Sending sensitive information through regular email is like shouting your credit card number across a crowded restaurant — most people aren’t listening, but you never know who might be.
Business emails are the second most difficult type of breach to identify and contain, taking an average of 308 days to detect. Financial documents, legal contracts, patient data, passwords — all of it travels as plain text unless you encrypt it.
The good news: Outlook already has built-in encryption tools. You don’t need third-party software. This guide shows you exactly how to use them — step by step, on every version of Outlook.
Why Email Encryption Matters
Without encryption, emails travel across the internet in plain text. Anyone intercepting your message — a hacker on public WiFi, a compromised server, or a malicious insider — can read every word.
Email encryption transforms your message into a secure code that can only be deciphered by the intended recipient. This protects:
- Financial documents and bank account details
- Legal contracts and confidential agreements
- Personal health and medical information
- Business passwords and login credentials
- Private communications between clients and employees
Many industries — healthcare (HIPAA), finance (PCI DSS), and legal — are legally required to encrypt sensitive email communications.
For additional protection beyond email: What Is Two-Factor Authentication? Complete Setup Guide 2026
Outlook Email Encryption — 3 Methods Explained
Outlook offers three main ways to encrypt email. Here’s how they compare:
| Method | Best For | Requires Setup? | Works With Gmail? |
|---|---|---|---|
| Microsoft 365 / OME | Microsoft 365 users | Minimal | ✅ Yes |
| S/MIME | Maximum security | Yes — certificate needed | ⚠️ Both need cert |
| Do Not Forward | Restricting forwarding | None | ✅ Yes |
Method 1 — Microsoft 365 Message Encryption (Easiest)
Best for: Most Microsoft 365 users — works with any recipient email address
Outlook uses Microsoft Purview Message Encryption so you can send secure mail without third-party plugins. You can encrypt via the Options tab or by using a subject line trigger like [ENCRYPT] if your admin has set it up. When you encrypt an email, Outlook automatically protects any files attached to that message.
Prerequisites: OME is available for Microsoft 365 Business Premium, Enterprise E3, E5, or Office 365 Enterprise plans. Contact your IT administrator if OME isn’t enabled.
Classic Outlook (Desktop):
- Open Outlook → click New Email
- Compose your message
- Click the Options tab in the ribbon
- Click the Encrypt button (lock icon)
- Choose your encryption type:
- Encrypt-Only — encrypts content, recipient can forward
- Do Not Forward — encrypts + prevents forwarding/copying
- Click Send
New Outlook (2026):
- Open Outlook → click New Mail
- Compose your message
- In the toolbar, click the lock icon or go to Options → Encrypt
- Select encryption level
- Send
Outlook Web (OWA):
- Log in at outlook.com or office.com
- Click New Message
- Click the three dots (…) menu at the top
- Select Encrypt
- Choose Encrypt or Encrypt and Prevent Forwarding
- Send
What recipients see: Recipients using Outlook or other Microsoft services often see encrypted messages automatically. For other email providers, recipients get a link to view the message securely online. Gmail and Yahoo users simply click the link and use a one-time passcode — no special software needed.
Method 2 — S/MIME Encryption (Most Secure)
Best for: Maximum security — true end-to-end encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides true end-to-end encryption for Outlook, ensuring only the intended recipient can read your email. Important note: S/MIME requires both sender and recipient to have digital certificates installed.
Step 1 — Get a Digital Certificate
You need a digital certificate from a trusted Certificate Authority (CA). Options include:
- Sectigo (Comodo) — free personal certificates available
- DigiCert — paid, widely trusted
- Your organization’s IT department — if you’re on a corporate network
Step 2 — Install the Certificate in Outlook
After installing your certificate, you can enable S/MIME encryption by checking the “Encrypt contents and attachments” box in the same Email Security settings. You can also set this up to happen automatically for all outgoing messages, or you can choose to encrypt individual emails by clicking the encryption button when composing. S/MIME provides end-to-end encryption and digital signatures that verify you’re actually the sender.
Steps:
- Open Outlook → File → Options
- Click Trust Center → Trust Center Settings
- Click Email Security
- Under Encrypted email, click Settings
- Click Choose next to Signing Certificate
- Select your installed certificate
- Click OK to save
Step 3 — Encrypt a Single Message with S/MIME
Create a new email message. On the ribbon, select Options. Select Encrypt. Choose the encryption option with the restrictions needed, for example Do Not Forward. Finish composing the email. Select Send. When the message is encrypted, it is converted from readable plain text into scrambled cipher text. Only recipients who have the corresponding private key can read it; others see indecipherable text.
Step 4 — Enable Automatic S/MIME Encryption
In Outlook, click the File tab. Select Options and then Trust Center. Click Trust Center Settings and navigate to Email Security. Under the “Encrypted email” header, check the box: Encrypt contents and attachments for outgoing messages. Click OK to apply.
Method 3 — Do Not Forward (Restrict Forwarding)
Best for: Emails you don’t want forwarded, printed, or copied
Do Not Forward is a rights management option — it encrypts the email AND prevents the recipient from forwarding, printing, or copying the content. Useful for confidential instructions, NDA-protected information, or sensitive HR communications.
Steps:
- New Email → Options tab
- Click Encrypt
- Select Do Not Forward
- Send
The recipient can read the email but cannot forward it, copy the text, or print it.
Enable Encryption for ALL Outgoing Emails (Always-On)
If you regularly send sensitive information, you can set Outlook to encrypt every outgoing message automatically:
Steps:
- Go to File → Options
- Click Trust Center → Trust Center Settings
- Click Email Security
- Under Encrypted email, check:
- Encrypt contents and attachments for outgoing messages
- Click OK
Note: In many professional environments, IT admins handle this at the server level. They might set up rules that automatically encrypt any email containing “Social Security Number,” “Confidential,” or specific financial keywords. This allows employees to work naturally while the system provides a “safety net” in the background. While safer, encrypting every single email can be a bit much for routine “lunch plans” or quick “thank you” notes.
Encrypt Email Using Subject Line Trigger
You can encrypt via the Options tab or by using a subject line trigger like [ENCRYPT] if your admin has set it up.
If your Microsoft 365 administrator has configured mail flow rules, simply add [ENCRYPT] to your email subject line and the message is automatically encrypted — no buttons needed.
This is extremely useful for mobile email users who may not have the Encrypt button easily accessible.
Example subject line:
[ENCRYPT] Q4 Financial Report — ConfidentialHow to Encrypt Email in Outlook — Mac
Steps for Outlook on Mac:
- Open Outlook for Mac
- Click New Email
- Go to the Options tab
- Click Security → Encrypt Message
- Or: Use the Lock icon in the formatting toolbar
- Send
Note: S/MIME on Mac requires your certificate to be installed in your Mac Keychain as well as Outlook.
Sending Encrypted Email to Gmail and Yahoo Users
One of the most common questions: can Outlook encrypted email work with Gmail?
Yes — with Microsoft 365 Message Encryption (OME). OME works with any email address, not just Outlook users. Recipients can view encrypted emails through a web browser without additional setup.
What Gmail users see:
- They receive an email with a link to view the encrypted message
- They click “Read the message”
- They verify their identity with a one-time passcode sent to their email
- The message opens in a secure Microsoft portal
No app installation required for the recipient.
What to Do If the Encrypt Button Is Missing
This is one of the most common issues. If encrypting email in Outlook feels confusing or the Encrypt option is missing, you are not alone.
Most common reasons the Encrypt button is missing:
| Reason | Fix |
|---|---|
| No qualifying Microsoft 365 plan | Upgrade to Business Premium, E3, or E5 |
| Outlook app not updated | Update Outlook via File → Office Account → Update |
| Using personal Outlook.com account | OME requires Microsoft 365 subscription |
| IT admin hasn’t enabled it | Contact your IT department |
| Using Classic Outlook without certificate | Set up S/MIME certificate first |
Best Practices for Outlook Email Encryption
Follow these practices to maximize the security of your encrypted Outlook communications: Use strong passwords when using password protection with secure file sharing, create strong, unique passwords. Never reuse passwords across different files or documents. Share passwords separately — always share passwords through a different channel than the email containing the link. Use phone calls, text messages, or encrypted messaging apps. Enable two-factor authentication to protect your Outlook account with 2FA to prevent unauthorized access to your email account.
Additional best practices:
- Combine encryption methods — encrypt both the email and sensitive attachments separately
- Keep Outlook updated — encryption features get security patches regularly
- Don’t rely on subject line keywords alone — always verify encryption is applied before sending financial or health data
Learn how to protect your full account: How to Set Up Google Account Security Properly in 2026
Frequently Asked Questions
Open Outlook → New Email → Options tab → click Encrypt → choose Encrypt-Only or Do Not Forward → compose your message → Send. The entire process takes under 10 seconds once set up. Outlook automatically encrypts any attachments along with the message body.
Yes — Microsoft 365 Message Encryption (OME) works with any email address including Gmail, Yahoo, and others. Gmail recipients receive a link to view the message in a secure Microsoft web portal using a one-time passcode. No app installation is required.
Encrypt-Only encrypts the message content so only the recipient can read it, but they can still forward, copy, or print it. Do Not Forward encrypts the message AND prevents the recipient from forwarding, printing, or copying the content — useful for truly confidential communications.
Microsoft 365 Message Encryption (OME) requires a qualifying Microsoft 365 plan — Business Premium, Enterprise E3, E5, or Office 365 Enterprise. S/MIME encryption requires a free or paid digital certificate but no specific Microsoft 365 subscription level. Personal Outlook.com accounts have limited encryption options.
Look for the lock icon in the email header or subject line. When you open the message, you’ll see a notice such as “This message was encrypted” at the top of the email body. You may need to click a link or verify your identity to read the full message.
Yes — go to File → Options → Trust Center → Trust Center Settings → Email Security → check “Encrypt contents and attachments for outgoing messages.” This applies encryption to every email you send. Many IT admins set this up at the server level using mail flow rules that trigger encryption based on keywords.
Conclusion
Encrypting email in Outlook is easier than most people think — especially with Microsoft 365. The Encrypt button in the Options tab takes 10 seconds to use and protects both your message and attachments with enterprise-grade security.
Start with this: Open a new email in Outlook → click Options → click Encrypt → Send. That’s it.
For maximum security, set up S/MIME with a digital certificate. For team-wide encryption, ask your IT admin to configure automatic mail flow rules.
Your sensitive communications deserve protection — and Outlook already has everything you need built in.
