Overview
The purpose of this document is to provide guidance regarding encrypting emails to users of the University of Pittsburgh’s approved email system, Microsoft Outlook. University of Pittsburgh faculty, staff, and students must encrypt emails anytime restricted or private data, as defined by the University’s Data Risk Classification, is sent via email.
Encryption Options
Outlook for Windows, Outlook for Mac, and Outlook on the web provide several encryption options:
1. Encrypt-Only – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption, so forwards and replies to the message remain encrypted.
2. Do Not Forward – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients can read this message but cannot forward, print, or copy content. The conversation owner retains full access to their messages and all replies.
3. University of Pittsburgh – Confidential – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. This content is proprietary information intended for internal (Pitt) recipients only. External recipients will not be able to open the message.
4. University of Pittsburgh – Confidential View Only – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. This content is proprietary information intended for internal (Pitt) recipients only. External recipients will not be able to open the message. Additionally, this content cannot be modified, copied, or printed.
Encryption Details
Outlook: Desktop Client
The Encrypt-Only option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption. The entire email thread will remain encrypted.
If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”
Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.
For this example, the recipient selected the one-time passcode option and received the following email.
The recipient then enters the one-time passcode.
The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply, reply all, forward, and print.
When the initial email is sent encrypted, the entire chain of emails, including responses, will remain encrypted.
The Do Not Forward option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. This option allows the recipients to read the message, but the recipients cannot forward, print, or copy content.
If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”
Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.
For this example, the recipient selected the one-time passcode option and received the following email.
The recipient then enters the one-time passcode.
The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply, reply all, and print. However, the recipient cannot forward the message.
The University of Pittsburgh – Confidential option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. In addition, only email recipients with a pitt.edu email address may access the email. This content can be modified, copied, and printed.
If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”
Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.
For this example, the recipient selected the one-time passcode option and received the following email.
The recipient then enters the one-time passcode.
If the message was sent to an email address outside of pitt.edu, the recipient will get the following message and cannot access the email.
If the message were sent to a pitt.edu email address, the recipient would be able to access the email from Outlook. The recipient can also forward to other pitt.edu email addresses, reply, reply to all, and print.
The University of Pittsburgh – Confidential View Only option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. In addition, only email recipients with a pitt.edu email address may access the email. This content cannot be modified, copied, or printed.
If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”
Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.
For this example, the recipient selected the one-time passcode option and received the following email.
The recipient then enters the one-time passcode.
If the message was sent to an email address outside of pitt.edu, the recipient will get the following message and cannot access the email.
If the message were sent to a pitt.edu email address, the recipient would be able to access the email from Outlook. However, the recipient will not be able to forward to any email addresses (even pitt.edu addresses), reply, reply to all, or print. Even screenshots will only produce a blank screen.
Outlook: Outlook on the Web
To access Outlook on the web, log in to office.com using your University of Pittsburgh credentials, click the three dots in the upper right, and click Outlook.
Once you are in Outlook, click New message.
A blank email will appear; you can then click Encrypt.
Once you click Encrypt, you will see a message that says, “Encrypt: This message is encrypted. Recipients can’t remove encryption. Change permissions | Remove encryption.”
If you click Change permissions, the following box will appear. It offers the same options as the Outlook desktop client and operates in the same way.
Recipients then follow the processes described in the Outlook desktop client section to access the secured emails.
Email Attachment Encryption Summary
The last three columns give the behavior by Recipient’s Email Service and Client.

| Encryption Option | Attachment Type | University of Pittsburgh Outlook.com and Microsoft 365 Accounts | Non-University of Pittsburgh Outlook.com and Microsoft 365 Accounts | Mail Services Other Than Outlook.com and Microsoft 365 Accounts |
|---|---|---|---|---|
| Encrypt-Only | Microsoft Office attachments (e.g., Word, Excel, PowerPoint files) | Attachments can be downloaded without encryption. | Attachments can be downloaded without encryption. | A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal. |
| Encrypt-Only | Other attachment types | Attachments can be downloaded without encryption. | Attachments can be downloaded without encryption. | A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal. |
| Do Not Forward | Microsoft Office attachments (e.g., Word, Excel, PowerPoint files) | Encrypted Office attachments can be opened in Microsoft Office across platforms. If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access. | Encrypted Office attachments can be opened in Microsoft Office across platforms. If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access. | A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal. Encrypted Office attachments can be opened in Microsoft Office across platforms. If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access. |
| Do Not Forward | Other attachment types | Attachments can be downloaded without encryption. | Attachments can be downloaded without encryption. | A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal. Attachments can be downloaded without encryption. |
| University of Pittsburgh - Confidential | Microsoft Office attachments (e.g., Word, Excel, PowerPoint files) | Attachments can be downloaded but cannot be opened unless the recipient is signed into Office 365 with a University of Pittsburgh account. | The recipient cannot access the email. | The recipient cannot access the email. |
| University of Pittsburgh - Confidential | Other attachment types | Any user can open attachments without restriction. | The recipient cannot access the email. | The recipient cannot access the email. |
| University of Pittsburgh - Confidential View Only | Microsoft Office attachments (e.g., Word, Excel, PowerPoint files) | Attachments cannot be opened unless the recipient is signed into Office 365 with a University of Pittsburgh account. The recipient cannot edit or save the document with Microsoft Office. | The recipient cannot access the email. | The recipient cannot access the email. |
| University of Pittsburgh - Confidential View Only | Other attachment types | Any user can open attachments without restriction. | The recipient cannot access the email. | The recipient cannot access the email. |
Other Email Encryption Options
Other options for encrypting emails or email files include using digital certificates to encrypt email messages and using SecureZIP to encrypt email files. Below are links for more information on these other options: