How Microsoft 365 Encrypts Company Emails for Complete Security


The fact that Microsoft 365 encrypts email in transit by default — without needing to configure anything, and without turning to third-party services — is often seen as one of the service’s strong points. The TLS (Transport Layer Security) protocol that Microsoft 365 enables automatically was revolutionary when it first emerged, but today it is ubiquitous, and on its own it only protects a message while it travels between mail servers.

If you want complete control over the security and confidentiality of your company emails (and you do, because the results of a breach could be devastating), you do have a few additional encryption options within Microsoft 365’s ecosystem.

Enabling these more advanced security protocols does not require the use of third-party services, although that, too, is an option for companies who wish to do so.

Company Email Encryption Options Within Microsoft 365

  • Office 365 Message Encryption (OME)

    OME, Microsoft 365’s native encryption protocol, is a secure and easy way to send company emails to outside parties — and it lets users apply strong encryption regardless of the email provider the recipient uses. OME works, for instance, with Gmail, the largest email provider, as well as with any smaller email provider.

    Transport rules are determined by admins, and confidential emails are forwarded in the form of an HTML document that users access through a web portal that requires credentials or a one-time password.

    No special software is needed to make it work.
  • Information Rights Management (IRM)

    This security protocol additionally allows admins to prevent confidential company emails from being forwarded to outsiders or being printed.
  • S/MIME, or Secure/Multipurpose Internet Mail Extensions

    This is an encryption system based on a key pair: a public key used to encrypt and a private key, held only by the recipient, used to decrypt. This ensures that only the intended recipient can view the contents of the email.

Benefits of Advanced Email Encryption Options in Microsoft 365

Each of the encryption options Microsoft 365 offers serves a specific purpose.

  • OME is, for instance, recommended in situations where confidential information is sent to third parties — like clients or patients. This protocol doesn’t require the recipient to use a Microsoft 365 account.
  • IRM prevents confidential information from leaking as a result of recipients forwarding or printing confidential information.
  • S/MIME is most commonly used for extremely sensitive information, such as communication with government agencies.

While the configuration of these company email encryption options requires a skilled admin, they offer an additional layer of security that all but guarantees that your emails are as confidential as you need them to be.

Data at rest is, meanwhile, protected through BitLocker Drive Encryption, preventing malicious actors from reading your sensitive data while it is stored rather than in transit.

Want to learn how to improve your organization’s security?

Our comprehensive MSP solution not only covers email security but also considers your entire company’s IT risk assessment.

What Settings Should Be Enabled for More Secure Company Email?

To further protect confidential company emails, users should be required to enable MFA, or multifactor authentication. Microsoft 365 pairs well with secure hardware tokens such as YubiKeys, which offer more security than 2FA codes delivered by text message.

Mailbox audit logging should be enabled, as well as SPF, DKIM, and DMARC to stop would-be impersonators in their tracks. POP3, IMAP4, and automatic forwarding should be disabled. Most importantly of all, employees should be given regular security awareness training — because no email encryption option is impenetrable on its own, and human error will always pose a threat unless your workforce is kept up to date.
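The settings listed above can be checked against a tenant with Exchange Online PowerShell. The read-only audit script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with an Exchange admin account, and that the placeholder domain "contoso.com" is replaced with one of your accepted domains.

```powershell
# Added example: report gaps against the recommended Microsoft 365 email settings.
# Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has been run.
param(
    [string]$Domain = "contoso.com"   # placeholder: replace with your own accepted domain
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Mailboxes that still allow POP3 or IMAP4 (legacy protocols the article says to disable)
#    Remediation: Set-CASMailbox -Identity <user> -PopEnabled $false -ImapEnabled $false
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
foreach ($m in $legacy) {
    $findings.Add("POP/IMAP enabled: $($m.PrimarySmtpAddress) (POP=$($m.PopEnabled), IMAP=$($m.ImapEnabled))")
}

# 2. Automatic forwarding to external recipients (outbound spam policy and default remote domain)
#    Remediation: Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
$spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
if ($spam.AutoForwardingMode -ne 'Off') {
    $findings.Add("Outbound spam policy AutoForwardingMode is '$($spam.AutoForwardingMode)', expected 'Off'")
}
$remote = Get-RemoteDomain -Identity Default
if ($remote.AutoForwardEnabled) {
    $findings.Add("Remote domain 'Default' still allows auto-forwarding")
}

# 3. Mailbox audit logging at the organisation level
#    Remediation: Set-OrganizationConfig -AuditDisabled $false
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    $findings.Add("Mailbox auditing is disabled organisation-wide (AuditDisabled = True)")
}

# 4. DKIM signing enabled per domain, and SPF / DMARC records published in DNS
Get-DkimSigningConfig | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("DKIM signing not enabled for $($_.Domain)")
}
$txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
if (-not ($txt.Strings -match '^v=spf1')) { $findings.Add("No SPF record found for $Domain") }
$dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
if (-not ($dmarc.Strings -match '^v=DMARC1')) { $findings.Add("No DMARC record found for $Domain") }

# Report: one line per gap, nothing changed in the tenant
if ($findings.Count -eq 0) { "No gaps found against the recommended settings." }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reads configuration; the commented remediation cmdlets show the corresponding fix for each check so changes can be reviewed before they are applied.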