Send S/MIME and Microsoft Purview encrypted emails in Outlook
Applies To
Outlook for Microsoft 365 Outlook 2024 Outlook 2021 Outlook 2019 Outlook 2016 Office for business Microsoft Office New Outlook for Windows Outlook Web AppWhen you need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it's converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key sees indecipherable text.
Important: Message encryption and digital signatures are only available to work or school accounts with a Microsoft 365 qualifying subscription. Encryption and digital signatures are not available on free or personal Microsoft 365 accounts.
Depending on what type of encryption is available in your organization, you can choose between sending a message that's encrypted with S/MIME or with Microsoft Purview Message Encryption. It may be important to consider how the recipient will access your email.
S/MIME requires the recipient to unlock the message with a certificate on their computer. They might have to access the Keystore to obtain a certificate. If a certificate is available, the message will be decrypted when they open it.
Microsoft Purview Message Encryption can be read directly in new Outlook, Outlook on the web, Outlook for iOS and Android, Outlook for Windows versions 2019 and newer, and Microsoft 365. If your recipient is using another mail service, they'll see a message with instructions on how to open the message.
Ensure your message arrived unaltered
You can request an encrypted receipt for confirmation that an email message was received unaltered. It also includes information about who opened the message and when it was opened. This verification information is returned as a message in your Inbox. Because S/MIME receipt requests must include a digital signature, you must Set up Outlook to use encryption and digital signatures to request an S/MIME receipt.
To send a message with encryption, choose instructions based on the version of Outlook you're using. What version of Outlook do I have?
Note: Before you can send an encrypted email in Outlook, please Set up Outlook to use encryption and digital signatures.
In new Outlook you can:
Encrypt a single message and request receipts | Encrypt all messages using S/MIME | Encrypt a message with Microsoft Purview Message Encryption
Encrypt a single message and request receipts using S/MIME in new Outlook
You can add or remove digital encryption from an individual message that you're composing. Follow these instructions to access options to Request a read receipt, Request a delivery receipt, and Digitally sign this message.
-
In an email message, from the ribbon, select Options > More Options.
-
In Message options, you can choose the sensitivity level as well as the read or delivery receipt and S/MIME protection options. Choose from the following options. Note that if you request a receipt, you must also check the Digitally sign this message checkbox.
-
Request a read receipt
-
Request a delivery receipt
-
Encrypt this message (S/MIME)
-
Digitally sign this message (S/MIME)
-
-
Select OK.
-
If you encrypt an outgoing message and new Outlook can’t verify that all recipients can decrypt the message, you’ll see a warning highlighting those recipients who might not be able to read the encrypted message. You can send the message anyway, remove those recipients, or retry to check again.
-
Finish composing your email, and then select Send.
Need help viewing an encrypted message? See View and reply to encrypted messages in Outlook.
Encrypt all messages using S/MIME in new Outlook
-
Select Settings > Mail > S/MIME.
-
Choose from: Encrypt contents and attachment for all messages I send: Automatically encrypts all outgoing messages.Add a digital signature to all messages I send : Digitally signs all outgoing messages. Automatically choose the best certificate for digital signing: Allows Outlook to select a base certificate. If not checked, you'll be prompted to select the right certificate.
-
Select OK.
Note: All outgoing messages includes new messages, replies, and forwards.
Encrypt a message with Microsoft Purview Message Encryption in new Outlook
Microsoft Purview Message Encryption with IRM protection should not be applied to a message that is already signed or encrypted using S/MIME. Instead, to apply IRM protection, S/MIME signature and encryption must be removed from the message (see above). The same applies for IRM-protected messages; you should not sign or encrypt them using S/MIME.
Note: New Outlook supports Microsoft 365 Message Encryption as long as your email server has an Office 365 Enterprise E3 license. If not, you can encrypt messages using S/MIME.
-
In an email message, choose Options, and then select Encrypt.
-
Pick the encryption that has the restrictions you want to enforce, such as Encrypt or Do Not Forward.
-
Finish composing your email and then select Send.
Note: Before you can send an encrypted email in Outlook, please Set up Outlook to use encryption and digital signatures.
In classic Outlook you can:
Encrypt a single message using S/MIME | Encrypt all messages using S/MIME | Send an S/MIME receipt request | Send all messages with an S/MIME receipt request
Encrypt a single message using S/MIME in classic Outlook
-
In an email message, select Options > Encrypt.
-
Choose the encryption option that has the restrictions you'd like to enforce, such as Do Not Forward.
-
Finish composing your email and then select Send.
Encrypt all outgoing messages using S/MIME in classic Outlook
When you choose to encrypt all outgoing messages by default, you can write and send messages the same as with any other messages, but all potential recipients must have your digital ID to decode or view your messages.
Microsoft Purview Message Encryption (IRM) protection should not be applied to a message that is already signed or encrypted using S/MIME. Instead, to apply IRM protection, S/MIME signature and encryption must be removed from the message. The same applies for IRM-protected messages; you should not sign or encrypt them using S/MIME.
-
In classic Outlook, select File > Options > Trust Center > Trust Center Settings.
-
On the Email Security tab, under Encrypted email, select the Encrypt contents and attachments for outgoing messages check box.
-
To change additional settings, such as choosing a specific certificate to use, select Settings.
-
Once you're done selecting your settings, select OK to save your changes.
Note: All outgoing messages includes new messages, replies, and forwards.
Send an S/MIME receipt request in classic Outlook
-
In an open message, select Options.
-
In the More Options group, select the Message Options Dialog Box Launcher
-
Under Security, select Security Settings.
-
Select the Add digital signature to this message check box.
-
Select the Request S/MIME receipt for this message check box.
-
Select OK and Close on the Security Properties and Properties dialog boxes.
-
Send your message.
Send all messages with an S/MIME receipt request in classic Outlook
-
In Outlook, select the File tab.
-
Select Options.
-
Select Trust Center.
-
Select Trust Center Settings.
-
Select Email Security.
-
Under Encrypted e-mail, select the Request S/MIME receipt for all S/MIME signed messages check box.
Note: Before you can send an encrypted email in Outlook, please Set up Outlook to use encryption and digital signatures.
In Outlook on the web you can:
Encrypt a single message and request receipt | Encrypt all messages | Send a single message with a digital signature
Encrypt a single message and request receipt in Outlook on the web
You can add or remove digital encryption from an individual message that you're composing. Follow these instructions to access options to Request a read receipt, Request a delivery receipt, and Digitally sign this message.
-
Go to the top of the message and select More options > Message options.
-
In Message options, you can choose the sensitivity level as well as the read or delivery receipt and S/MIME protection options. Choose from the following options. Note that if you request a receipt, you must also check the Digitally sign this message checkbox.
-
Request a read receipt
-
Request a delivery receipt
-
Encrypt this message (S/MIME)
-
Digitally sign this message (S/MIME)
-
If you encrypt an outgoing message and Outlook on the web can't verify that all recipients can decrypt the message, you'll see a notice warning you which recipients might not be able to read the encrypted message. You can send the message anyway, remove those recipients, or retry to check again.
Encrypt all messages in Outlook on the web
After you've installed the S/MIME control, select Settings > Mail > S/MIME to configure S/MIME.
-
Select Encrypt contents and attachment for all messages I send to automatically encrypt all outgoing messages.
-
Select Add a digital signature to all messages I send to digitally sign all outgoing messages.
-
Select Automatically choose the best certificate for digital signing.
Note: All outgoing messages includes new messages, replies, and forwards.
Send a single message with a digital signature in Outlook on the web
To add or remove a digital signature from a message that you're composing:
-
Go to the top of the message and select More options > Message options.
-
Select or deselect Digitally sign this message (S/MIME).
If your certificate is stored on a smart card, you'll be prompted to insert the smart card to digitally sign the message. Your smart card may also require a PIN to access the certificate.
See also
View and reply to encrypted messages in Outlook
Secure messages by using a digital signature
Find digital ID or digital ID services
Send a digitally signed or encrypted message for Mac
Advanced Outlook.com security for Microsoft 365 subscribers
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
Find solutions to common problems or get help from a support agent.
