Do you want to Encrypt email messages in Outlook? 

This guide will help you.

As security challenges mount, it's essential to implement the best protection for the platform itself and all emails within Outlook.   

Microsoft offers built-in encryption options with benefits and downsides for each one.

To protect the privacy of an email message, we encrypt it. 

Encrypting an email message in Outlook means it is converted from readable plain text into scrambled ciphertext.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Outlook related queries.

In this context, we shall look into how to encrypt email messages in Outlook.

The need to encrypt email messages in Outlook ?

When we need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it is converted from readable plain text into scrambled ciphertext.

Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading.

Any recipient without the corresponding private key, however, sees indecipherable text.

Outlook supports these encryption options:

1. S/MIME encryption

To use S/MIME encryption, the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard.

2. Microsoft 365 Message Encryption (Information Rights Management)

To use Microsoft 365 Message Encryption, the sender must have Microsoft 365 Message Encryption.

3. Using Email Encryption Add-ins

The right Outlook email encryption add-in can let us send encrypted to any recipient (any email address, including free webmail users) using any email account. So this option to encrypt email in Outlook combines the best of both the previous two options. Also, this is likely the lowest cost option, or even free.

New Encrypt button and updates to email encryption

With the new Office update, email encryption in Outlook got better.

The Permissions button is replaced with the Encrypt button.

The new Encrypt button contains both encryption options (S/MIME and IRM). 

The S/MIME option is only visible if we have the S/MIME certificate configured in Outlook.

Methods to Encrypt email messages in Outlook ?

The best Outlook email encryption option depends on the ease of use for us and our recipients, available features such as access to encrypted messages outside Outlook, costs, and other capabilities.

Moving ahead, let us see methods to encrypt email messages in Outlook.

1. Encrypting with S/MIME

Configure certificate installed in the computer

Before we start this procedure, we must first have added a certificate to the keychain on our computer. 

Once we have our signing certificate set up on the computer, we will need to configure it in Outlook:

i. Under the File menu, select Options > Trust Center > Trust Center Settings.

ii. In the left pane, select Email Security.

iii. Under Encrypted email, choose Settings.

iv. Under Certificates and Algorithms, click Choose and select the S/MIME certificate.

v. Choose OK

vi. Finish composing the email and then select Send.

In between, for Office Insiders with Microsoft 365 subscription, we follow:

i. In the email message, choose Options, select Encrypt, and pick Encrypt with the S/MIME option from the drop-down.

ii. On the other hand, for Outlook 2019 and Outlook 2016:

iii. In the email message, choose Options, select Permissions.

Import the certificate that is not installed on the computer

Once we have purchased the certificate, open or go to the Outlook application on the computer and follow these steps:

i. On the top left, click File >> Options

ii. In the new window that opens, click Trust Center >> Trust Center Settings.

iii. Then click Email Security in the left pane.

iv. Under the heading Digital IDs (Certificates), click Import/Export.

v. A window opens, here, make sure to select Import existing ID. Then browse for the certificate file (typically a .pfx file). Enter the password associated with the certificate file and click OK.

vi. A pop-up informs us that the security level is set to Medium. It is best to leave it at Medium. Click OK.

vii. At times, free certificates cause a warning, informing us that Windows cannot validate that the certificate is actually from the claimed certificate authority. If we get such a warning and wish to use the certificate anyway, click Yes to continue.

viii. The Import/Export window will now close automatically. Click OK on the Trust Center window to close it.

Share the certificate with each recipient

To share the certificate, send a digitally signed message to each email recipient to whom we intend to send encrypted email in the future.

Here is how our Support Experts do it:

i. Compose a new email in Outlook.

ii. On the new message window, click Options.

iii. Then click the little icon next to More Options.

iv. The Properties window will open, click on Security Settings.

v. In the Security Properties window that opens, click Add digital signature to this message and then Close the Properties window.

vi. Send the message to the intended email recipient(s).

In addition, we sent the public key portion of the certificate.

So others can encrypt the message they need to send to us.

Add Recipient's Certificate to Contact Data

Every email recipient who receives an encrypted email should follow the following steps:

i. Open the digitally signed email.

ii. Where the “From” information for the message is shown, right-click the sender’s name and click Add to Outlook Contacts. However, if we already have the contact, we use the option to Edit/Update contact.

iii. In the contact card that opens, click Certificates.

iv. The contact card will show a list of certificates with at least one certificate for that contact and when we select that certificate, it will show a message informing us that we can use the certificate to encrypt messages that we send to this contact.

To Send Encrypted Email:

As always, start a new email message.

i. In the new message window, click Options in the top menu.

ii. Then click the little icon next to More.

iii. In the Properties window that opens, click Security Settings.

iv. In there, click the checkbox next to Encrypt message content and attachments.

Since we can’t encrypt the subject line, it is good to include something insensitive but appropriate to the content.

v. Then click OK on this window and then Close on the previous one.

vi. Finally, Send.

2. Encrypt with Microsoft 365 Message Encryption

Microsoft 365 subscribers can follow the below steps:

a. In the email message, choose Options >> Encrypt

b. Pick the encryption that has the restrictions we want to enforce.

For Outlook 2019 and 2016:

a. In the email message, select Options >> Permissions

b. Pick the encryption that has the restrictions we like to enforce.

i. Encrypt a single message:

a. In the message that we are composing, click File >> Properties.

b. Click Security Settings and then select the Encrypt message contents and attachments check box.

c. Then click Send.

ii. Encrypt all outgoing messages:

a. On the File tab. choose Options >> Trust Center >> Trust Center Settings.

b. On the Email Security tab, under Encrypted email, select the Encrypt contents and attachments for outgoing messages check box.

c. To change additional settings, such as choosing a specific certificate to use, click Settings.

iii. Send encrypted mails:

a. Compose a New Email.

b. Click Options in the top menu and then click Encrypt.

c. We can see a message informing us that encryption is applied to this message.

d. Finally, click Send as usual to send it.

3. Outlook Encryption Add-ins

This is likely the best method to send encrypted messages to recipients who may not have any encryption set up in their own email accounts.

On the web page that displays our secure message:

a. The user may view the message and download any attachments.

b. Choose to set a password: For security reasons, the message will automatically expire, unless the recipient selects the option to set a password and retain indefinite access.

c. Choose to send a secure reply.

The add-ins fall into two types:

a. Stand-alone Add-ins: These encrypt the email purely on our and our recipient's computers.

b. Packaged Add-ins: These add-ins are offered as part of a package that additionally includes a client portal or file sharing service.

How to resolve Possible error experienced while Encrypting email messages in Outlook ?

Recently we had a customer who came across an error while sending S/MIME encrypted mails from OWA.

A dialog box displays the following error message:

Outlook Web Access could not find your digital ID for encryption. If your digital ID is on a smart card, insert the card in the card reader, and then try to send the message again. You may also try sending the message unencrypted.
If your digital ID is not trusted by the Exchange server, you cannot use it to encrypt messages. For more information, contact technical support for your organization.

Cause of this error.

In a default installation of Exchange Server 2007 or Exchange Server 2010, if the user certificate is issued to an SMTP address that's not listed on the Active Directory account, then OWA won't use the certificate.

Solution to this error:

To resolve this issue, we must obtain a digital ID.

If we have a Digital ID for S/MIME emails, but the SMTP address doesn’t match the Exchange Server mailbox account, the Exchange Administrator can enable the following registry value to allow for the selection of the user certificate.

This allows users to select the certificate to sign outgoing messages. 

The OWA client will bypass the SMTP name check.

Use the steps below to enable this OWA feature.

i. Click Start >> Run >> regedit, and press Enter.

ii. Expand HKLM\System\CurrentControlSet\services\MSExchangeOWA\SMIME

iii. Right-click the SMIME key and click New > DWORD (32-bit).

iv. Name the new DWORD value AllowUserChoiceOfSigningCertificate

v. Then double-click AllowUserChoiceOfSigningCertificate and set the value to 1.

vi. Eventually, close the registry editor.

vii. Then click Start > Run, type cmd, and click Enter.

viii. From the command prompt run IISReset /noforce. Or, we can restart the IIS Admin service in Services.msc.

Once we configure the registry key, the user will see a new option under the E-Mail security section in the OWA options.

i. Sign in to OWA and click Options.

ii. Then click Email security.

iii. Under the Select Certificate for Mail Signing section, change the radio button to manually pick the certificate.

iv. Click Choose Signing Certificate…. A new window will open displaying available user certificates.

v. Then select the appropriate certificate and click OK.

[Need help with encryption in Outlook? Feel free to contact us. ]