
Outlook’s emails use standard encryption out of the box. Learn how to use enhanced encryption to send more secure messages and the best Outlook alternative if you’re looking for genuine privacy.

Like most free email providers, Outlook can’t guarantee your emails are completely private. But there are ways to enhance Outlook encryption if you pay extra for an eligible premium account.

What is email encryption?
How is Outlook encrypted?
How to encrypt an email in the Outlook.com web app
Encrypt an email in Outlook.com (OME)
Open an email encrypted with Outlook OME
How to encrypt an email in the Outlook desktop app
Encrypt an email in Outlook for desktop (S/MIME)
Open an email encrypted with S/MIME
Best Outlook alternative to send a secure email


What is email encryption?

Email encryption is a process that encodes a message so that only the intended recipients of the message can read it. The message is encrypted (encoded) into an illegible string of characters called ciphertext. The only way to read it is to decrypt (decode) it into its original, legible format using a unique encryption key.

Learn more about how email encryption works

How is Outlook encrypted?

Outlook uses TLS (Transport Layer Security) to encrypt your emails by default. That means an email is secure when being sent from A to B. But TLS works only if the recipient’s service also supports it.

And once your message arrives, its security depends on what encryption the receiving server uses. As Microsoft explains, “with TLS, the message might not stay encrypted after the message reaches the recipient’s email provider”.
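To see which hops of a delivered message actually used TLS, you can read the `Received` headers each server adds. The following is an added example, not code from the original article or from Microsoft; the sample message, host names and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords that mark a TLS-protected hop (RFC 3848 / IANA registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)

def strip_comments(text):
    # Remove (possibly nested) comments such as "(using TLSv1.3 with cipher ...)"
    # so the free-text "with cipher" is not mistaken for the protocol clause.
    prev = None
    while prev != text:
        prev, text = text, COMMENT_RE.sub(" ", text)
    return text

def audit_hops(raw_message):
    """Return [(receiving_host, protocol, used_tls)] in delivery order."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for value in reversed(received):  # each server prepends its own header
        clause = strip_comments(" ".join(value.split())).split(";")[0]
        by, proto = BY_RE.search(clause), WITH_RE.search(clause)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

# Constructed sample message: every host and address here is made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
 by store.recipient.example (Postfix) with LMTP id 3C; Mon, 06 Jan 2025 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mx.recipient.example (Postfix) with ESMTPS id 2B; Mon, 06 Jan 2025 10:00:02 +0000
Received: from laptop.sender.example (laptop.sender.example [192.0.2.4])
 by out.sender.example (Postfix) with ESMTPSA id 1A; Mon, 06 Jan 2025 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: TLS hop audit

Hello
"""

if __name__ == "__main__":
    for host, proto, tls in audit_hops(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'NO TLS'}")
```

In the sample, the last hop inside the recipient's provider runs without TLS even though the hop between providers was encrypted. `Received` headers are self-reported by each server, so treat hops outside infrastructure you trust as unverified.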

What’s more, like most free email providers, Outlook retains the encryption keys to your messages so that it can access them. 

Although Microsoft says Outlook doesn’t scan emails to target you with ads, it could still hand over their contents to third parties. In fact, Microsoft has been caught working closely with US intelligence agencies, including helping the National Security Agency (NSA) evade the company’s own encryption to intercept its users’ communications.

If you want to send a more secure message in Outlook, you can enable enhanced encryption, but only if you upgrade to a premium account. You can encrypt messages using the Outlook.com web app or the Outlook desktop app.

How to encrypt an email in the Outlook.com web app

To encrypt an email in the Outlook.com web app, you need to upgrade to a paid subscription, like Microsoft 365 Family, Microsoft 365 Personal, or an eligible enterprise account.

Upgrading your account allows you to encrypt emails using Microsoft 365 Message Encryption, also known as Microsoft Office 365 Message Encryption (OME).

Encrypt an email in Outlook.com (OME)

If you have an eligible paid subscription, you can encrypt messages using OME as follows:

  1. Log in to your account at Outlook.com and compose a new message as usual.
  2. Click on the three-dot menu under the Outlook composer window and choose Encrypt or Encrypt & Prevent Forwarding.
     [Screenshot: Encrypt and Encrypt & Prevent Forwarding options to send a secure email in Outlook]
  3. Click Send.

Open an email encrypted with Outlook OME

To read and reply to a message encrypted with OME in Outlook.com, the person you’re writing to must do one of the following:

  • If they have a Microsoft account, they can sign in to open the email.
  • If they have a Gmail or Yahoo Mail account, they can choose to open the email inside those web apps or Outlook can send them a passcode to open the email.
  • If they have any other kind of account, Outlook will send them a passcode to open the email.

The main drawbacks to encrypting an email with OME in Outlook.com are:

  • Outlook sends the passcode to the same address as the encrypted email, so the message could be accessed if the account is ever breached.
  • The Encrypt & Prevent Forwarding option adds little extra security as anyone can always take a screenshot of the message and send it anywhere.
  • Recent research has discovered a flaw in Microsoft’s encryption that could allow hackers to partially or fully infer the contents of emails encrypted with OME.
  • Outlook’s encryption was intentionally flawed for surveillance purposes in the past, making it unclear if it can be trusted today. 

How to encrypt an email in the Outlook desktop app

If you have the Outlook desktop app, you can enable S/MIME encryption, but only if you have an eligible version of the app or a premium subscription. 

The following instructions are for Outlook for Windows. The steps for Outlook for Mac are similar (see how to encrypt with S/MIME in the new Outlook for Mac).

You can also encrypt messages in the Outlook desktop app using Microsoft 365 Message Encryption (OME), but this is only available with certain Microsoft enterprise subscriptions.

Encrypt an email in Outlook for desktop (S/MIME)

You can encrypt an email with S/MIME encryption if you have an eligible version of the app or a premium subscription. 

S/MIME (short for Secure/Multipurpose Internet Mail Extensions) allows you to encrypt emails with user-specific keys so that only the intended recipients can decrypt them. But first, you need to enable S/MIME for Outlook and upload a personal S/MIME certificate from a trusted certificate authority.

Once you’ve enabled S/MIME, you can encrypt an email in your Outlook desktop app as follows:

  1. Compose a new message as usual.
  2. Choose Options → Encrypt → Encrypt with S/MIME.
     [Screenshot: Encrypt with S/MIME option to send a secure email in the Outlook desktop app]
  3. Click Send.

Note that the person you’re writing to must also have S/MIME enabled with a valid S/MIME certificate. If they don’t, you’ll get the following warning with the option to send the message unencrypted:

[Screenshot: Send Unencrypted option to send an unencrypted message to someone who doesn't have S/MIME set up]

The main drawbacks to encrypting with S/MIME in the Outlook app are:

  • You need to get an eligible paid Microsoft account and have an administrator enable S/MIME. It’s not a simple solution to set up and requires technical skills.
  • You cannot send a private message to anyone using a regular Outlook account, or any other provider without S/MIME support. You need to verify that they have S/MIME correctly set up before sending.
  • Unlike PGP end-to-end encryption, S/MIME has a centralized system of certificate authorities that could be compromised, though this may only matter to you if you’re at high risk of surveillance.

Open an email encrypted with S/MIME

If the person you’re writing to has S/MIME correctly configured with a valid S/MIME certificate, they can open the email as usual and it should be decrypted.

If they don’t have S/MIME enabled, you won’t be able to send them an S/MIME-encrypted email. Instead, Outlook gives you the option to send the message unencrypted.
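Because Outlook can fall back to sending unencrypted, it is worth checking what a sent message actually looks like on the wire. The following added example (not code from the original article or from Microsoft) classifies a message by its outer MIME headers as defined for S/MIME in RFC 8551; the sample messages and the helper `make_sample` are constructed for illustration.

```python
from email import message_from_string

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def smime_state(raw_message):
    """Classify a message by its outer Content-Type header (RFC 8551)."""
    msg = message_from_string(raw_message)
    ctype = msg.get_content_type()
    if ctype in PKCS7_MIME:
        kind = (msg.get_param("smime-type") or "").lower()
        if kind in ("enveloped-data", "authenveloped-data"):
            return "encrypted"
        if kind == "signed-data":
            return "signed-only"   # signature only: content is readable by anyone
        return "unknown-pkcs7"     # parameter missing: the CMS body must be parsed
    if ctype == "multipart/signed":
        protocol = (msg.get_param("protocol") or "").lower()
        if protocol in PKCS7_SIG:
            return "signed-only"   # clear-signed: body travels in plaintext
    return "plaintext"

def sent_unencrypted(raw_messages):
    """Subjects of messages that left without S/MIME encryption."""
    return [message_from_string(m)["Subject"] for m in raw_messages
            if smime_state(m) != "encrypted"]

def make_sample(subject, content_type):
    # Builds a constructed message; addresses are made up, body is omitted.
    return ("From: alice@sender.example\nTo: bob@recipient.example\n"
            f"Subject: {subject}\nMIME-Version: 1.0\n"
            f"Content-Type: {content_type}\n\n(body omitted)\n")

SAMPLES = [
    make_sample("Q3 contract",
                'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'),
    make_sample("Signed notice",
                'multipart/signed; protocol="application/pkcs7-signature"; '
                'micalg=sha-256; boundary="b1"'),
    make_sample("Fallback send", 'text/plain; charset="utf-8"'),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(message_from_string(raw)["Subject"], "->", smime_state(raw))
```

A signed-only message proves who sent it but does not hide its content, so it is reported alongside plaintext by `sent_unencrypted`.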

Best Outlook alternative to send a secure email

While Outlook’s enhanced encryption options make your emails more secure, if you want to send genuinely private emails, you need to use end-to-end encryption. That way, you can be sure that only you and the intended recipients of your emails can read them.

You can use third-party plug-ins to add end-to-end encryption to Outlook. But they’re usually enterprise solutions restricted to desktop apps that require an administrator to set up.

The easiest way to send a truly secure email is to use Proton Mail, which gives you the following and more out of the box:

  • Easy-to-use end-to-end encryption: Any message you send to someone on Proton Mail is end-to-end encrypted automatically — no one but you and your intended recipient(s) can read them.
  • Password-protected Emails: Easily send an end-to-end encrypted email to anyone not on Proton Mail without any technical knowledge.
  • Zero-access encryption: No one can access your stored emails without your authorization, not even Proton.
  • Open-source transparency: All Proton apps are open source and independently audited, so security experts can check they’re secure.
  • Proton Easy Switch: Automatically transfer and encrypt all your emails, contacts, and calendars from Outlook to Proton Mail in a few clicks.

At Proton, our vision is to provide privacy and security for everyone, everywhere. That’s why we offer Proton Mail free, so join us and send a secure email for free from any device.

If you’d like to support our vision, sign up for a paid plan. Together, we can build a better internet where privacy is the default.
