Secure Mail Guide
Encrypting an Outlook message with S/MIME, Microsoft Purview, and information-rights-management controls
How-To

How to Encrypt Email in Outlook: S/MIME, Purview, and IRM Explained

A practical guide to all three Outlook encryption methods — S/MIME, Microsoft Purview Message Encryption, and IRM — with step-by-step setup for classic

By Securemailguide Editorial · · 8 min read

Knowing how to encrypt email in Outlook matters the moment you need to send a contract, a medical record, or a password to someone outside your office. Outlook supports three distinct encryption technologies — S/MIME, Microsoft Purview Message Encryption (formerly Office Message Encryption), and Information Rights Management (IRM) — and they work differently enough that picking the wrong one can leave a gap in your security posture.

This guide covers all three, with concrete setup steps for classic Outlook, new Outlook, and Outlook on the web.

The Three Encryption Methods in Outlook

Microsoft documents three encryption paths for Microsoft 365:

S/MIME (Secure/Multipurpose Internet Mail Extensions) is certificate-based. Both the sender and recipient must have a digital certificate issued by a trusted certificate authority. Your public key encrypts the message; the recipient decrypts it with their private key. This is true peer-to-peer encryption — Microsoft never holds the keys. S/MIME also supports digital signatures, which let recipients verify the sender’s identity independently.

Microsoft Purview Message Encryption (OME) is cloud-managed. Microsoft holds the keys. Recipients do not need a certificate — they authenticate with a Microsoft account or a one-time passcode to open the message in a browser portal. This works for Gmail, Yahoo Mail, and any other external address. Admins can set transport rules to encrypt certain message classes automatically.

Information Rights Management (IRM) adds usage controls on top of encryption. A “Do Not Forward” restriction, for example, prevents the recipient from forwarding, copying, or printing the message, even after they read it. IRM uses the Azure Rights Management service and is well-suited for internal sensitive communications where you want to limit redistribution.

Do not apply two of these methods to the same message. Outlook for iOS and Android in particular cannot open messages with multiple encryption technologies applied.

How to Set Up and Send Encrypted Email

S/MIME Setup

S/MIME requires a digital certificate tied to your email address. Most enterprise environments provision these via Active Directory; individual users can obtain personal certificates from commercial certificate authorities. Once you have the certificate file:

Classic Outlook (Windows):

  1. Go to File > Options > Trust Center > Trust Center Settings.
  2. Select Email Security in the left pane.
  3. Under Encrypted email, click Settings.
  4. Select your certificate under Certificates and Algorithms.
  5. Click OK to save.

To encrypt a single outgoing message: open a new email, go to Options > Encrypt, and choose your restriction. To encrypt all outgoing messages by default: check Encrypt contents and attachments for outgoing messages in the Email Security settings above.

New Outlook (Windows):

  1. Go to Settings > Mail > S/MIME.
  2. Enable Encrypt contents and attachments for all messages I send.
  3. Optionally enable Add a digital signature to all messages I send.

For a single message: open a new email, select Options > More Options, and check Encrypt this message (S/MIME).

Outlook on the Web:

  1. Open Settings > Mail > S/MIME.
  2. Install the S/MIME browser control when prompted (Internet Explorer or Edge required for the classic S/MIME control; newer Outlook on the web has native support for some tenants).
  3. Restart the browser before testing.

The official Microsoft setup guide covers certificate import steps for each Outlook version.

Microsoft Purview Message Encryption

Purview Message Encryption is available to Microsoft 365 Business Premium, E3, and E5 subscribers. No certificate is required on either side.

Classic Outlook:

  1. Compose a new message.
  2. Select Options > Encrypt.
  3. Choose an option such as Encrypt (encryption only) or Do Not Forward (encryption plus forwarding restriction).
  4. Send normally.

New Outlook and Outlook on the Web: The flow is the same — Options > Encrypt — with the same restriction choices appearing in the dropdown.

Recipients outside Microsoft 365 receive a notification email with a link. They authenticate with a Microsoft account or request a one-time passcode, then read the message in the Purview portal. They can reply encrypted from within that portal without needing any Microsoft account themselves.

IRM and Do Not Forward

IRM restrictions are available in the same Options > Encrypt menu. “Do Not Forward” is the most commonly used preset. Admins can publish custom IRM templates (for example, “Confidential — Internal Only”) that appear alongside the default options.

IRM-protected messages cannot be scanned by anti-malware or DLP filters once encrypted, so apply IRM at the outgoing stage, after any content inspection your organization requires has run.

Which Method to Use

ScenarioBest choice
External recipient, no shared infrastructurePurview Message Encryption
Peer-to-peer confidentiality, both parties have certsS/MIME
Prevent forwarding or printing by trusted recipientIRM / Do Not Forward
Government or regulated-industry complianceS/MIME (true end-to-end)
Quick one-off sensitive message to Gmail userPurview Message Encryption

For enterprise deployments where admins need to control what triggers encryption automatically, Purview transport rules let you target messages with specific keywords, sensitivity labels, or recipient domains without relying on users to remember to click Encrypt.

Limitations Worth Knowing

S/MIME breaks down when the recipient’s certificate expires or when they switch email clients — both sides need a compatible mail application. If a recipient’s private key is compromised, any messages previously encrypted with their public key are also at risk (there is no forward secrecy in classic S/MIME).

Purview Message Encryption relies on Microsoft’s infrastructure. If you have a threat model that includes Microsoft as an adversary — for example, in certain government or legal contexts — S/MIME with independently managed certificates is the appropriate choice.

IRM cannot protect a message from a recipient who photographs their screen. Usage restrictions deter casual redistribution; they are not a technical barrier to a determined insider.

For broader context on email security in enterprise environments, including how AI-based content inspection interacts with encrypted mail pipelines, TechSentinel News covers relevant developments across the security landscape. Teams thinking about how AI-generated phishing evades conventional controls will also find relevant analysis at GuardML, which tracks defensive tooling for content filtering and detection.

Sources

Sources

  1. Email encryption in Microsoft 365 — Microsoft Learn
  2. Set up Outlook to use S/MIME encryption — Microsoft Support
  3. Send S/MIME or Microsoft Purview encrypted emails in Outlook — Microsoft Support

Related

Comments