Sending sensitive information like financial details or personal data via email requires an extra layer of security. This guide shows you how to encrypt email in Outlook to protect your message from being read by anyone other than the intended recipient. We'll cover the straightforward, built-in encryption available with Microsoft 365 subscriptions, as well as the more traditional S/MIME method for advanced users. Following these steps ensures your private communications stay private.
Fast Answer
- Easiest Method: In a new email, go to the Options tab and click the Encrypt button.
- Subscription Needed: This feature requires a Microsoft 365 subscription that includes Message Encryption.
Before You Start
- A compatible Microsoft 365 Account: The simplest encryption method is only available with certain subscriptions, such as Microsoft 365 Family, Personal, or specific Business and Enterprise plans.
- The Outlook Application: You will need the Outlook desktop app for Windows or Mac, or access to Outlook on the web.
- Recipient's Email Address: Make sure you have the correct email address for the person you are sending the encrypted message to.
- For S/MIME (Advanced): You and your recipient will each need a digital certificate configured in your email clients. This is common in corporate environments but rare for personal use.
Step-by-Step Instructions
We'll cover two primary methods for encrypting email in Outlook. The first uses Microsoft's built-in service, which is easy and works for sending to anyone. The second, S/MIME, is a more traditional standard that requires some setup from both you and your recipient.
Method 1: Using Microsoft 365 Message Encryption (The Easy Way)
This is the recommended method for most users. It relies on your Microsoft 365 subscription and is very user-friendly.
- Start a New Email: Open your Outlook desktop application and click the New Email button to compose a new message.
- Navigate to the 'Options' Tab: In the new message window, look at the ribbon menu at the top. Click on the Options tab.
- Select 'Encrypt': In the Options tab, find the Encrypt button (it often has a lock icon). Clicking this button will apply default encryption. You may also see a dropdown arrow next to it.
- Choose Your Encryption Level: If you click the dropdown, you will see different permission levels.
- Encrypt-Only: This is the standard setting. It encrypts the message, and recipients who use Outlook or Outlook.com can read it seamlessly. Other recipients will get a secure link to view the message in a web browser.
- Do Not Forward: This option encrypts the message and also prevents the recipient from forwarding, printing, or copying the content. This is useful for highly sensitive information.
- Other Options: If you are using a work account, you may see other labels like "Confidential" or "Secret," which are set by your company's IT administrator.
- Compose and Send: Once you've selected your encryption level, you'll see a confirmation message at the top of the email, such as "This message is encrypted." Write your subject line, add your message text and any attachments, and click Send. The attachments will be encrypted along with the message body.
Method 2: Setting Up and Using S/MIME (The Advanced Way)
S/MIME (Secure/Multipurpose Internet Mail Extensions) is an older but widely supported standard for email encryption. It requires more setup, as both the sender and receiver must have a digital certificate.
- Obtain a Digital Certificate: For S/MIME to work, you need a personal digital certificate (also called a digital ID or key). For a corporate account, your IT department will usually provide this. For personal use, you would need to acquire one from a commercial Certificate Authority (CA).
- Install the Certificate: Once you have the certificate file (often a .pfx or .p12 file), you need to install it on your computer. On Windows, you can usually double-click the file and follow the Certificate Import Wizard. This adds it to the Windows Certificate Store.
- Configure S/MIME in Outlook:
- In Outlook, go to File > Options > Trust Center.
- Click the Trust Center Settings... button.
- Select Email Security from the left-hand menu.
- Under the "Encrypted email" section, click the Settings... button.
- Click the Choose... button next to "Signing Certificate" and select your newly installed certificate. Do the same for the "Encryption Certificate." The same certificate is typically used for both.
- Click OK to save your settings.
- Exchange Public Keys with Your Contact: This is a critical step. To send someone an S/MIME encrypted email, you need their public key. The easiest way to get this is to have them send you a digitally signed email first. When you receive it and open it, Outlook automatically stores their certificate. You must also send them a digitally signed email so they have your public key.
- Encrypt a Message with S/MIME:
- Compose a new email.
- Go to the Options tab.
- In the "Permission" group, click the Encrypt button (it looks like a blue lock). You can also choose to Sign the message (a red seal icon).
- When you send the message, Outlook will use the recipient's public key (which you obtained in the previous step) to encrypt it. Only they can decrypt it with their private key.
Step-by-Step Instructions
Apply the change in order
Work through the task one piece at a time and confirm each result before moving to the next step.
Test the result
Verify the outcome against the original goal and fix any warning signs before treating the task as complete.
Document what changed
Save the final settings, decisions, or checks so the same process is easier to repeat later.
Quick Reference
| Situation | Use this | Why |
|---|---|---|
| Sending sensitive data to a client who uses Gmail or another non-Outlook service. | Microsoft 365 Message Encryption | It's the easiest experience for them. They'll get a secure link to view the message without needing any special software or setup. |
| Communicating within a company that requires S/MIME for all secure messages. | S/MIME Encryption | This adheres to your organisation's security policy, and your IT team will have already handled the certificate setup. |
| Sending an internal report that should not be shared outside the team. | Microsoft 365 Encryption with 'Do Not Forward' | This provides strong protection by preventing recipients from easily sharing the content via forward, copy, or print. |
| You want to prove your identity and ensure the message wasn't tampered with, but secrecy isn't the top priority. | S/MIME Digital Signature Only | A digital signature confirms the sender's identity and message integrity without encrypting the content, so anyone can read it. |
Common Problems When You Encrypt Email in Outlook
-
Problem: The "Encrypt" button is missing or disabled.
Solution: This almost always means your version of Office or Microsoft 365 subscription does not include the necessary features. For personal accounts, you may need to upgrade to a plan like Microsoft 365 Personal or Family. For work accounts, contact your IT administrator to confirm if your license includes Azure Information Protection or Office 365 Message Encryption.
-
Problem: My recipient cannot open the encrypted email.
Solution: For Microsoft 365 encryption, guide your recipient to look for a link in the email that says "Read the message." This will take them to a secure web page where they can sign in with their email provider (e.g., Google, Yahoo) or use a one-time passcode to view the message. For S/MIME, this error means you don't have their correct public key, or their certificate has an issue. You both need to exchange digitally signed emails again.
-
Problem: Outlook gives a warning about an invalid S/MIME certificate.
Solution: This can happen if the recipient's certificate has expired, was issued by an untrusted authority, or doesn't match their email address. You can choose to proceed, but it's not secure. The best course of action is to contact the recipient and ask them to resolve the issue with their certificate or IT department.
-
Problem: I get an error saying Outlook cannot find the recipient's certificate for S/MIME.
Solution: This means you have not successfully received a digitally signed email from this person yet. Ask them to send you one. Once you receive and open it, Outlook will add their certificate to your contacts, and you will be able to send them encrypted messages.
Advanced Tips for how to encrypt email in outlook
- Encrypt All Messages by Default: If you exclusively handle sensitive information, you can set Outlook to encrypt all outgoing emails. In the Trust Center settings (File > Options > Trust Center > Trust Center Settings > Email Security), check the box for "Encrypt contents and attachments for outgoing messages." Be warned, this can be inconvenient for casual conversations.
- Check Encryption on a Sent Email: To confirm an email was sent encrypted, go to your "Sent Items" folder and open the message. You should see a banner at the top indicating that the message is encrypted and what restrictions apply.
- Use Encryption in Outlook on the Web: The process is very similar on the web version of Outlook. When composing a new message, look for the "Encrypt" button in the toolbar at the top of the message window. This uses the same Microsoft 365 Message Encryption service.
- Understand Digital Signatures: Encryption hides the content, while a digital signature verifies the sender. You can apply both to a single email for maximum security. A signed email proves it came from you and wasn't altered in transit. An encrypted email ensures only the recipient can read it.
How To Encrypt Email In Outlook FAQ
Is Outlook email encryption completely secure?
When used correctly, both Microsoft 365 Message Encryption and S/MIME provide very strong, industry-standard security. They make it practically impossible for an unauthorized third party to read your message in transit. However, security also depends on the end-user; if the recipient's email account is compromised, the encrypted message could be accessed after they have opened it.
What is the difference between S/MIME and Microsoft 365 Message Encryption?
Think of it like this: Microsoft 365 Message Encryption (OME) is a modern, all-in-one service. It's easy to use and manages the keys for you. S/MIME is a universal standard, like a passport. It works across many different email systems, but it requires you and your contact to manually get and exchange credentials (certificates) beforehand.
Can I encrypt emails in the free version of Outlook.com?
No, the robust encryption features described here are part of premium Microsoft 365 subscriptions. The free version of Outlook.com does not include the one-click "Encrypt" button or support for S/MIME configuration.
Does encrypting an email also encrypt the attachments?
Yes. Both methods encrypt the entire message package-the body text and any files you have attached. The recipient must decrypt the main message to gain access to the attachments.
Can a recipient reply with an encrypted message?
Yes. If you send an email using Microsoft 365 encryption, their reply will also be encrypted to protect the entire conversation. If using S/MIME, they can reply with encryption as long as they have your public key (which they got when you sent them the encrypted email).
Final Checklist for how to encrypt email in outlook
- Confirm Your Subscription: Double-check that your Microsoft 365 plan supports encryption before you try to send a message.
- Choose the Right Method: Use Microsoft 365 Message Encryption for ease of use and compatibility with all recipients. Use S/MIME only when required by policy or when all parties have it configured.
- Select the Permission Level: Decide if you just need to "Encrypt" the message or if you also need to "Do Not Forward" to restrict sharing.
- Verify Recipient Address: Encrypted emails can't be recalled easily. Make sure you're sending sensitive information to the correct person.
- Prepare Your Recipient: If it's their first time receiving an encrypted email from you, a quick heads-up can prevent confusion about why they have to click a link to view the message.
- Check for Confirmation Banner: Before clicking send, look for the banner at the top of the compose window confirming that encryption is active on the message.



