Office 365 Message Encryption
  • 14 Feb 2024
  • 3 Minutes to read
  • Dark
    Light
  • PDF

Office 365 Message Encryption

  • Dark
    Light
  • PDF

Article summary

Microsoft Message Encryption Reference

Office 365 offers many options for encrypting messages. This document summarizes the available methods to encrypt messages for our environment.

Encrypting with Microsoft message encryption with restrictions:

You can set permissions and encryption by using the encryption menu in Outlook. If sending to external users with this menu the message will be sent with Microsoft message Encryption so the restrictions can be enforced. Restrictions on documents can only be enforced on documents from the Office suite of products. If sent to other @maine.gov users the restrictions will be enforced automatically in Outlook.


To use this option, create a new message, choose file, then encryption and choose from one of the options:

Encrypt-Only 

This ensures that the email is encrypted which cannot be removed from the message. This does not apply additional restrictions to access.

This works for all file types.

Do Not Forward 

The attachments can’t be forwarded but can be downloaded. Once they are downloaded, they cannot be printed or copied. The message is locked to email address it was sent to.

This will only work for Office Documents, all other files will be treated as Encrypt-Only

State of Maine – Confidential (For Internal Use ONLY, External users will not be able to access) 

The recipient can edit the documents but not copy, forward or print them.

This will only work for Office Documents, all other files will be treated as Encrypt-Only

State of Maine - Confidential View Only (For Internal Use ONLY, External users will not be able to access) 

The recipient can view the documents but not edit, copy, forward or print.

This will only work for Office Documents, all other files will be treated as Encrypt-Only

Encrypting Messages with Microsoft Message Encryption without restrictions

There are also options in Outlook to encrypt messages to outside users without applying additional restrictions.


You can choose the “Confidential” sensitivity flag in Outlook by choosing File after creating a new message, then Properties, the choose the sensitivity dropdown and choose confidential. This will encrypt with the new OME experience if sent to users outside of @maine.gov. Users inside of @maine.gov will see the Confidential flag in Outlook but are not restricted in any way.

Keyword Based Microsoft Message Encryption

You can force encryption for messages to outside senders by including a keyword in the body or the subject of a message, these keywords are SOM Secure and somsecure.

Since internal email is encrypted automatically this will not influence internal emails.

Automated Microsoft Message Encryption

If a message is sent to outside users with SSNs, HIPPA information, PII or other sensitive information automated DLP rules will encrypt the message with the Microsoft message Encryption if it is sent to a user outside of @maine.gov. If a large amount of sensitive data is detected a message will appear in Outlook notifying the user that the message will be blocked. There is an override button available that can be clicked to override and allow the message to send. These messages are sent encrypted without additional restrictions. This does not apply to messages sent between internal @maine.gov users.

Overriding Microsoft Message Encryption

Using the keyword somplaintext will override encryption for messages sent with other keywords or detected by the automated DLP rules.

Recipient view of Encrypted Emails

What the recipient sees will vary based on their email provider.

For Recipients using a current version of Outlook: 

Email is received and viewable without any additional steps required. A Permissions notice is displayed indicating the Encryption status and permissions


Some Older versions of Outlook: 

The email is received with a link to read the message in the body of the email. After clicking the link they will then see the same experience as shown below for other outside providers.

(the .rpmsg attachment does not need to be opened.)



Opening Messages via Google and Microsoft:

Clicking the Read the message link opens a webpage with Sign-in options depending on the recipients account type, you can either sign in with a presented option or opt to have a one-time code sent to the same email address the original message was sent to.

Microsoft, Outlook.com, Providers Hosted by Microsoft:

Google:


Yahoo:


The Sign in with a work or school account option attempt may fail from some accounts especially those for providers with high security such as the DOD or other government agencies. If logging in fails with any of the listed methods use One-Time Passcode option instead.

After selecting Use a One-time passcode, a page will open and you will soon receive an email with the code. Once you receive the code, enter it in the One-time passcode field and click Continue, the message should now display.












Was this article helpful?