When it comes to safeguarding your business's communications, choosing the right secure email solution is crucial. In this review, we look at how Microsoft 365's latest offering, Microsoft Purview Message Encryption (MPME), compares to Mailock's secure email service.
MPME, which is typically included in top-tier 365 packages (such as E5) and can also be added to other plans, is an updated version of the legacy Office Message Encryption (OME). Key features include:
- Military-grade encryption
- Inbox access verification
- Audit trails (limited)
As we often receive questions regarding the differences between MPME and Mailock secure email, we'll compare the two in terms of their core features for safe customer communications.
Microsoft 365 Encryption vs Mailock: at a glance

| Feature | Microsoft Purview Message Encryption (MPME) | Mailock |
| --- | --- | --- |
| Encryption | AES-256 | AES-256 |
| 'Before you send' data loss prevention | None in MPME itself; automatic mail flow rules only | Trigger-word prompts, plus optional automatic rules |
| Inbox access verification | Microsoft sign-in, Google sign-in, one-time passcode | One-time code |
| Recipient authentication | None | SMS code, Q&A, Unipass ID |
| Revoke | Only for recipients who used the link-based experience | Any recipient, any email client |
| Read receipts | Recipient must opt in | Recorded on every open |
| Audit trails | Admin-only send record, no recipient access data | User and admin level, send and open timestamps |
| Usage and limits | Exchange Online sending limits apply (30 messages/minute, 10,000 recipients/day) | No hard ceiling; fair usage and volume pricing |
| Setup | PowerShell (Azure RMS and mail flow rules) | Installation pack or guided deployment; admin dashboard |
Overview of Microsoft and Mailock email solutions
What is Microsoft Purview Message Encryption?
Microsoft Purview Message Encryption is built on Azure Rights Management, part of the Azure Information Protection (AIP) suite of security and compliance tools in Microsoft 365. It combines email encryption with inbox access verification so that a message cannot be read if it is intercepted on its way to the intended recipient.
What is Mailock secure email?
Mailock secure email uses military-grade encryption and multi-factor authentication to deliver confidential information by email to the right person. It integrates tightly with Microsoft 365 and Windows Outlook, helping organisations to remain compliant with regulatory guidance, protect valuable data, and deliver sensitive messages at high volumes.
Microsoft Purview Message Encryption (MPME)
Microsoft Purview Message Encryption is a preventative barrier against email interception for situations where recipient authentication is not required.
MPME uses AES-256 encryption to protect the sensitive information contained in email messages, so the content of an individual email cannot be read if that email is intercepted.
Microsoft has acknowledged a weakness in the rights management encryption that OME and MPME are built on, and has said that the feature should be treated as a preventative measure rather than a security boundary. The weakness, reported publicly in 2022, is not that AES-256 itself can be broken: it is that the block cipher mode used does not hide patterns, so identical blocks of plaintext produce identical blocks of ciphertext. An attacker who collects many secure messages can compare their ciphertexts and infer repeated or structured content without ever recovering the key.
"The rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary."
This leaks structure rather than the key itself, so MPME's encryption remains a strong layer of protection that defeats the large majority of email interception attacks.
The accompanying features that MPME provides (e.g. inbox access verification and revoke) further raise the level of protection against the most common threats that emails face.
MPME itself offers no 'before you send' data loss prevention: the sender is never prompted to confirm that a message containing sensitive content should go out encrypted.
Organisations that want emails containing confidential information to go out securely therefore have to apply encryption automatically with a mail flow (transport) rule in Exchange Online, rather than relying on senders to make a manual check. For example, an administrator can create a rule that encrypts every outbound email whose subject or body contains the word 'confidential'.
The problem with this approach is that not every email containing a particular word is sensitive. A sender might mention a 'confidential' piece of information without revealing it; because the word is then quoted in every reply, every subsequent email in the thread is sent encrypted, and the sender may be entirely unaware that the thread is encrypted for their recipients.
Sending an email is such a routine act that employees will not always think twice before they hit 'send'. Some level of 'before you send' prevention is necessary, and automating it entirely is bound to leave gaps in which employees are relied on to stop sensitive messages from being sent unsecured.
Companies should invest adequately in data loss prevention training for employees using MPME unless they intend to integrate additional tools.
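The following Exchange Online PowerShell is an added example of the keyword-triggered rule described above; it is not Microsoft's own documentation or Mailock's code. It assumes the ExchangeOnlineManagement module is installed, that you sign in as an Exchange administrator, and that Azure Rights Management is already active for the tenant. The "[SECURE]" subject tag in the second rule is a hypothetical convention, not a Microsoft one.

```powershell
# Added example (not Microsoft's documentation): keyword-triggered encryption with an
# Exchange Online mail flow rule. Assumes the ExchangeOnlineManagement module is installed,
# that you sign in as an Exchange administrator, and that Azure RMS is already active.
Connect-ExchangeOnline

# Rule 1: encrypt every message leaving the organisation whose subject or body contains the
# word "confidential", using the built-in "Encrypt" rights management template.
New-TransportRule -Name "MPME: encrypt mail mentioning confidential" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "confidential" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Caveat: the rule also matches the quoted history of a thread, so once anyone mentions the
# word, every later reply is encrypted whether or not it contains anything sensitive.
# Rule 2 is a narrower alternative keyed on a tag the sender adds deliberately to the subject.
# The "[SECURE]" tag is a hypothetical convention for this example, not a Microsoft one.
New-TransportRule -Name "MPME: encrypt mail tagged [SECURE]" `
    -SentToScope NotInOrganization `
    -SubjectMatchesPatterns '\[SECURE\]' `
    -ApplyRightsProtectionTemplate "Encrypt"

# Confirm which rules apply encryption, and in what priority order, before relying on them.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Priority, Name, SubjectOrBodyContainsWords, SubjectMatchesPatterns, ApplyRightsProtectionTemplate
```

Rule 1 is the approach the paragraph warns about: it is silent to the sender and keeps firing on quoted text. Rule 2 still encrypts replies that keep the tagged subject, but encryption then follows a decision the sender made rather than an accident of quoting.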
Inbox access verification
Inbox access verification is an important preventative measure that helps to eliminate a number of the most common email threats.
An additional check that a recipient has access to their email account when they try to open a message prevents an intercepted message from being opened. MPME offers several inbox access verification types:
- Microsoft sign-in
- Google sign-in
- One-time passcode sent to the recipient's inbox
This makes it straightforward for recipients to verify their account access whichever email provider they use.
Inbox access verification does not protect emails against all risks. If an unauthorised individual has a recipient's account credentials, not only could they open all unsecured emails, they could verify their account access and open any secure emails too.
Inbox access verification may also fail to provide strong enough evidence that information has been delivered to the intended recipient, which is key for compliance with certain regulatory guidelines.
For this reason, the most secure email solutions offer recipient authentication to make sure that only the right people can access secure emails, and that evidence of this is recorded.
Microsoft does not currently offer any recipient authentication to its Purview Message Encryption users.
Many recipients of secure emails have two-factor authentication enabled on their email accounts, which helps to ensure that only the intended person can access secure emails. However, this can only be enabled by recipients and is not something over which senders have direct control.
What are the protections in place for sensitive emails that have already been sent to the wrong person?
MPME lets senders revoke secure emails under certain conditions. Senders can do this from Outlook and administrators from Exchange Online PowerShell. Revocation is part of Microsoft's Advanced Message Encryption feature set, which is bundled with some plans (e.g., E5) but not with every plan that includes MPME.
Revocation only works if the recipient received the message through the link-based experience (the encrypted message portal). If the recipient's Outlook client decrypted the message straight into their inbox, the message cannot be revoked.
In practice this means secure emails sent to other Microsoft 365 users usually cannot be revoked. If a misfired sensitive email becomes an urgent priority, a failed revoke leaves a lot of work for those responsible for isolating and containing the breach.
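The revoke path an administrator would actually follow, as an added example rather than Microsoft's documentation: locate the misfired message's Message-ID with a message trace, check whether it is eligible for revocation, then revoke it. It assumes the ExchangeOnlineManagement module, an administrator session with the Advanced Message Encryption licence, and placeholder sender and recipient addresses.

```powershell
# Added example (not Microsoft's documentation): revoking a misfired MPME message from
# Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module is installed and
# the session has the right admin role. Sender, recipient and time window are placeholders.
Connect-ExchangeOnline

# 1. Find the Message-ID of the misfired email via message trace (last 24 hours here).
$trace = Get-MessageTrace -SenderAddress "alice@contoso.com" `
    -RecipientAddress "wrong.person@example.com" `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)
if (-not $trace) { throw "No matching message found in the trace window" }
$msgId = $trace[0].MessageId

# 2. Check the message's encryption status first: only messages delivered through the
#    link-based (portal) experience can be revoked.
Get-OMEMessageStatus -MessageId $msgId

# 3. Revoke. If the recipient's Outlook client decrypted the message directly into the
#    inbox, this step fails and containment has to happen by other means.
Set-OMEMessageRevocation -MessageId $msgId -Revoke $true

# 4. Confirm the new status for the incident record.
Get-OMEMessageStatus -MessageId $msgId
```

Step 2 is the check that determines whether the page's caveat applies: a message opened directly in an Outlook client by another Microsoft 365 user will not be revocable, and the incident response plan needs a fallback for that case.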
For confirmation that a secure email has reached its destination, senders using MPME can request a read receipt in the same way as with their other M365 emails.
When composing an email, a sender can choose to request a read receipt by selecting a tick box. This will prompt the recipient to confirm if they are willing to share their read receipt information with the sender upon opening the email.
Since the recipient decides whether a read receipt is returned, MPME cannot produce accurate open or download analytics for secure emails sent to customers.
It also means organisations cannot gather reliable proof of delivery for compliance or for use in litigation.
For many organisations and their industry regulators, keeping a record of sensitive communications is crucial.
Microsoft Purview Message Encryption provides a searchable compliance dashboard for sent secure messages including timestamps, revocation details, and expiration periods (if applicable).
However, this does not include data on recipient access. For organisations that require proof-of-delivery, audit trails are limited in this capacity as they can only be used as a send record.
The compliance dashboard is also only accessible to Microsoft 365 account administrators. There are no audit records available to the individual sender of a secure email.
Usage and limits
Delivering confidential information to customers at scale is critical for large organisations in highly regulated sectors such as financial services.
MPME is designed as a preventative measure for everyday business email, and the caps that apply to it are the standard Exchange Online sending limits for a mailbox. These apply to encrypted mail in the same way as to everything else and do not account for delivery at scale.
Smaller companies will not find these limits an issue, but larger organisations should be aware of them.
If your usage could reach the following per-mailbox limits, you should consider an on-premises Exchange server or another solution:
- 30 messages per minute
- 10,000 recipients per day
To set up Microsoft Purview Message Encryption for your organisation you will need the help of a Microsoft specialist, or an administrator who is comfortable with Exchange Online PowerShell.
They will have to confirm that Azure Rights Management (Azure RMS) is active for your tenancy and set up mail flow rules that apply encryption using the built-in or custom rights management templates.
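The checks that administrator would run before building any rules, as an added example and not Microsoft's documentation: read the tenant's IRM configuration, enable Azure RMS if it is off, verify that a mailbox can actually obtain templates and licences, and list the templates a mail flow rule can reference. It assumes the ExchangeOnlineManagement module and an Exchange administrator session; the sender address is a placeholder.

```powershell
# Added example (not Microsoft's documentation): checking that Azure Rights Management is
# active for the tenant before building encryption rules. Assumes the ExchangeOnlineManagement
# module and an Exchange administrator session; the sender address is a placeholder.
Connect-ExchangeOnline

# Current state: AzureRMSLicensingEnabled must be True for MPME to work, and
# SimplifiedClientAccessEnabled controls the "Encrypt" button in Outlook on the web.
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled

# Enable Azure RMS for the tenancy if it is not already on.
Set-IRMConfiguration -AzureRMSLicensingEnabled $true

# End-to-end check: can this mailbox reach Azure RMS and obtain templates and a licence?
Test-IRMConfiguration -Sender "alice@contoso.com"

# List the templates a mail flow rule can reference with -ApplyRightsProtectionTemplate.
# "Encrypt" and "Do Not Forward" are built in; any others come from your own Azure RMS setup.
Get-RMSTemplate | Select-Object Name, Description
```

If Test-IRMConfiguration reports a failure, fix that before creating rules: a rule that references a template the tenant cannot retrieve will not encrypt anything.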
Mailock secure email
Mailock is a powerful solution for securely exchanging confidential information with customers at any scale.
Mailock uses military-grade AES-256 encryption to protect confidential email data and attachments.
Mailock's encryption is designed so that patterns in the plaintext do not show through in the ciphertext. Each encrypted block carries a unique value that ties it to the block before it (a chained mode of operation), so even identical blocks of plaintext produce different blocks of ciphertext.
This makes it extremely difficult to find consistencies across multiple encrypted messages and use them to infer their contents.
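The following PowerShell script (using .NET's AES) is an added illustration of the general principle described above; it is not Mailock's or Microsoft's code, and the key, IVs and message text are constructed here. It encrypts a message made of identical 16-byte blocks once in ECB mode, which has no chaining and is the kind of mode behind the weakness reported against OME, and once in CBC mode, where each block's encryption depends on the previous ciphertext block and a fresh random IV. It then counts repeated ciphertext blocks within a message and compares two encryptions of the same message under the same key.

```powershell
# Added illustration (not Mailock's or Microsoft's code): why an unchained block cipher mode
# leaks patterns across messages while a chained mode does not. Key, IVs and the message
# text are constructed here for the demonstration. Runs on Windows PowerShell 5.1 or PowerShell 7.

function Protect-Message {
    param(
        [byte[]]$Key,
        [byte[]]$Plain,
        [System.Security.Cryptography.CipherMode]$Mode
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = $Mode
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $Key          # 32-byte key => AES-256
    $aes.GenerateIV()            # fresh random IV per message; ECB ignores it, CBC chains from it
    $enc = $aes.CreateEncryptor()
    $ct  = $enc.TransformFinalBlock($Plain, 0, $Plain.Length)
    $enc.Dispose(); $aes.Dispose()
    return ,$ct                  # leading comma returns the byte[] as a single object
}

function Get-RepeatedBlockCount {
    # Counts 16-byte ciphertext blocks that are identical to an earlier block in the same message.
    param([byte[]]$CipherText)
    $seen = @{}; $repeats = 0
    for ($i = 0; $i -lt $CipherText.Length; $i += 16) {
        $block = [System.BitConverter]::ToString($CipherText, $i, 16)
        if ($seen.ContainsKey($block)) { $repeats++ } else { $seen[$block] = $true }
    }
    return $repeats
}

# Constructed key: 32 random bytes.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)

# Constructed message: a 16-byte phrase repeated eight times, i.e. eight identical plaintext blocks.
$plain = [System.Text.Encoding]::ASCII.GetBytes("CONFIDENTIAL:   " * 8)

$ecb1 = Protect-Message -Key $key -Plain $plain -Mode ECB
$ecb2 = Protect-Message -Key $key -Plain $plain -Mode ECB
$cbc1 = Protect-Message -Key $key -Plain $plain -Mode CBC
$cbc2 = Protect-Message -Key $key -Plain $plain -Mode CBC

$sameEcb = [System.BitConverter]::ToString($ecb1) -eq [System.BitConverter]::ToString($ecb2)
$sameCbc = [System.BitConverter]::ToString($cbc1) -eq [System.BitConverter]::ToString($cbc2)

"ECB: repeated ciphertext blocks within one message = $(Get-RepeatedBlockCount $ecb1)"
"CBC: repeated ciphertext blocks within one message = $(Get-RepeatedBlockCount $cbc1)"
"ECB: two encryptions of the same message are identical = $sameEcb"
"CBC: two encryptions of the same message are identical = $sameCbc"
```

The ECB run shows seven repeated blocks (the eight identical plaintext blocks encrypt to one repeated ciphertext block, followed by a distinct padding block) and reports that two encryptions of the same message are identical; the CBC run shows no repeated blocks and two different ciphertexts. Neither mode reveals the key, which is the distinction the MPME section above draws: the leak is structure across messages, not a break of AES-256.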
"Security is fundamental to the Mailock system, and always comes first. Our most valued financial organisations use the network to deliver highly sensitive information on a daily basis."
— Michael Wakefield, CDO, Beyond Encryption
Mailock's encryption key architecture, combined with the authentication challenges it provides, is designed to ensure that only the right recipient has the tools to decipher encrypted messages and attachments.
The end-to-end encryption used by Mailock is also available to recipients of secure emails, who can securely reply for free.
How does Mailock stop its users from sending confidential information in an unsecured email?
Organisations can set trigger words or add to the default set. When these trigger words are present in an email, users will be prompted to confirm whether they would like to send the email securely.
This helps to train employees to think twice before sending an email and prevents confidential information from being leaked.
Administrators can create rules within M365 in addition to these user-level prompts to unilaterally force an email to be sent securely when it contains particular keywords or is marked 'confidential'.
By providing full control over any automated data loss prevention, Mailock allows organisations to easily match their protection to their needs.
Inbox access verification
As with Microsoft's Purview Message Encryption service, Mailock gives senders the option to require a one-time code from recipients of secure emails (delivered to their inbox) before they can open a message.
This helps to prevent interception by double-checking that recipients have immediate access to their email account.
However with Mailock, other more robust recipient authentication methods can also be accommodated.
Authenticating email recipients beyond their inbox access may be necessary to ensure sensitive information is delivered to the right person.
Checking that a recipient has instantaneous access to their email account when they attempt to open a secure email eliminates a high majority of email-based threats. However, it does not stop an unauthorised party who has gained entry to a recipient's inbox.
Mailock offers multiple recipient authentication types that go beyond inbox access verification, including:
- SMS: Send a one-time code to your recipient's mobile device.
- Q&A: Ask your recipient a question only they could correctly answer.
- Unipass ID: Allow financial professionals to verify their Unipass ID.
Many organisations, such as those in financial services, require proof of delivery for particular types of document to meet compliance standards (such as MiFID II).
Authentication can also provide protection against future litigation. Organisations can show with confidence that particular individuals have opened and downloaded documents.
Access to a Mailock email can be revoked by the sender (as opposed to Microsoft’s approach of inviting a recipient to ignore or delete a message).
The ability to block access to a confidential email sent to the wrong person can save a small problem from becoming a bigger one by giving a business the power to immediately contain a breach.
Mailock's revoke function stops a recipient from being able to access a secure email instantaneously, regardless of their device or email client.
Unilateral revoke is a critical feature that helps organisations to comply with regulatory guidelines such as the Information Commissioner's Office guidance on misfired emails (emails sent to the wrong person).
The revoke function is available both to individual senders using Mailock For Outlook and to company administrators via the admin portal.
For companies that need to confirm that sensitive information has been delivered, Mailock also offers read notifications.
Read receipt settings are accessible in Outlook and work in every case, regardless of the receiving email client. This is because access is always gained through interaction with the Mailock encrypted core to retrieve the key that deciphers a message and its contents.
Read notifications are useful for anyone wishing to progress a customer along a journey, from sales to customer support, as they can follow up when the customer is most likely to respond.
Need to maintain complete records of sensitive communications in line with regulatory guidance?
Mailock provides its users with secure email audit trails, displayed at both user and admin-level. Access timestamps for send and open activity, revoke messages, and view all sent secure emails in one place.
Because Mailock's send and open timestamps are generated when the recipient retrieves the decryption key, rather than by email 'pixel tracking' that privacy tools can block, they record actual access and can be relied on for secure email engagement analytics.
In highly regulated industries, keeping accurate records that show proof of delivery helps organisations to comply with the latest regulations.
Usage and limits
Mailock Automation is designed for large organisations that need to deliver sensitive documents to customers at scale.
For this reason, there is no hard ceiling on the volume of secure emails that can be sent. Fair usage policies and volume-based pricing apply depending on your package, but there is no imposed limit on the scalability of email volume or throughput.
This makes Mailock a viable alternative for organisations that deliver a high volume of confidential post and are considering secure email for the cost and carbon savings it would afford them.
Research conducted by sustainability consultancy Project Rome estimates that switching post to secure email could result in up to 95% cost savings, not to mention the sustainability benefits.
Setting up Mailock for your organisation is simple. Depending on your choice of deployment (cloud/on-premise), you will be provided with an installation pack or guided through the process by a specialist.
The solution can then be managed using Mailock's company admin dashboard - a secure browser-based experience where you can manage your users, email domains, and trigger words.
Microsoft Purview Message Encryption (MPME) vs Mailock secure email
Every organisation has different requirements when it comes to choosing a secure email solution that fits, but in a nutshell:
- MPME can prevent email interception
- MPME has no recipient authentication
- MPME is limited in volume/throughput
- MPME setup requires PowerShell familiarity
- Mailock secures sensitive data at any scale
- Mailock offers recipient authentication
- Mailock has no send volume limitation
- Mailock is easy to deploy and manage
Originally posted on 20 January 2023
Last updated on 18 September 2023
Posted by: Team B.E.
Articles and resources posted by Team B.E. are the result of a collaborative production process involving all our experts in digital identity, encryption, authentication and media. To learn more about the individuals in the team, visit our about us page.