Home Blog
18 MARCH 2019 | Security

Three Ways to Encrypt Email in Outlook: Comparison and Setup Instructions

Three Ways to Encrypt Email in Outlook  Comparison and Setup Instructions

Did you know that the Microsoft Outlook desktop application offers three methods to encrypt emails, including the latest OME option that does not require installing certificates and lets you send encrypted email to external recipients (such as free web mail users on Gmail, Yahoo! Mail, or any other email account)?

Questions: Which email encryption options are available in your scenario and which one should you choose? How do you set up your selected encryption option and get started sending and receiving secure email? How do you obtain encryption certificates for Outlook, for yourself and your recipients? Which option gives you the Outlook Encrypt button?

Which of the three Outlook email encryption options are available to you depends on who your recipient is and which email account you are using to send encrypted email. The three options and their availability scenarios are:

  1. Using digital IDs (certificates) for sender and recipients (S/Mime): This option works with any email account that you have added to Outlook but requires your recipients to also use Outlook (or an S/Mime compatible email application). Both you and your email recipients must also install and share encryption certificates. This option is not available for you if you need to send encrypted email to free webmail users such as clients on Gmail, Yahoo, iCloud etc.
  2. Office 365 Message Encryption (OME): This option does not require installing certificates and allows you to send encrypted messages to any email recipient. However, this option is only available to you if you use an Office 365 email account (Exchange Online). Also, you need the Outlook application installed as part of the Office 365 subscription (this encryption option is not available in Outlook 2013, Outlook 2016, or Microsoft Office one time license purchases). This option is also likely the most expensive.
  3. Using Email Encryption Add-ins: The right Outlook email encryption add-in can let you send encrypted to any recipient (any email address, including free webmail users) using any email account. So this option to encrypt email in Outlook combines the best of both the previous two options. Also, this is likely the lowest cost option, or even free.

The best Outlook email encryption option for you among the available ones depends on the ease of use for you and your recipients, available features such as access to encrypted messages outside Outlook, costs, and other capabilities. The table below summarizes the features to help you choose.

If you already know the one you want and just need the encryption setup instructions or the steps to send a secure email in Outlook:

  • Jump to Method 1: Using digital ID (encryption certificates) and S/Mime
  • Jump to Method 2: Using OME
  • Jump to Method 3: Using free encryption add-ins.
Using Certificates (S/Mime)Office 365 Message Encryption (OME)Add-ins (e.g.Encyro Outlook Addin)
Which email accounts can you send fromMany: Most email accounts that work in Outlook (but not G-Suite with GSSMO).Only Microsoft: Office 365 Exchange Online only.Many: Most email accounts that work in Outlook.
Is initial setup difficultVery Hard: Both you and your recipients must buy and install certificates.Easy: Upgrade to the correct Office 365 subscription.Easy: Install add-in.
How hard to send encryptedModerately Easy (6 clicks): Select Options -> More Options -> Security Settings -> Encrypt -> OK -> Send.Moderately Easy (3 clicks): Select Options -> Encrypt -> Send.Easy (1 click): Click Secure Send.
How hard for recipient to open your encrypted emailEasy: Once initial setup performed, encrypted emails open normally.Moderately Hard: Recipient must request a new code each time, wait for code in email and then enter code to open your secure email.Easy: Recipient can open with one click (link auto-expires for security).
Can you receive secure repliesYes: Since recipient also installed certificate, they can send encrypted.Yes: Secure message view offers option to reply.Yes: Secure message view offers option to reply.
Can recipient forwardNo: Unless they help forwardee install certificate.Yes: Encryption applies.Yes: Encryption applies.
Can you receive a new secure message from clientsYes: Since recipient also installed certificate, they can send encrypted.No: They cannot start a new encrypted email.Yes: Yes, for Encyro Outlook Addin (varies for other add-ins).
Read secure messages outside Outlook (e.g. on mobile)No: Need access to your PC with Outlook and certificates installed.Yes: Can access via outlook.com.Yes: Yes, for Encyro Outlook Addin (varies for other add-ins).
CostExpensive: $40-$370 per year for certificate for you. Also need certificate for each recipient.Expensive: $8-15/month ($96-180/year) extra on top of your O365 Business Essentials or Business Premium subscription.Free: Free for Encyro Outlook Addin (varies for other add-ins).
Overall ease of useHard: Setup is not possible for many clients.Moderate: Receiving your secure message is hard. You must use Microsoft email.Easy: Easy for you and your clients.
Recommended forSending to government agencies or enterprises that use Outlook and have certificates setup.Sending to your vendors or others where you can mandate your requirements.Sending to clients on different email services such as Gmail, Yahoo, Hotmail, iCloud and others.

As the table shows, the S/Mime method is only suitable if your recipients also use Outlook and are willing to install certificates. If your recipients do use Outlook but you have to purchase certificates for them, this option becomes extremely expensive. This option should primarily be chosen if your recipient’s organization requires it.

The OME option is great if you already use Microsoft email through an Office 365 subscription and do not mind recipients to go through the extra step of requesting a code. In practice this can be a hurdle that many clients may need hand-holding with.

The option to use the Encyro Outlook Addin provides the easiest user experience and is free.

Regardless of which option you choose, you can find the setup instructions and the detailed steps to send an encrypted email from Outlook, below.

Microsoft’s instructions to encrypt email in Outlook can be a little daunting as the different steps to obtain email encryption certificates and using the available options are split across multiple documents. As a result, others have attempted to explain how to encrypt email in Outlook, such as in these articles by TutsPlus, Comparitech, LaptopMag, SSLSupportDesk and TrendMicro. Unfortunately, these articles have not been updated to include the easier OME option that newer versions of Outlook provide. Also, most of them show older screenshots from Outlook with the “Get Digital ID” button to obtain email encryption certificates. This button is no longer available in Outlook 2016, Outlook 2019 and Outlook ProPlus (the version installed with an Office 365 subscription). In this article, we want to provide the most up to date information to help you make the correct choice for your business email encryption in Outlook, and give you comprehensive setup instructions with screenshots.

Method 1: Using Certificates (S/Mime)

The sections below walk you through all the setup instructions including the process to obtain the required email encryption certificates.

Initial Setup

The key steps to setup email encryption using the S/Mime option are:

  1. Obtain an email encryption certificate for yourself, import it in Outlook, and share it with your recipient.
  2. Ensure that each of your recipients has an email encryption certificate installed in Outlook (or other S/Mime compatible email application) at their end, and have them share it with you.
  3. Learn the steps to send an encrypted email.

Buy Certificate: You may obtain a certificate from several certificate authorities. Microsoft’s documentation recommends three certificate authorities (CAs): As of this writing, following the links in the Microsoft document above, we found that the Comodo certificate was priced at $48/year, GlobalSign at $369/year and IdenTrust at $39 or $79 (depending on individual or business). To purchase, click this Microsoft link and then click on the CA of your choice.

You could purchase the certificate from other CAs as well: be sure to select the email security certificate (sometimes also called an S/Mime encryption certificate, or secure email certificate) and not the SSL certificate which is likely the one most prominently advertised on the CA’s website.

When you purchase a certificate, you will receive a file containing the certificate and a password that is required to import the certificate.

Backup the certificate and password: Make sure you maintain a backup of both the certificate file and the password because in case your computer or hard disk gets damaged and you need to setup Outlook email encryption on a new computer, you will need this same certificate again. If the certificate is lost, then you will not be able to open your previously sent or received encrypted email. Also, if you change to a new certificate, all your email recipients who have your old certificate will be required to update to the new one, which could be a very laborious process for you.

Import Certificate in Outlook: Once you have purchased (and backed up!) the certificate, open or go to the Outlook application on your computer and follow these steps:

  • Click File in the top left.

  • Click Options.

  • In the new window that opens, click Trust Center.

  • Click Trust Center Settings.

  • Click Email Security in the left pane.

  • Under the heading Digital IDs (Certificates), click Import/Export. (Note: If the certificate was not purchased by you but already installed on your computer by your admin/IT staff, then click the “Settings” button instead of “Import/Export” and then select the required certificate from the options shown. Your IT staff who installed the certificate should tell you which certificate among the options shown should be selected.)

  • In the new window that opens, make sure Import existing ID from file is selected. Click Browse and browse to the certificate file (typically a .pfx file) that you obtained when you purchased the certificate. Enter the password associated with the certificate file and click OK.

  • You may get a popup like the one shown below, informing you that the security level is set to Medium. It is best to leave it at Medium (the only other option to set is High but that will require entering the certificate password more often). Click OK.

  • At this stage, free certificates may cause an additional warning to show up, informing you that Windows cannot validate that the certificate is actually from the claimed certificate authority. If you get such a warning, and wish to use the certificate anyway, click Yes to continue.
  • The Import/Export window will now close automatically. Click OK on the Trust Center window to close it.

Your certificate is now imported. Your recipients also need to obtain and import their own certificates. Feel free to point them to this link for instructions:/blog/how-to-encrypt-email-in-outlook/#method-1-using-certificates-s-mime-.

The next step is to share it with your recipient(s) and also obtain their certificates.

Share your certificate with each recipient: To share your certificate, send a digitally signed message to each email recipient to whom you intend to send encrypted email in the future. Here is how:

  • Start composing a new email in Outlook:

  • On the new message window, click Options in the top menu bar:

  • Then click the little icon next to More Options:

  • In the new Properties window that opens, click on Security Settings…

  • In the Security Properties window that opens, click to select the Add digital signature to this message. Optionally, you may click the Change Settings button to view which certificate is being used for signing the message. It should be the certificate that you recently imported. Click OK on this window and then Close on the Properties window.

  • Send the message to the intended email recipient(s). In the message body, you may wish to include instructions for them to add your certificate to your contact data in their address book, as well as to send you a digitally signed message, so you can get their certificate as well. Feel free to point them to [this link](/blog/how-to-encrypt-email-in-outlook/# method-1-using-certificates-s-mime-) for instructions:/blog/how-to-encrypt-email-in-outlook/#method-1-using-certificates-s-mime-

At this point, you have sent your certificate to your contact(s). Note that the public key portion of your certificate is sent - so others can encrypt a message that they need to send to you. Only you can decrypt such an encrypted email message sent to you because to decrypt, you need your private key which is imported only within your Outlook application.

How To Send Encrypted

Now, to send an encrypted message to a recipient, you need to have their certificate (public key portion). So assuming your contacts have procured their own email encryption certificate and have sent you a digitally signed email from their Outlook (or other S/Mime compatible) application, follow the steps below to add their certificate to your contact data.

Add Recipient’s Certificate to Contact Data: These steps need to be followed for every email recipient who will receive encrypted email from you.

  • Open the digitally signed email received from that recipient (your recipient must have sent you a digitally signed email, signed using their email encryption certificate).
  • In the top area where the “From” information for the message is shown, right- click the sender’s name and click Add to Outlook Contacts. If the Contact is already in your contacts, you may use the option to Edit/Update the contact instead of adding a new contact.

  • In the contact card that opens, click Certificates in the top ribbon. Note: In some older versions of Outlook, the full contact card may not open at this step - go to the People view in Outlook and then in the list of contacts shown, double click this contact to open their full contact listing. Once the full contact card is opened, you should be able to see the Certificates button in the top menu as shown below.

  • The contact card should then show you a list of certificates with at least one certificate for that contact and when you select that certificate, it will show you a message informing you that the certificate can be used to encrypt messages that you send to this contact.

Now (finally!) you are all set to send encrypted messages to this contact.

To Send Encrypted Email: Start a new email message as usual and:

  • In the new message window, click Options in the top menu.

  • Click the little icon next to More Options.

  • In the Properties window that opens, click Security Settings.

  • In the Security Properties window that opens, click the checkbox next to Encrypt message content and attachments. Note that the message subject will not be encrypted. It is a good idea to include something in the subject that helps the recipient know what this email is about but do not include any sensitive content in the subject. Click OK on this window and then Close on the previous one.

Finish composing your email message and add any attachments. Click Send as usual to send the message. It will be sent encrypted. Any copies of the email message saved on intermediate email servers are also encrypted since only your recipient has the certificate with the private key to decrypt this message.

Caution: The S/Mime encryption approach suffers from a security vulnerability, known as the message takeover attack. This vulnerability allows an attacker to intercept your message, and add their own signature impersonating you. While the attacker cannot decrypt your original email, they may be able to decrypt replies and subsequent emails on that email thread.

How your recipient opens your encrypted email

If you have not yet obtained the certificate for this recipient, then Outlook will refuse to send the message. So if the message is sent, you can be fairly confident that the recipient has the required certificate to open your encrypted email. They may need to be on their desktop computer and open the message in Outlook (rather than say on their mobile device). Your recipient’s Outlook application will automatically decrypt the message for your recipient.

If your recipient replies to this email message, the reply will automatically be encrypted (assuming your recipient had added your email encryption certificate to their contact data).

Receiving Secure Email from Clients (Replies, New Emails)

Once your recipient has performed the initial setup steps described above, they have the required encryption certificates. They can easily send you encrypted replies by replying to your encrypted email. They can also send you new encrypted emails by following the steps to send an encrypted email described above.

Features and Cost

The option to encrypt email using certificates (S/Mime) is easy to use once the initial setup steps of procuring and sharing certificates have been performed.

However, if you are considering encryption options for your business email, we recommend this option only for cases where your recipient explicitly asks for such encryption. That is only likely the case if your business or professional practice serves large enterprise clients or government agencies.

If you serve many small businesses or individual clients, it is unlikely that your recipients will have the resources and expertise to purchase and install email encryption certificates. Many may be using free webmail accounts such as Gmail, Yahoo and others where the option to install S/Mime certificates is not even available.

Assuming you do use this option, also keep in mind that:

  • You will not be able to access your encrypted email outside of Outlook. If for instance, you happen to be away from your computer that has Outlook installed and the email encryption certificates imported, and need to check an urgent secure message received, say, on your mobile device or your spouse’s computer, that will not be possible.
  • Your recipient may not be able to forward your encrypted email to others. Suppose you sent an encrypted email with tax or health information and the recipient now needs to forward that information securely to their mortgage broker, business partner, lawyer, or family member. Then, unless their intended forwardee also uses an S/Mime compatible email application (e.g. Outlook) and has an email encryption certificate installed, your recipient will not be able to forward the information as an encrypted email.
  • You cannot use S/Mime email encryption with a G-Suite email account if using GSSMO, as documented by Google here. The workaround is to use IMAP instead of GSSMO but then you do not get Google calendar to Outlook calendar synchronization and several other nice features of GSSMO.

Costs: As of this writing, email encryption certificate costs from the Microsoft recommended certificate authorities ranged from $39 to $369 per year.

The cost of the certificate is a recurring cost as the certificate needs to be renewed every year (or every 2 or 3 years, if you paid for multiple years in advance). Also, this is the cost for one certificate: you need a certificate for each user at your organization. Your recipients also need to purchase certificates.

Method 2: Office 365 Message Encryption (OME)

The OME email encryption option lets you send an encrypted email to any email address. So your recipient need not be using Outlook or have any email encryption certificates installed. The two restrictions to keep in mind are:

  • OME works only with a Microsoft email account, so you should be sending from an email account that you set up as part of your Office 365 subscription (Exchange Online).
  • The recipient will have to perform a couple of extra steps each time they receive your encrypted email. They will typically have to request a special code that will arrive in another email. Once they receive the second email, they will have to manually copy and paste the code from that email into a box on the web page that will display their encrypted email. (Detailed steps with screen shots appear further below.)

Initial Setup

To enable Office 365 email encryption the key step is to upgrade your Office 365 subscription to a plan that includes Office 365 Message Encryption. Unfortunately, the popular Office 365 Business Essentials (that provides you with a Microsoft hosted email service) and the Office 365 Business Premium (that additionally includes the installed Office applications including Outlook, PowerPoint, Word, Excel and others) plans do NOT include OME. Even Office 365 Enterprise E1 does not include OME.

As specified in Microsoft’s documentation, you must upgrade to Office 365 Enterprise E3 or E5, Microsoft Enterprise E3 or E5, Microsoft 365 Business, Office 365 A1, A3, or A5, or Office 365 Government G3 or G5. (Alternatively, you may add Azure Information Protection Plan 1 to your O365 subscription, but this usually works out to be more complex for most users and more expensive as well).

To upgrade:

  1. Go to https://www.office.com/ and click Sign In. Sign in with your Office 365 administrator account.
  2. In the option tiles shown, click Admin.
  3. Then click Billing in left pane, and click Subscriptions under that.
  4. Click the Switch Plans button to upgrade to a higher plan. The least expensive plan to get OME is Office 365 Enterprise E3 and will cost $20/user/month (an additional $8 to $15 per month compared to Office 365 Business Premium or Business Essentials). If the Switch Plans button is not available, see these instructions from Microsoft for alternatives.

Once you upgrade, you can verify that OME is available to you as follows.

  • Option 1: Go to www.outlook.com and sign in as one of the users on your Office 365 subscription. Start composing a new message. The Encrypt button should show as enabled (not grayed out) in the top menu above the new message composition form.

  • Option 2: Start (or re-start) the Outlook application on your computer. You must be using Outlook ProPlus, the version installed as part of your Office 365 subscription (not a version of Outlook installed through a one time purchased Office license such as Outlook 2016). Start composing a New Email. Click Options in the top menu and you should see that the Encrypt button is enabled.

At this stage you are ready to start sending encrypted email using Office 365 Message Encryption (OME).

How to Send Encrypted

Sending an encrypted email is easier than with the certificate (S/Mime) approach because instead of having to navigate through More Options and Security Settings menus, the Outlook Encrypt button is offered within the Options tab itself on the new message composition window. The steps are:

  • Start composing a New Email.

  • Click Options in the top menu and then click Encrypt. (Optionally, you may click the little arrow in the lower part of the Encrypt button and choose to also prevent forwarding of the email.)

  • You should now see a message informing you that encryption is applied to this message.

  • Finish composing your message and click Send as usual to send it.

How your recipient opens your encrypted email

When you send an encrypted email using OME as above, your recipient receives an email from you without the actual email content or attachments but with an email body that looks like the one shown below (the formatting of the email may look a little different depending on which email application or web-mail interface your recipient is using; the screenshot below is from Gmail). Your recipient will need to click the button Read the message. (The button may show up as a link in certain email applications.)

Upon clicking that button, your recipient will be taken to a web page that looks like the one below: Caution: The option to Sign in with a work or school account will only work for your recipient if they have an Office 365 subscription with the same email address as you sent them the message to. This can be confusing for your recipient because clicking the link to Sign in with a work or school account will work even if the recipient’s email is not associated with a relevant Office 365 subscription but after logging in, they will not be able to see your message.

So unless your recipient has an Office 365 subscription with the same email address that you emailed them at, they should click the link Or, sign in with a one-time passcode.

(For certain recipient email addresses, those on Gmail or Yahoo! Mail, the above web page will look a little different and they will see a button to login with either Google or Yahoo: These recipients may click the relevant sign-in option and then login with their Yahoo or Google account.)

After your recipient clicks Or, sign in with a one-time passcode, they will be taken to a second web page that looks like so: At this stage, your recipient will need to switch away from their web browser and go back to their email account to wait for an email from from Microsoft Office 365 Message Encryption (MicrosoftOffice365@messaging.microsoft.com). Note that this email comes from Microsoft’s email address and not yours, so your recipient may have to look for it in their spam or junk email folders if it is not found in their email inbox.

The email they receive contains a passcode and looks like the one below: Your recipient would copy the passcode from this email and then go back to the web page shown previously that was asking for the passcode to be entered.

Once they enter the passcode and click Continue on that web page, they will finally arrive at your secure email message along with any attachments. The web page that shows your encrypted message looks like the one below. Clicking an attachment either shows a preview, or in the case of Office files (Word, PowerPoint, Excel etc.), it shows an error like the one below: Your recipient must manually download the file and then open it.

This can be confusing for your recipient, and is more difficult for them than if you had used the Encyro Outlook Addin in which case the file would have downloaded automatically.

Receiving Secure Email from Clients (Replies, New Emails)

Replies: Your secure message displayed to your recipient has a button that allows them to Reply All (clicking the little arrow next to Reply All lets them change it to Reply or Forward). Clicking Reply All, Reply, or Forward starts an encrypted response. So your recipient can send you a secure response back if needed.

New Secure Email: There is no option for your clients to send you a new secure message (other than they purchasing an OME enabled Office 365 subscription of their own). For instance, if you send an email asking for a sensitive document, the client cannot respond with a secure file in response to your non-encrypted email. (Such an option is available if you use the Encyro Outlook Addin as explained in Method 3 later in this article.)

Features and Cost

OME is relatively easy to use for the sender. As a sender, you also have the advantage over using S/Mime or certificate based encryption (Method 1) that you can access your secure email outside of Outlook. For instance, if you are away from your computer with Outlook installed, or the computer is damaged, you can always access your secure email at outlook.com from a different computer or even a mobile device.

Another advantage over Method 1 is that you need not backup any certificate files or related certificate passwords. In case your computer is damaged, simply installl Outlook on a new computer and login with your Office 365 account. Your secure messages will remain available.

A third advantage over Method 1 is that your recipient can also forward your secure message to others and encryption will automatically apply. Your recipient can forward to any email address without worrying about certificates or other setup to be performed by the party they are forwarding to.

At the same time, the following limitations should be considered if planning to use OME for your business email encryption:

  • Difficulty for recipient: The recipient must request a passcode, switch back and forth between their web browser and their email a couple of times, and manually copy and paste a passcode before they can read your secure email. These steps can be a hurdle for many recipients, resulting in support calls to your office. (Receiving your message is much easier for your recipient when you use Method 3, described further below.)
  • Need Outlook ProPlus: The OME email encryption option is only available from Outlook ProPlus, as installed through your Office 365 subscription. If you purchased a Microsoft Office license without the Office 365 subscription, you cannot use OME from Outlook. (Methods 1 and 3 work with both Outlook ProPlus and one time licensed versions such as Outlook 2013, Outlook 2016 and Outlook 2019.)
  • Messages do not expire: OME does not give you the option to set a message expiry duration on your secure message. With Method 3 below, you can set an expiration period.

Costs: The cost of using OME boils down to the extra money paid for upgrading to an Office 365 plan that supports OME.

  • If you already have an Office 365 subscrition at either the Office 365 Business Essentials or Business Premium levels, your cost to upgrade would be $15/month/user or $8/month/user respectively to add the OME capability.
  • If you currently have another business email service or are using a free email service such as Gmail, then your cost will be to purchase an Office 365 subscription plan that is at least $20/month per user.

Depending on your scenario, the cost of using OME adds up to an extra $96 to $240 per year, per user. This makes OME one of the more expensive options, especially considering that free alternatives are available, as explained in Method 3 below.

Recommended For: We recommend the OME option for your business email needs if you are either sending secure emails primarily to vendors or others who you can train to receive your encrypted email, or to recipients who are obliged to follow your security requirements. If sending secure email using OME to clients and customers, especially individual customers without IT expertise, you may have to spend extra time helping them open your encrypted emails, at least the first time around.

Method 3: Outlook Encryption Add-ins

This is likely the easiest method for small businesses without dedicated IT staff. It is also the best method to send encrypted messages to recipients who may not have any encryption set up in their own email accounts.

With this option, you can use pretty much any email account that you have added to Outlook, including a free email account from Gmail, Yahoo! Mail, or other inexpensive business email providers such as Zoho Mail or Rackspace Email (these cost less than the Office 365 email service). And you can send to any email address without requiring your recipient to perform any setup, installation, or account sign up.

We first describe how this option works taking the Encyro Outlook Addin as an example. Multiple Outlook email encryption add-ins are available and we describe some of their differences later in this article to help you choose.

Initial Setup

The initial setup typically involves installing the add-in. You go to the add-in’s website and download the installer. For Encyro, go to Encyro Outlook Addin and click on the Download button.

Depending on your browser, you will see an option to run, open, or save the file.

For instance, in Chrome, clicking the Download button should show the downloaded file named setup.exe near the bottom of your browser window. Click the file itself or the little arrow next to it to see the option to Open it. Opening it will start the installer. In Edge, you will see an option to Run the downloaded file, again near the bottom of the browser window, as shown below. In FireFox, you will likely get an option to Save the installer file: After you click Save File, go to the downloads icons in the top bar, to the right of the Firefox address bar and click on the downloaded setup.exe file to run it. If using Internet Explorer, you will see an option to Run the downloaded file near the bottom of the browser window.

After you click Run or Open or click the downloaded file to execute it, you will get a prompt to begin the installation. Click Install: If the above window does not show up, it may have been hidden by some other window on top. You should see an icon for this installer window in the task bar near the bottom of your screen. Click the icon shown below to view the above window and then click Install. The installation will progress and may take a minute or so. You may receive a Windows prompt to allow the installation. Once done, you will get the following window. Click Close.

At this stage, start or restart Outlook. To verify that the installation succeeded, start composing a New Email and you should see the Secure Send button as shown below, near the top left: If the button is not visible, the Message tab may be collapsed. Click onMessage in the top menu: The you should see the Secure Send button. To prevent the button from disappearing, click the little push-pin like icon towards the extreme right in the Message tab: Once the Secure Send button is available, you are ready to send encrypted email using Outlook to any email address.

How to Send Encrypted

Click the New Email button in Outlook. Compose your email as usual and attach any files you need to send encrypted. Now, instead clicking the Send button, click the Secure Send button. The message content and attachments will be encrypted. Just like in Method 1 and Method 2, the subject is not encrypted. The subject helps your recipient know what the email is about before they get to the decrypted view.

How your recipient opens your encrypted email

Your recipient gets an email from your email address, with the subject that you typed but the email body is changed to look like the following: When your recipient clicks the Access Now button, they will be taken to a web page that shows them the secure message that you sent, such as: Unlike Method 2 (OME), there is no back and forth needed between the message web page and email to obtain and enter any passcode. Rather, to maintain security, the message will automatically expire by the time mentioned in the notification email. The sender can change the number of days after which the message expires.

On the web page that displays your secure message:

  • The user may view the message and download any attachments.
  • Choose to set a password: For security reasons, the message will automatically expire, unless the recipient selects the option to set a password and retain indefinite access.
  • Choose to send you a secure reply (once they start the reply process, they could also forward the message to others and encryption automatically applies).

Note: If the recipient happens to have an Encyro account (such as because they set a password on your previous message and hence obtained a free Encyro account), then the Access Now button will take them to their Encyro account login page and then show them the secure message after they login. If your recipient has forgotten their password, they can reset it themselves on the login page without you having to reset their account.

Receiving Secure Email from Clients (Replies, New Emails)

Replies: The web page that shows your secure message to the recipient also shows them an option to send a secure reply.

New Secure Email: The Encyro Outlook Addin comes with an upload page that allows you to receive secure messages from your clients without asking them to sign up for any account (see 1 minute demo video). For instance, you could send an email (without encryption) to your client asking for some sensitive document and you could simply include your upload page link in your message or your email signature. Your recipient would click that link to send you a new secure message. (This may not be an option with all Outlook encryption add-ins, but is a feature with the Encyro Outlook Addin).

Features and Cost

The Encyro Outlook Addin makes it easy for both the sender and receivers to communicate securely. One advantage of this add-in over Methods 1 and 2 is that with Method 3, sending a secure message requires just one click, as opposed to 5 clicks in Method 1 (assuming the initial setup has already been done) and 3 clicks in Method 3.

A second advantage is that this method over method 2 is that it makes it much easier for your recipient to open your secure message. Just one click takes them to your secure message as opposed to the multiple back and forth steps required in Method 2.

A third advantage over Method 2 is that you can use any email account to send your secure messages, while Method 2 (OME) only works with an Office 365 email service. For instance, you could use Method 3 with a free email account from Gmail, a free email account provided by your website host, or an inexpensive business email account from Zoho, Rackspace or others. An advantage over Method 1 is that you can use the Encyro Outlook Addin with G-Suite based email accounts with GSSMO (or IMAP), while S/Mime email encryption does not work with G-Suite using GSSMO.

Costs: The Encyro Outlook Addin is free. A paid tier is available to obtain additional features such as custom branding, compliance options and audit trails, and organization level multi-user controls. However, the free tier suffices to send secure messages to your clients.

Recommended For: We recommend Method 3, specifically with the Encyro Outlook Addin, for scenarios where you need to send secure messages to clients who may not themselves use Outlook and may also use free web-mail based email accounts such as on Gmail, Yahoo! Mail, Internet Service Provider (ISP) based email accounts and so on.

Which Outlook encryption add-in is best for me?

If you decide to proceed with Method 3, you have the choice of multiple Microsoft Outlook encryption add-ins, such as from ShareFile, Virtru, Encyro, Jumble, SmartVault, TrendMicro and some others. Largely, the add-ins fall into two types:

  1. Stand-alone Add-ins: These encrypt your email purely on your and your recipient’s computers (so called zero knowledge encryption).
  2. Packaged Add-ins: These add-ins are offered as part of a package that additionally includes a client portal or file sharing service.

Encyro has an advantage compared to standalone add-ins (zero knowledge encryption) that, with Encyro, your sent and received messages are
available outside of the Outlook add-in as well. For instance, if you happen to be away from your PC with the Outlook and the add-in installed, then with Encyro, you could access your secure messages via a mobile device or a web login from another computer by visiting encyro.com. For the stand-alone add-ins only the add-in installed with your Outlook application has the ability to decrypt your secure messages.

Encyro also has an advantage over packaged add-ins in terms of cost. The Encyro Outlook Addin is available free while almost all packaged add-ins require a paid subscription to their complete product. If you only need the Outlook encryption feature, then you can use Encyro for free.

A more detailed discussion of Outlook encryption add-in features is provided in this article.


We described three methods to encrypt email in Outlook: using certificates (S/Mime), Office 365 Message Encryption (OME), and using encryption add-ins. Among the three methods, the option to use add-ins is the lowest cost, and also allows using any email account as sender and for receivers. It is the easiest to use in most scenarios except for cases such as communicating with a government agency or large enterprise that has already opted to setup email encryption certificates (in which case Method 1 is required).