Three Ways To Send A Secure Email In Outlook

August 10, 2020

5:00-6:00AM PST

As email security challenges continue to emerge, email providers like Microsoft Outlook -- which has enjoyed widespread, longstanding popularity in the professional sector -- continue to adapt, offering robust encryption options intended to protect both the platform and the emails that live within it. Compatible with three different email encryption methods -- ranging from built-in options to third-party add-ins -- Outlook offers users great flexibility in sending and receiving secure, protected messages. When weighing one’s options for email encryption, there are many elements to consider. It is critical to consider the identity of the recipient, as well as the email account one intends to send encrypted emails from. Overall, the best-fit encryption method for a given individual depends largely on factors such as ease of use, cost, available features, and compatibility.

Method 1: Using Certificates (S/Mime)

S/Mime is an older encryption option, and it is not available to those who want to send encrypted emails to users of free webmail platforms like Gmail and Yahoo. It can only encrypt emails when both the sender and the recipient have installed and shared their encryption certificates -- which has the potential to be incredibly costly. Moreover, S/Mime is not a widely supported encryption method. It is available to any individual with an email account set up in Outlook, but it requires that the intended recipient also be an Outlook user or a user of an email platform that is similarly compatible with S/Mime. Unfortunately, this method can be “vulnerable to outside attacks, like message takeovers; it also increases risk because users need to exchange encryption keys. If that key is compromised for any reason, your emails are no longer secure.”

Initial Setup

To set up email encryption with S/Mime on Outlook, individuals should:

  • Acquire an email encryption certificate for oneself, import it into Outlook, and then share it with the intended recipient(s).
  • Verify that each intended recipient has purchased and installed an email encryption certificate into Outlook or an alternative S/Mime compatible email platform. This certificate should be shared with the sender.
  • Gain an understanding of the necessary steps required to send an encrypted email.

An email encryption certificate can be acquired from numerous certificate authorities (CAs). That said, Microsoft encourages individuals to use one of its preferred CAs: Comodo, GlobalSign, or IdenTrust. No matter which CA the user chooses, it is imperative to ensure that the email security certificate (also referred to as an S/Mime encryption certificate or secure email certificate) is purchased, not the SSL certificate -- which is often more noticeably advertised.

Once the certificate is purchased, the individual will receive both the certificate and the password necessary to import it into Outlook. The user should hold onto a backup of this certificate and its corresponding password. If the user’s computer or hard disk is damaged, or Outlook email encryption must be set up on a new device, this certificate and password will be needed once again. If they are misplaced, previously sent and received encrypted emails can no longer be accessed. Moreover, if a new certificate must be obtained, recipients will be required to undertake the tedious task of replacing the user’s old certificate with the new one.

Once purchased and backed up, the certificate can be imported into Outlook by completing the following:

  • Click File (located in the top left of the Outlook window).
  • Next, click Options.
  • Then, click Trust Center (in the new window that appears).
  • Next, click Trust Center Settings.
  • In the left pane, click Email Security.
  • Then, click Import/Export (located beneath the heading Digital IDs (Certificates)).
    • Alternatively, if the certificate has been installed onto the device by an organization’s IT staff, click Settings instead. Based on guidance from the IT staff, select the correct certificate from the ones listed.
  • In the new window that appears, confirm that the option to Import existing ID from file is selected. Click Browse to select the certificate file. Following this, enter the password linked with the certificate file and press OK.
  • Finally, the Import/Export window will close on its own. To close the Trust Center window, click OK.
  • The certificate will have been successfully imported.

To share one’s certificate with an intended recipient, a digitally signed message must be sent to each recipient who one may -- at some point -- wish to send encrypted messages to. To complete this task successfully:

  • Begin composing a new message in Outlook.
  • In the top menu bar of the new message window that appears, click Options.
  • Then, click the small icon beside More Options.
  • Click Security Settings... (located in the new Properties window that appears).
  • Next, select Add digital signature to this message (located in the Security Properties window that appears).
    • Alternatively, click Change Settings to access the specific certificate being used to digitally sign the message. This certificate should be the newly imported one. On this window, click OK and then click Close (located on the Properties window).
  • Send the message to the intended recipient(s).

As a result of completing these steps, the public key associated with one’s certificate will have been sent. This allows others to encrypt messages that will be sent to the individual. To decrypt messages received, one needs a private key -- exclusively accessible to the user/intended recipient and imported only within that user’s Outlook application.

How to Send Encrypted

To send an encrypted message, the public key portion of the intended recipient’s certificate is required. Once recipients have acquired encryption certificates and have sent digitally signed messages via Outlook or an alternative S/Mime compatible email platform, their certificates can be added to one’s contact data. To do so:

  • Open the digitally signed message sent by this specific recipient.
  • Right-click the sender’s name and then click Add to Outlook Contacts (located where the From information corresponding to this message appears).
    • If this recipient is already a contact, the Edit/Update option can be utilized rather than creating an entirely new contact.
  • Next, click Certificates (located in the top ribbon of the contact card that appears).
  • Then, select the proper certificate for this contact from the list of certificates that appear.

Once this is completed successfully, encrypted messages can be sent to this contact by following these steps:

  • Begin composing a new message.
  • Click Options (located in the top menu of the new message window that appears).
  • Next, click the small icon located beside More Options.
  • Then, click Security Settings (located in the Properties window that appears).
  • Next, a Security Properties window will appear. In this window, select Encrypt message content and attachments. Click OK on this window. Then, click Close on the previous window.
    • Please note that message subjects are not encrypted. So, it is strongly advised that senders refrain from including sensitive material in subject lines.
  • Complete the email and add any attachments necessary. Click Send as one normally would. This email will be encrypted.
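
The subject-line note above, illustrated as an added example (not part of the original article or any vendor's code): S/MIME encrypts only the message body, so the outer headers of the message travel in the clear. The sample message, the keyword list, and the function names are constructed for illustration.

```python
import email

# Constructed sample: outer headers of an S/MIME-encrypted message.
# The body is a placeholder string, not real CMS ciphertext.
SAMPLE_EML = """\
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Q3 payroll figures for J. Smith
Date: Mon, 10 Aug 2020 09:00:00 -0700
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

PLACEHOLDERnotREALciphertext
"""

# Hypothetical keyword list; tune it to your own data-classification policy.
SENSITIVE_HINTS = ("payroll", "ssn", "password", "diagnosis", "account number")

# Outer headers that S/MIME body encryption does not cover.
CLEARTEXT_HEADERS = ("From", "To", "Cc", "Date", "Subject")

PKCS7_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def smime_kind(msg):
    """Classify the message from its outer Content-Type header."""
    ctype = msg.get_content_type()
    smime_type = str(msg.get_param("smime-type", "")).lower()
    if ctype in PKCS7_TYPES and smime_type in ("enveloped-data", "authenveloped-data"):
        return "encrypted"
    if ctype == "multipart/signed" or (ctype in PKCS7_TYPES and smime_type == "signed-data"):
        return "signed"
    return "none"


def audit(raw_message):
    """Report what an observer can still read on the message as sent."""
    msg = email.message_from_string(raw_message)
    cleartext = {h: msg[h] for h in CLEARTEXT_HEADERS if msg[h] is not None}
    subject = (cleartext.get("Subject") or "").lower()
    flags = [word for word in SENSITIVE_HINTS if word in subject]
    return {"kind": smime_kind(msg), "cleartext": cleartext, "subject_flags": flags}


if __name__ == "__main__":
    report = audit(SAMPLE_EML)
    print("S/MIME protection:", report["kind"])
    for name, value in report["cleartext"].items():
        print(f"  readable in transit: {name}: {value}")
    if report["kind"] == "encrypted" and report["subject_flags"]:
        print("  warning: sensitive terms in subject:", report["subject_flags"])
```

Run against an exported .eml file, a check like this can back a pre-send or gateway rule that warns when an encrypted message carries sensitive wording in its subject.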

How Your Recipient Opens Your Encrypted Email

To open an encrypted email, a recipient may need to be on their desktop computer and use their Outlook application -- which will decrypt the message for them automatically. If the recipient decides to reply to this message and they have added the sender’s encryption certificate to the contact card, this reply will be automatically encrypted.  

Receiving Secure Email from Clients (Replies, New Emails)

After performing the initial setup process, recipients will have acquired all of the necessary encryption certificates, allowing them to send encrypted replies with ease. Additionally, new encrypted messages can be sent by following the required steps to send an encrypted email.

Features and Cost

Once the initial setup has been completed and certificates have been properly shared, email encryption using S/Mime is relatively user-friendly. “However, if you are considering encryption options for your business email, we recommend this option only for cases where your recipient explicitly asks for such encryption. That is only likely the case if your business or professional practice serves large enterprise clients or government agencies.” Companies working with small businesses or independent individuals are not likely to be able to use S/Mime, as these parties typically utilize free webmail accounts on platforms like Gmail and Yahoo, and may lack both the resources and knowledge necessary to purchase and set up this encryption option.

If S/Mime is used, it is important to note that users cannot access encrypted emails outside of the Outlook application. Moreover, recipients may be unable to forward encrypted emails to other users. And S/Mime is not compatible with G-Suite email accounts using GSSMO. Such G-Suite email accounts must instead use IMAP.

The cost of S/Mime varies greatly. In 2019, the certificate prices of Microsoft’s recommended CAs ranged from $39 to $369 annually. This is a recurring fee that has to be renewed each year, or every 2-3 years if multiple years are paid ahead of time. Furthermore, this is the cost of a single certificate for a specific user. Thus, each user within an organization must obtain a unique certificate.

Method 2: Office 365 Message Encryption (OME)

Without requiring the installation of certificates, Office 365 Message Encryption (OME) -- an exclusive option available to Office 365 email account users -- permits the sender to send encrypted emails to any recipient. Likely the most financially burdensome option, OME necessitates the installation of the Outlook application in conjunction with an Office 365 subscription. Also, OME requires the recipient to carry out several extra steps each time they receive a new message -- like requesting a special code and using that code to decrypt the email.

Initial Setup

To utilize OME, individuals must upgrade their Office 365 subscription to a plan that offers OME. It is crucial to be aware that Office 365’s widely popular Office 365 Business Essentials and Office 365 Business Premium plans do not include OME. The only plans that include OME are Office 365 Enterprise E3 or E5, Microsoft Enterprise E3 or E5, Microsoft 365 Business, Office 365 A1, A3, or A5, or Office 365 Government G3 or G5. Another option would be to add Azure Information Protection Plan 1 to one’s O365 subscription, but this can be extremely complicated and costly.

Individuals looking to upgrade their Office 365 subscriptions should closely follow these steps:

  • Visit https://www.office.com/, click Sign In, and log in with an Office 365 admin account.
  • Click Admin (located in the options titles that appear).
  • Next, click Billing (located in the left pane) and then click Subscriptions (located beneath that).
  • Finally, click Switch Plans to upgrade the subscription.

After upgrading, OME availability can be verified via one of the following methods:

  1. Visit www.outlook.com and sign in to one of the accounts linked with the Office 365 subscription. Begin composing a new email. Encryption is enabled if the Encrypt button (located in the top menu above the new message composition form) is not grayed out.
  2. Start/Re-start the device’s Outlook application. This application should be Outlook ProPlus. Begin composing a new email. Click Options (located in the top menu). The Encrypt button should be enabled.

 


How to Send Encrypted

Encrypted emails can be easily sent using OME, especially when compared with the lengthy process that S/Mime requires. Outlook offers an Encrypt button found within the Options tab on the new window that appears when composing a new message. So, to successfully send an encrypted message using OME:

  • Begin composing a new message.
  • In the top menu, click Options. Then, click Encrypt.
    • Additionally, users have the option of preventing forwarding of this encrypted message at this point by simply selecting the small arrow located beneath the Encrypt button.
  • A message should appear notifying the sender that encryption will be applied to the message.
  • Complete the email and click Send as one normally would.

How Your Recipient Opens Your Encrypted Email

When a recipient receives an email encrypted with OME, the initial email does not include any of the actual email content or attachments. Instead, they will be prompted to verify their identity via Office 365. After clicking Read the message, recipients will choose to do so with either a one-time passcode or by logging in to a school or work account. Users of free webmail services like Yahoo and Gmail may be prompted to log in to their accounts on those platforms. Unless the recipient has an Office 365 account associated with the same email address that the email was sent to, recipients should choose the one-time passcode option, which will be delivered via a separate email from Microsoft Office 365 Message Encryption. After this code is copied and pasted into the initial webpage that requested it, the email contents will be decrypted. However, it is important to note that all attachments must be manually downloaded to be opened.

Receiving Secure Email from Clients (Replies, New Emails)

By clicking either the Reply All, Reply, or Forward options on the secure message, the recipient begins an encrypted response. However, OME offers no option for recipients to send a new secure email to the initial sender. And secure responses cannot be sent as responses to non-encrypted emails.

Features and Cost

OME certainly has its advantages: it is user-friendly and makes encrypted messages accessible outside of Outlook. Moreover, OME does not require the backup of certificates or certificate passwords. Secure messages can be maintained on any device, so long as Outlook is installed and the user is logged in to an Office 365 account. Recipients can also forward secure messages to others, regardless of email address, without the worry of certificates and passwords. However, the difficulties that OME poses for the recipient (e.g. the passcode system), the need for Outlook ProPlus, and the inability to set expiration dates on secure messages are certainly flaws in OME.

The cost of OME is the cost associated with upgrading one’s Office 365 subscription. Depending on the subscription an individual starts with, this upgrade can vary in additional cost. Overall, OME is recommended for business email needs, specifically when dealing with vendors or parties required to abide by specific security requirements.

Method 3: Outlook Encryption Add-ins

The most seamless option for small organizations without large IT staff, Outlook Encryption Add-ins allow secure emails to be sent to any user, even those who lack encryption themselves. This method does not require any setup, installation, or sign-in on the part of the recipient. Additionally, this approach is likely to be the most cost-effective option.

Initial Setup

The initial setup of an email encryption add-in is typically the installation itself. After visiting the add-in’s website, download the installer. Installation should take a minute or so and will vary slightly depending upon which browser is used (Internet Explorer, Google Chrome, Firefox, etc.).

Start/restart the Outlook application and begin composing a new email. At this point, the Secure Send button should be visible at the top left of the window. If so, encrypted emails can then be sent from Outlook to any recipient’s email address, regardless of the platform used.

How to Send Encrypted

To send an encrypted email, click the New Email button in Outlook. Compose an email, adding in any attachments necessary, that should be encrypted. Next, rather than clicking Send, click the Secure Send button. This will encrypt both the email’s contents and attachments.

How Your Recipient Opens Your Encrypted Email

The subject of the email won’t be encrypted, but the body of the email will. Rather than opening your email and viewing its contents and attachments, the recipient will view a page prompting them to access the encrypted email. To sustain the heightened level of security, an external passcode is not required. Instead, the sender may set a time of expiration.

Receiving Secure Email from Clients (Replies, New Emails)

The web page that shows the secure message to the intended recipient may also offer an option for them to send a secure reply. Moreover, depending on the Encryption Add-in used, recipients may be able to send secure responses to non-encrypted messages.

Features and Cost

Features and pricing differ greatly from provider to provider. Trustifi, for example, empowers users to fully control their email security, tailoring services to each individual’s and organization’s needs. Trustifi’s NSA-grade encryption and full inbound and outbound protection offer an unmatched email encryption solution. Moreover, Trustifi allows users to easily and efficiently recall, block, modify, and set expiration times -- even on previously sent and delivered emails. And because Trustifi offers customized solutions, plans and pricing can be tailored to each organization’s needs and resources.

Conclusion

By using digital certificates (S/Mime), Office 365 Encryption (OME), or encryption add-ins, organizations are now positioned to best protect the content and attachments sent via Outlook. Combining the advantages of both S/Mime and OME, encryption add-ins offer the greatest ease of use and least economic burden. Compatible with any email account as the sender or recipient, Encryption Add-ins like Trustifi supply users with unmatched convenience and protection.
