Encrypting Emails in Outlook

encrypting emails in outlook guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook Business Premium exposes the Encrypt button; lower tiers hide it entirely.
  • S/MIME works from Outlook 2013 up but needs a valid cert for sender and recipient.
  • Outlook on the web shows Encrypt only when Purview Message Encryption is active.
  • Microsoft signs the BAA, but sending PHI in plaintext still counts as a HIPAA breach.
  • Configure a DLP rule so PHI patterns trigger encryption when staff forget to click.

Outlook supports three encryption paths. The Encrypt button, S/MIME certificates, and layered third-party services. Each has a specific plan requirement and a specific recipient experience.

For healthcare organizations and any team handling regulated data, encrypting emails in Outlook means matching the method to the license, the recipient, and the compliance requirement.

This guide covers the setup for Outlook desktop and Outlook on the web across the main Microsoft 365 tiers.

The Encrypt Button Uses Microsoft Purview Message Encryption

The Encrypt button in the Outlook Options ribbon triggers Microsoft Purview Message Encryption. This is the native Microsoft option for sending encrypted mail to recipients outside the sender tenant.

The button appears on Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, and comparable Education plans. It does not appear on Business Basic or Business Standard because those tiers do not include Purview Message Encryption.

If the tenant is on a qualifying plan and the button is missing, an administrator needs to enable Azure Rights Management under the Microsoft 365 Admin Center. Once activated, the Encrypt button appears in Outlook within a few minutes.

According to Microsoft documentation, Purview Message Encryption meets HIPAA transmission requirements when combined with a signed BAA available on qualifying Microsoft 365 tiers.

Encrypt-Only and Do Not Forward Provide Different Levels of Control

Clicking the Encrypt button opens a dropdown with two main options. Encrypt-Only sends the message with encryption in transit and at rest. Do Not Forward adds rights-management controls that block the recipient from forwarding, copying, or printing.

Encrypt-Only is appropriate when the sender trusts the recipient to handle the message responsibly but wants to protect it from network interception and mailbox compromise. The recipient can forward it to others once they read it, in encrypted form.

Do Not Forward is stronger when the sender wants to limit downstream distribution. The rights-management layer prevents the recipient from forwarding or exporting the content. Screenshots still work, but the automated actions are blocked.

For HIPAA and regulated content, Encrypt-Only meets the transmission standard. Do Not Forward adds a layer of downstream control that is optional under HIPAA but often used as a matter of practice policy.

encrypting emails in outlook in article illustration one

Encrypt Button Step-by-Step in Outlook Desktop

Open Outlook desktop and click New Email. Fill in the recipient, subject, and body as usual. Click the Options tab in the ribbon.

Click Encrypt in the ribbon. A dropdown appears with Encrypt-Only and Do Not Forward. Select the option that matches the message. A banner appears at the top of the message confirming the selected encryption.

Click Send. Outlook encrypts the message through Microsoft Purview and delivers it to the recipient. Internal recipients on the same tenant see it inline in Outlook. External recipients receive a portal link.

  • The banner in the compose window confirms which encryption level is applied.
  • To remove encryption before sending, click Encrypt again and select the same option to toggle off.
  • The Sent folder shows a lock icon on the encrypted message.

Encrypt Button Step-by-Step in Outlook on the Web

Open Outlook on the web and click New Message. Fill in the recipient, subject, and body. Click the three-dot overflow menu at the top of the compose window.

Select Encrypt from the menu. A banner appears at the top of the message with the selected encryption level. The default is Encrypt-Only. To switch to Do Not Forward, click Change Permissions in the banner.

Click Send. The message is encrypted through Microsoft Purview and delivered. Internal recipients on the same tenant read it inline. External recipients on Gmail, Yahoo, iCloud, or other providers receive a link to the Microsoft portal.

If the Encrypt option does not appear in the overflow menu, the tenant has not enabled Purview Message Encryption. An administrator needs to activate it in the Microsoft 365 Admin Center before the option becomes visible.

Example

A cosmetic surgery office on Microsoft 365 Business Standard needs to send consent forms and pre-op instructions to patients. Business Standard does not include the Encrypt button, and upgrading eight staff to Business Premium would add $76 per user annually. Instead the office keeps Business Standard at $12.50 per user and adds a HIPAA-compliant portal service at $9 per user monthly. Total savings compared to a full Premium upgrade lands near $600 per year, and patients open messages with one click instead of a Microsoft portal sign-in.

S/MIME Setup for Outlook Desktop

S/MIME is the certificate-based encryption standard built into Outlook. It provides end-to-end encryption between sender and recipient without a portal step. Both parties need certificates from a trusted authority.

Get a certificate from DigiCert, Sectigo, IdenTrust, or another trusted authority. The authority delivers a .pfx file containing the public certificate and private key. Import the file into the Windows certificate store on Windows or the macOS keychain on Mac.

Open Outlook and navigate to File, Options, Trust Center, Trust Center Settings, Email Security. Click Settings under Encrypted email. In the dialog, select the certificate for signing and encryption from the dropdown. Click OK and restart Outlook.

When composing a message, click Options, then click Sign and Encrypt icons in the More Options section. If the recipient has a valid S/MIME certificate that Outlook can verify, the encrypted send works. If not, Outlook prompts to send unencrypted.

encrypting emails in outlook in article illustration two

HIPAA Coverage in Microsoft 365 Has Boundaries

Microsoft signs a business associate agreement covering Microsoft 365 core services, including Exchange Online, when the tenant has accepted the BAA under the Microsoft Trust Center. The BAA covers the transmission and storage of PHI in Outlook.

The sender remains responsible for enabling encryption on every PHI transmission. The BAA does not automatically encrypt every message. Sending a PHI message without clicking Encrypt still results in transmission over TLS or plaintext, which does not meet the HIPAA transmission standard for regulated data.

For consistent enforcement, administrators can configure a data loss prevention rule under the Microsoft 365 Purview compliance portal that scans outbound messages for regulated patterns and applies encryption automatically. This is not enabled out of the box.

For practices on Business Basic or Business Standard without Purview Message Encryption, the practical path is a layered encrypted email service. This pairs with broader work covered in healthcare website security features.

Recipient Experience Depends on Their Mail Provider

Recipients on the same Microsoft 365 tenant see the message inline in Outlook or Outlook on the web. They do not click a portal link. The message opens like any other, with a lock icon indicating encryption.

Gmail users get a notification email with a link. They click the link and either sign in with their Google account or request a one-time passcode by email. They read the message in a Microsoft portal in their browser.

Yahoo, iCloud, AOL, and other recipients receive a one-time passcode by email and view the message in the Microsoft portal. They cannot sign in with their mail provider because those providers do not federate with Microsoft identity services.

Test the workflow with a known recipient before relying on it for time-sensitive delivery. Some corporate mail gateways strip the notification link or block the Microsoft portal domain. Testing surfaces those issues before the first real send.

๐Ÿ’กPro Tip: Configure DLP Rules to Enforce Automatic Encryption

Manual Encrypt-button use fails when staff forget on a sensitive message. The single most common HIPAA breach cause is a sender forgetting to click Encrypt on a PHI message. Configure a data loss prevention rule in the Microsoft 365 Purview compliance portal that scans outbound messages for patterns like Social Security numbers or medical record numbers and applies Purview Message Encryption automatically. Human error drops out of the workflow.

Third-Party Services Close the Gap on Lower Microsoft 365 Tiers

Microsoft 365 Business Basic and Business Standard tenants do not have the Encrypt button. Upgrading every seat to Business Premium for the encryption feature is often more expensive than adding a purpose-built encrypted email service.

Mailhippo integrates with any Outlook or Microsoft 365 account through SMTP relay or a plug-in. The sender continues to write and send from Outlook. The service intercepts the message, encrypts it, and delivers over TLS or through a portal fallback.

The service includes a signed BAA in the base plan and logs every message access. The recipient experience is a single click and passcode. No key management, no software install for the recipient.

For healthcare organizations coordinating email with website work, this pairs with services covered in healthcare marketing.

Verify Encryption on Every Sensitive Send

Before hitting Send on a regulated message, verify the encryption is active. In Outlook desktop, the banner at the top of the compose window shows Encrypt-Only or Do Not Forward. In Outlook on the web, the same banner appears.

For S/MIME, the Sign and Encrypt buttons in the Options ribbon show as active. The message icon in the Sent folder shows a lock. If the message went out without those indicators, encryption did not apply.

Microsoft 365 administrators can audit encryption status in the Purview compliance portal under Message Trace. This shows every outbound message with its encryption status, useful for HIPAA risk assessments and periodic compliance reviews.

According to HIPAA Journal, the most common documented compliance failure is a sender forgetting to enable encryption on a PHI message. Verification per send is the single most effective preventive control.

Choose the Outlook Path Based on Plan and Recipient

Match the encryption approach to the Microsoft 365 tier and the target recipient. Business Premium and above have the Encrypt button for a Microsoft-native experience. Business Basic and Business Standard need either an upgrade or a layered service.

  • Business Premium or higher, external recipients: Encrypt button with Purview Message Encryption.
  • Any tier, internal certified users: S/MIME with corporate certificates.
  • Business Basic or Business Standard, external recipients: layered HIPAA-compliant service.
  • Any tier, mixed compliance needs, patients as recipients: layered service with portal fallback.

For deeper coverage on related methods, see the sibling guides encrypting email in Outlook, encrypting an email, and how to open encrypted emails in Outlook.

The final point is that Outlook makes encryption easy on the right plan and unavailable on the wrong plan. Match the tool to the tier, and verify every sensitive send.

Frequently Asked Questions

Which Outlook and Microsoft 365 plans include the Encrypt button? +

The Encrypt button appears on Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, and comparable Education plans. It does not appear on Business Basic or Business Standard. If the tenant is on a qualifying plan and the button is still missing, an administrator likely needs to enable Azure Rights Management under the Microsoft 365 Admin Center. Once activated, the Encrypt button appears in Outlook desktop under Options and in Outlook on the web under the compose window overflow menu within a few minutes.

What is the difference between Encrypt-Only and Do Not Forward in Outlook? +

Encrypt-Only encrypts the message in transit and at rest, so unauthorized viewers cannot read it, but the recipient can forward, copy, print, and download normally once they open it. Do Not Forward adds Microsoft Purview rights-management controls that block forwarding, printing, and copying by the recipient. Do Not Forward is the stronger control when the sender wants to limit downstream distribution. Both options require Microsoft Purview Message Encryption enabled at the tenant level to appear in the Outlook compose menu.

How do I install an S/MIME certificate in Outlook desktop? +

Get an S/MIME certificate from a trusted authority such as DigiCert, Sectigo, or IdenTrust. The authority delivers the certificate as a .pfx file with a private key. Double-click the .pfx file on Windows, or import it into Keychain Access on macOS. Open Outlook, navigate to File, Options, Trust Center, Trust Center Settings, Email Security, and click Settings under Encrypted email. Select the certificate for signing and encryption. Save and restart Outlook.

Does Microsoft 365 Business Basic support S/MIME? +

Microsoft 365 Business Basic is a web-only plan without the desktop Outlook client, and S/MIME on Outlook on the web has limited support. The Encrypt button on Business Basic is not available because Purview Message Encryption requires Business Premium or higher. Practices on Business Basic that need encryption typically use a browser-based encrypted email service or upgrade one or more seats to Business Premium. Layering a HIPAA-compliant service is often the lower-cost path for small practices.

Can I send an encrypted Outlook message to a Gmail user? +

Yes. Purview Message Encryption delivers the message through a Microsoft portal. The Gmail user receives a notification email with a link. They click the link and either sign in with their Google account or request a one-time passcode by email. They read the message in the Microsoft portal in their browser. The message stays encrypted at Microsoft servers and is not copied into the recipient Gmail account in plaintext. Portal-based reads leave the message on Microsoft infrastructure.

Does Outlook automatically encrypt sensitive messages? +

Not by default. Outlook does not scan message content and apply encryption automatically. An administrator can build data loss prevention rules in the Microsoft 365 Purview compliance portal that scan outbound messages for patterns like Social Security numbers or medical record numbers and enforce encryption on match. This is not enabled out of the box. It requires configuration of a DLP policy tied to a Purview Message Encryption action.

What happens if I forget to click Encrypt on a sensitive message? +

The message sends over TLS to the recipient server if the recipient supports TLS, or in plaintext if it does not. Neither of these paths meets HIPAA transmission standards for PHI. If the message contained regulated content, the sender may need to report a potential incident, depending on the organization breach response policy. This is one of the reasons many healthcare organizations layer an encrypted email service that enforces encryption regardless of user action.

Office 365 Email Encryption Setup and HIPAA Configuration

office 365 email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Purview Message Encryption ships with Business Premium, E3, E5, or Apps for Enterprise plus AIP.
  • Admin activation runs in about 30 minutes: enable Azure RMS, verify Purview, set default template.
  • External recipients open through outlook.office365.com with Microsoft, Google, or passcode sign-in.
  • HIPAA on Office 365 needs four steps: sign the BAA, enable Purview, apply labels, retain audit logs.
  • For a few PHI senders, a per-seat HIPAA service beats a tenant-wide Business Premium upgrade.

Office 365 email encryption runs on Microsoft Purview Message Encryption. The service ships with Business Premium and higher plans. It powers the Encrypt button in the Outlook ribbon and handles external recipient delivery through a browser portal.

This guide covers the Office 365 email encryption setup, the license structure, the recipient experience, and the HIPAA configuration. It also covers the fit for a separate encrypted email service when the Office 365 plan does not include the Encrypt button.

The choice depends on plan level, seat count, and how many staff need to send PHI. Read each section and match the approach to the actual practice flow.

Purview Message Encryption Powers the Encrypt Button

Microsoft Purview Message Encryption is the underlying service for the Encrypt button in Outlook. The button appears in the Options ribbon on new messages. Users click Encrypt and pick Encrypt-Only or Do Not Forward.

Encrypt-Only encrypts the message content in transit and at rest. Recipients can reply, forward, and print. Do Not Forward applies rights management and blocks forward, print, and download. The sender picks based on the sensitivity of the content.

Both options deliver to internal Microsoft 365 recipients inline. Both options deliver to external recipients through a notification email with a browser tab open on outlook.office365.com. The recipient experience is consistent across the two options.

Detailed sender steps are in the Microsoft support guide for encrypted messages in Outlook.

License Tiers Determine Access to Encryption

The Encrypt button in Office 365 is not available on every plan. The license tier determines whether the feature appears in Outlook. Practices should confirm the plan level before assuming encryption is available.

The plans that include Purview Message Encryption are:

  • Microsoft 365 Business Premium
  • Microsoft 365 E3 and E5
  • Office 365 E3 and E5
  • Microsoft 365 Apps for Enterprise with Azure Information Protection Premium
  • Standalone Azure Information Protection Premium P1 or P2

Plans that do not include the Encrypt button are Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Apps for Business, and Office 365 E1. Users on these plans do not see the Encrypt button in Outlook.

Adding the button requires either a plan upgrade or a per-seat Azure Information Protection Premium license add-on. The choice depends on how many features of Business Premium the practice needs beyond encryption.

office 365 email encryption in article illustration one

Tenant Setup Takes Thirty Minutes on a Fresh Deployment

Enabling encryption on a fresh tenant takes about thirty minutes. The setup happens entirely in the Microsoft 365 admin center. No changes to individual mailboxes or client software are required.

The steps are: sign in as global administrator, activate Azure Rights Management under Settings and Org settings, verify Message Encryption availability under the compliance section, configure the default template that recipients see, and confirm license assignment for the users who will send encrypted mail.

Existing tenants with Azure Information Protection already licensed do not need additional activation. The Encrypt button appears in Outlook after the client restart. Administrators can push the setting through Group Policy or MDM to ensure consistent behavior across the fleet.

Test the setup with a small pilot group before rolling out to all users. Send an encrypted message to an external recipient. Confirm the notification, the browser tab, and the decrypted message. Fix any policy or template issues before wide rollout.

Comparing Office 365 Encryption Options at a Glance

Office 365 supports several encryption methods with different fit profiles. The right choice depends on recipient mix, plan level, and administrative overhead.

Method Recipient Setup Plan Required Best Fit
Purview Message Encryption Browser tab, sign-in or passcode Business Premium or higher External patient and vendor mail
S/MIME Certificate pre-installed Any plan with desktop Outlook Internal mail with managed PKI
Sensitivity Labels Depends on label configuration E3 or E5 Enterprise policy-based encryption
Mail flow rule Encrypt-Only Same as Purview portal Business Premium or higher Automated encryption on patterns
Third-party HIPAA service One-click portal link Any Office 365 plan Small practices on Business Basic or Standard

Practices with mostly external recipients on personal accounts choose Purview or a third-party HIPAA service. Practices with mostly internal or partner mail choose S/MIME. Enterprise deployments use Sensitivity Labels for policy-driven automation.

Map the send flow before committing. How many external recipients per week. How often the recipient list changes. How many staff need to send encrypted mail. The answers point to the right method.

Example

A 20-seat internal medicine group on Microsoft 365 Business Basic at $6 per seat needs the Encrypt button for four physicians who send referral records. Upgrading all 20 seats to Business Premium at $22 adds $320 per month. Adding Azure Information Protection Premium P1 at $2 per seat on the four physicians adds $8 per month, but the practice manager finds a dedicated HIPAA service at $10 per seat covers the same four physicians for $40 with a bundled BAA and simpler admin, and chooses that path.

The BAA Is Included in Every Microsoft 365 Tenant

Microsoft signs a business associate agreement covering the Microsoft 365 services under the standard BAA terms. The BAA is available at no extra cost. Administrators accept it in the Microsoft 365 admin center.

The BAA covers Exchange Online, SharePoint Online, OneDrive for Business, Teams, and the Purview compliance services. It applies to the tenant from the acceptance date forward. New services added to the tenant fall under the BAA automatically if Microsoft lists them as covered.

The BAA does not cover consumer services like Outlook.com or Hotmail. Practices using consumer accounts for patient mail need to move to a business tenant to fall under the BAA. This is a common misconfiguration that HIPAA auditors flag.

The HHS guidance on business associate agreements lists the terms required. Confirm the Microsoft BAA against the HHS requirements at the time of tenant setup.

office 365 email encryption in article illustration two

Sensitivity Labels Automate the Encryption Decision

Sensitivity Labels are the automated version of the Encrypt button. Administrators define labels in the Microsoft Purview compliance portal and configure rules that flag messages containing PHI or other regulated fields.

Applied labels can require encryption automatically, restrict forwarding, block download of attachments, and apply retention rules. The sender does not have to decide. The label is applied by policy based on the message content.

Deployment requires Microsoft 365 E3 or E5 licensing and Purview Information Protection configuration. Content patterns, sensitive information types, and label rules all need to be defined. This is a significant setup effort.

Sensitivity Labels pay back at enterprise scale where hundreds of users benefit from centralized policy. Small practices usually do not see the same payback and use the manual Encrypt button or a third-party service instead.

Mail Flow Rules Enforce Encryption on Patterns

Mail flow rules in Exchange Online provide a middle ground between manual Encrypt and full Sensitivity Labels. Administrators create rules in the Exchange admin center under Mail flow, Rules.

Rules match on conditions such as message subject containing a keyword, recipient domain matching a known partner, sender belonging to a specific group, or content matching a sensitive information type. Matched messages apply the Encrypt-Only or Do Not Forward template automatically.

This automation removes the sender decision on the most common regulated flows. A rule that encrypts every message with subject line containing [PHI] covers a large fraction of patient-record sends without training staff on the Encrypt button.

Mail flow rules also work as a safety net alongside manual Encrypt. If a sender forgets to click Encrypt but includes a PHI pattern in the body, the rule catches the message and applies encryption automatically.

๐Ÿ’กPro Tip: Do the license math on actual PHI senders only

The plan-wide upgrade calculation is the default vendor pitch. The correct calculation is per-mailbox for only the seats that actually send PHI. Count those seats, then compare three numbers: the Business Premium upgrade cost for that subset, the Azure Information Protection Premium P1 add-on cost for that subset, and a dedicated HIPAA service cost for that subset. The dedicated service often wins on small clinician counts because the BAA and admin are already bundled.

GoDaddy-Provisioned Office 365 Follows the Same Structure

Office 365 licenses provisioned through GoDaddy follow the same plan and feature structure as direct Microsoft licenses. The Encrypt button appears on the same Business Premium and higher plans. The BAA is available in the same admin center.

Practices that provisioned Office 365 through GoDaddy sometimes cannot find the compliance settings because the admin panel is a subset of the full Microsoft 365 admin center. In that case, administrators can access the full center at admin.microsoft.com using the same credentials.

The BAA and the Purview settings are available in the full admin center. GoDaddy does not restrict access to compliance features. The initial setup routes through the GoDaddy dashboard, but administrators can move to the Microsoft admin center for full configuration.

Practices that need the Encrypt button and are on a GoDaddy Business Basic subscription should upgrade to Business Premium in the GoDaddy dashboard, or add per-seat Azure Information Protection through the Microsoft admin center.

Practices on Lower Plans Have Three Practical Options

Practices on Business Basic or Business Standard face a choice when they need encrypted email for HIPAA. The Encrypt button is not available on their plan. They have three practical options.

Option one is a full plan upgrade to Business Premium. This adds encryption, advanced threat protection, and device management at around ten dollars extra per seat per month. It fits practices that will use the other Business Premium features beyond encryption.

Option two is a per-seat Azure Information Protection Premium P1 add-on. This adds encryption without upgrading the base plan. Cost runs about two dollars per seat per month. It fits practices that only need encryption and not the other Business Premium features.

Option three is a dedicated HIPAA email service that works alongside Office 365. The service handles PHI-containing mail through its own encryption and BAA. Office 365 handles general mail. This fits practices where only a fraction of staff handle regulated content.

Mailhippo Works Alongside Office 365 for HIPAA Mail

Mailhippo secure email service works alongside Office 365 without changing the plan structure. The signed BAA is included in the base plan. Practices keep Office 365 for general mail and use Mailhippo for patient-facing PHI.

The sender uses Office 365 for internal communication, scheduling, and vendor mail. When a message contains PHI, the sender routes it through Mailhippo either from a browser interface or from an Outlook add-in. The message encrypts, delivers to the recipient link, and logs the send in the audit trail.

The recipient opens the message through a one-click link with a one-time passcode delivered to the same email address. No account creation, no password reset, no software install. This is the shortest recipient path among common HIPAA options.

The broader compliance stack pairs encrypted email with HIPAA-compliant website design and patient portal configuration. Encrypted email is one layer of the stack. The full stack covers the practice end to end.

Frequently Asked Questions

How do I enable email encryption in Office 365? +

Sign in to the Microsoft 365 admin center as a global administrator. Navigate to Settings, then Org settings, then Microsoft Azure Information Protection. Activate Rights Management if it is not already active. Assign Azure Information Protection Premium licenses or confirm that Business Premium or E3 licenses are in place. Purview Message Encryption becomes available once the licenses are assigned. Users see the Encrypt button in Outlook on the next session. The activation applies at the tenant level and covers every licensed mailbox.

Is Office 365 email encryption HIPAA-compliant? +

Yes, when configured correctly. Microsoft signs a business associate agreement covering Exchange Online, SharePoint, OneDrive, Teams, and Purview services. Administrators accept the BAA in the admin center. Once accepted, Office 365 encryption meets the HIPAA transmission security standard. The covered entity is responsible for configuring policies to encrypt every PHI send, maintaining access logs, training staff, and applying access controls on mailboxes. HIPAA compliance is a shared responsibility between Microsoft and the covered entity.

What plans include Office 365 email encryption? +

Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 Apps for Enterprise with Azure Information Protection Premium, and Office 365 E3 and E5 all include Purview Message Encryption. Business Basic, Business Standard, and Microsoft 365 Apps for Business do not include the Encrypt button. Adding it requires either a plan upgrade or a per-seat Azure Information Protection Premium license. GoDaddy-provisioned Office 365 licenses follow the same tier structure as direct Microsoft licenses.

How much does Office 365 email encryption cost? +

The Encrypt button is included in Microsoft 365 Business Premium at around twenty-two dollars per user per month, Business Basic at six dollars, and Business Standard at twelve dollars. Upgrading from Business Standard to Business Premium adds ten dollars per seat per month. A per-seat Azure Information Protection Premium P1 license runs about two dollars per seat. Practices with dozens of seats often find the total cost of a plan upgrade higher than the cost of a dedicated HIPAA email service that includes the BAA.

How do external recipients open Office 365 encrypted emails? +

External recipients receive a notification email with a Read the message button. The button opens outlook.office365.com in a browser tab. The recipient signs in with a Microsoft account, signs in with a Google account, or requests a one-time passcode delivered to the same email address. The passcode arrives in a second email within a minute. Enter the passcode in the browser tab. The decrypted message displays inline with attachments listed below. Reply from the portal encrypts the reply back to the sender.

Can I set default encryption on every outgoing message? +

Yes, through Exchange Online mail flow rules. Administrators create a rule in the Exchange admin center under Mail flow, Rules. The rule applies to messages that match specific conditions, such as containing PHI patterns or being sent to a specific external domain, and applies the Encrypt-Only or Do Not Forward template. This automates encryption without requiring the sender to click the Encrypt button. Sensitivity Labels provide a more advanced version of the same automation with content-based classification.

What is the difference between Purview Message Encryption and S/MIME in Office 365? +

Purview Message Encryption is server-side and works with any recipient through a browser portal. S/MIME is client-side and requires certificates installed for both sender and recipient. Purview is easier for external recipients because they need no certificate. S/MIME provides true end-to-end encryption because only the recipient with the matching private key can decrypt, including Microsoft. Practices choose Purview for external mail and S/MIME for internal mail with high sensitivity, or use both in combination.

Encrypted Emails in Outlook Sending Guide and Troubleshooting Fixes

encrypted emails outlook guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook offers three encryption paths: Purview, native S/MIME, and third-party add-ins like Virtru.
  • Purview encryption is four clicks: Options, Encrypt, pick policy, Send. External users get a portal.
  • No Encrypt button usually means the wrong Microsoft 365 plan, not an Outlook bug.
  • S/MIME needs an X.509 cert on both sides, which clusters use in orgs with central PKI.
  • HIPAA practices need a Microsoft BAA plus Purview or S/MIME before routing any PHI through Outlook.

Sending encrypted emails in Outlook is straightforward once the correct license and configuration are in place. The confusion for most users starts with which encryption method their license supports and whether the Encrypt button in the ribbon is available at all.

This guide covers the three practical routes for encrypted email in Outlook: Microsoft Purview Message Encryption, S/MIME through certificates, and third-party add-ins. Each section includes step-by-step instructions and the license or setup requirement.

A dedicated troubleshooting section addresses the “cant send encrypted emails Outlook” errors that generate the most support tickets. Every fix is based on Microsoft’s current documentation and typical production configurations.

Three Encryption Routes in Outlook

Outlook supports encrypted email through three separate mechanisms. The right choice depends on the Microsoft 365 license, the recipient population, and whether the organization needs certificate-based zero-knowledge encryption.

Microsoft Purview Message Encryption is the most common route. It ships with Microsoft 365 Business Premium and Enterprise E3, E5, A3, and A5 licenses. Users encrypt messages with a single click in the Options ribbon.

S/MIME is the second route. It requires an X.509 certificate installed on the sender’s device and prior key exchange with the recipient. S/MIME is standards-based and interoperable across mail clients that support it, but the setup burden limits adoption.

Third-party add-ins are the third route. Virtru, Mailhippo, and Barracuda all publish Outlook add-ins that add encryption capability to Outlook regardless of the underlying Microsoft license. These add-ins fit tenants on lower license tiers or workflows that need features Microsoft native encryption does not cover.

Sending an Encrypted Email with Purview Message Encryption

Purview Message Encryption is the fastest route to encrypted email in Outlook for tenants with an eligible license. The sending workflow takes four steps.

Compose a new message in Outlook Desktop or Outlook on the web. Click the Options tab in the ribbon at the top of the compose window. Click the Encrypt button in the Options ribbon. Choose the encryption policy from the dropdown: Encrypt-Only for content encryption or Do Not Forward for encryption plus forwarding restrictions.

  • Compose the message as normal (recipient, subject, body, attachments)
  • Click Options in the ribbon
  • Click Encrypt, then select the policy
  • Click Send

Recipients on Microsoft 365 read the message inline in their inbox with no additional steps. External recipients receive a notification email with a link to Microsoft’s Message Encryption portal. They sign in with a Microsoft account, Google account, or a one-time passcode to read the message.

encrypted emails outlook in article illustration one

Sending an Encrypted Email with S/MIME in Outlook Desktop

S/MIME encryption in Outlook Desktop requires an X.509 certificate installed in the Windows certificate store on the sender’s machine. The certificate can be issued by an internal certificate authority or a commercial CA.

Once the certificate is installed, configure Outlook to trust it. Open Outlook, click File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings. In the Security Settings Name dropdown, name the profile. Under Signing Certificate and Encryption Certificate, click Choose and select the S/MIME certificate. Click OK.

To send an encrypted message, compose the message as normal. Click the Options tab and select Encrypt (or Sign, if digital signing only). Send. For encryption to work, Outlook needs the recipient’s public certificate. If the recipient has sent a previously signed message, Outlook captures the certificate automatically.

Our companion piece on how to send encrypted emails covers the S/MIME setup in more depth including certificate procurement from commercial CAs.

Understanding Encrypt-Only Versus Do Not Forward

The Encrypt button dropdown in Outlook offers two Purview policies: Encrypt-Only and Do Not Forward. The difference matters because it affects what recipients can do with the message after they read it.

Encrypt-Only applies message-level encryption to the content in transit and at rest. Recipients can read, reply, forward, print, and copy the content freely once decrypted. The encryption protects against server-side exposure and network interception.

Do Not Forward adds rights management restrictions on top of encryption. Recipients using compliant clients cannot forward, print, or copy the content. The restrictions are enforced by the recipient’s mail client, so they may not hold in all environments (particularly on mobile clients or non-Microsoft mail apps).

Choose Encrypt-Only when the concern is transport and mailbox exposure and the recipient needs full flexibility to work with the content. Choose Do Not Forward for messages containing internal deliberations, confidential negotiations, or sensitive personnel information where distribution controls matter.

Example

A 12-clinician orthopedic practice on Microsoft 365 Business Standard tried to send an MRI report to a referring surgeon and found no Encrypt button in the Outlook ribbon. IT verified the plan in the admin center, upgraded three clinical mailboxes to Business Premium at $22 per seat per month, and confirmed Azure Rights Management showed Activated. The Encrypt button appeared within 45 minutes of license assignment. A test send to a Gmail address delivered a portal link that opened after a one-time passcode.

Fixing “Cannot Send Encrypted Emails” Errors in Outlook

The most common cause of the “cant send encrypted emails Outlook” error is a license mismatch. Purview Message Encryption is not included in Microsoft 365 Business Basic or Business Standard. The Encrypt button in the ribbon does not appear when the license is not eligible.

Verify the license in the Microsoft 365 admin center at admin.microsoft.com. Navigate to Billing, Licenses, and confirm the assigned license is Business Premium, E3, E5, A3, or A5. If the license is Business Basic or Business Standard, upgrade to enable Purview Message Encryption.

The second common cause is Azure Rights Management being disabled at the tenant level. In the admin center, navigate to Settings, Org settings, Services, and confirm Rights Management is set to Activated. Microsoft’s documentation at learn.microsoft.com purview ome covers the tenant-level activation steps.

The third common cause is Outlook not being fully signed in to the Microsoft 365 mailbox. Check the account status in File, Account Settings and confirm the account shows as connected. Sign out and sign back in if the account shows as offline or unauthenticated.

encrypted emails outlook in article illustration two

Encrypted Emails in Outlook on the Web

Outlook on the web (outlook.office.com) supports Purview Message Encryption with the same license eligibility as Outlook Desktop. The compose window includes an Encrypt option in the toolbar.

Click New message. Compose the message. Click the ellipsis (three dots) in the message toolbar. Select Encrypt, then choose the policy. The recipient experience matches the Desktop workflow.

Outlook on the web does not support S/MIME as fully as Outlook Desktop. Some S/MIME features require the S/MIME extension for Edge or Chrome. Organizations relying on S/MIME should standardize on Outlook Desktop or accept the reduced feature set in the web client.

For workflows where users move between Desktop and web frequently, Purview Message Encryption provides a consistent experience. S/MIME works best when the user consistently uses Outlook Desktop.

Encrypted Emails in Outlook Mobile

The Outlook mobile app for iOS and Android supports Purview Message Encryption for both sending and reading. The interface mirrors the desktop workflow with an Encrypt option in the compose menu.

To send an encrypted message on mobile, tap New Message. Compose the message. Tap the three-dot menu. Tap Encrypt and select the policy. Tap Send.

S/MIME on mobile is more limited. iOS Mail supports S/MIME natively when a certificate is provisioned through a configuration profile. Outlook mobile has limited S/MIME support and generally requires organization-specific configuration through Intune or a similar mobile device management platform.

For practices where mobile use is heavy, Purview Message Encryption provides a smoother path than S/MIME. Users who need S/MIME on mobile should plan on iOS with MDM-managed certificates rather than trying to make it work on Android or Outlook mobile.

๐Ÿ’กPro Tip: Confirm the Azure Rights Management state first

License upgrades alone do not always surface the Encrypt button. Azure Rights Management must be Activated at the tenant level under Settings, Org settings, Services. Roughly one in five license-upgrade tickets stall here because the tenant was provisioned before automatic activation became default. Activating takes two clicks in the admin center, and the button appears in Outlook after the client resyncs licenses (usually within an hour).

Encrypted Emails in Outlook for HIPAA Compliance

Healthcare practices sending PHI through Outlook need a Business Associate Agreement (BAA) covering the Microsoft 365 tenant. Microsoft signs a BAA for Business and Enterprise plans but not for free Outlook.com accounts.

The BAA plus TLS in transit plus encryption at rest satisfies the HIPAA Security Rule’s transmission and storage safeguards. Adding Purview Message Encryption or S/MIME provides additional message-level protection. HHS publishes BAA guidance at the HHS BAA reference page.

Practices should confirm the BAA is signed before sending PHI. The Microsoft 365 admin center under Compliance shows the BAA status for enterprise agreements. For Business tier agreements, the BAA is typically part of the Microsoft Products and Services Data Protection Addendum available from the Microsoft Trust Center.

Our team at Redefine Web has published guidance on healthcare website security features for practices building broader HIPAA programs beyond email.

Third-Party Encryption Add-Ins for Outlook

Tenants on Microsoft 365 Business Basic or Business Standard cannot access Purview Message Encryption. Rather than upgrading the whole tenant license, some practices add a third-party encryption product that includes an Outlook add-in.

Common options include Virtru (browser and Outlook add-in), Barracuda Email Gateway Defense (Outlook add-in through the gateway), and inbox-native services such as Mailhippo (Outlook add-in with recipient inbox delivery).

These add-ins install through Microsoft AppSource and integrate into the Outlook compose window. Users click an encryption button in the ribbon or toolbar to route the outbound message through the service.

The trade-off is that the sender manages two encryption tools if the tenant also uses Purview. For small practices, standardizing on a single add-in and skipping Purview keeps the workflow simpler. Larger organizations that already own Business Premium or higher typically standardize on Purview and use add-ins only for niche workflows.

Opening and Forwarding Encrypted Emails in Outlook

Recipients on Microsoft 365 read Purview-encrypted messages inline in Outlook Desktop, Outlook on the web, or Outlook mobile. No additional steps are required.

External recipients receive a notification email with a Read the message button. Clicking opens Microsoft’s Message Encryption portal in a browser. The recipient signs in with a Microsoft, Google, Yahoo, or one-time passcode option. The decrypted message displays. Our companion piece on how to open encrypted emails in Outlook covers this flow.

Forwarding an encrypted email depends on the policy. Encrypt-Only messages can be forwarded and remain encrypted in transit. Do Not Forward messages are blocked from forwarding in compliant clients. S/MIME messages can be forwarded, but the forwarding recipient must have the original recipient’s public certificate for the encryption to reach them successfully.

For practices where forwarding is common (referrals, care coordination), Encrypt-Only is usually the correct default policy. Do Not Forward suits legal, personnel, and executive communications where distribution controls matter more than workflow flexibility.

Frequently Asked Questions

How do I send an encrypted email in Outlook? +

Open a new message in Outlook Desktop or Outlook on the web. Click the Options tab in the ribbon. Select Encrypt and choose either Encrypt-Only or Do Not Forward from the dropdown. Compose the message and click Send. Recipients on Microsoft 365 read the message inline. External recipients receive a portal link to read through Microsoft’s Message Encryption portal. This method requires the tenant to have Microsoft 365 Business Premium or higher, or an Enterprise E3, E5, A3, or A5 license.

Why can I not send encrypted emails in Outlook? +

The most common cause is a license issue. Microsoft Purview Message Encryption is not included in Microsoft 365 Business Basic or Business Standard. Upgrading to Business Premium or higher enables the Encrypt button in the ribbon. Other causes include Azure Rights Management being disabled at the tenant level, Outlook not being connected to the Microsoft 365 mailbox, or corporate policies blocking the encryption option. Verify the plan in the Microsoft 365 admin center and confirm the correct account is signed in to Outlook.

What is the difference between Encrypt-Only and Do Not Forward in Outlook? +

Encrypt-Only encrypts the message content in transit and at rest. Recipients can read, reply, forward, print, and copy the content. Do Not Forward encrypts the message and applies rights management restrictions that prevent forwarding, printing, and copying (for recipients using clients that honor those restrictions). Do Not Forward is enforced by the recipient’s mail client, so restrictions may not hold on all clients. Choose Encrypt-Only when the concern is transport and mailbox exposure. Choose Do Not Forward for additional distribution controls.

How do I set up S/MIME encryption in Outlook Desktop? +

Obtain an S/MIME certificate from an internal certificate authority or a commercial certificate authority such as Sectigo or DigiCert. Install the certificate in the Windows certificate store on the machine running Outlook. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings and select the certificate. Save. To send encrypted, compose a message, go to Options in the ribbon, and select Encrypt (S/MIME option) if the recipient’s certificate is already known to Outlook.

Can external recipients read encrypted emails from Outlook? +

Yes. External recipients read Purview-encrypted messages by clicking a link in the notification email that opens Microsoft’s Message Encryption portal. They sign in with a Microsoft account, Google account, or a one-time passcode. The portal displays the decrypted message. For S/MIME encrypted messages, the external recipient must have their own S/MIME certificate and a mail client that supports S/MIME. Not all external recipients meet those requirements, so Purview is more practical for mixed audiences.

Does encrypted email in Outlook satisfy HIPAA compliance? +

Encrypted email in Outlook satisfies HIPAA when three conditions are met. The Microsoft 365 tenant must be on a plan for which Microsoft signs a BAA (Business or Enterprise, not free Outlook.com). Encryption must be applied to PHI-containing messages using Purview Message Encryption or S/MIME. The organization must have documented policies and access controls consistent with the HIPAA Security Rule. Meeting all three keeps Outlook-based email HIPAA-compliant for most healthcare workflows. Practices should verify the BAA is signed before sending PHI.

What happens if I forward an encrypted email in Outlook? +

Forwarding behavior depends on the encryption method and policy. An Encrypt-Only message can be forwarded by the recipient and remains encrypted at the transport level. A Do Not Forward message is blocked from forwarding in clients that honor the restriction. An S/MIME encrypted message can be forwarded, but the forwarding recipient must have the original recipient’s certificate or the sender re-encrypts to the new recipient. Forwarding across encryption boundaries (Purview to S/MIME or vice versa) often falls back to unencrypted or requires re-encryption at the forwarding client.

How to Encrypt Email in Outlook (2026 Complete Guide)

how to encrypt email in outlook guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook has three encryption paths: Purview Message Encryption, S/MIME, and Office Message Encrypt.
  • The Encrypt button only appears on Business Premium, E3, E5, or A3/A5. Basic and Standard hide it.
  • S/MIME needs X.509 certs on both sides plus yearly renewal. Peer clinics keep it, patients drop it.
  • External recipients open Purview mail through a portal link. Sign in with Microsoft, Google, or OTP.
  • HIPAA needs a signed BAA, training, audit logs, and policies. Encryption alone is not compliance.

Outlook offers built-in encryption on most business plans, but the button only appears when the license, tenant configuration, and client version all line up. Missing one piece leaves the sender clicking on a feature that does nothing.

This guide walks through every path for how to encrypt email in Outlook, from the Encrypt button on Microsoft 365 to S/MIME certificates and Office Message Encryption rules. Where a healthcare team needs a simpler alternative, a secure email service with a BAA in the base plan often removes the recipient-side portal friction entirely.

Each method below includes the exact ribbon path, the license requirement, and the recipient experience. Skip to the section that matches your Outlook version and plan.

Outlook Supports Three Different Encryption Methods

Outlook does not have one encryption feature. It has three, and they behave differently at the recipient end.

Microsoft Purview Message Encryption is the modern default. It sits behind the Encrypt button in the ribbon on Microsoft 365 Business Premium and higher. External recipients get a portal link.

S/MIME uses X.509 certificates installed on each sender and recipient. It works entirely inside the client and produces a message that opens directly in Outlook without a portal step. Setup and certificate maintenance limit its practical reach.

Office Message Encryption is the older brand name for what is now Purview Message Encryption. Exchange Online admins can trigger it through mail flow rules based on subject keywords, recipient domain, or content sensitivity labels.

Picking the wrong path is the top cause of failed encryption rollouts. Read the recipient experience before deciding.

License Requirements Determine Which Method You Can Use

The Encrypt button in Outlook only appears on tenants with a qualifying license. Cheaper plans block the feature at the tenant level.

Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, A3, A5, and G3/G5 all include Purview Message Encryption. Business Basic and Business Standard do not. Personal and Outlook.com accounts have no access at all.

Admins verify entitlement in the Microsoft 365 admin center under Billing, then Licenses. The full breakdown lives in the Microsoft Purview Message Encryption documentation.

S/MIME has no Microsoft license gate. It works on any Outlook client, including consumer accounts, provided each user brings a valid certificate from a public or internal certificate authority.

Practices that need HIPAA-grade encryption and do not want to upgrade all seats to Business Premium often pair a lower-cost Microsoft plan with a dedicated encrypted email service.

how to encrypt email in outlook in article illustration one

The Encrypt Button in New Outlook and Outlook 365

The most common path is the Encrypt button on the ribbon of Outlook 365 and the New Outlook client.

Compose a new message. On the ribbon, click the Options tab. Click Encrypt. A dropdown offers Encrypt-Only, Do Not Forward, and any custom sensitivity labels the admin has published.

Pick Encrypt-Only for standard transmission protection. Pick Do Not Forward when you need to block forwarding, copying, and printing on the recipient side.

Add the recipient, subject, and message body. Attachments inherit the same protection. Click Send.

Internal recipients on the same tenant open the message directly in their Outlook client. External recipients receive a notification email with a portal link.

If the Encrypt button is grayed out, the license is missing or the client has not synced. Sign out and sign back in before opening a support ticket.

Encrypting Email in Classic Outlook 2016 and 2019

Classic Outlook 2016 and 2019 support Purview Message Encryption through the same ribbon path, with one extra permission menu.

In classic Outlook, the button lives under File, Properties, Security Settings while composing. On the ribbon, click Options, then Permission. Pick Encrypt-Only or Do Not Forward from the dropdown.

Older Outlook 2013 installs need a client update patch and Azure Rights Management activated on the tenant. Without the patch, the Permission button prompts for a rights management server that does not exist.

The rest of the workflow matches the new client. Recipient portal experience, attachment inheritance, and admin logging all behave identically across versions.

Teams on Outlook 2013 should plan a client upgrade. Microsoft ended mainstream support for Office 2013 in 2018 and extended support in 2023.

Example

A three-person dermatology practice on Microsoft 365 Business Standard tries to click Encrypt on a referral message and finds the button missing from the Options ribbon. The office manager verifies licenses in the admin center, upgrades one seat to Business Premium for the referral coordinator, waits 24 hours for the license to propagate, then signs out and back in. The Encrypt button appears. The coordinator picks Do Not Forward and sends the message. The specialist receives a portal link and reads it in the browser.

S/MIME Setup for Certificate-Based Encryption

S/MIME uses public-key cryptography. Each sender and recipient holds a certificate. The sender encrypts with the recipient public key. The recipient decrypts with their private key.

Obtain an X.509 certificate from a trusted CA or internal PKI. Import the certificate to the Windows certificate store under Personal. Match the certificate email address to the Outlook account email.

In Outlook, open File, Options, Trust Center, then Trust Center Settings, then Email Security. Click Settings under Encrypted email. Point Outlook to the installed certificate.

Before sending an encrypted message, exchange signed messages with each intended recipient. Each signed message carries the sender public key, which Outlook stores in the contact record for future encryption.

S/MIME certificates expire annually. Track expiration dates in a shared calendar. An expired certificate blocks all new encrypted sends until renewal.

how to encrypt email in outlook in article illustration two

Automatic Encryption Rules in Exchange Online

Manual clicking works for individual senders. Organizations that must encrypt every message matching a policy need mail flow rules.

An admin opens the Exchange Online admin center. Under Mail flow, then Rules, they create a new rule. Conditions can include subject contains PHI, recipient domain matches an external partner, or content contains a sensitive information type like Social Security number.

Action: Apply Office 365 Message Encryption and rights protection. Select Encrypt-Only or Do Not Forward. The rule fires server-side on every matching message without any sender action.

Rules cover the compliance gap when workforce members forget to click Encrypt. They also apply to messages sent from mobile clients that lack the ribbon.

Test the rule against a monitored test mailbox before pushing to production. False positives on internal messages create friction that pushes users to send from personal accounts.

Recipient Experience Determines Adoption

Encryption succeeds only when the recipient opens the message. Portal friction kills adoption.

Purview Message Encryption sends the external recipient a notification email. The email carries a link to the message portal. The recipient clicks, chooses a sign-in method, and reads the message.

Sign-in options include Microsoft account, Google account, or one-time passcode delivered to the same inbox. The passcode option adds thirty seconds and one extra click.

Elderly patients, referring physicians on legacy email systems, and vendor billing staff sometimes stall at the portal step. They call the practice for help. That call is the hidden cost of portal-based encryption.

Services like Mailhippo deliver encrypted email that opens like a normal message on the recipient side, which removes the support call entirely. Practices weighing tradeoffs should test both flows with a real referral partner.

๐Ÿ’กPro Tip: Verify the BAA before turning on Encrypt for PHI

The Encrypt button in Outlook satisfies the HIPAA transmission safeguard, but the practice is not compliant without a signed Business Associate Agreement with Microsoft on file. Sign the BAA through the Microsoft 365 admin center at no extra cost on eligible plans, then configure audit logging and document workforce training before staff start sending PHI. OCR audits routinely find the gap between working encryption and a missing BAA during breach investigations.

HIPAA Compliance Requires More Than Encryption

Purview Message Encryption satisfies the Security Rule transmission security safeguard. It does not make a practice HIPAA compliant on its own.

The covered entity must sign a business associate agreement with Microsoft. The BAA is available at no extra cost through the Service Trust Portal. Practices without a signed BAA on file are not compliant even when the encryption works correctly.

Additional requirements include audit logging on message access, workforce training records, sanction policies, and documented procedures for PHI email. The HHS Security Rule guidance covers each safeguard in detail.

Practices that build websites handling patient data face parallel obligations. A HIPAA-compliant intake form pairs with encrypted email. See healthcare website security features for the site-side controls.

Compliance is a program, not a checkbox. Encryption is one piece.

Common Errors and How to Fix Them

Three errors account for most encryption support tickets. Each has a specific fix.

  • Encrypt button missing after license upgrade. Sign out of Outlook, close the app, wait up to 24 hours for tenant propagation, sign back in.
  • Recipient cannot open the portal. Confirm the notification email did not land in spam. Ask the recipient to request a one-time passcode instead of Microsoft or Google sign-in.
  • Attachments download without protection. Convert Word and Excel files to PDF before attaching, or apply Do Not Forward instead of Encrypt-Only.
  • S/MIME send fails with a no valid certificate error. Verify the recipient sent a signed message first so their public key is in the address book.
  • Mail flow rule fires on internal messages. Add a sender is outside the organization is false exception or scope by recipient domain.

Run each fix in order. If the error persists, capture the message header and open a Microsoft support case. Include the tenant ID, the affected user UPN, and the exact error text.

Related guides in this series cover how to encrypt email across providers, how to encrypt an email in Outlook 365, and how to encrypt email in new Outlook.

When a Dedicated Encrypted Email Service Fits Better

Outlook encryption works well for organizations already standardized on Business Premium or higher with dedicated IT staff. It creates friction elsewhere.

Small practices on Business Basic or Business Standard face a cost jump per seat to unlock Purview. Multi-provider teams running Google Workspace and Microsoft 365 side by side hit sign-in friction on the recipient portal.

Mailhippo is a HIPAA-compliant email service that works with existing Gmail and Outlook accounts, includes a business associate agreement in the base plan, and delivers messages to recipients without a separate portal login. Client-side encryption plus TLS covers the transmission security safeguard without requiring per-recipient S/MIME certificates.

Practices running healthcare marketing sites often pair encrypted email with a compliant patient-facing web presence. See healthcare marketing services for the site-side counterpart.

Pick the tool that matches the workflow. Outlook Purview for standardized enterprise tenants. S/MIME for internal certificate-managed teams. A dedicated encrypted service for practices that want one-click send and one-click open across every recipient.

Frequently Asked Questions

Which Outlook plans include the Encrypt button? +

Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, Apps for Enterprise with add-on, A3, A5, and Government G3 and G5 all include Microsoft Purview Message Encryption. Business Basic, Business Standard, and Apps for Business do not include it and cannot use the Encrypt button without an add-on license. Personal plans and Outlook.com free accounts do not include Purview at all. The Encrypt button will appear grayed out or missing in the ribbon on plans that lack the entitlement.

Can I send an encrypted email to a Gmail address from Outlook? +

Yes. When you click Encrypt in Outlook and send to a Gmail address, the recipient gets a notification email with a link to a Microsoft-hosted portal. They open the portal, sign in with their Google account or request a one-time passcode, and read the message. Replies from the portal return encrypted. The recipient never needs an Outlook or Microsoft 365 account. The experience adds one click compared to a normal email but keeps the content protected end to end.

What is the difference between Encrypt and Encrypt-Only in the Outlook ribbon? +

Encrypt applies default protection, which prevents forwarding by unauthorized users and enforces sign-in for external recipients. Encrypt-Only allows the message to be forwarded by the recipient but keeps the content encrypted in transit and at rest inside the recipient mailbox. Do Not Forward is a stricter option that blocks forward, copy, and print. Practices sending PHI typically pick Do Not Forward for records requests and Encrypt-Only for routine coordination.

Does Outlook encrypt attachments the same way as the message body? +

Attachments inherit the same encryption applied to the message when Purview Message Encryption is active. Word, Excel, PowerPoint, and PDF files stay protected inside the recipient portal and cannot be downloaded outside it when Do Not Forward is selected. Other file types download with the protection removed, so senders should convert sensitive spreadsheets or notes to PDF before attaching. Attachment size still follows the standard 25 MB Exchange Online limit unless SharePoint delivery is triggered.

How do I set up S/MIME in Outlook for internal team encryption? +

The admin obtains X.509 certificates from a trusted certificate authority or an internal PKI and deploys them to each user Windows certificate store. Each user opens File, Options, Trust Center, Trust Center Settings, then Email Security, and points Outlook to their certificate. Before the first encrypted send, users exchange signed messages so public keys populate the address book. From that point, the Sign and Encrypt buttons in the message ribbon apply S/MIME per message.

Is Microsoft 365 encryption enough for HIPAA compliance? +

The encryption meets the HIPAA Security Rule technical safeguard for transmission security, but compliance requires more. The practice signs a business associate agreement with Microsoft, configures audit logging, trains workforce members on PHI handling, and documents policies. Administrative safeguards like access controls and workforce sanctions still belong to the practice. A practice that clicks Encrypt but skips the BAA or leaves auditing off is not compliant. A signed BAA is available through the Microsoft 365 admin center at no extra cost on eligible plans.

What if the Encrypt button is missing after I upgraded my license? +

Sign out of Outlook completely, close the application, and reopen it. If the button still does not appear, wait up to 24 hours for the license to propagate across the tenant. Confirm the license assignment under Users, Active Users in the admin center. Verify Azure Rights Management is activated under Settings, Org settings, Microsoft Azure Information Protection. On the desktop client, run Get-IRMConfiguration in Exchange Online PowerShell to confirm InternalLicensingEnabled is true.

O365 Email Encryption Explained for Admins

o365 email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • O365 encryption bundles TLS, at-rest, Purview portal delivery, and templates like Do Not Forward.
  • Purview reaches any inbox via portal; S/MIME decrypts inline where PKI is already deployed.
  • Business Basic and Standard skip the Encrypt button; Business Premium and E3 unlock Purview access.
  • Setup runs PowerShell for Azure RMS, then mail flow rules trigger encryption on keywords or domains.
  • Known limits: no inline branding, S/MIME cert pre-exchange friction, and Outlook 2013 add-in needs.

O365 email encryption is a bundle of features under Microsoft Purview Message Encryption, formerly known as Office 365 Message Encryption. It covers transport encryption, at-rest encryption on Exchange Online, and message-level encryption through a portal delivery model.

This guide walks through the licensing, setup, and known limits. If your tenant needs a supplementary encrypted email path for specific recipient groups or vertical compliance requirements, the vendor-neutral overview is a useful reference.

The audience assumed here is an IT admin or Microsoft 365 tenant owner setting up encryption for the first time or reviewing an existing configuration.

What O365 email encryption covers by default

Every Microsoft 365 tenant gets some encryption automatically. Exchange Online encrypts mail in transit using TLS 1.2 or higher between mail servers when both sides support it. This is the baseline any modern mail provider offers.

Exchange Online also encrypts mail at rest using BitLocker on the underlying storage and per-message encryption keys. This protects mail on disk against a physical theft or storage-layer attack.

The piece that is not on by default is the end-user Encrypt button. On-demand message-level protection requires a licensed feature, either Purview Message Encryption or S/MIME. Both are available on qualifying subscription tiers.

Compliance-covered communication requires the message-level layer in addition to the automatic transport and at-rest layers. Practices sending patient email cannot rely on the default alone. The Encrypt button is what makes the outbound message protected from server to recipient.

Licensing tiers and encryption features

Licensing determines which encryption features are available. The mapping is not obvious from the marketing pages, and admins routinely encounter tenants where the Encrypt button is missing because the license is wrong.

  • Business Basic and Business Standard: TLS and at-rest encryption only, no Encrypt button
  • Business Premium: full Purview Message Encryption including the Encrypt button
  • Enterprise E3: full Purview Message Encryption including the Encrypt button
  • Enterprise E5: Purview plus Advanced Message Encryption for branding, expiration, and revocation
  • Standalone add-on: Azure Information Protection Plan 1 or 2 adds Purview to lower tiers
  • Government: GCC and GCC High tenants have equivalent tiers with same feature mapping

Adding Purview to a Business Basic tenant through Azure Information Protection is technically possible but administratively awkward. Most tenants upgrade to Business Premium instead.

Confirm current licensing through the Microsoft 365 admin center before enabling encryption rules. Microsoft publishes the current feature mapping in the Microsoft Purview Message Encryption documentation.

o365 email encryption in article illustration one

Enabling Purview Message Encryption on the tenant

Enabling Purview requires a few specific steps. On new tenants provisioned after February 2019, Azure Rights Management is enabled by default. On older tenants, an admin needs to enable it through Exchange Online PowerShell.

Connect to Exchange Online PowerShell as a global admin. Run Enable-AadrmService to activate Rights Management on the tenant. Verify the state with Get-AadrmConfiguration. Once active, Purview Message Encryption is available to eligible users.

Assign Azure Information Protection or Message Encryption licenses to users through the admin center. Users see the Encrypt button in the Options ribbon in Outlook the next time they compose a message. Outlook on the web shows the same button in the compose interface.

Test with a compose to an external Gmail or Yahoo address before rolling out to end users. The test verifies the notification email arrives, the portal login works, and the message body renders correctly on the recipient side.

Automating encryption with mail flow rules

Mail flow rules in the Exchange admin center apply encryption automatically based on conditions. This removes the per-message decision from the sender and prevents the plaintext accident.

Common conditions include keyword lists in the subject or body, sender group membership, recipient domain matching, and attachment content patterns. A healthcare practice might trigger encryption on any outbound message to a patient domain list or containing terms like DOB, MRN, or diagnosis.

Configure the rule under Mail flow in the Exchange admin center. Add a new rule. Select Apply Office 365 Message Encryption and rights protection to the message. Choose the encryption template such as Encrypt or Do Not Forward. Save.

Test the rule with a message that matches the condition. Confirm the message is delivered encrypted. Then move on to the next rule. Complex mail flow with many rules can produce order-of-evaluation issues, so keep the rule set small and documented.

Example

A 40-user regional accounting firm moved from Business Basic to Business Premium at $22 per user per month specifically to enable Purview Message Encryption for client tax documents. The admin enabled Azure Rights Management through PowerShell, built a mail flow rule matching outbound messages containing SSN patterns, and set the rule to preview mode for one week. The rule caught 340 messages, six of which were false matches on internal replies. The admin refined the keyword list, moved the rule to enforced mode, and rolled encryption to all client-facing staff.

Comparing Purview Message Encryption to S/MIME in O365

Both Purview and S/MIME are supported in O365. They solve different problems and are often deployed together in the same tenant for different use cases.

Attribute Purview Message Encryption S/MIME
Recipient prerequisites None, portal-based Public certificate installed
Setup complexity Tenant-side only Sender and recipient certificate exchange
Recipient experience Portal login Inline in mail client
Reach to any address Yes Only PKI-equipped recipients
Typical fit Business to consumer Government, defense, enterprise PKI
Branding Portal branded on Enterprise E5 No portal to brand

Purview is the modern default for reaching external recipients on any platform. S/MIME is the preferred path when both sides already run PKI and inline decryption is required by policy.

Practices comparing broader alternatives can review the email encryption category overview alongside the Purview and S/MIME options.

Signing and encrypting in the same message

Signing and encryption are separate operations. Some organizations require both on the same message. O365 supports this through S/MIME with certificates installed in Outlook Trust Center.

Signing uses the sender’s signing certificate to hash the message and encrypt the hash with the sender’s private key. The recipient uses the sender’s public certificate to verify the signature. This proves sender identity and message integrity.

Encryption uses the recipient’s public certificate to encrypt the message content. Only the recipient’s private key can decrypt. Applying both operations on the same message provides authenticity and confidentiality together.

Sign-only, encrypt-only, and sign-and-encrypt are all valid options. Government and financial services organizations often mandate sign-and-encrypt as the default. Healthcare practices sending patient email usually apply encryption without signing because recipients are not verifying certificate chains.

o365 email encryption in article illustration two

Branding the recipient portal experience

Advanced Message Encryption on Enterprise E5 supports portal branding. This changes what an external recipient sees when they open the portal to read the encrypted message.

Configure branding through Exchange Online PowerShell using Set-OMEConfiguration. Parameters include OMEConfiguration for logo URL, background color hex, disclaimer text, portal text, and email text. Multiple configurations can be created and mapped to different mail flow rules.

Branding appears when external recipients open the portal. It does not appear on messages viewed inline in Outlook by internal recipients on the same tenant. Branding does not change the encryption itself. It changes the recipient trust signal.

Practices with a website and consistent visual identity often extend the same branding to the encrypted portal. Redefine Web covers the underlying identity work in the overview of healthcare web design.

Encryption at rest and mailbox-level protection

At-rest encryption in Exchange Online uses BitLocker on the underlying storage. This is transparent to admins and users. Every stored mail item is encrypted at the storage layer.

Customer Key is an option on Enterprise E5 and Advanced Compliance add-ons. It allows the customer to provide their own encryption keys used alongside Microsoft-managed keys. Losing the customer key results in permanent data loss, so key management overhead is significant.

Customer Key is a control for regulated industries that require key custody separate from the platform provider. For most healthcare and business use cases, Microsoft-managed keys are sufficient and much easier to operate.

Microsoft publishes the at-rest encryption architecture in the Microsoft Purview encryption reference. The design is aligned with NIST cryptographic guidance in NIST SP 800-52 Rev. 2.

๐Ÿ’กPro Tip: Run every mail flow rule in preview mode for one week

New encryption rules routinely match more messages than admins expect, catching normal internal replies alongside intended sensitive content. Preview mode logs matches without applying encryption, giving the admin real data on false-positive rates before staff experience broken workflows. Review the message tracking log daily during the preview week. Refine keywords, sender groups, or recipient conditions based on actual matches. Move the rule to enforced mode only after false matches drop below 1 percent of total volume.

Known limitations and workarounds

Every encryption system has limits. Documenting them in advance saves helpdesk hours later.

  • Branding does not appear on messages viewed inline in Outlook, only in the portal view
  • External recipients occasionally lose the portal notification to spam filtering
  • Outlook 2013 requires patching and the Message Encryption add-in for the Protect button
  • S/MIME needs certificate pre-exchange, which is not practical for ad hoc external sends
  • Some compliance frameworks require signing in addition to encryption, doubling the setup work

Workarounds include publishing a short recipient guide, allowlisting the Microsoft notification domain on partner mail servers, and upgrading beyond Outlook 2013. Each mitigation is small individually and adds up to a smoother user experience.

Some organizations supplement O365 encryption with a dedicated email encryption service for specific use cases where the portal experience is not suitable. The two can coexist through mail flow rules that route matching messages through the vertical vendor.

Operational monitoring and audit trails

Encryption is only useful if it stays on. Operational monitoring catches drift, misconfiguration, and user error before they turn into compliance events.

Enable audit log retention for at least six years in the Microsoft Purview compliance portal. HIPAA record-keeping applies to policies and procedures, and the audit log is the evidence trail during any Office for Civil Rights inquiry.

Monitor the Encrypt button usage through Message Trace and Advanced Message Encryption reports. Users who never use the button after a rollout are either not sending sensitive mail or are bypassing the encryption workflow. Both cases warrant follow-up.

Review mail flow rule hits monthly. A rule that produced regular hits then stopped may indicate an upstream change that broke the trigger. Diagnosing early prevents a silent gap in encryption coverage.

Practical rollout plan for a new O365 encryption deployment

A first-time O365 encryption deployment can run in one afternoon for a small tenant or across two weeks for a larger organization. The key stages are the same.

Confirm licenses cover the target user population. Enable Azure Rights Management if not already active. Configure mail flow rules for the initial triggers, such as external mail with specific keywords. Assign encryption-eligible licenses to pilot users.

Pilot with five to ten users for two to three weeks. Collect feedback on the sender workflow and the recipient portal experience. Adjust mail flow rules and branding based on the pilot findings. Roll out to remaining users in staggered groups.

Publish a one-page recipient guide for external partners describing the portal login process. Practices with a broader compliance program should coordinate the rollout with related work such as healthcare website maintenance to keep the whole patient communication stack aligned.

Frequently Asked Questions

Is O365 email encrypted by default? +

Yes for transport and at rest, no for message-level. Exchange Online encrypts mail in transit using TLS between servers when both sides support it. Exchange Online encrypts stored mail at rest using BitLocker on the underlying storage and per-message encryption keys. The Encrypt button for on-demand message-level protection is a licensed feature available on Business Premium and Enterprise tiers, not the default across all Microsoft 365 subscriptions. Compliance-covered communication requires the message-level protection in addition to the automatic transport and at-rest encryption.

Which O365 license do I need for email encryption? +

The end-user Encrypt button requires Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, or Microsoft 365 Apps for enterprise with an Azure Information Protection Plan 1 or 2 add-on. Enterprise E5 adds Advanced Message Encryption for portal branding, custom expiration, and message revocation. Lower tiers such as Business Basic, Business Standard, and Enterprise E1 include TLS and at-rest encryption but not the on-demand Encrypt button. Government tenants use GCC or GCC High equivalents of these tiers. Confirm current licensing through the Microsoft 365 admin center before enabling encryption rules.

How do I set up O365 email encryption in Outlook 2013? +

Outlook 2013 requires a specific patch level and the Message Encryption add-in to display the Protect button on the ribbon. Confirm Outlook is patched to the latest security update. Install the add-in through the Office 365 admin push or manual download. The Protect button then appears in the ribbon on new message composition. Choose Encrypt-Only or Do Not Forward from the dropdown. Modern Microsoft guidance recommends moving beyond Outlook 2013 because extended support ended April 2023. Practices still on Outlook 2013 should plan an upgrade.

How do I add signing to O365 email encryption? +

Signing and encryption are separate operations in Purview. To sign messages, use S/MIME with a signing certificate installed in Outlook Trust Center, Email Security. To encrypt with Purview, click the Encrypt button in the Options ribbon. Both can be applied to the same message. Signing verifies sender identity to the recipient. Encryption protects content confidentiality. Government and financial services organizations often mandate both. Small practices sending encrypted patient email usually only apply Purview encryption without signing because the recipient is not verifying sender identity through certificate chains.

How do I brand the O365 encrypted email recipient portal? +

Advanced Message Encryption on Enterprise E5 supports portal branding. Use Set-OMEConfiguration in Exchange Online PowerShell to configure logo URL, background color, disclaimer text, and portal title. Multiple configurations can be created and mapped to different mail flow rules for different sender groups. The branding appears when external recipients open the portal to read the message. It does not appear on messages viewed inline in Outlook by internal recipients. Branding does not change the encryption itself. It changes what the recipient sees at the sign-in screen.

Are there known flaws in O365 email encryption? +

Security researchers have published analyses of Purview Message Encryption over the years, and Microsoft has responded with updates. The most-discussed finding involved the use of Electronic Codebook mode in earlier implementations, which was replaced with more modern modes. Current Purview implementations use approved cipher modes and align with NIST guidance. No cryptographic system is guaranteed to be flaw-free, and administrators should apply Microsoft patches promptly and monitor Microsoft Security Response Center bulletins. For compliance-covered communication, layered defenses matter more than any single algorithm choice.

How to Encrypt an Email Containing PHI (Step by Step)

how to encrypt an email containing phi guide featured image

๐Ÿ”‘ Key Takeaways

  • Any email tying a patient to care falls under the Security Rule; TLS alone is not a safe baseline.
  • Three real methods: native Encrypt button, third-party gateway, or portal-only service beyond email.
  • Verify three things before sending: plan supports encryption, BAA is signed, recipient can decrypt.
  • Content-based DLP rules catch missed manual toggles; run them alongside staff-triggered encryption.
  • OCR asks for procedure, training, and audit logs; undocumented encryption looks the same as none.

An email that names a patient and mentions their care is protected health information. Send it outside the practice’s network and HIPAA’s Security Rule expects encryption.

How to encrypt an email containing PHI depends on the sender’s platform and plan tier. Some paths take one click, others need certificate setup, and a few require the practice to route mail through a HIPAA-compliant secure email service that handles the encryption automatically.

This guide covers the three practical methods, the setup steps for each, and the documentation the practice needs to prove the workflow to an OCR investigator if a question ever arises.

Recognize what makes an email a PHI email

PHI is any information tied to an identifiable person plus a health, treatment, or payment detail. Name and diagnosis. Name and lab result. Name and appointment for a specific service.

A chart number by itself qualifies if it can be linked back to a person. So does a birthdate paired with a partial name. So does a photo of a treatment site with any identifying context.

Internal messages count. A note to a colleague that says the patient in room three had an abnormal EKG is PHI. So is a scheduling note that includes a patient’s name and appointment reason.

The safest rule is to treat any message that could reveal a specific person’s care status as PHI. Encryption on a routine message costs nothing. Missing a PHI message and shipping it in cleartext can trigger a breach.

how to encrypt an email containing phi in article illustration one

Confirm the account and BAA before sending

An email account cannot handle PHI unless the provider has signed a business associate agreement with the covered entity. Personal gmail.com and outlook.com accounts do not qualify.

Google Workspace, Microsoft 365, Mailhippo, Paubox, and similar business-tier providers offer BAAs. The BAA takes effect only after the covered entity signs it, and it covers only the services listed in the agreement.

Check the BAA before sending. On Google Workspace, the acceptance record is in the Admin console under Account, Legal and compliance. On Microsoft 365, it is in the Service Trust Portal. Keep a copy in the practice’s compliance folder.

If the BAA is not in place, encryption alone does not solve the problem. The provider handling the message is a business associate under HIPAA, and without a BAA, that relationship is unauthorized.

Method one: encrypt from Gmail with a hosted service

The Gmail path most practices use combines a paid Google Workspace plan with a hosted encryption service. Mailhippo, Virtru, and Paubox all connect to a Gmail account and encrypt outbound mail without a plan upgrade to Enterprise Plus.

Setup takes about ten minutes. The user signs up with the service, authorizes access to the Gmail account through OAuth, and installs a browser extension if required. Some services work through SMTP relay and require no extension.

Once connected, the user composes messages in the normal Gmail interface. The service encrypts the message before delivery, and external recipients receive a portal link.

Test with a personal address on a non-compliant server before rolling out. Confirm the recipient sees the portal link, opens the message, and can reply. Practices comparing the manual and automated options often review can i encrypt an email guides to see how each toggle behaves.

Example An OB-GYN practice with 8 clinical staff relied on a training video and quarterly reminders to encrypt PHI-bearing email. An OCR audit triggered by an unrelated complaint asked for evidence that the encryption workflow was actually applied. The privacy officer produced training logs but no message-level audit trail because Purview logs had rolled off after 30 days. OCR issued a corrective action requiring six years of audit log retention. The practice enabled extended retention in the Purview compliance portal and set a monthly audit sample of 20 messages per clinician.

Method two: encrypt from Outlook with the Encrypt button

On Microsoft 365 Business Premium or higher, the Encrypt button appears on the message ribbon. Click it before sending to apply Purview Message Encryption.

Two options appear: Encrypt Only for standard message-level encryption, and Do Not Forward for encryption plus a restriction against the recipient forwarding or copying the message.

External recipients receive a link and sign in with Microsoft, Google, or a one-time passcode sent to their address. The message opens in a Microsoft-hosted portal.

If the button does not appear, Azure Rights Management may not be activated on the tenant. A super administrator can enable it under Settings, Org settings, Services, Microsoft Azure Information Protection.

how to encrypt an email containing phi in article illustration two

Method three: encrypt automatically with content rules

Both Google Workspace and Microsoft 365 support data loss prevention rules that trigger encryption based on message content. The rules run on the gateway, not on the client, so they apply regardless of whether the user remembered to toggle.

Common patterns to match: Social Security number formats, ICD-10 code prefixes, credit card patterns, and specific keywords like patient chart numbers or the phrase PHI in the subject.

Google Workspace calls the feature Content compliance and configures it under Apps, Google Workspace, Gmail, Compliance. Microsoft 365 calls it DLP policy and configures it in the Purview compliance portal.

Rules can encrypt, block, or warn. Most practices start with warn to see what the rule catches, then move to encrypt once the rule pattern is tuned. Content rules cover the human-error gap that manual toggling leaves open.

Verify the recipient can actually open the message

The most common encryption failure is a compliant send that the recipient cannot open. S/MIME messages arrive as a gibberish attachment on clients that do not support S/MIME. Portal messages require a working browser and a recipient willing to click a link.

Before sending PHI to a new external recipient, send a test message. Ask the recipient to confirm they received a readable message. Log the successful test in the patient’s chart if the practice audits patient communications.

For recipients who cannot open the encrypted message, the practice needs a fallback path. That is usually a phone call to walk through the portal, or a physical mail delivery, or a secure patient portal upload.

Never send PHI in cleartext as a fallback. The Security Rule does not accept convenience as a justification for skipping encryption.

๐Ÿ’กPro Tip: Combine gateway rules with manual toggles for coverageManual encryption toggles catch known-sensitive messages but fail whenever a clinician forgets. Content-based DLP rules on the gateway catch pattern matches automatically but miss unusual phrasings. Running both together closes the gap in either direction. Configure DLP rules to encrypt on ICD codes, MRN prefixes, and Social Security number patterns. Train staff to toggle Encrypt on any message they consider sensitive. The overlap is intentional. Redundant coverage is cheaper than a breach investigation.

Handle attachments the same way as body content

An unencrypted attachment on an encrypted email is still an unencrypted attachment. Some encryption tools encrypt the message body but leave attachments in the clear. Check the tool’s documentation.

Purview Message Encryption encrypts attachments. Mailhippo encrypts attachments. Native S/MIME encrypts the entire message including attachments. Gmail Confidential Mode does not encrypt attachments in any real sense.

PDF files, DICOM images, and lab reports are the common attachment types in clinical mail. Each contains PHI and each needs the same encryption coverage as the body.

For very large attachments, a secure file transfer service is often better than email. Practices that send imaging studies often route them through a dedicated portal rather than trying to email a 500-megabyte DICOM series.

Log every encrypted send for audit purposes

An OCR investigation asks for proof that the practice encrypted PHI messages. Proof means audit logs from the email platform showing which messages were encrypted, when, and to whom.

Google Workspace logs message-level actions in the Admin console under Reports, Audit, Email log search. Microsoft 365 logs are in the Purview compliance portal under Audit.

Hosted encryption services keep their own logs. Mailhippo, Virtru, and similar services show each encrypted send with a timestamp, recipient, and delivery status.

The HHS guidance on risk analysis and NIST SP 800-66 Rev. 2 both point to logging as a required component of Security Rule compliance. Practices without logs cannot prove they were compliant.

Document the workflow and train staff annually

A two-page written procedure covers most practice needs. Name the tool, the trigger, the recipient handling, the fallback for recipients who cannot open the message, and the annual review date.

Train every staff member who touches patient email at least once a year. Log the training. Track new hires through the same training within their first 30 days.

The training should include a live send to a personal address, so staff see what a compliant message looks like from both sides. Reading a policy is not the same as sending a real message.

Practices building the wider healthcare marketing and website posture around the email workflow often engage a specialist. Firms focused on healthcare marketing and healthcare website security features keep the intake forms, the patient portal, and the outbound clinical mail on the same compliance footing.

  • Confirm a signed BAA is in place before sending any PHI.
  • Choose one primary encryption method and one fallback.
  • Enable content-based DLP rules to catch missed manual toggles.
  • Test with a real external recipient before rolling out to staff.
  • Log every encrypted send and keep the logs for at least six years.

Knowing how to encrypt an email containing PHI is a combination of the right platform, the right method, and the discipline to apply it every time. Automated rules and gateway services do the last part more reliably than trained humans, and the practices with the cleanest audit records lean on both.

How Do I Send Encrypted Email in Outlook, Gmail, and Yahoo

how do i send encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook 365 Business Premium adds the Encrypt button; lower tiers need a license upgrade.
  • Gmail confidential mode is not real encryption; client-side S/MIME needs admin setup on both ends.
  • Outlook 2010 through 2016 encrypt with S/MIME certs, which fail for ad hoc consumer recipients.
  • Yahoo Mail has no message-level encryption; TLS in transit alone will not meet HIPAA.
  • Portal encryption reaches any inbox; S/MIME fits PKI-equipped internal and government mail.

Sending encrypted email is straightforward once you know which method your client supports. Outlook 365, Outlook 2010 through 2016, Gmail, and Yahoo each handle encryption differently, and the right method depends on both your sender platform and your recipient.

This guide walks through each client step by step, then compares the methods. If you need a service that layers on top of any of these clients with a signed business associate agreement, see the overview of encrypted email options.

The audience assumed here is a business user or clinician who wants to send an encrypted message today, not a developer building an integration.

How to send encrypted email in Outlook 365

Outlook 365 on Business Premium, Enterprise E3, or Enterprise E5 includes the Encrypt button in the Options ribbon. This is the fastest path if your account is on a qualifying plan.

Compose a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only for a message the recipient can reply and forward. Choose Do Not Forward for a message where you want to restrict sharing.

Send the message. The recipient on your own tenant sees the message inline in Outlook with a lock icon. External recipients see a notification email with a Read the message button. Clicking the button opens the Office 365 message encryption portal in a browser.

Setup requires an admin to enable Azure Rights Management on the tenant. Full guidance is published by Microsoft in the Microsoft Purview Message Encryption reference. If Encrypt is missing from your ribbon, your tenant or license does not have Purview enabled.

How to send encrypted email in Outlook 2010, 2013, and 2016

These versions do not include the modern Encrypt button that appears in Outlook 365. Encryption uses S/MIME certificates and works well for organizations where both sender and recipient have certificates issued through corporate PKI or a public certificate authority.

Import your certificate through File, Options, Trust Center, Trust Center Settings, Email Security. Click Import Export and load your certificate file. Enter the password and complete the import. Outlook now has your certificate bound to your mailbox.

Compose a new message. In the message window, click Options in the ribbon, then click the small dialog launcher in the More Options group. In the Properties dialog, click Security Settings. Check Encrypt message contents and attachments. Click OK. Send.

The recipient needs a matching certificate to decrypt. This is where S/MIME breaks down for ad hoc external mail. For enterprise-to-enterprise and government correspondence, S/MIME works well. For consumer mail, use portal-based encryption instead. The how do I send an encrypted email in Outlook guide covers additional edge cases.

how do i send encrypted email in article illustration one

How to send encrypted email in Gmail

Gmail on Google Workspace offers two paths. Gmail on a personal account has no HIPAA-grade encryption option at all.

Confidential mode is available on every Gmail account. Click the padlock and clock icon in the compose window, set an expiration and a passcode option, and send. This restricts forwarding, printing, downloading, and copying. It does not encrypt content at rest inside Gmail systems.

Google Workspace client-side encryption applies true end-to-end encryption for qualifying tiers. An admin configures a client-side encryption identity for the account. Once configured, the sender can toggle client-side encryption on a message. Recipients must also be configured for client-side encryption to decrypt.

For the widest recipient reach and healthcare use, a dedicated secure email service that installs as a Gmail add-on gives you a Send Encrypted button that routes the message through the vendor. The recipient reads it in a portal. This is the simplest path for a solo practice or small clinic.

How to send encrypted email in Yahoo Mail

Yahoo Mail does not offer a built-in message encryption feature. There is no Send Encrypted button in Yahoo, and Yahoo does not sign a business associate agreement for HIPAA use.

Yahoo servers use TLS between mail servers, which protects messages in transit when the receiving server supports TLS. This is a baseline measure that any modern mail provider offers. TLS alone is not equivalent to end-to-end or message-level encryption.

To send encrypted email from a Yahoo address, you have two practical options. Use a third-party encryption service that can send on your behalf and reply through a portal. Or move the encrypted correspondence to a provider that supports encryption natively.

Yahoo is not a supported platform for HIPAA-covered mail. A therapist or medical office running client communications through a Yahoo address is not compliant regardless of what encryption is added on top of the sending experience. Change providers first.

Example A three-provider dental practice on Microsoft 365 Business Standard tried to send encrypted lab result summaries to patients on Gmail and Yahoo addresses. Staff assumed TLS was enough because IT mentioned it during onboarding. Six months in, the practice discovered the Encrypt button was missing because their tier did not include Purview. They upgraded 12 seats to Business Premium at $22 per user per month, activated Azure Rights Management, and rebuilt a mail flow rule that auto-encrypts any outbound message to non-corporate domains.

Comparing the encryption methods across clients

The methods trade off between ease of use, recipient reach, and compliance strength. This table lays out the practical differences.

MethodSender platformRecipient reachCompliance-grade
Outlook 365 Encrypt buttonBusiness Premium and upAny recipient via portalYes with BAA on tenant
S/MIME certificateOutlook 2010 to 2016 and 365Recipients with certificatesYes when configured
Gmail confidential modeAny Gmail accountAny recipientNo, not on its own
Gmail client-side encryptionQualifying Workspace tiersWorkspace with CSE identityYes with BAA on tenant
Yahoo nativeNone availableNot applicableNo
Dedicated encrypted email serviceAny client with plug-in or webAny recipient via portalYes with vendor BAA

Portal-based methods reach any recipient. Certificate-based methods only work between correspondents with matching PKI infrastructure. Choose based on who you actually send to.

For solo practices sending to patients on consumer email, portal-based encryption is the reliable default. The how to send encrypted email guide covers the sender workflow in more detail.

how do i send encrypted email in article illustration two

Choosing between Encrypt-Only and Do Not Forward in Outlook

Outlook’s Encrypt button gives two options that trip up new users. The right choice depends on how much control you need after the message leaves your outbox.

Encrypt-Only encrypts the message content and attachments. The recipient can reply and forward. Any forwarded copy remains encrypted. This is the right choice for a normal sensitive message where the recipient may legitimately need to share it with a colleague.

Do Not Forward encrypts the message and also blocks forwarding, reply-all, printing, copying, and attachment download. This is the right choice for a legal notice, an executive communication, or a message where you want tight distribution control.

Both options use Microsoft Purview Message Encryption underneath. The distinction is in the rights template applied to the message. Guidance on rights templates is in the Microsoft Azure Rights Management documentation.

Recipient experience across encryption methods

The sender picks the method. The recipient lives with it. Understanding the recipient experience for each method helps a sender choose the right one for the audience.

Portal-based encryption gives the recipient a notification email with a link. The recipient clicks, signs in with a one-time passcode or a linked account, and reads the message in a browser. First-time recipients often need a short explanation of the flow.

S/MIME opens the message inline in the recipient mail client once the recipient certificate is installed. There is no portal step. If the certificate is missing, the message body appears garbled or refuses to open.

Confidential mode from Gmail sends the recipient a link to a Google-hosted view where the message opens after optional passcode verification. Downloads and forwarding are blocked but the underlying storage is not encrypted at rest.

๐Ÿ’กPro Tip: Match the encryption method to the strictest recipientMethod choice fails when senders default to the easiest option for internal use. Portal-based encryption reaches any recipient without prerequisites, so treat it as the default for external clinical mail. Reserve S/MIME for correspondents with existing PKI infrastructure. Configure a mail flow rule that enforces encryption on any message leaving the practice domain, so untrained staff cannot accidentally send patient content in cleartext.

When each method is the right choice

Method choice comes down to who you send to and what compliance obligation applies. The following patterns match methods to typical use cases.

  • Sending to patients on any consumer email: portal-based encryption from Outlook 365 or a dedicated encrypted email service
  • Sending to another business on Microsoft 365: Outlook 365 Encrypt button, message opens inline for the recipient
  • Sending to a corporate or government recipient with existing S/MIME: import certificates and use S/MIME
  • Sending non-PHI internal-sensitive mail inside Google Workspace: Gmail confidential mode is acceptable for the sensitivity but not for HIPAA
  • Sending high-volume transactional email programmatically: a HIPAA-eligible email API through a vendor with a BAA

Match the method to the strictest requirement in the message flow. A healthcare practice that sends both internal-sensitive and patient-covered mail needs the patient-covered method for both, not the internal-sensitive method for the mix.

Practices with a website that also collects sensitive information should align their web infrastructure with the email choice. Redefine Web covers relevant patterns in the overview of healthcare website security features.

Troubleshooting common send failures

Encryption send failures usually trace back to configuration rather than the message itself. The following symptoms map to specific fixes.

Missing Encrypt button in Outlook 365 means the account is not on a qualifying plan or the tenant has not enabled Azure Rights Management. The fix is either a license upgrade or an admin action on the tenant.

S/MIME send fails with a certificate error means the recipient certificate is not available. Outlook cannot encrypt to a recipient whose public certificate has not been previously received. Ask the recipient to send you a signed message first so their certificate is captured.

Recipient reports the portal login fails with a one-time passcode. Passcodes expire after fifteen minutes. Ask the recipient to request a fresh code and use it immediately. Some corporate spam filters delay the passcode delivery past the expiration window, in which case an alternate email address is needed. The National Institute of Standards and Technology publishes recommended email security guidance in NIST SP 800-177 Rev. 1.

Setting up encrypted email once so future sends are easier

Sending encrypted email should not be a per-message decision. Configure the account once so the workflow is consistent across all correspondence.

For Outlook 365, ask your admin to set default encryption on messages to certain external domains through a mail flow rule. This means messages to patient addresses or partner accounts are always encrypted without the sender toggling the button.

For dedicated encrypted email services, install the Gmail or Outlook plug-in on every workstation used by clinical or administrative staff. Enable the default-encrypt behavior in the service settings so no untrained sender accidentally sends plain text.

Document the workflow in a one-page internal reference. Include screenshots of the Encrypt button, the confidential mode toggle, or the plug-in send button as appropriate. New staff can then reach compliant sending on their first day rather than after weeks of trial and error.

How to Encrypt an Email in Outlook via the Subject Line

how to encrypt email in outlook subject line guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook doesn't scan subjects; an Exchange mail flow rule handles the outbound encryption action.
  • The tenant needs Business Standard, Premium, or Enterprise; other plans block the encryption action.
  • Bracketed tags like [secure] beat bare words because they rarely fire on accidental subject lines.
  • The Encrypt button and the subject-line rule coexist and use the same Purview backend end to end.
  • Silent typos ship PHI unencrypted; pair the rule with a body-scanning DLP fallback for safety.

The subject-line encryption trigger in Outlook is not a client feature. It is an Exchange mail flow rule that runs on the tenant side. Outlook itself sends whatever the user types. The encryption happens after the message leaves the client and hits the server rule.

This guide covers the exact setup, the plan requirements, the keyword patterns that work best, and the failure modes to watch for. For practices without Microsoft 365 plans that include Purview Message Encryption, a dedicated encrypted email service handles the same workflow without any tenant configuration.

The intent is a working setup, not a theoretical option. Administrators can follow the steps and verify each item.

The Trigger Lives on Exchange, Not in Outlook Itself

Outlook desktop, Outlook on the Web, and Outlook mobile do not scan the subject line for a keyword. The client sends whatever the user typed to the Exchange side. The rule that inspects the subject and applies encryption runs on Exchange after the client hands off the message.

That architecture matters for two reasons. First, the same rule applies regardless of which Outlook client the user composed in. Second, the client cannot report whether the rule fired, so verification requires checking the sent side or the message trace log.

The rule is called a mail flow rule in Exchange Online and a transport rule in on-premises Exchange. Both terms describe the same mechanism. Administrators create the rule once and it applies tenant-wide until disabled.

The Microsoft documentation on mail flow rules covers the underlying framework. The specific encryption action requires a plan that includes Purview Message Encryption on the tenant.

Verify the Plan Includes Purview Message Encryption

Before creating the mail flow rule, verify the tenant is on a Microsoft 365 plan that includes Purview Message Encryption. Business Standard, Business Premium, and several Enterprise plans qualify on current SKUs. Basic Business, standalone Exchange Plan 1, and personal Microsoft 365 subscriptions do not.

Check plan eligibility in the Microsoft 365 admin center under Licenses. Cross-reference against the Microsoft product feature matrix, which lists Purview Message Encryption entitlements per plan. The matrix updates when Microsoft changes plan structure, so check it at rule creation time rather than relying on memory.

Attempting to save a mail flow rule with an encryption action on an ineligible plan produces an error pointing to the license requirement. That prevents the rule from silently failing at runtime but does not help staff who assumed encryption was working before the error appeared.

Practices on ineligible plans have two paths. Add the required license across seats through Microsoft, or use a dedicated encrypted email service that provides equivalent functionality without a tenant plan change.

how to encrypt email in outlook subject line in article illustration one

Create the Mail Flow Rule in Six Steps

The rule creation process takes about five minutes for an administrator familiar with the Exchange admin center. The screens have shifted several times over the last few years but the underlying flow stays consistent.

Follow these steps:

  • Sign in to the Microsoft 365 admin center and open the Exchange admin center.
  • Navigate to Mail flow, then Rules.
  • Click the plus icon and select “Apply Office 365 Message Encryption and rights protection to messages”.
  • Give the rule a descriptive name such as “Subject-line encryption trigger”.
  • Set the condition to “The subject or body includes any of these words” and enter your chosen keywords such as secure, encrypt, [secure], and [encrypt].
  • Choose the Encrypt template, save the rule, and enable it.

Some administrators tighten the condition to “The subject includes any of these words” instead of the body match. That prevents accidental encryption on messages that mention the keyword in the body but are not intended to trigger the rule.

Pick Keyword Patterns That Reduce False Positives

The specific keyword pattern matters more than most administrators expect. A bare word like secure fires on legitimate business subjects such as “Secure area badge renewal” or “Please secure the meeting room”. Bracketed tags reduce that noise significantly.

Common patterns in practice fall into three categories. Bare words like secure or encrypt are easy for staff to remember but produce more false positives. Bracketed tags like [secure] or [encrypt] rarely fire by accident because square brackets are uncommon in normal subject lines.

Custom identifiers like [PHI-SEND] or [ENC-HIPAA] work best for practices with formal compliance training. They eliminate false positives entirely but require staff to memorize the exact string.

A rule that fires on multiple variants catches loose staff conventions. Combine the bare word and the bracketed tag in one rule so both work. Document the accepted variants in the staff handbook so new hires learn the convention from day one.

Example A 30-seat dermatology practice set up a mail flow rule that fires on the keywords secure and [secure]. During week one of rollout, message trace logs showed 12 outbound messages containing PHI where the sender typed secur (missing the e) and the rule did not match. The security officer added a DLP rule that scans the body for date-of-birth patterns and applies Encrypt as a fallback. Over the next month, the DLP safety net caught 34 additional sends that the subject-line rule missed.

Comparison of Subject Line Trigger vs Encrypt Button

Both the subject-line trigger and the Encrypt button on the Options ribbon use the same Purview Message Encryption backend. The differences are workflow and enforcement.

AspectSubject line triggerEncrypt button
Where the decision happensServer side via mail flow ruleClient side per message
Failure modeSilent when keyword mistypedNone when user clicks the button
Recipient experiencePurview portal or inlinePurview portal or inline
Setup effortOne mail flow rule per tenantNone, feature is present on eligible plans
Works in Outlook mobileYes, subject travels with the messageYes, in newer mobile versions
Best forBulk staff conventionsIndividual sensitive sends

Most practices run both. Staff who prefer the button use it. Staff who prefer the keyword use that. High-risk lists get default-encrypt coverage through a targeted mail flow rule that fires on the list address rather than the subject.

how to encrypt email in outlook subject line in article illustration two

Test the Rule Before Announcing It

Every new mail flow rule needs testing before staff-wide rollout. The test confirms the rule fires on the intended pattern, produces the expected recipient experience, and does not accidentally encrypt sends that should stay plain.

Send a test message from a mailbox covered by the rule to an external address with the trigger keyword in the subject. Verify the recipient receives a Purview portal notification rather than a plain send. Sign in as the recipient and read the message inside the portal.

Repeat with each keyword variant and each major recipient domain including Gmail, Outlook.com, and Yahoo. Note any variation in the portal experience. Some recipients need to request a one-time passcode. Others sign in with their existing provider account.

Use Exchange message trace under the mail flow admin panel to confirm the rule fired on each test message. The trace shows the rule name and action applied to each message, which is the audit evidence during a compliance review.

Silent Failures Are the Biggest Operational Risk

Subject-line triggers fail silently when the pattern does not match. A typo like “secre” or missing brackets on a tag-style trigger produces a plain send with no error, no warning, and no notification to the sender.

The failure mode is dangerous because staff assume the rule fired based on their intent, not their actual keystrokes. A busy front desk sending 40 messages in a shift can produce several silent failures without anyone noticing until an audit or a breach investigation surfaces the pattern.

Compliance-focused organizations pair the subject-line rule with a data loss prevention rule that scans the body for patient data patterns and applies encryption as a safety net. When the subject-line rule misses, the DLP rule catches. When both rules fire, only one encryption action applies to the message.

The Microsoft DLP documentation covers the pattern configuration. Combining DLP with the subject-line trigger produces a stronger posture than either control alone.

๐Ÿ’กPro Tip: Pair every subject rule with a DLP safety netSilent typos are the single biggest risk of subject-line triggers. Add a DLP rule that inspects the message body for PHI patterns like date of birth, medical record numbers, or ICD codes and applies the same Encrypt action. The two rules coexist without double-encrypting. Test with a deliberately misspelled subject to a personal address and confirm the DLP fallback fires. Document both rules in the risk assessment so auditors see the compensating control.

Strip the Trigger Tag from the Outbound Subject

The subject line usually travels in cleartext even when the body is encrypted. A trigger word like [secure] or ENC: appears in the recipient inbox alongside the sender name, which reveals the sensitivity of the exchange before the recipient opens anything.

Practices that care about that leak add a second mail flow rule that strips the trigger tag from the outbound subject after encryption fires. The rule looks for the tag and rewrites the subject to remove it.

Order matters. The encryption rule needs to fire before the rewrite rule so the encryption action sees the tagged subject. Mail flow rule priority in the Exchange admin center controls the sequence.

Test the sequence after configuration to confirm the recipient sees the cleaned subject rather than the tag. A rewrite rule that fires before the encryption rule produces a plain send with a clean subject, which defeats the entire purpose.

When Practices Use a Dedicated Encrypted Email Service Instead

The subject-line trigger and the Encrypt button both require a Microsoft 365 plan that includes Purview Message Encryption. Practices on lower plan tiers or on non-Microsoft mail platforms need a different path.

A dedicated encrypted email service layers on top of the existing mailbox and applies encryption to every outbound message by default. There is no keyword to remember, no rule to maintain, and no risk of silent failure through a mistyped trigger.

Mailhippo is a secure email service that works with existing Outlook, Gmail, and Yahoo accounts, applies TLS and client-side encryption to every outbound message, and includes a business associate agreement in the base plan. One brief mention here for administrators evaluating options where the mail flow rule approach does not fit.

The tradeoff between native and dedicated tools usually comes down to license cost, IT staff bandwidth, and the acceptable friction on the recipient side. Both approaches produce a compliant HIPAA email flow when configured correctly.

Related Setup Steps to Verify After Rule Creation

The subject-line trigger is one piece of an encryption program. Several related controls determine whether the trigger produces the intended result end to end.

Verify each item before treating the rule as production ready:

  • The tenant plan actually includes Purview Message Encryption on every mailbox that will use the trigger.
  • The signed BAA with Microsoft covers Exchange Online for the tenant.
  • External recipients on major providers decrypt through the portal without extra setup.
  • Sent items shows a lock icon or encryption indicator on triggered messages.
  • A DLP rule provides backup coverage for sends that miss the subject-line pattern.
  • Staff training documents the exact keyword conventions.

Related reading on how to encrypt an email subject line generally covers the equivalent patterns for Google Workspace and dedicated services. The how to encrypt email in Outlook overview gives broader context on the encryption paths inside the Outlook client.

Healthcare practices building patient communication programs benefit from aligning the encryption layer with the broader site and intake experience. A healthcare marketing agency can help ensure the patient-facing site messaging matches the security posture staff execute on outbound Outlook mail.