Overview
This document provides guidance to users of the University of Pittsburgh’s approved email system, Microsoft Outlook, on proper encryption practices required for securing email communications. University of Pittsburgh faculty, staff, and students must encrypt messages anytime restricted or private data is sent via email, as defined by the University’s Data Risk Classification and Compliance Operating Standard.
Encryption Options
Outlook for Windows, Outlook for Mac, and Outlook on the web provide a few built-in encryption options:
1. Encrypt – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption, so forwards and replies to the message remain encrypted.
2. Do Not Forward – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients can read this message but cannot forward, print, or copy content. The conversation owner retains full access to their messages and all replies.
Pitt Digital also publishes several sensitivity labels that can be used to encrypt and further protect email messages. More details about these labels and how to use them can be found in Pitt Digital's Data Sensitivity Labels Security Guide.
Encryption Details
Outlook: Desktop Client
The Encrypt option will encrypt the email message in both transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption. The entire email thread will remain encrypted.
If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”
Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.
For this example, the recipient selected the one-time password option and received the following email.
The recipient then enters the one-time passcode.
The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply, reply all, forward, and print.
When the initial email is sent encrypted, the entire chain of emails, including responses, will remain encrypted.
The Do Not Forward option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. This option allows the recipients to read the message, but the recipients cannot forward, print, or copy content.
If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”
Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.
For this example, the recipient selected the one-time password option and received the following email.
The recipient then enters the one-time passcode.
The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply or reply all. However, the recipient cannot forward the message or print it.

Outlook: Outlook on the Web
To access Outlook on the web, log in to office.com using your University of Pittsburgh credentials, click on Apps in the left side panel, and click Outlook.
Once you are in Outlook, click New.
In the blank email window, click Options and Encrypt to select between the Encrypt and Do Not Forward options.
From there, the behavior is the same as within the Outlook desktop client.
Email Attachment Encryption Summary
|
Encryption Option
|
Attachment Type
|
Recipient’s Email Service and Client
|
|
University of Pittsburgh
Outlook.com and Microsoft 365 Accounts
|
Non-University of Pittsburgh
Outlook.com and Microsoft 365 Accounts
|
Mail Services Other Than
Outlook.com and Microsoft 365 Accounts
|
|
Encrypt-Only
|
Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)
|
Attachments can be downloaded without encryption.
|
Attachments can be downloaded without encryption.
|
A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.
|
|
Other attachment types
|
Attachments can be downloaded without encryption.
|
Attachments can be downloaded without encryption.
|
A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.
|
|
Do Not Forward
|
Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)
|
Encrypted Office attachments can be opened in Microsoft Office across platforms.
If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.
|
Encrypted Office attachments can be opened in Microsoft Office across platforms.
If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.
|
A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.
Encrypted Office attachments can be opened in Microsoft Office across platforms.
If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.
|
|
Other attachment types
|
Attachments can be downloaded without encryption.
|
Attachments can be downloaded without encryption.
|
A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.
Attachments can be downloaded without encryption.
|
Other Email Encryption Options
Other options for encrypting emails or email files include applying sensitivity labels, using digital certificates to encrypt email messages, and using SecureZIP to encrypt email files and attachments Below are links for more information on these other options: