Outlook Email Encryption Security Guide

Overview

The purpose of this document is to provide guidance regarding encrypting emails to users of the University of Pittsburgh’s approved email system, Microsoft Outlook. University of Pittsburgh faculty, staff, and students must encrypt emails anytime restricted or private data, as defined by the University’s Data Risk Classification, is sent via email.

 

Encryption Options

Outlook for Windows, Outlook for Mac, and Outlook on the web provides several encryption options:

1. Encrypt-Only – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption, so forwards and replies to the message remain encrypted.

2. Do Not Forward – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. Recipients can read this message but cannot forward, print, or copy content. The conversation owner retains full access to their messages and all replies.

3. University of Pittsburgh – Confidential – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. This content is proprietary information intended for internal (Pitt) recipients only. External recipients will not be able to open the message.

4. University of Pittsburgh – Confidential View Only – The message is encrypted in transit and at rest in the recipient’s mailbox, including any attachments. This content is proprietary information intended for internal (Pitt) recipients only. External recipients will not be able to open the message. Additionally, this content cannot be modified, copied, or printed.

 

Encryption Details

Outlook: Desktop Client

The Encrypt-Only option will encrypt the email message in both transit and at rest in the recipient’s mailbox, including any attachments. Recipients cannot remove the encryption. The entire email thread will remain encrypted.

sample screenshot

If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”

sample screenshot

Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.

sample screenshot

For this example, the recipient selected the one-time password option and received the following email.

sample screenshot

The recipient then enters the one-time passcode.

sample screenshot

The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply, reply all, forward, and print.

sample screenshot

When the initial email is sent encrypted, the entire chain of emails, including responses, will remain encrypted.

The Do Not Forward option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. This option allows the recipients to read the message, but the recipients cannot forward, print, or copy content.

sample screenshot

If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”

sample screenshot

Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.

sample screenshot

For this example, the recipient selected the one-time password option and received the following email.

sample screenshot

The recipient then enters the one-time passcode.

sample screenshot

The recipient can now view the encrypted message within Outlook.office365.com. The recipient also has the option to reply, reply all, and print. However, the recipient cannot forward the message.

sample screenshot

This option will encrypt the email message both in transit and at rest in the recipient’s mailbox, including any attachments. In addition, only email recipients with a pitt.edu email address may access the email. This content can be modified, copied, and printed.

sample screenshot

If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”

sample screenshot

Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.

sample screenshot

For this example, the recipient selected the one-time password option and received the following email.

sample screenshot

The recipient then enters the one-time passcode.

sample screenshot

 

If the message was sent to an email address outside of pitt.edu, the recipient will get the following message and cannot access the email.

sample screenshot

If the message were sent to a pitt.edu email address, the recipient would be able to access the email from Outlook. The recipient can also forward to other pitt.edu email addresses, reply, reply to all, and print.

sample screenshot

This option will encrypt the email message in both transit and at rest in the recipient’s mailbox, including any attachments. In addition, only email recipients with a pitt.edu email address may access the email. This content cannot be modified, copied, or printed.

sample screenshot

If the recipient uses a compliant email client (e.g., Outlook desktop or mobile) and is signed into Office 365, the message will be visible. Otherwise, the recipient will receive the following email and will need to click on “Read the message.”

sample screenshot

Next, the recipient will need to either sign in with an email provider ID or a one-time passcode.

sample screenshot

For this example, the recipient selected the one-time password option and received the following email.

sample screenshot

The recipient then enters the one-time passcode.

sample screenshot

If the message was sent to an email address outside of pitt.edu, the recipient will get the following message and cannot access the email.

sample screenshot

If the message were sent to a pitt.edu email address, the recipient would be able to access the email from Outlook. However, the recipient will not be able to forward to any email addresses, even pitt.edu addresses, reply, reply to all, and print. Even screenshots will only produce a blank screen.

 

Outlook: Outlook on the Web

To access Outlook on the web, log in to office.com using your University of Pittsburgh credentials, click the three dots in the upper right, and click Outlook.

sample screenshot

Once you are in Outlook, click New message.

sample screenshot

A blank email will appear, then you can click Encrypt.

sample screenshot

Once you click Encrypt, you will see a message that says, “Encrypt: This message is encrypted. Recipients can’t remove encryption. Change permissions | Remove encryption.”

sample screenshot

If you click change permissions, the following box will appear. It offers the same options as the Outlook desktop client and operates in the same way.

sample screenshot

The processes listed in the Outlook desktop client are then followed to access the secured emails.

 

Email Attachment Encryption Summary

Encryption Option

Attachment Type

Recipient’s Email Service and Client

University of Pittsburgh

Outlook.com and Microsoft 365 Accounts

Non-University of Pittsburgh

Outlook.com and Microsoft 365 Accounts

Mail Services Other Than

Outlook.com and Microsoft 365 Accounts

Encrypt-Only  

Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)

Attachments can be downloaded without encryption.

Attachments can be downloaded without encryption.

A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.

Other attachment types

Attachments can be downloaded without encryption.

Attachments can be downloaded without encryption.

A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.

Do Not Forward

Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)

Encrypted Office attachments can be opened in Microsoft Office across platforms.

If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.

Encrypted Office attachments can be opened in Microsoft Office across platforms.

If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.

A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.

Encrypted Office attachments can be opened in Microsoft Office across platforms.

If the attachments are downloaded and sent to another recipient, the recipient will not be able to open the attachments but has the option to request access.

Other attachment types

Attachments can be downloaded without encryption.

 

Attachments can be downloaded without encryption.

 

A Microsoft encryption compliant client or temporary passcode is required to access the email and download attachments from the Microsoft 365 Message Encryption portal.

Attachments can be downloaded without encryption.

University of Pittsburgh - Confidential

Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)

Attachments can be downloaded but cannot be opened unless the recipient is signed into Office 365 with a University of Pittsburgh account.

The recipient cannot access the email.

The recipient cannot access the email.

Other attachment types

Any user can open attachments without restriction.

The recipient cannot access the email.

The recipient cannot access the email.

University of Pittsburgh - Confidential View Only

Microsoft Office attachments (e.g., Word, Excel, PowerPoint files)

Attachments cannot be opened unless the recipient is signed into Office 365 with a University of Pittsburgh account.

The recipient cannot edit or save the document with Microsoft Office.

The recipient cannot access the email.

The recipient cannot access the email.

Other attachment types

Any user can open attachments without restriction.

 

The recipient cannot access the email.

The recipient cannot access the email.

 

Other Email Encryption Options

Other options for encrypting emails or email files include using digital certificates to encrypt email messages and using SecureZIP to encrypt email files. Below are links for more information on these other options:

Print Article

Details

Article ID: 1557
Created
Tue 6/18/24 8:23 AM
Modified
Thu 8/22/24 9:29 AM