How to Send an Encrypted Email on Outlook

August 01, 2020

1:00-2:00AM PST

Widely utilized across nearly every corner of the business world, Outlook is a prominent tool through which “organizations send emails, plan meetings and share files.” However, the popularity and versatility of Outlook necessitate the implementation of effective security measures in order to properly protect sensitive and valuable user data. Encryption, which has become the data protection industry standard, can take numerous forms. Outlook offers three different native encryption options, all of which are dependent on both the recipient and the email account being used: (1) the use of digital IDs, (2) Office 365 Message Encryption, or OME, and (3) the use of email encryption add-ins.

Using Digital IDs

This encryption option is available with any email account that has been added to Outlook. “A Digital ID is an electronic signature that you can use to ‘sign’ your messages, to prove that the sender is in fact you and you alone.” The use of digital IDs requires that the recipient use either Outlook or another S/MIME-compatible email option. Both the sender and recipient must install and share encryption certificates as well. It is critical to verify that each recipient has an email encryption certificate or other S/MIME-compatible email application installed and that the certificate is shared with the sender. This option cannot be properly utilized if the desired recipient uses a free webmail provider such as Yahoo, Gmail, etc.

Initial Setup

The initial setup of digital IDs is considered to be rather difficult because both the sender and recipient must buy and install certificates. The first step is to purchase an email encryption certificate, import it into Outlook, and then share it with the intended recipient. Individuals are encouraged to purchase these certificates from one of three Certificate Authorities (CAs) recommended by Microsoft: Comodo, GlobalSign, and IdenTrust. Nevertheless, these certificates can also be purchased from other CAs. The most important thing to keep in mind when obtaining this certificate is to ensure that it is an email security certificate (often referred to as an S/MIME email certificate or secure email certificate) rather than an SSL certificate.
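One way to confirm that a certificate is an email (S/MIME) certificate rather than an SSL certificate is to ask OpenSSL which purposes its key usage and extended key usage allow. The script below is an added example, not part of the original article; classify_cert and make_sample_cert are hypothetical helper names, and the three certificates it generates are constructed, throwaway test data.

```shell
#!/bin/sh
# Added example (not from the original page). classify_cert and make_sample_cert
# are hypothetical helper names; the sample certificates are constructed test data.

# Print "smime", "smime-sign-only", "smime-encrypt-only" or "not-smime" for a PEM
# certificate, using OpenSSL's own evaluation of its key usage and EKU.
classify_cert() {
    purposes=$(openssl x509 -in "$1" -noout -purpose 2>/dev/null) || { echo unreadable; return 0; }
    sign=no; enc=no
    if printf '%s\n' "$purposes" | grep -q '^S/MIME signing : Yes'; then sign=yes; fi
    if printf '%s\n' "$purposes" | grep -q '^S/MIME encryption : Yes'; then enc=yes; fi
    case "$sign/$enc" in
        yes/yes) echo smime ;;
        yes/no)  echo smime-sign-only ;;      # others cannot encrypt to this key
        no/yes)  echo smime-encrypt-only ;;
        *)       echo not-smime ;;            # e.g. a TLS server certificate
    esac
}

# Build a throwaway self-signed certificate: $1 = output PEM, $2 = keyUsage, $3 = EKU.
make_sample_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Sample User
emailAddress = user@example.test
[ext]
keyUsage = critical, $2
extendedKeyUsage = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/mail.pem" "digitalSignature, keyEncipherment" emailProtection
    make_sample_cert "$dir/sign.pem" digitalSignature emailProtection
    make_sample_cert "$dir/tls.pem" "digitalSignature, keyEncipherment" serverAuth
    for f in mail sign tls; do
        printf '%s: %s\n' "$f" "$(classify_cert "$dir/$f.pem")"
    done
    rm -rf "$dir"
}
demo
```

For the password-protected .pfx/.p12 file that a CA delivers, extract the certificate first with `openssl pkcs12 -in FILE -clcerts -nokeys -out cert.pem`, then pass cert.pem to classify_cert.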

After this certificate is purchased, a file including the certificate and the password required to import said certificate will be received. At this point:

  • Both the certificate and password should be backed up, in the event that the individual’s computer or hard drive sustains damage, or Outlook email encryption needs to be installed on an additional device. Previously sent or received encrypted emails will not be able to be accessed if a certificate is lost. Furthermore, obtaining a replacement certificate will create unnecessary work for recipients, requiring them to update the sender’s old certificate with the new one.
  • The certificate should be imported into Outlook. In order to do so, (1) click File in the top left of the application; (2) click Options; (3) click Trust Center in the new window that appears; (4) click Trust Center Settings; (5) click Email Security, found in the left pane of the window; (6) and then click Import/Export, found under the heading Digital IDs (Certificates). This will prompt a new window to appear. After confirming that Import existing ID from file is selected, (7) click Browse to search for the certificate file. Once the correct file is located, (8) enter the password linked with the certificate and press OK.
  • The certificate should be shared with each recipient. Individuals should send “a digitally signed message to each email recipient to whom you intend to send encrypted email in the future.” This is done in Outlook by (1) composing a new email, (2) clicking Options in the top menu bar of the new message window, (3) clicking the icon next to More Options, (4) and then clicking Security Settings in the new Properties window that appears. Following this, select Add digital signature to this message within the Security Properties window. To confirm that the correct certificate is being used to sign the message, (5) click Change Settings. Next, (6) click OK and exit the Properties window. Finally, (7) send the message to its intended recipients. In this message, individuals might wish to include instructions to assist the recipient in adding the sender’s certificate to their contact data within their address book.

With the initial setup completed, the public key element of the sender’s certificate is sent, enabling others to encrypt messages that they might send to this individual. In this instance, you -- the intended recipient -- would be the only party capable of decrypting such a message by utilizing the private key imported exclusively within your Outlook application.

Sending Encrypted Emails

In order to send an encrypted message to a recipient, it is necessary that you have the public key portion of their email encryption certificate. Recipients’ certificates can be added to your contact data rather easily when adhering to the following:

  • Open the recipient’s message, which they have digitally signed using their email encryption certificate.
  • Next, right-click on the sender’s name where it appears in the From field and press Add to Outlook Contacts.
  • Click Certificates in the top ribbon of the new contact card window that appears.
  • This contact card should present you with a list of certificates, one being the certificate for that contact. When this specific certificate is selected, a message will appear which describes how the certificate can be utilized to encrypt messages sent to this contact.

Once the certificate is added to the contact card, you may proceed with sending an encrypted email to this user. To do so:

  • Click Options in the window that appears when you compose a new message.
  • Click the icon located beside More Options.
  • Click Security Settings in the Properties window that appears. Then, select Encrypt message contents and attachments. Next, click OK and close out of the window.
  • Complete your message, add any attachments, and click Send.

By following the aforementioned steps, your email will be successfully encrypted, and “any copies of the email message saved on intermediate email servers are also encrypted since only your recipient has the certificate with the private key to decrypt this message.” However, it is important to note that this encryption approach is prone to security vulnerabilities. An attacker can impersonate you, intercepting your message and adding in their own signature, in an approach known as a message takeover attack. Although the attacker will not be able to decrypt your original message, this interception allows for the successful decryption of replies and subsequent messages on a given email thread.

Recipients Opening Encrypted Emails

Outlook will prevent you from sending messages to recipients for whom you haven’t obtained certificates. With that being said, you can rest assured that the intended recipient has the necessary certificate to decrypt your encrypted email if Outlook allows the message to be sent. Since the Outlook application performs automatic decryption, recipients may need to open encrypted messages on their desktop rather than on a mobile device. Furthermore, if the recipient decides to reply to the encrypted email, their reply will be automatically encrypted as long as they have added your certificate to their address book.

Pricing and Features

Email encryption certificates from the CAs approved and recommended by Microsoft vary greatly in price. And the cost of a certificate is recurring, as it must be renewed annually. Moreover, a certificate is required for each user within an organization. Thus, each certificate must be paid for separately. Additionally, the use of digital IDs requires the recipient to purchase a certificate as well.

This method of encryption is encouraged in cases where recipients request it directly, as it can be rather complicated and costly. In cases where organizations work with government entities or large enterprise clients, this encryption method may be required. More often than not, small businesses do not have the expertise nor the resources to obtain and install email encryption certificates.

Office 365 Message Encryption (OME)

With Office 365 Message Encryption (OME), users can send encrypted emails to virtually any email address. In other words, the intended recipient is not required to use Outlook or have any email encryption certificates installed. However, OME does have two limitations:

  • Only Microsoft email account users, set up as part of an Office 365 subscription, can utilize OME.
  • This encryption method requires the recipient to carry out some additional steps with each encrypted email received. Usually, the recipient must request a special code that will be sent via an additional email. Then, they will have to input this code into a field displayed on the webpage of the encrypted email.

Initial Setup

The first step to setting OME is to upgrade your Office 365 subscription plan to a plan that includes Office 365 Message Encryption. The most popular Office 365 plans, Office 365 Business Essentials, Office 365 Business Premium, and even Office 365 Enterprise E1 do not include OME. So, in order to reap the benefits of OME, you must upgrade your plan to one of the following: Office 365 Enterprise E3 or E5, Microsoft Enterprise E3 or E5, Microsoft 365 Business, Office 365 A1, A3, or A5, or Office 365 Government G3 or G5. Another option is to add Azure Information Protection Plan 1 to your Office 365 subscription, but this is typically a very pricey and complicated solution.

After you’ve upgraded your Office 365 subscription, you can confirm that OME is accessible by proceeding with one of the following options:

  • Visit and sign in under your Office 365 subscription. When you begin composing a new message, the Encrypt button in the top menu should appear enabled.
  • Start/restart the Outlook application, which must be the upgraded Outlook ProPlus, on your computer and begin composing a new message. Click Options, located in the top menu, and the Encrypt button should appear enabled.

Once you have confirmed that OME is enabled, you are all set to begin sending encrypted emails.

Sending Encrypted Emails

Sending encrypted emails with OME is much simpler than sending encrypted emails with certificates or the S/MIME method. This is, in part, thanks to the Outlook Encrypt button located within the Options menu of the new message window. To send an email with this method of encryption:

  • Begin by composing a new email.
  • Next, click Options (located in the top menu) and then select Encrypt.
  • Then, a message should appear informing you that the message will be encrypted.
  • Lastly, complete the email and click Send.

Recipients Opening Encrypted Emails

When your recipient receives your OME encrypted email, they do not receive the email content or attachments. Instead, they receive an email that readies them to read the protected message. Once the recipient clicks Read the message, they are taken to a new web page that prompts them to sign in with their work or school affiliated Office 365 account or to sign in with a one-time passcode. Users can only sign in with their work or school affiliated Office 365 account if it is the same account that the email was sent to. However, users of free webmail providers like Yahoo and Google will be prompted to sign in to their accounts on those platforms.

If neither of these is the case, recipients must sign in with a one-time code. An additional web page will appear requiring a passcode that will be sent to the user by a Microsoft email address. Once this code is received, it should be copied into the field on the web page. Next, they will click Continue, which decrypts your secure message and attachments. Do keep in mind that any attachments must be manually downloaded in order to be properly accessed after decryption.

Pricing and Features

The cost of OME is purely the cost of upgrading your Office 365 subscription, so the added cost can vary considerably depending on your initial plan. For this reason, OME is considered to be one of the more pricey email encryption solutions on the market.

With that being said, OME is quite a user-friendly option, allowing senders to access secure emails outside of Outlook. Moreover, OME enables the encrypted forwarding of your emails to additional recipients. OME does have its drawbacks though. The need for recipients to request passcodes can create difficulties, the need for Outlook ProPlus can be frustrating and feel excessive, and there is no option to set an expiration date on secure messages.

Using Email Encryption Add-ins

This email encryption option combines all of the advantages of both digital ID encryption and OME. On top of that, more often than not, email encryption add-ins are the most cost-effective option -- sometimes free of charge -- which makes it the best fit for small businesses without robust IT teams. And with just the right email encryption add-in, encrypted emails can be sent from any email account to any recipient.

Initial Setup

The initial setup of an email encryption add-in most commonly consists of the installation itself. After visiting the add-in’s website, you would download the installer. Installation should take a minute or so and will vary slightly depending upon which browser is used (Internet Explorer, Google Chrome, Firefox, etc.). Once that is completed, close out of the window.

Next, start/restart the Outlook application. To confirm that the add-in was installed correctly, begin composing a new email. At this point, the Secure Send button should be visible at the top left of the window. If so, you are all set to begin sending encrypted emails from Outlook to any recipient’s email address, regardless of the platform used.

Sending Encrypted Emails

In order to send an encrypted email utilizing an add-in, click the New Email button in Outlook. Write your email as you normally would, adding any attachments that you would like to be encrypted. Next, rather than clicking Send, you’ll click the Secure Send button. This will encrypt both the email’s contents and attachments.

Recipients Opening Encrypted Emails

The subject of the email you sent won’t be encrypted, but the body of the email will be. Rather than opening your email and viewing its contents and attachments, the recipient will view a page prompting them to access the encrypted email. In an effort to sustain the heightened level of security, an external passcode is not required. Instead, a time of expiration, generated by the sender, may be put in place.

How Trustifi Can Help

As the easiest and most comprehensive email security solution on the market, Trustifi can be easily deployed with Outlook as an add-in. Functioning as an added layer of email security, Trustifi’s add-in option for Outlook empowers users to fully control their email security, tailoring services to each individual’s and organization’s needs. Trustifi’s NSA-grade encryption and full inbound and outbound protection offer an unmatched email encryption solution. Moreover, Trustifi allows users to easily and efficiently recall, block, modify, and set expiration times -- even on previously sent and delivered emails. Trustifi’s seamless integration into Outlook allows users to maintain the same ease of use of the application they love, all while staying protected. And with cloud-based offerings, users get all of the convenience and money-saving benefits of the cloud without cutting corners on security.