Microsoft Outlook, used by over 400 million people worldwide, includes encryption features that protect everyday email.
But is that protection sufficient for a business that needs to send sensitive information to its customers?
Let's take a look.
Understanding the Basics of Email Encryption
Encryption scrambles the contents of an email, turning the message and its attachments into ciphertext that cannot be read without the right key.
Keys are secret values, usually generated at random, that are used to encrypt the data and, at the other end, to decrypt it; anyone who intercepts the message without the key sees only unreadable data.
Encryption is particularly relevant to business email.
The UK Information Commissioner's Office (ICO) advises that all personal information sent by email should be protected using encryption. See the ICO guidance on encryption and data transfer.
"Email encryption is a cornerstone of secure communication, especially for businesses handling sensitive customer information.
Choosing the right encryption method makes sure your data is protected without compromising usability."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Email Encryption in Microsoft Outlook
Microsoft Outlook offers several levels of email encryption, depending on your requirements and budget.
1. Transport Layer Security (TLS)
TLS is the baseline protection and is used by Outlook and Microsoft 365 without any additional licence.
It encrypts the connection between your mail client and your server, and between mail servers, so the message cannot be read by anyone watching the network while it is in transit.
It does not encrypt the message itself: each server along the path decrypts it before passing it on, and once it reaches the recipient's mailbox it is stored in whatever form that provider uses, so it remains exposed to anyone who gains access to that mailbox.
TLS between mail servers is also usually opportunistic. If the receiving server does not offer TLS, the sending server may fall back to an unencrypted connection unless the sender enforces TLS. On its own, TLS is therefore not enough for sensitive data.
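Because TLS is applied hop by hop, the only after-the-fact evidence of whether each hop was encrypted is the Received: header that each mail server prepends. The following script, an added example that is not code from the original article or from Beyond Encryption or Microsoft, parses those headers from a constructed sample message and reports which hops used TLS. The marker patterns (ESMTPS/ESMTPSA, version=TLS1_2, using TLSv1.3) are the conventions used by Postfix, Gmail and Exchange Online; the hostnames and addresses in the sample are invented.

```python
"""Audit the Received: headers of an email to see whether every SMTP hop
used TLS.  Added example; not part of the original article and not code
from Beyond Encryption or Microsoft.  Sample message below is constructed."""
import re
from email import message_from_string

# Conventions that mark a TLS-protected hop in Received: headers:
#  - Postfix/Sendmail/Gmail record the protocol keyword ESMTPS or ESMTPSA
#    (ESMTPA alone means authenticated submission without TLS, so it must
#    not match);
#  - Exchange Online records "(version=TLS1_2, cipher=...)";
#  - Postfix also appends "(using TLSv1.3 with cipher ...)".
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:ESMTPSA|ESMTPS|UTF8SMTPSA|UTF8SMTPS)\b"
    r"|\bversion=TLS\d+(?:_\d+)?\b"
    r"|\(using\s+TLSv?[\d.]+",
    re.IGNORECASE,
)

# Constructed sample: the final hop from the recipient's MX to the
# mailbox store was delivered with plain ESMTP, i.e. without TLS.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
    by mailbox.recipient.example (Postfix) with ESMTP id 4Kx1
    for <alice@recipient.example>; Mon, 3 Jun 2024 09:12:01 +0000
Received: from smtp.sender.example (smtp.sender.example [203.0.113.5])
    by mx.recipient.example (Postfix) with ESMTPS id 3Jw9
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    for <alice@recipient.example>; Mon, 3 Jun 2024 09:12:00 +0000
Received: from [192.0.2.10] (client.sender.example [192.0.2.10])
    by smtp.sender.example (Postfix) with ESMTPSA id 2Hv8
    for <alice@recipient.example>; Mon, 3 Jun 2024 09:11:59 +0000
From: bob@sender.example
To: alice@recipient.example
Subject: Q2 statement

Attached is your statement.
"""


def hop_tls_status(raw_message: str) -> list[tuple[str, bool]]:
    """Return (hop summary, tls_used) for each hop, oldest hop first.

    Each MTA prepends its own Received: header, so the headers appear
    newest-first in the message; reversing them follows the real path."""
    msg = message_from_string(raw_message)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())  # unfold the header onto one line
        m = re.search(r"^from\s+(\S+).*?\bby\s+(\S+)", text)
        summary = f"{m.group(1)} -> {m.group(2)}" if m else text[:60]
        hops.append((summary, bool(TLS_MARKERS.search(text))))
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if at least one hop was recorded and every hop used TLS."""
    hops = hop_tls_status(raw_message)
    return bool(hops) and all(tls for _, tls in hops)


if __name__ == "__main__":
    for summary, tls in hop_tls_status(SAMPLE_MESSAGE):
        print(f"{'TLS     ' if tls else 'NO TLS  '} {summary}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Two caveats apply. Received: headers are written by each server in turn, so a malicious or misconfigured server can omit or forge them; this is a post-delivery audit, not a guarantee. And even a path on which every hop used TLS says nothing about how the message is stored once it arrives, which is the gap the content-encryption options below address.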
2. S/MIME (Secure/Multipurpose Internet Mail Extensions)
Unlike TLS, which protects the connection, S/MIME encrypts the message content itself, so it stays encrypted in the recipient's mailbox and on any server it passes through. S/MIME can also digitally sign messages so the recipient can verify who sent them.
It requires that both sender and recipient use a mail client that supports S/MIME and that each holds a digital certificate. To encrypt a message to someone, you need a copy of their certificate, which is typically exchanged by sending signed messages first.
S/MIME provides solid protection for sensitive information.
However, it is inconvenient for communication with recipients who are unlikely to have the necessary setup (for example, customers).
Installing and managing S/MIME certificates on devices can be difficult for people who aren't familiar with digital configuration and settings.
3. Microsoft Purview Message Encryption
Available with eligible Microsoft 365 and Office 365 plans, Microsoft Purview Message Encryption combines email encryption with rights management, so a message can be encrypted and also carry restrictions such as Do Not Forward. Availability depends on licence, tenant configuration, and organisation policy.
Microsoft says Purview-encrypted email can be read directly in supported Outlook clients, including new Outlook, Outlook on the web, Outlook for iOS and Android, and Outlook for Windows 2019 and newer. Recipients using other mail services receive instructions for opening the protected message.
Because the protection travels with the message rather than with the connection, rights management policies limit what an attacker who later gains access to a mailbox can do with it, such as forwarding or copying it, especially when combined with MFA on the account itself.
However, Microsoft Purview Message Encryption can still be a challenge for some recipients.
Its user experience is not simple enough to deliver documents to vulnerable customers or people with low levels of technological literacy.
That's why businesses tend to use purpose-built solutions designed to be easy to access when they send sensitive information to customers.
Businesses may also be concerned that Microsoft Purview Message Encryption does not provide the recipient-specific verification they want for high-trust customer communications, such as a Q&A challenge, an SMS code, or a sector identity check.
4. Outlook Add-ins
Outlook add-ins are integrations created by third parties for use within Outlook. Support depends on whether the add-in is a modern web add-in or an older COM/VSTO add-in, and on whether the user is on new Outlook, classic Outlook, web, Mac, or mobile.
Add-ins can introduce additional security features, such as email encryption and recipient authentication, in a user-friendly way.
For example, the Mailock Outlook add-in adds secure email controls inside supported Outlook environments.
It is designed for professionals and businesses that need to share information with their customers while protecting it in line with data regulations.
Prioritising Security with Data Classification
Before deciding whether Outlook's built-in security is right for the information you need to email, it's important to understand data classification.
"Understanding the sensitivity of your data is the first step towards effective email security.
Data classification allows businesses to apply the right protection to the right information, ensuring efficiency and safety."
The process involves categorising your organisation's information according to how much harm its exposure would cause.
Data Classification Levels
Classifying your data helps determine the most appropriate security measures for each type.
For example:
Highly Confidential: This classification applies to information with severe consequences if leaked, such as financial data, trade secrets, or personal details.
Confidential: This includes sensitive information that could still cause harm if exposed, like marketing strategies or internal reports.
Internal: This covers company information intended for internal use only, such as meeting minutes or departmental updates.
Public: This refers to information that can be publicly shared, like press releases or product information.
Security Measures Based on Classification
Once you've classified your data, you can choose the appropriate security measures.
Here's a guideline:
Highly Confidential: This level might require a combination of advanced email encryption, such as Microsoft Purview Message Encryption or a third-party secure email platform, and other controls such as access restrictions, rights management, or tools that restrict copying or forwarding.
Confidential: For this level, S/MIME or Microsoft Purview Message Encryption might be sufficient, alongside access controls within your organisation.
Internal: You might choose to encrypt internal emails for additional security, but password-protected attachments or access controls might be enough depending on the information's sensitivity.
Public: Public information typically doesn't require encryption.
Classifying your data helps to make sure your most valuable information receives the strongest protection, rather than applying one level of control to everything.
Want Secure Sending Inside Outlook?
Learn how Mailock works with Outlook so teams can protect sensitive messages without moving senders into a separate portal.
Sabrina McClune writes about cybersecurity, data protection, digital identity, and digital transformation for Beyond Encryption, helping regulated sectors understand complex technology and compliance topics with greater clarity.