ciphertext while it's in transit in order to protect it from being read in case the message is intercepted.
Once the message is received by the recipient, the message is transformed back into readable plain text in one of two ways:
The recipient's machine uses a key to decrypt the message, or
A central server decrypts the message on behalf of the recipient, after validating the recipient's identity.
Email encryption options
Using certificates for sender and recipients (S/MIME)
This option works with any email account that you have added to Outlook, but requires your recipients to also use Outlook (or another S/MIME-compatible email application). Both you and your email recipients must install and share encryption certificates.
Microsoft 365 Message Encryption (OME)
If you have a Microsoft 365 email account you can send an encrypted message using OME. This option does not require installing certificates and allows you to send encrypted messages to any email recipient.
When to use email encryption
Email encryption should be used when sending information that is classified as Confidential or Restricted. Highly Restricted information should never be transmitted by email.
For a description of the classifications and for more information, see Guidelines for secure data exchange: Choosing information transmission methods based on the security classification.
Comparison and use cases
| | Certificates (S/MIME) | O365 Message Encryption (OME) |
|---|---|---|
| Recommended for Confidential and Restricted information (see section above) | When either your organization or the recipient's organization requires true peer-to-peer encryption, for example government agencies. | Sending sensitive information to people inside or outside your organization. |
| Ease of setup | Moderate: Both you and your recipients must install certificates. | Easy: no setup required, just select the option to encrypt (Microsoft 365 email required). |
| Ease of use - sending encrypted messages | Moderate: Sender and recipient must exchange keys in advance. | Easy: In Outlook - Select options > Encrypt > Send |
| Ease of use - receiving encrypted messages | Moderate: Recipient must install a certificate. | Easy/Moderate: if you have a Microsoft account and you're using Outlook, the message should just open. If not, a passcode is required. |
| Mobile use | Moderate: Certificates need to be installed on all devices. | Easy/Moderate: if you have a Microsoft 365 account and you're using the Outlook mobile app, the message should just open. If not, a passcode is required. |
| Sending secure replies | Easy: since the recipient has also installed a certificate, they can send encrypted replies. | Easy: replies are automatically encrypted. |
Email encryption instructions
See the Email security section: Using certificates (S/MIME).
Need help?
Contact the IST Service Desk online or 519-888-4567 ext. 44357.