๐ Key Takeaways
- Outlook doesn't scan subjects; an Exchange mail flow rule handles the outbound encryption action.
- The tenant needs Business Standard, Premium, or Enterprise; other plans block the encryption action.
- Bracketed tags like [secure] beat bare words because they rarely fire on accidental subject lines.
- The Encrypt button and the subject-line rule coexist and use the same Purview backend end to end.
- Silent typos ship PHI unencrypted; pair the rule with a body-scanning DLP fallback for safety.
The subject-line encryption trigger in Outlook is not a client feature. It is an Exchange mail flow rule that runs on the tenant side. Outlook itself sends whatever the user types. The encryption happens after the message leaves the client and hits the server rule.
This guide covers the exact setup, the plan requirements, the keyword patterns that work best, and the failure modes to watch for. For practices without Microsoft 365 plans that include Purview Message Encryption, a dedicated encrypted email service handles the same workflow without any tenant configuration.
The intent is a working setup, not a theoretical option. Administrators can follow the steps and verify each item.
The Trigger Lives on Exchange, Not in Outlook Itself
Outlook desktop, Outlook on the Web, and Outlook mobile do not scan the subject line for a keyword. The client sends whatever the user typed to the Exchange side. The rule that inspects the subject and applies encryption runs on Exchange after the client hands off the message.
That architecture matters for two reasons. First, the same rule applies regardless of which Outlook client the user composed in. Second, the client cannot report whether the rule fired, so verification requires checking the sent side or the message trace log.
The rule is called a mail flow rule in Exchange Online and a transport rule in on-premises Exchange. Both terms describe the same mechanism. Administrators create the rule once and it applies tenant-wide until disabled.
The Microsoft documentation on mail flow rules covers the underlying framework. The specific encryption action requires a plan that includes Purview Message Encryption on the tenant.
Verify the Plan Includes Purview Message Encryption
Before creating the mail flow rule, verify the tenant is on a Microsoft 365 plan that includes Purview Message Encryption. Business Standard, Business Premium, and several Enterprise plans qualify on current SKUs. Basic Business, standalone Exchange Plan 1, and personal Microsoft 365 subscriptions do not.
Check plan eligibility in the Microsoft 365 admin center under Licenses. Cross-reference against the Microsoft product feature matrix, which lists Purview Message Encryption entitlements per plan. The matrix updates when Microsoft changes plan structure, so check it at rule creation time rather than relying on memory.
Attempting to save a mail flow rule with an encryption action on an ineligible plan produces an error pointing to the license requirement. That prevents the rule from silently failing at runtime but does not help staff who assumed encryption was working before the error appeared.
Practices on ineligible plans have two paths. Add the required license across seats through Microsoft, or use a dedicated encrypted email service that provides equivalent functionality without a tenant plan change.

Create the Mail Flow Rule in Six Steps
The rule creation process takes about five minutes for an administrator familiar with the Exchange admin center. The screens have shifted several times over the last few years but the underlying flow stays consistent.
Follow these steps:
- Sign in to the Microsoft 365 admin center and open the Exchange admin center.
- Navigate to Mail flow, then Rules.
- Click the plus icon and select “Apply Office 365 Message Encryption and rights protection to messages”.
- Give the rule a descriptive name such as “Subject-line encryption trigger”.
- Set the condition to “The subject or body includes any of these words” and enter your chosen keywords such as secure, encrypt, [secure], and [encrypt].
- Choose the Encrypt template, save the rule, and enable it.
Some administrators tighten the condition to “The subject includes any of these words” instead of the body match. That prevents accidental encryption on messages that mention the keyword in the body but are not intended to trigger the rule.
Pick Keyword Patterns That Reduce False Positives
The specific keyword pattern matters more than most administrators expect. A bare word like secure fires on legitimate business subjects such as “Secure area badge renewal” or “Please secure the meeting room”. Bracketed tags reduce that noise significantly.
Common patterns in practice fall into three categories. Bare words like secure or encrypt are easy for staff to remember but produce more false positives. Bracketed tags like [secure] or [encrypt] rarely fire by accident because square brackets are uncommon in normal subject lines.
Custom identifiers like [PHI-SEND] or [ENC-HIPAA] work best for practices with formal compliance training. They eliminate false positives entirely but require staff to memorize the exact string.
A rule that fires on multiple variants catches loose staff conventions. Combine the bare word and the bracketed tag in one rule so both work. Document the accepted variants in the staff handbook so new hires learn the convention from day one.
Comparison of Subject Line Trigger vs Encrypt Button
Both the subject-line trigger and the Encrypt button on the Options ribbon use the same Purview Message Encryption backend. The differences are workflow and enforcement.
| Aspect | Subject line trigger | Encrypt button |
|---|---|---|
| Where the decision happens | Server side via mail flow rule | Client side per message |
| Failure mode | Silent when keyword mistyped | None when user clicks the button |
| Recipient experience | Purview portal or inline | Purview portal or inline |
| Setup effort | One mail flow rule per tenant | None, feature is present on eligible plans |
| Works in Outlook mobile | Yes, subject travels with the message | Yes, in newer mobile versions |
| Best for | Bulk staff conventions | Individual sensitive sends |
Most practices run both. Staff who prefer the button use it. Staff who prefer the keyword use that. High-risk lists get default-encrypt coverage through a targeted mail flow rule that fires on the list address rather than the subject.

Test the Rule Before Announcing It
Every new mail flow rule needs testing before staff-wide rollout. The test confirms the rule fires on the intended pattern, produces the expected recipient experience, and does not accidentally encrypt sends that should stay plain.
Send a test message from a mailbox covered by the rule to an external address with the trigger keyword in the subject. Verify the recipient receives a Purview portal notification rather than a plain send. Sign in as the recipient and read the message inside the portal.
Repeat with each keyword variant and each major recipient domain including Gmail, Outlook.com, and Yahoo. Note any variation in the portal experience. Some recipients need to request a one-time passcode. Others sign in with their existing provider account.
Use Exchange message trace under the mail flow admin panel to confirm the rule fired on each test message. The trace shows the rule name and action applied to each message, which is the audit evidence during a compliance review.
Silent Failures Are the Biggest Operational Risk
Subject-line triggers fail silently when the pattern does not match. A typo like “secre” or missing brackets on a tag-style trigger produces a plain send with no error, no warning, and no notification to the sender.
The failure mode is dangerous because staff assume the rule fired based on their intent, not their actual keystrokes. A busy front desk sending 40 messages in a shift can produce several silent failures without anyone noticing until an audit or a breach investigation surfaces the pattern.
Compliance-focused organizations pair the subject-line rule with a data loss prevention rule that scans the body for patient data patterns and applies encryption as a safety net. When the subject-line rule misses, the DLP rule catches. When both rules fire, only one encryption action applies to the message.
The Microsoft DLP documentation covers the pattern configuration. Combining DLP with the subject-line trigger produces a stronger posture than either control alone.
Strip the Trigger Tag from the Outbound Subject
The subject line usually travels in cleartext even when the body is encrypted. A trigger word like [secure] or ENC: appears in the recipient inbox alongside the sender name, which reveals the sensitivity of the exchange before the recipient opens anything.
Practices that care about that leak add a second mail flow rule that strips the trigger tag from the outbound subject after encryption fires. The rule looks for the tag and rewrites the subject to remove it.
Order matters. The encryption rule needs to fire before the rewrite rule so the encryption action sees the tagged subject. Mail flow rule priority in the Exchange admin center controls the sequence.
Test the sequence after configuration to confirm the recipient sees the cleaned subject rather than the tag. A rewrite rule that fires before the encryption rule produces a plain send with a clean subject, which defeats the entire purpose.
When Practices Use a Dedicated Encrypted Email Service Instead
The subject-line trigger and the Encrypt button both require a Microsoft 365 plan that includes Purview Message Encryption. Practices on lower plan tiers or on non-Microsoft mail platforms need a different path.
A dedicated encrypted email service layers on top of the existing mailbox and applies encryption to every outbound message by default. There is no keyword to remember, no rule to maintain, and no risk of silent failure through a mistyped trigger.
Mailhippo is a secure email service that works with existing Outlook, Gmail, and Yahoo accounts, applies TLS and client-side encryption to every outbound message, and includes a business associate agreement in the base plan. One brief mention here for administrators evaluating options where the mail flow rule approach does not fit.
The tradeoff between native and dedicated tools usually comes down to license cost, IT staff bandwidth, and the acceptable friction on the recipient side. Both approaches produce a compliant HIPAA email flow when configured correctly.
Related Setup Steps to Verify After Rule Creation
The subject-line trigger is one piece of an encryption program. Several related controls determine whether the trigger produces the intended result end to end.
Verify each item before treating the rule as production ready:
- The tenant plan actually includes Purview Message Encryption on every mailbox that will use the trigger.
- The signed BAA with Microsoft covers Exchange Online for the tenant.
- External recipients on major providers decrypt through the portal without extra setup.
- Sent items shows a lock icon or encryption indicator on triggered messages.
- A DLP rule provides backup coverage for sends that miss the subject-line pattern.
- Staff training documents the exact keyword conventions.
Related reading on how to encrypt an email subject line generally covers the equivalent patterns for Google Workspace and dedicated services. The how to encrypt email in Outlook overview gives broader context on the encryption paths inside the Outlook client.
Healthcare practices building patient communication programs benefit from aligning the encryption layer with the broader site and intake experience. A healthcare marketing agency can help ensure the patient-facing site messaging matches the security posture staff execute on outbound Outlook mail.