Outlook Email Encryption Security Guide

Overview

This document provides guidance to users of the University of Pittsburgh’s approved email system, Microsoft Outlook, on proper encryption practices required for securing email communications. University of Pittsburgh faculty, staff, and students must encrypt messages anytime restricted or private data is sent via email, as defined by the University’s Data Risk Classification and Compliance Operating Standard.

Encryption Options

Outlook for Windows, Outlook for Mac, and Outlook on the web provide a few built-in encryption options:

1. Encrypt – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption, so forwards and replies to the message remain encrypted.

2. Do Not Forward – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients can read this message but cannot forward, print, or copy content. The conversation owner retains full access to their messages and all replies.

Pitt Digital also publishes several sensitivity labels that can be used to encrypt and further protect email messages. More details about these labels and how to use them can be found in Pitt Digital's Data Sensitivity Labels Security Guide.

Encryption Details

Outlook: Desktop Client

The Encrypt option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption. The entire email thread will remain encrypted.

Outlook desktop client ribbon showing the Encrypt option highlighted under the Options tab

If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”

Encrypted message notification email received by an external recipient with a “Read the message” button

Next, the recipient will need to either sign in with an email provider ID or use a one-time passcode.

Microsoft sign-in prompt offering options to sign in with a Microsoft account or request a one-time passcode

For this example, the recipient selected the one-time passcode option and received the following email.

Email containing a one-time passcode sent to the recipient to verify their identity and access the encrypted message

The recipient then enters the one-time passcode.

One-time passcode entry screen where the recipient types the code received in their email

The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply, reply all, forward, and print.

Encrypted email displayed in Outlook on the web, showing reply, reply all, forward, and print options available to the recipient

When the initial email is sent encrypted, the entire chain of emails, including responses, will remain encrypted.

The Do Not Forward option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. This option allows the recipients to read the message, but the recipients cannot forward, print, or copy content.

Outlook desktop client ribbon showing the Do Not Forward option highlighted under the Options tab

If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”

Encrypted message notification email received by an external recipient with a “Read the message” button

Next, the recipient will need to either sign in with an email provider ID or use a one-time passcode.

Microsoft sign-in prompt offering options to sign in with a Microsoft account or request a one-time passcode

For this example, the recipient selected the one-time passcode option and received the following email.

Email containing a one-time passcode sent to the recipient to verify their identity and access the encrypted message

The recipient then enters the one-time passcode.

One-time passcode entry screen where the recipient types the code received in their email

The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply or reply all. However, the recipient cannot forward the message or print it.

Encrypted email displayed in Outlook on the web, showing reply and reply all options but no forward or print options available to the recipient

Outlook: Outlook on the Web

To access Outlook on the web, log in to office.com using your University of Pittsburgh credentials, click on Apps in the left side panel, and click Outlook.

Office.com homepage with the Apps menu open in the left panel and Outlook highlighted

Once you are in Outlook, click New.

Outlook on the web interface with the New message button highlighted in the upper left corner

In the blank email window, click Options, then Encrypt, to choose between the Encrypt and Do Not Forward options.

New message compose window in Outlook on the web showing the Options menu open with Encrypt selected, revealing Encrypt and Do Not Forward choices

From there, the behavior is the same as within the Outlook desktop client.

Email Attachment Encryption Summary

Encryption Option: Encrypt-Only

Attachment Type: Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)

Recipient’s Email Service and Client:

University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Attachments can be downloaded without encryption.

Non-University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Attachments can be downloaded without encryption.

Mail Services Other Than Outlook.com and Microsoft 365 Accounts – A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.

Attachment Type: Other attachment types

Recipient’s Email Service and Client:

University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Attachments can be downloaded without encryption.

Non-University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Attachments can be downloaded without encryption.

Mail Services Other Than Outlook.com and Microsoft 365 Accounts – A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.

Encryption Option: Do Not Forward

Attachment Type: Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)

Recipient’s Email Service and Client:

University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Encrypted Office attachments can be opened in Microsoft Office across platforms. If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.

Non-University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Encrypted Office attachments can be opened in Microsoft Office across platforms. If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.

Mail Services Other Than Outlook.com and Microsoft 365 Accounts – A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal. Encrypted Office attachments can be opened in Microsoft Office across platforms. If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.

Attachment Type: Other attachment types

Recipient’s Email Service and Client:

University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Attachments can be downloaded without encryption.

Non-University of Pittsburgh Outlook.com and Microsoft 365 Accounts – Attachments can be downloaded without encryption.

Mail Services Other Than Outlook.com and Microsoft 365 Accounts – A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal. Attachments can be downloaded without encryption.

Other Email Encryption Options

Other options for encrypting emails or email files include applying sensitivity labels, using digital certificates to encrypt email messages, and using SecureZIP to encrypt email files and attachments. Below are links for more information on these other options:
