How to Encrypt Email in Outlook & Microsoft 365 (2025 Guide)

You will find SO MANY official Microsoft (and third-party blog) articles that supposedly explain what should be a simple question -- how to encrypt an email in Outlook. Unfortunately, most of them are super out of date or totally confusing tech jargon. We know this for a fact because we read about a hundred of them (seemed like a thousand) to figure out how to send an encrypted email with Outlook software, Outlook for Mobile, Outlook.com, Outlook on the web, Microsoft 365, Office 365, and Exchange.

The Good News

Thanks to our painfully exhaustive research we can now not only provide you the best methods to encrypt email in Outlook, and all other Microsoft products and services, but explain why you may not be able to send an encrypted email with your current Microsoft or Outlook setup even though many articles say you should be able to.

Quick Summary (TL;DR)

• Encrypting email in Outlook or Microsoft 365 depends entirely on your license — many users can’t encrypt email because they lack the proper Microsoft subscription.
• You have two real options:
  
  1. Pay for a Microsoft 365 Business Premium, E3, or E5 license (up to $657/year per user) to access Microsoft Purview encryption.
  
  2. Use SecureMyEmail, a Microsoft-approved, low-cost, end-to-end encrypted solution that works with any email address, Outlook included — free for most Microsoft consumer email accounts and just $29.99/year otherwise.
• S/MIME and PGP are outdated and extremely complex — not recommended unless you're very technical or enjoy suffering.
• TLS is not real email encryption — it only encrypts the path, not the message itself, and it can fail without notice.
• SecureMyEmail offers:
  - True end-to-end encryption with no Microsoft license needed
  - Instant setup and beautiful apps for all devices
  - A great experience for recipients — no portals, no passwords
  - Free plan for Outlook.com, Hotmail.com, MSN.com, and Live.com users
• Microsoft Purview is powerful but pricey and not zero-knowledge — Microsoft still holds the encryption keys, and recipient experience can be clunky.
• Other options like Zix and Virtru are enterprise-focused, expensive, or lack full compatibility with non-Microsoft accounts.

👉 Bottom line: Unless you're already paying for a premium Microsoft license, or need the additional tools a premium license offers, SecureMyEmail is the fastest, easiest, and most affordable way to encrypt your Outlook or Microsoft email.

The two most common issues with encrypting email in Outlook

Most Microsoft articles will tell you to simply:

1. Compose a New Email
2. Go to Options
3. Select "Encrypt"

Or, if using web-based email, or mobile Outlook, something very close to the above. The issue is that many Microsoft users will either find they receive an error, or cannot find the encryption option at all. Here's why:

1. Invalid Certificate Error

If you actually see an option to encrypt an email (many of you will not because of the second common issue) you may receive an error like below, or some other reference to a "digital ID" or "certificate."

“Invalid Certificate - Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the email address ‘[myname] @ [company domain].com. Either get a new digital ID to use with this account, or use the Accounts button to send the message using an account that you have certificates for.”

This refers to a type of email encryption called "S/MIME" which Microsoft allows you to use in place of their built-in encryption. 

Our advice? Don't do it. S/MIME is EXTREMELY complicated to set up as well as many other drawbacks which we discuss later. Again, the better options are Microsoft's built-in email encryption (which requires proper license) or SecureMyEmail™. Let's go through the licensing issue.

2. No Encryption Option Available

Many people will discover they can't find an encryption option or button available at all. This is almost certainly because you don't have the correct license in your Microsoft 365, Office 365, Outlook, or Exchange plan. Or, you DID have the proper license, but due to Microsoft reshuffling their products and licensing around, you don't have the correct license anymore. Unfortunately, the new licensing requirements have exploded costs for many users, especially business users, needing an email encryption solution for their Microsoft-managed email.

What are the current best options and costs to encrypt email in Outlook, Microsoft 365 (formerly Office 365), and Exchange?

The best two options are Microsoft's built-in email encryption and SecureMyEmail. Later on, we'll go into greater detail about these options, as well as the bad ones, namely S/MIME, TLS, and PGP. Again, making the best choice really comes down to whether the higher cost of the Microsoft licenses are justified by the other services that are included with them, OR encrypting your email with SecureMyEmail™, and not having to upgrade your Microsoft license, is best for you or your business.

For Personal and Home Users

Microsoft does offer a consumer-grade email encryption service if you have one of the below licenses.

• Microsoft 365 Personal
• Microsoft 365 Family

SecureMyEmail offers a free plan, as well as a low-cost paid plan, with no requirement for a Microsoft license. So, if you are a personal or home user of Microsoft email, here are your best options for email encryption:

Option 1 - Purchase the correct license from Microsoft. This will enable the encryption option.

Option 2 - If your email ends in outlook.com, hotmail.com, MSN.com, or live.com, sign up for SecureMyEmail's "Free Forever" Plan and enjoy free email encryption forever. Yay!

Option 3 - If you have a different email address, or need to encrypt multiple email addresses (even from different providers), sign up for SecureMyEmail's free trial of the premium service and purchase a subscription through the software if you like it. It's that simple.

For Business Users

We need to do a little background here first. Microsoft has been working on a massive consolidation of all their email encryption and protection services under what is now called Microsoft Purview Information Protection. You just know that's not going to be good news.

They started this consolidation with the deprecation of Office 365 Message Encryption (OME) in July 2023. The consolidation continued with not allowing new purchases of the popular Azure Information Protection (AIP) P1 add-on license as of January 2024.

The AIP license had previously allowed email encryption at low cost for many business users, especially those under Exchange plans. The add-on license was also popular with Managed Service Providers (MSPs) managing email encryption for their Microsoft users. Here is a Microsoft Community post detailing the phaseout of the AIP license where it is referred to as a "modernization and integration journey."(yuck)😉

Beyond the confusion this caused, the real issue was the much higher costs. While the AIP add-on plans had only cost $2-3 USD per month per user, the new plans (that allow email encryption under Microsoft's new Purview Message Encryption) cost a GREAT deal more. Some users may be grandfathered in, but new users are not able to purchase the AIP licenses any longer despite what many articles may suggest.

So, at this point, if you are a business using Outlook, Office 365, Microsoft 365, or Exchange for email, the below are your current best options for email encryption:

Option 1 - Microsoft's built-in email encryption (Purview Information Protection)

Purview Information Protection is Microsoft's new consolidated approach to encrypting email in Outlook software, Outlook on the web, and Microsoft 365 (formerly Office 365). It is WAY better than S/MIME, which we will cover again in a sec, but has some limitations.

• For business users, it requires an expensive Business Premium, E3, or E5 Microsoft Enterprise License per user.
• Not end-to-end encrypted like more modern email encryption solutions such as SecureMyEmail and ProtonMail.
• Not Zero-Knowledge (Microsoft can still access all emails and attachments in transit AND when stored/saved) as Microsoft controls all the encryption keys.
• A bit "clunky" in operation for recipients who do not have a Microsoft account, or email ending in gmail.com, as they are forced to request a one-time passcode (OTP) to read every single email they receive. This can be cumbersome in conversations that take more than one email.

But the real issue are the costs. Every user in the organization will need at least a Microsoft 365 Business Premium License (approximately $264 per year per user) or a Microsoft 365 Enterprise License (approximately $405-$657 per year per user).

The good news is that once the licenses are in place, the Administrator should be able to enable Microsoft Purview Information Protection and configure the email encryption options for all users.

Once complete, all Outlook software, Outlook on the Web, Microsoft 365/Office 365, and Outlook Mobile users in the organization should see the option to encrypt emails. Administrators also have a number of tools available for policy management via "sensitivity labels," monitoring email content, and data loss prevention.

It does get complicated fast though, so here are some helpful links: 

https://learn.microsoft.com/en-us/purview/set-up-new-message-encryption-capabilities

https://learn.microsoft.com/en-us/purview/purview-portal

https://learn.microsoft.com/en-us/purview/ome

What licenses include Microsoft Purview Information Protection?

Below is the full list of licenses that include Microsoft Purview Information Protection:

• Microsoft 365 E3
• Microsoft 365 E5 Information Protection and Governance
• Microsoft 365 E5
• Office 365 E3
• Office 365 E5
• Enterprise Mobility and Security E3
• Enterprise Mobility and Security E5
• Microsoft 365 F3 and Business Premium

So, Microsoft's Purview email encryption can be complicated but it is comprehensive. It may not meet expectations of the most security-conscious as it is not end-to-end encrypted, and the experience for recipients can be cumbersome due to many having to wait for a separate one-time passcode (OTP) for every email received. But, it does work.

Probably the biggest decision point are the costs. The Microsoft premium licenses do come with many additional services and features that may be helpful for your business, but they are quite pricey. If you don't need the additional services, and just need email encryption with a simpler approach and end-to-end encryption, SecureMyEmail is the best option.

Option 2 - SecureMyEmail™

SecureMyEmail is a Microsoft-approved email encryption solution that works with ANY (not just Microsoft-managed) email address, business or personal. SecureMyEmail is tied directly into Microsoft's OAuth system so you can use your Microsoft login to set it up seamlessly.

• Super easy setup. You will be sending and receiving encrypted email in minutes.
• Instant 30-Day Free trial with no payment info necessary.
• Free Forever for most Microsoft consumer email users (Outlook.com, Hotmail.com, etc.).
• No Microsoft License required.
• Easy Apps for Windows, Mac, iOS, iPadOS, and Android.
• End-to-End encryption
• Compatible with all email providers
• Great experience for recipients. No downloads, registration, passwords, etc. Very attractive interface. Replies and attachments are encrypted too!
• HIPAA and GDPR Compliant
• Constantly adding new features.

But, perhaps the very best "feature" of SecureMyEmail is the pricing. It's only $3.99/month-to-month or $29.99 a year per user. This allows you to have a lower-cost Microsoft plan, but still have email encryption.

If you are so inclined, you can try SecureMyEmail™ out anytime for free. No payment info, boring webinar, or talking to a salesperson is required. Or, if you want a quote for your business, or have any questions, Contact our Sales Team.

Are there any drawbacks to choosing SecureMyEmail?

Perhaps the only possible drawback, although SecureMyEmail provides better encryption, a better recipient experience, and tremendous cost savings, is that the plugin for Outlook and Microsoft 365 is still being developed. Until it's released, you'll need to use the SecureMyEmail apps to send and read encrypted email. You'll still see the encrypted email in your Microsoft software, but it will be encrypted. Of course, that also means it's working and Microsoft, nor anyone else, can access it. :)

It's not that big a deal as the SecureMyEmail software can be run simultaneously with your existing mail client or webmail. Just leave SecureMyEmail running in a browser tab if you send a lot of encrypted email. Or, because SecureMyEmail is a fully functional email client itself, you're also welcome to use it as your main email software. It's up to you.

Ok, so what about the "other" options to encrypt Outlook and Microsoft email?

Sure. To be comprehensive, let's go through the other options, as well as one that isn't really email encryption at all, although it is promoted as though it is.

1. TLS (Transport Layer Security) - Not really Email Encryption.

Unfortunately, many email providers hype TLS up as "email encryption," or worse, a feature of their service, when in reality it is neither. Because they hype it up, we have to talk about it.

TLS is simply the latest evolution of SSL, a general use internet security protocol created in the 90's. It was developed, and is currently managed, by the IETF (Internet Engineering Task Force), a standards organization for the internet at large. It is NOT anything special Microsoft, or any other email provider, is doing for you. It is a security protocol that anyone running an email server should deploy.

• TLS only *attempts* to encrypt the "path" of an email but not the email or contents themselves.
• Every mail server in the path must support TLS, which many mail servers do not.
• Worse, even servers that represent they support TLS regularly fail (certificate issues, misconfigurations, fallbacks to non-TLS-capable servers, downgrade attacks) leaving your email with zero protection whatsoever.
• The biggest drawback is that TLS provides no protection for the email or contents once they arrive at the destination or are saved/stored at rest.

TLS is definitely an improvement over what was, for decades, ZERO protection for email as it was transmitted over the internet, but that's all. It is not meant to be a substitute for real email security or email encryption. Most importantly, it absolutely does NOT comply with email security and privacy regulations such as HIPAA or CCPA. So don't get yourself in trouble by relying on it.

2. S/MIME (Secure/Multipurpose Internet Mail Extensions)

You can tell by the catchy name, it's going to be super easy and fun.😉 In short, don't do it.

S/MIME is a generally available email security protocol and is what Microsoft offers to encrypt email in Outlook and Microsoft 365 (formerly Office 365) if you don't purchase the more expensive licenses for Microsoft Purview Messaging Encryption.

It's a 1995 technology that is MUCH too complicated for the average user to implement and manage. And, even if you have a huge IT dept., and love wasting money, S/MIME is still an inefficient, unscalable, and antiquated way to encrypt your email.

• Each individual user must install a unique Digital ID (S/MIME Certificate) for EACH email address from which they wish to exchange encrypted email.
• S/MIME certificates must be purchased from a third party Certificate Authority (CA) and the good ones aren't cheap.
• Installation of the Digital ID (S/MIME Certificate) is per device through a complicated export/import procedure.
• You can only send encrypted email to others that have also set up S/MIME AND that you have performed a "certificate exchange" with!
• S/MIME certificates expire every 1-2 years meaning you'll have to buy new ones and do the installs and certificate exchanges all over again. Yippee!

Seriously. Don't even think about S/MIME unless you truly hate yourself.

3. PGP (Pretty Good Privacy)

Ah. There is one in every crowd.🙂  Actually, PGP works great for encryption. If managed properly it is theoretically unbreakable and offers end-to-end encryption. In fact, we use it as the foundation of SecureMyEmail along with symmetrical encryption through the ChaCha Poly-1305 cipher suite. Yes, we're nerds.

The issue is, unless you have a comprehensive program like SecureMyEmail to make it easy, PGP suffers from all the nightmarish complexity and hassles that S/MIME is plagued by.

• Complex Key Management
  Users must generate, exchange, verify, and store public/private keys manually.
• Recipient Must Also Setup and Use PGP
  Encryption only works if both sender and recipient use compatible PGP setups and perform a manual key exchange.
• Limited Mobile and Web Support
  Using PGP on mobile devices or through webmail is clunky, often requiring browser extensions or special apps.
• No Built-in Revocation or Access Control
  PGP offers limited options for expiring messages or revoking access once a message is sent.

Essentially, with S/MIME you are purchasing and managing "certificates." With PGP, you are generating and managing "keys." Unless you have a great deal of spare time, and you, and everyone you want to email, are highly technical, life is too short to mess with raw PGP.

4. Other Third Party Email Encryption Offerings like SecureMyEmail

There are a few other solutions, other than SecureMyEmail, that can encrypt Outlook and Microsoft email. They have their advantages and disadvantages. As is popular today, we'll say you should "do your own research" but this is a quick summary of the best two choices.

a. Zix

Zix is an older email encryption provider. After many years in business, they were acquired by OpenText in 2021 and, according to their website: "Zix Email Encryption is now Webroot™ Advanced Email Encryption powered by Zix™"

Ok. Bit of a mouthful.🙂  Nevertheless, Zix has a long-standing reputation in email encryption so they are certainly worth consideration. If you are a larger business with good IT support and are already using Microsoft Exchange or Microsoft 365, Zix can provide policy-based encryption, as well as archiving, DLP, and secure message tracking. All that does come with some caveats, however:

• Requires server-side setup
  Zix must be integrated at the email gateway level, meaning IT configuration is mandatory. This likely makes it unsuitable for individuals, small businesses, or anyone without technical support. This "gateway approach" is also considered a bit old-fashioned by some. 
• Not true end-to-end encryption
  Zix decrypts messages on its servers before re-encrypting for delivery, meaning your data isn't fully private end-to-end.
• Relies on portals for recipients
  Non-Zix users must access encrypted emails via a web portal, often requiring the hassle of account creation and login.
• No user-level control
  Encryption decisions are typically policy-driven — users can’t choose to encrypt an email on the fly unless predefined triggers exist.
• No mobile apps or native client
  Zix doesn’t offer standalone iOS or Android apps, making mobile access less seamless.

They don't publicly post their pricing or provide a trial, but do allow you to request a demo on their website to see if they are a fit.

b. Virtru

Virtru was founded in 2012 and like SecureMyEmail and Zix, provides encryption services for email, versus offering their own encrypted email service that you would have to switch to, like ProtonMail.

They provide end-to-end encryption and may be a good choice for larger Microsoft customers as they focus on enterprises that use Outlook software, Microsoft 365, and Google Workspace.

Being enterprise-focused, they have a comprehensive array of features that help with compliance, data loss prevention, audit trails, etc. That being said, here are some things you should be aware of that could be drawbacks to using Virtru to encrypt Outlook and Microsoft 365:

• Requires browser extension or plugin
  Virtru depends on add-ons for Gmail and Outlook, which can be a barrier for some users or incompatible in locked-down environments.
• No standalone desktop or mobile app
  There’s no native Virtru email client — users must rely on supported platforms and extensions to encrypt and manage email.
• Limited IMAP support
  Virtru doesn’t offer full IMAP integration or work with other email providers, unlike SecureMyEmail, which supports nearly any IMAP account. This will likely be okay if you only use Microsoft as your email provider, but if you wish to use Outlook software or Microsoft 365 to manage and encrypt other non-Microsoft email providers, Virtru cannot do this.
• More enterprise-focused pricing and setup
  It’s priced for large businesses, not individuals or SMB, and setup is heavier for teams (SSO, policy controls, admin dashboards).
• End-to-end encryption depends on settings
  Some features (like DLP, watermarking) can cause messages to be processed server-side, breaking the full end-to-end encryption model in certain workflows.

Virtru does not offer a free trial but does publicly display their pricing. You can book a demo on their website if you think it might be a match for your needs. 

Summary

Email encryption is more important than ever but figuring out the best way to encrypt email in Microsoft Outlook or Microsoft 365 (formerly Office365) can be difficult.

While Microsoft Purview and legacy tools like S/MIME and PGP offer encryption options, they come with complexity, high licensing costs, or limited usability. TLS, meanwhile, is not a real email encryption solution at all and only protects messages in transit — not after they arrive or when they are at rest, saved, or archived. And, that is if it works at all. :)

In this guide, we compared the top email encryption options available in 2025 — Microsoft Purview, Zix, Virtru, and SecureMyEmail — looking at security, simplicity, compatibility, and cost.

Our take is if you have ample IT budget and resources, and are in need of Data Loss Prevention tools, granular auditing, and monitoring of emails for policy enforcement, that paying Microsoft for a premium license is the best choice, especially if those licenses come with other useful services for your business.

For users seeking true end-to-end encryption, with no IT setup, a wonderful experience for their recipients, and full compatibility with any email address, SecureMyEmail offers a far simpler and much more affordable alternative — including a free trial to get started. And, if you have any questions, whatsoever, or want a quote for multiple users, just email us and we'll get right back to you.