Encrypting Email with Office 365 Exchange Server

First, a Word About Exchange

An Exchange Server hosts mailboxes that contain e-mail, calendar, contacts, tasks, and more. It’s an enterprise-grade system that now, thanks to Office 365, is available to small and solo firms at a reasonable price. You can use your own domain names with Exchange server and have anywhere from one to thousands of mailboxes on the system. You can access your Exchange data from Microsoft Outlook on the PC or Mac or from virtually any kind of modern mobile device: smartphones or tablets predominantly. Outlook Web Access is the web-based client that Exchange server offers so that you can access your data from any device that has a web browser and an Internet connection.

You can have multiple email addresses and multiple domain names on the same Exchange mailbox and you easily can share your Exchange data, such as your Inbox or your Calendar, with anybody else in your organization.

All of your Exchange data is encrypted between your client (Outlook or mobile) and the Office 365 Exchange server. It’s also encrypted while it’s sitting on the Exchange server. By extension, any mail you send people in your firm—since it’s always on that Exchange server or transiting to or from Outlook—is encrypted. However, you may want to send an encrypted email to an outside party as well. There are several ways to do it, but here are two options for encrypting email.

Exchange Hosted Encryption (Soon to Be Office 365 Message Encryption)

Microsoft offers a server-side, policy-based encryption solution that lets you encrypt any message sent to any party. You create transport rules on the server side that automatically encrypt messages if they meet certain criteria (such as being sent to or from particular people or containing certain key words in the subject line). The person on the other end receives a regular email message indicating that you’ve sent them an encrypted message. The email has an attachment to click so the recipient can read that message. After clicking the attachment, the browser opens, and the recipient is asked to log in with a free Microsoft account. If the recipient doesn’t have one, he or she will be prompted to create one the first time—after that it should be automatic. Once the recipient successfully authenticates, he or she will be able to read the encrypted message. If the recipient replies to the message, the reply is also encrypted.

Since Exchange Hosted Encryption is server-based, it works regardless of what client you send the email message from. You can send from Outlook, OWA, iPad, Android phone…it doesn’t matter. As long as the message meets the policy criteria you specified in the transport rule, the message will be encrypted. It also means that as long as your message meets the rule, the encryption is automatic—you can’t forget to click the Encrypt button. If you have an E-3 or E-4 plan, you get this encryption service for free. With the other Enterprise plans, including Exchange-only and Kiosk plans, you’ll need to buy the Azure Rights Management service for $2/mailbox/month.
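The transport-rule setup described above, as an added example that is not from the original post: two rules that trigger the server-side encryption, created from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and an account with Exchange admin rights; the rule names, addresses, domain and subject keyword are constructed placeholders.

```powershell
# Added example (not from the original post). Two transport rules that apply
# Office 365 Message Encryption on the server, plus a listing of what is in force.
# Assumes: ExchangeOnlineManagement module installed, an Exchange admin account.
# All names, addresses and the keyword below are constructed placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.test'

# Rule 1: the sender opts in by putting a keyword in the subject line.
# Scoped to recipients outside the organization; internal mail is already
# encrypted in transit and at rest on the Exchange server.
New-TransportRule -Name 'OME - encrypt on subject keyword' `
    -SubjectContainsWords '[encrypt]' `
    -SentToScope NotInOrganization `
    -ApplyOME $true `
    -Priority 0

# Rule 2: mail from one group to outside recipients is always encrypted, so
# nobody on that team can forget. Created disabled so it can be reviewed first;
# Enable-TransportRule -Identity 'OME - litigation team external mail' turns it on.
New-TransportRule -Name 'OME - litigation team external mail' `
    -FromMemberOf 'litigation-team@example.test' `
    -SentToScope NotInOrganization `
    -ApplyOME $true `
    -Enabled $false

# Newer tenants use -ApplyRightsProtectionTemplate 'Encrypt' (the built-in
# encrypt-only template) in place of -ApplyOME $true; the conditions are the same.

# Audit: every rule that applies encryption, in the order Exchange evaluates them.
Get-TransportRule |
    Where-Object { $_.ApplyOME -or $_.ApplyRightsProtectionTemplate } |
    Sort-Object Priority |
    Format-Table Name, Priority, State, SentToScope, SubjectContainsWords -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Two things worth keeping in mind when you write rules like these: a rule only fires on messages that pass through Exchange Online transport, so a message that never meets the condition (a typo in the keyword, a sender who is not in the group) leaves the tenant in the clear, which is why the always-on group rule is the safer pattern; and because the encryption is applied by the server, the server handles the message in plaintext first, which is the trade-off against the client-side S/MIME approach below.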

S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a method to send secure email messages. It has been around since 1995 and made its Outlook debut in Outlook 97. It’s still available, in its updated version, in Outlook 2013. S/MIME uses public-key encryption to securely sign and encrypt your e-mail messages. Once you have a certificate, you go to (in Outlook) File > Options > Trust Center > Trust Center Settings > E-mail Security to get the dialog box:

[Screenshot: the Trust Center’s E-mail Security dialog]

Click Import/Export to import your digital certificate. Once you’ve completed that process, you can encrypt an email message by starting an e-mail to somebody, then clicking File > Properties in that e-mail message to get to the Properties dialog box:

[Screenshot: the message Properties dialog]

Click the Security Settings button to get the Security Properties dialog box and check the box for Encrypt message contents and attachments. Then OK/Close your way back out, and your message should be set for encryption. One catch…you must already have the other person’s public key attached to their contact record in your Contacts. Once you’ve got that person’s public key (typically as an e-mail attachment or a download), go to his or her contact record in Outlook’s People view and click Certificates on the Ribbon. Click the Import button on the right and import their public key file into their contact record. Now you’re ready to send them S/MIME-encrypted e-mail.

Additional Encryption Geekery

Public-key encryption uses a combination of two separate keys to encrypt the message:

  1. A public key, which you can publish freely,
  2. A private key, which you keep very secret.

When you want to send an encrypted email to somebody, you encrypt it with the other person’s public key and sign it with your own private key. When they receive the message, they decrypt it with their private key and verify your signature with your public key. Only the matching private key will decrypt the message. There are tools that will let you generate your own key pairs or, for added security, you can obtain a certificate for your key pair from one of the well-established Certificate Authorities like Verisign or Thawte.
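What the Outlook dialogs in the S/MIME section above do behind the scenes, and the public/private key division of labour just described, as one added example that is not from the original post or from Microsoft: the sender signs with a private key and encrypts to the recipient’s public key, and the recipient decrypts with their private key and verifies with the sender’s public key. It assumes Windows PowerShell 5.1 on Windows 10 or Server 2016 or later, where the .NET CMS classes and New-SelfSignedCertificate are available; the two "people", their certificates and the message text are constructed throw-away test data that the script removes again.

```powershell
# Added example (not from the original post). Signs, encrypts, decrypts and
# verifies a message the S/MIME way (CMS/PKCS#7) using the .NET classes Outlook
# builds on. Assumes Windows PowerShell 5.1 on Windows 10 / Server 2016+.
# Both certificates are self-signed test certificates created in the current
# user's store and deleted at the end; names and message text are constructed.
Add-Type -AssemblyName System.Security

function New-TestSmimeCert {
    param([string]$Subject)
    # KeySpec/Provider put the key on a CAPI RSA provider, which EnvelopedCms can
    # decrypt with. The TextExtension sets the "Secure Email" EKU
    # (1.3.6.1.5.5.7.3.4) that S/MIME-capable clients look for in a certificate.
    New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeySpec KeyExchange `
        -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
        -KeyExportPolicy Exportable `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.4') `
        -NotAfter (Get-Date).AddDays(1)
}

$sender    = New-TestSmimeCert -Subject 'CN=Alice Sender, E=alice@example.test'
$recipient = New-TestSmimeCert -Subject 'CN=Bob Recipient, E=bob@example.test'

try {
    $plaintext = [Text.Encoding]::UTF8.GetBytes('Draft settlement terms - privileged')

    # --- Sender side ---------------------------------------------------------
    # 1. Sign with the sender's PRIVATE key (SignedCms = CMS signed-data).
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms `
        (New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$plaintext))
    $signed.ComputeSignature((New-Object System.Security.Cryptography.Pkcs.CmsSigner $sender))
    $signedBytes = $signed.Encode()

    # 2. Encrypt the signed blob to the recipient's PUBLIC key. This is the step
    #    Outlook cannot do until you have imported their certificate into their
    #    contact record. (Content cipher is the library default here; Outlook's
    #    E-mail Security settings let you pick AES-256.)
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms `
        (New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$signedBytes))
    $envelope.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient $recipient))
    $wireBytes = $envelope.Encode()   # this is what actually travels in the e-mail

    # --- Recipient side ------------------------------------------------------
    # 3. Decrypt: .NET locates the matching PRIVATE key in the recipient's store.
    $inbound = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $inbound.Decode($wireBytes)
    $inbound.Decrypt()

    # 4. Verify the signature with the sender's PUBLIC key. $true = check the
    #    signature only and skip chain building, because these are self-signed;
    #    with CA-issued certificates you would pass $false so the chain is checked.
    $check = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $check.Decode($inbound.ContentInfo.Content)
    $check.CheckSignature($true)

    [pscustomobject]@{
        Recovered      = [Text.Encoding]::UTF8.GetString($check.ContentInfo.Content)
        SignedBy       = $check.SignerInfos[0].Certificate.Subject
        RecipientCount = $inbound.RecipientInfos.Count
        CipherBytes    = $wireBytes.Length
    }
}
finally {
    # Remove the throw-away certificates and their private keys from the store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($sender.Thumbprint)" -DeleteKey
    Remove-Item -Path "Cert:\CurrentUser\My\$($recipient.Thumbprint)" -DeleteKey
}
```

Run it as-is and the final object shows the original text recovered, Alice as the signer and exactly one recipient. To see the "one catch" from the S/MIME section in action, delete Bob's certificate before step 3: Decrypt() fails because no private key in the store matches the envelope, which is the same reason a recipient whose public key you never imported cannot be sent an S/MIME message in the first place.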


Go Further with Office 365
This post was adapted from the Law Practice Division’s publication Microsoft Office 365 for Lawyers. Written by twenty-year legal technology veteran, Ben M. Schorr, this essential guide provides answers to the common questions asked by lawyers when migrating their offices to Office 365.

