How to Encrypt Email in Outlook & Microsoft 365 – Complete Guide
Let’s talk about something most people don’t think about until it’s too late: what happens if the wrong person reads a sensitive email you just sent?
With remote work still everywhere, supply-chain attacks on the rise, and regulations like GDPR, DORA, HIPAA, and CCPA getting stricter every year, sending unencrypted emails with confidential information is no longer just risky — it can be financially and legally disastrous.
Microsoft 365 gives you several powerful ways to encrypt emails in Outlook — from built-in Microsoft Purview Message Encryption (formerly Office 365 Message Encryption) to sensitivity labels, S/MIME certificates, rights management (RMS), and even end-to-end encrypted options in specific scenarios. But knowing which method to use, when, and how to set it up correctly can feel overwhelming.
This guide walks you through every practical option available in 2026 — explained clearly, step by step, with real-world use cases, pros/cons, and the exact scenarios where each method shines (or falls short). By the end, you’ll know exactly how to protect sensitive emails in Outlook (desktop, web, mobile) and Microsoft 365 — whether you’re an individual, small business, or enterprise admin.
Why Email Encryption Matters More Than Ever in 2026
Email is still the #1 way businesses share sensitive information — contracts, financial data, HR documents, customer PII, health records, legal advice, source code previews, and more. Emails sent from Microsoft 365 are typically protected using Transport Layer Security (TLS) while traveling between mail servers. However, TLS only encrypts the connection during transmission. Once the email reaches the recipient’s mailbox, it can still be accessed by anyone with account access unless additional protection such as Microsoft Purview Message Encryption, sensitivity labels, or S/MIME is applied.
In 2026, the threats are real and growing:
- Business Email Compromise (BEC) attacks remain the #1 cause of financial loss (FBI IC3 2025 report)
- Advanced phishing attacks and token-theft techniques can sometimes bypass poorly configured authentication methods. This is why organizations should combine strong authentication, conditional access policies, and email encryption to protect sensitive communications.
- Supply-chain breaches expose partner email accounts
- Regulators are fining companies millions for failing to protect personal data in transit and at rest
- Microsoft Copilot respects Microsoft 365 security boundaries and user permissions. Applying sensitivity labels and encryption ensures that sensitive emails remain accessible only to authorized users and helps prevent unintended data exposure.
Microsoft 365 gives you multiple encryption layers — choose the right one based on your compliance needs, recipient type, and whether the recipient needs to be inside or outside your organization.
Overview: Encryption Options in Outlook & Microsoft 365 2026
Microsoft offers four main ways to encrypt emails in Outlook / Microsoft 365. Here’s a quick comparison:
| Encryption Method | Best Use Case | Key Features |
|---|---|---|
| Microsoft Purview Message Encryption (formerly Office 365 Message Encryption) | Secure emails to external recipients | Browser portal access, branding, revocation |
| Sensitivity Labels with Encryption | Internal and external protection with restrictions | Granular permissions, tracking, integration with Purview |
| S/MIME Certificates | True end-to-end encryption between trusted parties | Cryptographic protection, digital signatures |
| Azure RMS / AIP (Legacy) | Legacy environments or older policies | Granular rights management |
Option 1: Microsoft Purview Message Encryption (Formerly Office 365 Message Encryption) – Easiest for External Recipients
Microsoft Purview Message Encryption (formerly Office 365 Message Encryption) is Microsoft’s simplest way to send encrypted emails to anyone — even people outside your organization who don’t use Microsoft 365.
How it works in 2026:
- You compose an email in Outlook (desktop, web, or mobile)
- Apply encryption (via ribbon button or sensitivity label)
- Microsoft wraps the message in a secure portal link
- Recipient receives a notification email and can securely view the encrypted message in a browser by authenticating using a Microsoft account, Google account, or a one-time passcode.
Best use cases:
- Sending contracts, invoices, or PII to clients/customers
- Sharing HR documents with external recruiters
- Communicating with vendors who don’t use M365
Setup steps (admin level):
- Go to Microsoft Purview Compliance Portal
- Navigate to Email & Collaboration → Encryption
- Configure Microsoft Purview Message Encryption settings and policies.
- For mail flow rules: Exchange Admin Center → Mail flow → Rules
- Create a rule: If message contains sensitive info → apply Microsoft Purview Message Encryption
- Customize branding (logo, intro text, disclaimer)
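The mail flow rule from the steps above can also be created from Exchange Online PowerShell. This is an added example, not taken from the original guide: the contoso.com accounts, the rule name, and the choice of "Credit Card Number" as the sensitive information type are assumptions to replace with your own values.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange admin role.
# admin@contoso.com and user@contoso.com are placeholder accounts.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Encryption actions depend on the tenant being able to issue RMS licenses.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is disabled for this tenant; enable it before adding encryption rules.'
}

# 2. Exercise the whole path: fetch templates, then encrypt and decrypt a test message.
Test-IRMConfiguration -Sender user@contoso.com -Recipient user@contoso.com

# 3. List the templates a rule may reference ("Encrypt" and "Do Not Forward" are built in).
Get-RMSTemplate

# 4. Create the rule in audit mode first, so matches are logged but mail is not yet changed.
$rule = @{
    Name                               = 'Encrypt outbound mail with card numbers'   # assumed name
    SentToScope                        = 'NotInOrganization'                         # external recipients only
    MessageContainsDataClassifications = @{ Name = 'Credit Card Number'; minCount = '1' }
    ApplyRightsProtectionTemplate      = 'Encrypt'
    Mode                               = 'Audit'
}
New-TransportRule @rule

# 5. Run later, once message trace shows the rule matches only what it should.
Set-TransportRule -Identity $rule.Name -Mode Enforce
```

Starting in audit mode matters because a condition that is too broad would otherwise push ordinary external mail through the encrypted portal experience.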
Encrypt Emails Directly from Outlook
Users can encrypt emails directly while composing a message.
- Open Outlook
- Click New Email
- Go to Options
- Click Encrypt
- Choose one of the following options: Encrypt, Do Not Forward, Confidential / Sensitivity Label
This uses Microsoft Purview Message Encryption or Sensitivity Label policies configured by administrators.
Option 2: Sensitivity Labels with Encryption – Most Powerful & Modern Method
In 2026, sensitivity labels (part of Microsoft Purview Information Protection) are the gold standard for encrypting and protecting emails in Microsoft 365.
Why labels win:
- Auto-apply encryption + rights restrictions
- Restrict forward, print, copy/paste
- Administrators can review audit logs and activity events in Microsoft Purview to monitor access and usage of protected emails and files.
- Revoke access anytime
- Apply to emails, Teams messages, SharePoint/OneDrive files
- Integrate with Copilot (labels prevent sensitive data from being used in AI)
Best use cases:
- Internal sensitive emails (HR, finance)
- External sharing with restrictions (no forward/print)
- Regulated industries (HIPAA, GDPR)
Setup steps (admin):
- Go to compliance.microsoft.com → Information protection → Labels
- Create new label: e.g., “Confidential – Encrypted”
- Enable encryption: Assign permissions to specific users, groups, your organization, or authenticated external users who are allowed to access the encrypted message.
- Set restrictions: No forward, no print, expires in 30 days, etc.
- Publish label to users (Label policies)
- Users apply label in Outlook (ribbon button or right-click)
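The same label can be created and published from Security & Compliance PowerShell. This is an added example, not the guide's own: the admin account, the internal name `Confidential-Encrypted`, the policy name, the contoso.com domain and the 7-day offline window are assumptions. Leaving FORWARD, PRINT and EXTRACT out of the rights list is what enforces no forward, no print and no copy.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a compliance admin role.
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # placeholder account

$label = @{
    Name                        = 'Confidential-Encrypted'          # assumed internal name
    DisplayName                 = 'Confidential – Encrypted'        # label name used in the steps above
    Tooltip                     = 'Encrypted. Recipients cannot forward, print or copy.'
    EncryptionEnabled           = $true
    EncryptionProtectionType    = 'Template'                        # admin-defined permissions
    # Format: identity:RIGHT,RIGHT;identity:RIGHT
    # Granted: read, see the policy, reply. Not granted: FORWARD, PRINT, EXTRACT (copy).
    EncryptionRightsDefinitions = 'contoso.com:VIEW,VIEWRIGHTSDATA,REPLY,REPLYALL'
    # Access expires 30 days after the label is applied.
    EncryptionContentExpiredOnDateInDaysOrNever = '30'
    # Days content stays readable without re-checking the license (assumed value).
    EncryptionOfflineAccessDays = 7
}
New-Label @label

# Publish the label so it appears in Outlook for all Exchange mailboxes.
New-LabelPolicy -Name 'Confidential mail policy' -Labels 'Confidential-Encrypted' -ExchangeLocation All

# Review what was stored before telling users the label is available.
Get-Label -Identity 'Confidential-Encrypted' | Format-List
```

Review the rights list whenever the audience changes: any identity granted OWNER or EXPORT can remove the protection entirely.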
Option 3: S/MIME Certificates – True End-to-End Encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) is the only method that provides true end-to-end encryption — the message is encrypted on your device and can only be decrypted by the recipient’s private key.
When to use S/MIME in 2026:
- You communicate with external partners who also use S/MIME
- You need cryptographic proof of encryption (not portal-based)
- Compliance requires true E2EE (rare)
Drawbacks:
- Both sender and recipient need S/MIME certificates installed
- Complex setup (buy certs from DigiCert, GlobalSign, or internal CA)
- Doesn’t work with non-S/MIME recipients
- Not user-friendly for large teams
Setup in Outlook for Microsoft 365:
- Obtain S/MIME certificate (personal or from company CA)
- Import certificate into Windows Certificate Store or macOS Keychain
- In Outlook Desktop: File → Options → Trust Center → Trust Center Settings → Email Security → Import/Export
- Enable “Encrypt contents and attachments” for signed recipients
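Before pointing Outlook at a certificate, it is worth confirming that the imported certificate is actually usable for S/MIME. The following added example (not part of the original guide) audits the current user's Windows certificate store; the function name and the 30-day expiry warning are assumptions.

```powershell
# Added example: read-only audit of certificates that Outlook could use for S/MIME.
$EmailProtectionOid = '1.3.6.1.5.5.7.3.4'   # EKU "Secure Email" (id-kp-emailProtection)

function Get-SmimeCertificateStatus {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [int]$WarnDays = 30      # assumption: flag certificates expiring within 30 days
    )
    $now   = Get-Date
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $ekuOids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $kuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }
        # A certificate with no key usage extension is not restricted to specific operations.
        $unrestricted = -not $kuExt
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            # Without the private key the certificate cannot decrypt or sign anything.
            HasPrivateKey = $_.HasPrivateKey
            # No EKU extension means any purpose; otherwise Secure Email must be listed.
            EmailUsage    = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $EmailProtectionOid)
            CanSign       = $unrestricted -or [bool]($kuExt.KeyUsages -band $flags::DigitalSignature)
            # RSA keys need KeyEncipherment; elliptic-curve keys use KeyAgreement instead.
            CanEncrypt    = $unrestricted -or
                            [bool]($kuExt.KeyUsages -band ($flags::KeyEncipherment -bor $flags::KeyAgreement))
            Valid         = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
            ExpiresSoon   = $_.NotAfter -lt $now.AddDays($WarnDays)
        }
    }
}

# Show only certificates that could serve as this user's own S/MIME identity.
Get-SmimeCertificateStatus |
    Where-Object { $_.EmailUsage -and $_.HasPrivateKey } |
    Sort-Object ExpiresSoon -Descending |
    Format-Table Subject, CanSign, CanEncrypt, Valid, ExpiresSoon, Thumbprint -AutoSize
```

A certificate that shows CanSign but not CanEncrypt will let you sign mail while others cannot encrypt to you, which is a common cause of "encryption doesn't work" reports after setup.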
Option 4: Azure Rights Management Services (RMS / AIP) – Legacy but Still Supported
Older Microsoft 365 tenants and some hybrid setups still use Azure RMS / Azure Information Protection (AIP) for encryption. It has largely been replaced by sensitivity labels in 2026 but is still supported.
Sensitivity labels provide a modern way to manage encryption and rights protection in Microsoft 365. These labels use Azure Rights Management (Azure RMS) as the underlying technology while offering a simpler management experience.
When it’s still relevant:
- Legacy policies or third-party integrations
- Offline protected content requirements
Most new setups should use sensitivity labels instead — they’re simpler and more powerful.
Quick Comparison: Which Encryption Method Should You Use in 2026?
Microsoft Purview Message Encryption (formerly Office 365 Message Encryption)
When: Sending to external non-M365 users who just need to read securely.
Sensitivity Labels with Encryption
When: Internal + external protection with granular rights (no forward/print/copy).
S/MIME Certificates
When: True E2EE needed and both parties have certificates.
Azure RMS / AIP (Legacy)
When: You have old policies or integrations — migrate to labels when possible.
Final Checklist – Secure Your Emails in Outlook 2026
- Decide your use case: internal-only, external, compliance-heavy?
- For most teams: start with Sensitivity Labels + Encryption
- Enable Microsoft Purview Message Encryption for external recipients
- Use S/MIME only if both sides have certificates
- Test: send encrypted test email → verify recipient experience
- Train users: show how to apply labels in Outlook ribbon
- Monitor: use Purview audit logs to track encrypted messages
Last updated: March 05, 2026 • Written by Edvard Smith, Microsoft 365 Security & Compliance Specialist with 10+ years helping organizations secure email communication.