How to encrypt email in Office 365 (Microsoft 365) in 2025

  • By Witopia
  • Jan 16, 2025
  • 8 min read

Encrypting email with Microsoft products can be very confusing. And expensive. The maze of licensing and product options can make it very difficult to determine the best way to secure your email for personal use or for your business. This article will show you how to encrypt email in Outlook, Outlook.com, and Microsoft 365, using Microsoft's built-in options, as well as using our Microsoft-approved SecureMyEmail™ service.

The bewildering world of Microsoft

Microsoft basically treats their customers like they have all worked in Microsoft product management for 5 years and have a computer science degree. 🙂 The product options alone are dizzying.

Just for email, you're dealing with Outlook (the software), Outlook.com (the web service), Microsoft 365 (formerly, Office 365) and Exchange.

Then, there are all the service levels, variants, and license options.

And, let us not forget all the legacy consumer email services such as Hotmail, MSN Mail, Windows Live Mail, and now, Outlook.com.

It's as if their product management people are at war with each other and the borders are constantly changing.

Microsoft is a great company in so many ways, but all this almost seems like satire. It's like they doubled down on the old "I'm a Mac, I'm a PC" reputation.

But, we got it all figured out for you. We'll walk through the various encryption options available with Microsoft, including:

  1. TLS (Transport Layer Security)
  2. S/MIME (Secure/Multipurpose Internet Mail Extensions)
  3. Microsoft Purview Message Encryption (OME)
  4. SecureMyEmail

TLS (Transport Layer Security)

Many email providers, Microsoft included, use something called "opportunistic" Transport Layer Security. Despite what is implied, this should not be mistaken for actual email encryption.

  • TLS only encrypts the "connection" and not the email or attachments.
  • It cannot be guaranteed, because both the sender's and the recipient's email servers must support it.
  • The email and contents are not protected or encrypted after they arrive.
  • Emails and attachments are not encrypted "at rest" on the email server so they are vulnerable, especially when they are saved or archived.

Suffice it to say that if you want encrypted email, TLS is not sufficient and not "real" email encryption. It is certainly not strong enough for HIPAA, GDPR, or other legal compliance.
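To see the difference between connection encryption and message encryption on a real message, here is an added example (not part of the original article or any Microsoft or SecureMyEmail code). It reads a message's `Received` headers to report which relay hops used TLS, then checks separately whether the body itself is S/MIME or PGP/MIME encrypted. The sample message, hostnames, and addresses are constructed.

```python
import re
from email import message_from_string

# Constructed sample (not from the article): two relay hops, plain-text body.
SAMPLE = """\
Received: from mx.recipient.example (203.0.113.9) by store.recipient.example
 with ESMTP id abc123; Thu, 16 Jan 2025 10:00:03 +0000
Received: from out.sender.example (198.51.100.7) by mx.recipient.example
 with ESMTPS id def456 (version=TLS1_2); Thu, 16 Jan 2025 10:00:02 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Q4 payroll
Content-Type: text/plain

Salary data attached.
"""

# RFC 3848 "with" keywords ending in S or SA mean the hop negotiated STARTTLS.
TLS_PROTO = re.compile(r"\bwith\s+(?:UTF8)?(?:E?SMTP|LMTP)SA?\b", re.I)
# Hints some servers add in a comment instead of using the RFC 3848 keyword.
TLS_HINT = re.compile(r"version=TLS|using TLS", re.I)

def hop_tls(received: str) -> bool:
    """True if this Received header indicates the hop was carried over TLS.
    Each server writes its own header and earlier ones can be forged, so
    treat the result as an indicator, not proof."""
    return bool(TLS_PROTO.search(received) or TLS_HINT.search(received))

def message_level_encrypted(msg) -> bool:
    """True only if the message body itself is encrypted, independent of transport."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME: enveloped-data is encryption; signed-data is only a signature.
        smime_type = (msg.get_param("smime-type") or "").lower()
        return smime_type in ("enveloped-data", "authenveloped-data")
    return ctype == "multipart/encrypted"  # PGP/MIME (RFC 3156)

def audit(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = [hop_tls(h) for h in msg.get_all("Received", [])]  # newest hop first
    return {"hops_tls": hops,
            "all_hops_tls": bool(hops) and all(hops),
            "message_encrypted": message_level_encrypted(msg)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Even when every hop reports TLS, `message_encrypted` stays false for an ordinary message, which is the "not encrypted at rest" case described above.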

Microsoft has two "built-in" options for actual email encryption. But, only one is practical and both rely on what license you have.

They don't really tell you this up front. Most articles just say that to send an encrypted email, you just do something like:

  1. Compose a new email.
  2. Click Options > Encrypt and select the encryption option.
  3. Send your message as usual.

What you'll find is either you won't be able to find the encryption option or it will say you lack a "certificate." This is mostly because you don't have the correct license. Fear not. Below are the details.

Microsoft built-in option #1:

S/MIME (Secure/Multipurpose Internet Mail Extensions)

This is the option you don't want to deal with unless you're a masochist. :) The setup and maintenance alone are extremely complicated and antiquated. Here are some details:

  • S/MIME requires each user to generate, manage, and maintain public-private key pairs and digital certificates.
  • S/MIME certificates are issued by trusted Certificate Authorities (CAs), which often require payment, particularly for enterprise-grade certificates.
  • If a Certificate Authority is compromised, the entire trust model is undermined.
  • Compatibility issues are common between different email clients or platforms.
  • To exchange encrypted email, you must first exchange public keys or certificates with every single person you wish to exchange encrypted email with.
  • While S/MIME is supported on some mobile platforms, configuration is challenging.
  • S/MIME is not compatible with other email encryption methods such as those based on OpenPGP.

If that doesn't convince you it's not a good choice, here is a Microsoft support article on how to set up S/MIME in the Outlook web app. Take it from people who know. It's a non-starter and you don't have to do it this way.

So, why would anyone use S/MIME to encrypt their Microsoft email?

The only real advantage is, when done properly, S/MIME does offer end-to-end encryption (E2EE) while Microsoft's second built-in choice, Microsoft Purview Message Encryption (OME), does not.

End-to-end encryption is the highest email encryption standard and means that only you and the recipient can decrypt the messages and contents. Even Microsoft cannot.

Without end-to-end encryption, Microsoft maintains access to your email for legal compliance, policy enforcement, etc.

Unfortunately, that could also mean that if there was a data breach, your email and attachments could be vulnerable.

For the record, SecureMyEmail provides MUCH easier access to end-to-end encryption. But, we'll get to that later.

Microsoft built-in option #2:

Microsoft Purview Message Encryption (OME)

Microsoft Purview Message Encryption is the latest "big consolidation" of Microsoft's email security and encryption services and is the only logical choice of the built-in options...once you work out the licensing.

Microsoft Purview Message Encryption is included in:

  • Microsoft 365 Enterprise E3, E5
  • Office 365 Enterprise E3, E5
  • Microsoft 365 Business Premium (basic encryption features)

Only the E5 license (or, you can purchase an add-on if you have an E3 license) has what Microsoft calls "Advanced Message Encryption." This has additional features such as allowing you to set an expiration date for messages, revoke messages, and custom branding.

It's important to note that message expiration and revocation are included in SecureMyEmail, again, at a much lower cost than the Microsoft Enterprise licenses. This is discussed more below.

If you already have the proper license, here is what you do to enable encryption for your organization:

  1. Sign in to the Microsoft 365 Admin Center (admin.microsoft.com) using your administrator credentials.
  2. Navigate to Settings > Org settings > Security & privacy > Encrypt email.
  3. Toggle the option to enable encryption for email communications.

From there on, your users "should" see the encryption options appear.

Microsoft Purview Message Encryption is actually pretty good. But, it's not perfect.

  • Not end-to-end encrypted (still pretty secure, but not as secure as it could be)
  • Little bit clunky for recipients, but not terrible.
  • To access the encrypted email, recipients will need to sign in with a Microsoft account or, if they do not have one, they can request a one-time-passcode.
  • Can be VERY expensive. This is probably the biggest issue. More below.

How do I encrypt Outlook, Outlook.com, or Microsoft 365 Email if I don't have or want a Business Premium or Enterprise (E3, E5) License?

SecureMyEmail is the easiest answer, and it comes with a no-hassle free trial. You could be sending encrypted Microsoft email a few minutes from now. But, if you would like to hear our own journey, read on.

As mentioned, we're a Microsoft customer. As much as we like Google apps, and all the other cool kid apps out there, many of us are Gen X and we love our Word, Excel, and PowerPoint.

Our Microsoft Admin page shows we pay for a plan that is called "Exchange Online (Plan 1)," but is in the "Product Family" of "Office 365 Global," with a "Product SKU" of "Microsoft 365 Apps for Business." :)

Therefore, we "think" what we have now is basically a Microsoft 365 Business Basic account at $6.00/month per user. If you review the Microsoft 365 plans here and jump from Home accounts to Business, you can see what we have.

Our basic plan includes all the Microsoft products we want, but to even get basic email encryption with Microsoft, we would need to buy the Microsoft 365 Business Premium plan at $22.00/month per user. That's a HUGE jump in pricing.

Worse, to get "Advanced Email Encryption" with Microsoft, which, again, has additional features such as allowing you to expire and revoke messages, we would have to jump to an Enterprise plan and spend up to $54.75 a month per user!!

I mean, that's a lot of money. Especially for email that is still not end-to-end encrypted.

Now, those more expensive Microsoft plans come with a lot of other applications you may see a lot of value in, or even need. But, for us, we find our basic Microsoft plan at $6.00 a month (paid annually) to be quite sufficient.

So, what is the cost to add SecureMyEmail to a Microsoft subscription?

Let's do the math using us as the example.

$6.00 for MS Basic Business plan + $2.50/month for email encryption from SecureMyEmail = only $8.50/month. That is a pretty significant savings for email encryption if you don't need the additional applications in the more expensive Microsoft plans. Plus, you get access to end-to-end encryption. Which you want.

Or, even if you do want/need some of the other features offered in the higher cost plans, you can use SecureMyEmail with any of those too with only the additional $2.50/month per user (annual plan) or $3.99/month-to-month.

And, just to break in here really quickly... if you also happen to be in the market for a VPN service, we also offer VPN+SecureMyEmail bundles at very low cost.

It's also important to mention that if you don't have your own email domain, and use outlook.com, or one of the other older Microsoft domains, such as hotmail.com, msn.com, live.com, etc., you can even potentially use SecureMyEmail for free. Forever.

But, affordability is not even the best part. SecureMyEmail comes packed with features to make your email security second-to-none.

Why SecureMyEmail™ is the best way to encrypt email for Microsoft Outlook, Outlook.com, and Microsoft 365 (previously Office 365).

  • Fully integrated with Microsoft. Use your Microsoft sign-in to set up.
  • Immediately send encrypted email to any email address on Earth
  • Zero burden on recipients. No need to download anything, register, or even use a password with our unique password-less option.
  • Beautiful inbox for your recipients to keep all their encrypted messages and reply encrypted back to you, including attached files.
  • Free forever with a single Microsoft email ending in outlook.com, hotmail.com, MSN.com, live.com, including their international variants. Also Gmail.com and Yahoo.com.
  • No hassle 30-day instant free trial for paid plans.
  • Paid plans work with any email address or carrier. Manage all your email accounts in one place.
  • Zero-knowledge End-to-end encryption. No one, not even Microsoft, can access your encrypted email and attachments.
  • Send and Receive your encrypted email from all your devices - Apps for Windows, Mac, iPhone, iPad, and Android included at no cost.
  • Encrypted at rest
  • Attached files are encrypted too.
  • Message Expiration
  • Message Revocation
  • Paid plans are only $2.50/month (with annual subscription) or $3.99/month-to-month.

In Summary

Microsoft is a huge company with many great products and services. But, so much variety can also make things confusing, and potentially expensive. This is especially true when it comes to encrypting email. If you want the easiest and lowest cost way to send encrypted email with your Microsoft Outlook software, Outlook.com, or Microsoft 365 (formerly Office 365) service, SecureMyEmail is the best choice. It's also fully approved and integrated with Microsoft authentication and sign in so the setup is super easy. Feel free to try it right now with an instant 30-day free trial. No payment info, webinar, or talking to a salesman is required.
