How to Encrypt Email in Outlook (2026)
Outlook supports two main email encryption systems: Microsoft 365 Message Encryption (OME), which is built into Outlook and works for almost any recipient, and S/MIME, an older certificate-based standard mostly used in regulated industries. Both keep email confidential in transit and at rest, but they work differently and have different setup requirements.
Neither is end-to-end encryption in the way Signal or ProtonMail are — Microsoft holds keys for OME, and S/MIME relies on certificate authorities. For most business use cases, that tradeoff is fine. For genuinely zero-knowledge encryption, you’d need a different tool.
Here’s how to encrypt in every Outlook version, what recipients see, and how to fix the most common issues.
1. Microsoft 365 Message Encryption (OME)
OME is the default encryption built into Outlook. It works in new Outlook, Outlook on the web, classic Outlook for Windows, and the Outlook mobile apps. You don’t need certificates or extra setup — if your license includes OME, the Encrypt button just appears.
Send an encrypted message
New Outlook & Outlook on the web:
- Click New mail.
- Click the Encrypt button in the toolbar (sometimes under the three-dot menu).
- Pick an encryption option (see below).
- Compose and Send.
Classic Outlook for Windows:
- Click New Email.
- In the message window, go to the Options tab.
- Click Encrypt and pick an option.
- Compose and Send.
Outlook for iOS / Android:
- Tap the compose button to start a new message.
- Tap the three-dot menu in the compose view.
- Tap Set permissions and pick an option.
- Compose and Send.
Encryption options
Microsoft 365 ships four built-in options, plus any custom labels your admin has configured:
- Encrypt-Only — Encrypts the message in transit and at rest. The recipient can still forward, copy, and print.
- Do Not Forward — Encrypts the message and prevents the recipient from forwarding, copying, or printing.
- Confidential / All Employees — Restricts the message to people in your organization. Adds a visible “Confidential” marking.
- Highly Confidential / All Employees — Same as above with stricter restrictions: no forwarding, no copying, no printing.
The exact labels depend on what your organization’s compliance admin has set up in Microsoft Purview. Some orgs see different names (e.g., “Internal”, “Restricted”, or industry-specific labels).
Note: OME encrypts the message body and attachments. Subject lines are not encrypted — anyone who intercepts the message can still see the subject. Don’t put sensitive details in the subject line.
2. What Recipients See
The recipient experience depends on whether they’re inside Microsoft 365 or not.
Microsoft 365 recipient
If your recipient uses Outlook with a Microsoft 365 mailbox, the encrypted message lands in their inbox like any other email. Outlook decrypts it transparently, and they see:
- The message body, attachments, and any restrictions (e.g., “Do Not Forward” disables those actions in the UI).
- A small banner at the top noting the encryption or sensitivity label.
Gmail, Yahoo, or other external recipient
External recipients (Gmail, Yahoo, personal Outlook.com without M365, custom domains) get a different experience:
- They receive a plain email with a message that says something like “You have received a protected message from [sender].”
- They click Read the message.
- They’re taken to a web portal (outlook.office365.com/encryption or office365.com/encrypted).
- They sign in with a one-time passcode (sent to their email) or with their Google/Microsoft account.
- They read the message in the browser. Forwarding, copying, and printing follow the restrictions you set.
The portal experience is the most common reason recipients don’t read encrypted email — it’s an extra step. If you encrypt frequently with external partners, consider whether Encrypt-Only is worth it, or whether a sensitivity label with weaker restrictions reads more cleanly.
Replies
External recipients can reply to encrypted messages from within the web portal. Their reply comes back encrypted as well. They cannot start a new encrypted thread on their own — only respond.
3. S/MIME (Classic Outlook for Windows)
S/MIME is a public-key encryption standard that predates Microsoft 365 by decades. It requires:
- A certificate for each user (issued by your IT or a public CA like DigiCert, Sectigo, GlobalSign).
- The certificate installed in the Windows certificate store.
- Both sender and recipient to have S/MIME certificates and have exchanged public keys (typically by sending each other a signed message first).
S/MIME is most common in financial services, healthcare, defense, and government. For most modern business use cases, OME is easier and more compatible.
Set up S/MIME
- Get a certificate from your IT admin or a public CA. They’ll send you a .pfx or .p12 file (the private key) or install it directly into the Windows certificate store.
- Open classic Outlook for Windows.
- Go to File > Options > Trust Center > Trust Center Settings.
- Click Email Security.
- Under Encrypted email, click Settings.
- In Security Settings Name, enter a name (e.g., “My S/MIME”).
- For Signing Certificate, click Choose and pick your certificate.
- For Encryption Certificate, click Choose and pick the same (usually) certificate.
- Click OK > OK > OK.
Send a signed or encrypted S/MIME message
- Click New Email.
- Go to the Options tab.
- Click Sign to digitally sign (recipient verifies the message came from you and wasn’t altered).
- Click Encrypt > Encrypt with S/MIME to encrypt the message body.
To encrypt to a specific recipient, you must already have their public key. The easiest way: ask them to send you a digitally signed S/MIME message first. Outlook attaches their public certificate to that message, and Outlook saves it to their contact card.
S/MIME in new Outlook & web
The new Outlook for Windows and Outlook on the web added S/MIME support in 2024-2025, but the experience is more limited than classic Outlook. Setup happens through your admin via the Microsoft 365 admin center; users typically can’t install certificates themselves.
S/MIME on mobile
Outlook for iOS and Android supports S/MIME for Microsoft 365 / Exchange accounts when configured by the admin. End users can’t manually install S/MIME certificates on the mobile apps — it requires MDM or admin provisioning.
4. Sensitivity Labels (Microsoft Purview)
Sensitivity labels are the modern, organization-wide replacement for ad-hoc encryption choices. Admins configure labels in Microsoft Purview, and users apply them with one click.
A label can:
- Apply OME encryption automatically.
- Apply visible markings (header, footer, watermark).
- Restrict permissions (no forwarding, no printing, expiration date).
- Auto-classify based on content (credit card numbers, SSNs, etc.).
Apply a label
New Outlook & web:
- Compose a new message.
- Click Sensitivity in the toolbar (looks like a tag icon).
- Pick a label.
Classic Outlook:
- Compose a new message.
- Click Apply Sensitivity Label in the message header banner, or go to Options > Sensitivity.
- Pick a label.
If your organization has set up labels like “Confidential — All Employees” or “Highly Confidential — Legal Only”, picking that label is usually the right choice, since it applies the encryption your compliance team has standardized on.
5. Important: Outlook is Not End-to-End Encrypted
Both OME and S/MIME protect email in transit and at rest, but they’re not end-to-end encrypted in the strict sense.
- OME: Microsoft holds the encryption keys. Microsoft can decrypt messages for legal requests, eDiscovery, and compliance scanning. This is by design — it’s what allows admin-controlled DLP and recovery.
- S/MIME: The private key sits on the user’s device or HSM, so the cryptography is closer to true end-to-end. But it’s only as good as the certificate authority and key management around it. If a user’s device is compromised, the key is compromised.
If you need true zero-knowledge encryption (e.g., for whistleblowing, legal privilege between unrelated parties, or jurisdictions where you don’t trust Microsoft), use a dedicated tool like Signal or PGP. Don’t rely on Outlook for that.
6. License Requirements
Microsoft 365 Message Encryption requires one of these licenses on the sender’s account:
- Microsoft 365 Business Premium
- Microsoft 365 E3
- Microsoft 365 E5
- Office 365 E3 or E5
- Microsoft 365 A3, A5 (education)
- Azure Information Protection Plan 1 or 2 (standalone)
Recipients do not need a license — anyone can receive and read OME messages.
S/MIME doesn’t require a Microsoft 365 license, but it requires:
- An Exchange Online or on-premises Exchange mailbox.
- A valid S/MIME certificate (which costs money if from a public CA).
If you don’t see the Encrypt button, a missing license is the most common cause. Ask your admin to confirm what plan your account is on.
7. Troubleshooting: Encrypt Button Is Missing
A few common causes and fixes:
License doesn’t include OME
The fix: ask your admin to upgrade or assign you a license that includes Message Encryption (see list above).
Cached client state
- Sign out of Outlook completely.
- Sign back in.
- For web: clear browser cache and try a private/incognito window.
- For desktop: update to the latest version (File > Office Account > Update Options > Update Now).
Account is shared / delegated
OME doesn’t always work cleanly from shared mailboxes or delegated accounts. Send from your own account when encryption is required.
IRM not provisioned
If your tenant has never used encryption before, an admin may need to run a one-time provisioning step in the Microsoft 365 admin center (Settings > Org settings > Microsoft Azure Information Protection > activate).
S/MIME-specific issues
- Certificate expired — check Trust Center > Email Security > Settings and look at the expiration date.
- Wrong certificate selected — re-pick the right one in Settings.
- Recipient’s public key not in your contact list — ask them to send you a signed message first.
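The first two checks above can also be done from PowerShell instead of clicking through Trust Center. This is an added example, not part of the original article: it assumes the certificate was installed in the current user's Personal store (Cert:\CurrentUser\My), and the 30-day warning window is an arbitrary choice.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: read-only audit of certificates usable for S/MIME.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU "Secure Email"
$WarnDays       = 30                     # assumption: renewal warning window
$Now            = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ku  = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }

    # No EKU extension means "any purpose"; if one is present it must
    # list Secure Email, otherwise the certificate is not an S/MIME one.
    if ($eku) {
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $SecureEmailOid) { continue }
    }

    # No Key Usage extension means the key is unrestricted.
    $canSign    = (-not $ku) -or $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)
    $canEncrypt = (-not $ku) -or $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment) -or
                  $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyAgreement)

    $issues = @()
    if ($cert.NotBefore -gt $Now) { $issues += 'not yet valid' }
    if ($cert.NotAfter -lt $Now)  { $issues += 'EXPIRED' }
    elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) { $issues += "expires within $WarnDays days" }
    if (-not $cert.HasPrivateKey) { $issues += 'no private key: cannot sign or decrypt' }
    if (-not $canSign)            { $issues += 'key usage forbids signing' }
    if (-not $canEncrypt)         { $issues += 'key usage forbids encryption' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

if ($report) { $report | Sort-Object NotAfter | Format-Table -AutoSize -Wrap }
else         { 'No S/MIME-capable certificate found in Cert:\CurrentUser\My' }
```

If several certificates are listed, compare the thumbprint of the one with no issues against the certificate selected under Trust Center > Email Security > Settings.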
Quick Reference
| Method | Available in | Setup needed | Recipient experience | License |
|---|---|---|---|---|
| OME — Encrypt-Only | All versions | None | Native if M365; web portal if external | Business Premium, E3, E5 |
| OME — Do Not Forward | All versions | None | Native if M365; web portal with restrictions | Business Premium, E3, E5 |
| OME — Sensitivity Label | All versions | Admin sets up labels | Same as OME, plus visible markings | Business Premium, E3, E5 |
| S/MIME | Classic Outlook (full), new Outlook & web (limited), mobile (admin-provisioned) | Certificate per user | Native in any S/MIME-compatible client | Exchange + certificate |
Stop Sending Sensitive Replies in the First Place
Encryption protects email you’ve already decided to send. Carly is an AI assistant that connects to 200+ apps, drafts and routes replies, and helps you avoid sending sensitive information to the wrong recipient by auto-checking against your CRM and contact data. Carly is $35/month with no free tier on the main service.


