In a previous article, I’ve shown you how to send secret notes to your peers using PGP encryption. If you haven’t had a chance to read it, go and familiarize yourself with the topic. Why do we need email encryption? Because privacy matters and good practices in matters of encryption can save you from a lot of trouble. You’ll figure out which matters Outlook email encryption touches upon as you go through the article. For today’s topic, I’m going to talk about how to encrypt email in Outlook. For this, I’ll be using S\MIME and OME. So, without further ado, let’s do some serious encryption.

How to encrypt email in Outlook using S\MIME

First a bit of background on S\MIME. The acronym stands for Secure\Multipurpose Internet Mail Extensions and it’s a public cryptography standard that allows the user to encrypt and digitally sign MIME-type data (e.g., plaintext email messages, various email attachments such as video, audio, or image). S\MIME’s asymmetric cryptography dependency facilitates security functions such as authentication, message integrity, non-repudiation via digital signatures, and privacy.

As a security standard, S\MIME is pretty lock tight. The only disadvantage I can think of is that you can S\MIME and S\MIMEr but can’t S\MIME a non-S\MIMEr. A bit of clarification: Sending S\MIME-encrypted emails only works when both ends (i.e., sender and receiver) use a compatible email app which, in our case is Outlook.

On top of that, both sender and receiver must have VALID encryption certificates installed in their apps. Ergo, S\MIMEing someone who uses a free-to-use email service like Gmail or Yahoo, it will not work. Just remember: S\MIME to S\MIME is good, S\MIME to non-S\MIME is bad. Anyway, with these things in mind let’s see how you can encrypt an email in Outlook.

 Step 1 – Setting everything up

Now, before you can set up S\MIME encryption, you’ll need to ensure that a valid certificate exists in your keychain. For more info about obtaining a valid certificate, please refer to Microsoft’s documentation on how to install the trusted root certificate.  When you’re done with the signing part, you can begin setting it up in Outlook.

Step 2 – Trust Center Setting.

Open Outlook and click on Options. Select Trust Center and then click on Trust Center Settings. The Trust Center window will appear on your screen. Select Email Security.  Next to the “Default Setting” there is a button labeled “Settings”.

Step 3 – Obtaining your Digital ID.

If your sysadmin already purchased the digital certificate, skip this step.  If not, click on the “Get Digital ID” button and follow the on-screen instructions.

Step 4 – Importing or Exporting your Digital ID.

Now you’re back to the Trust Center Email Security tab. Under Digital IDs (Certificates), click on the “Import\Export” button.

Step 5. Finding your .pfx certificate.

In the Import\Export Digital ID window, click on the “Browse” button, select your certificate, and press on “OK”. The certificate is usually saved as a .pfx file.

Step 6. Importing a new private exchange key.

In the Import\Export Digital ID window, press the OK button after you finish importing the certificate. This will take you to a new window. You can further adjust the security level by clicking on the button located on the bottom part of the window. The default security setting is Medium. You can review your Digital Certificate info by clicking on the “Details” button. To finish the certificate installation process, click on the “OK” button.

Congrats! You’ve just set up your first Digital ID certificate. However, you’ll still need to share this certificate with your peers so you can send encrypted messages. To do that, follow the steps below.

Sharing digital certificates

Step 1. Open a new email window. In Outlook, click on the New Email button.

Step 2. Adjusting the security settings.  Click on the “Options” button and then on the “More Options” expansion button. This will open up the Properties window. Under “Security”, click on the “Security Settings” button.

Step 3. Digital signature enforcement. In the “Security Properties” window, check the box next to the “Add digital signature to this message” option and click on “Ok” to finish the process. That’s it! Your recipients are now in possession of your public key.

Now you can send a S\MIME encrypted message. Here’s how you go about it.

  • Open up the digitally signed email you previously received.
  • Click on Contact and select Certificates.
  • Compose a new email.
  • Click on Option and select the “More Options” button.
  • Under Properties, select “Security Settings”.
  • Check the box next to “Encrypt message contents and attachments.”
  • Click Ok, type in your email, and send it.

And that’s how you send a S\MIME-encrypted email. The procedure may be a bit confusing at first, but you’ll get the hang of it once you begin implementing the changes. From where I stand, the most problematic aspect of setting up a S\MIME encrypted channel is obtaining digital certificates. Normally, your sysadmin is in charge of the certificate purchase process. Of course, you can always do this on your own, as there are plenty of third-party vendors out there selling certificates.

That would be one of the methods used to encrypt emails in Outlook. What about the other one?  Stick around and find out.

How to encrypt email in Outlook with OME

OME, which is short for Office Message Encryption is an Office 365-mediated encryption method that allows your employees to send an encrypted message inside and outside your organization. The major advantage in using OME over S\MIME is that everything can be controlled from a single interface (i.e., Microsoft Azure). The not-so-good news is that OME configuration takes a lot of time and it’s not for those faint of heart. Don’t worry; just follow this guide and you’ll be able to set up the Office Message Encryption function in no time. Let’s get underway.

Step 1. Hop on your Portal Office account.

Type in your Global Admin username and password. Once you’re in, head to the admin section, select Settings and click on Services & Add-ins.  Now select Microsoft Azure Information Protection.

Step 2. Set up Microsoft Azure Information Protection.

A new window will pop up. Click on the “Manage Microsoft Azure Information Protection settings” hyperlink. Please note that Azure Information Protection requires Rights Management. Click the “Activate” button under Rights Management and follow the on-screen instructions.

Step 3. Configure your Multi-Factor Authentication for your Exchange Online PowerShell.

Time to get into geek-mode. First, you’ll need to hop on your Exchange admin center account. Be sure to use Microsoft; other browsers just won’t do. Now, go to your Office 365 account, select Admin, Admin Center and then select Exchange.

Under Exchange, click on Hybrid, scroll down, and click on the configure button located beneath “The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely” hyperlink. Once you click on the hyperlink, Edge will begin downloading the lightweight command module binary large object for the remote PowerShell. After the download ends, click on Install. Close the window once you see the PowerShell default prompt.

Step 4. Check for basic authentication.

Your Windows Remote Management session requires basic auth enable. To verify if basic auth is on, fire up the command prompt with admin rights, type in Winrm quickconfig. Hit “Y”. The next step would be to verify the argument of valueBasic. To do that, please type in winrm get winrm/config/auth. If the command prompt returns “valueBasic = TRUE”, it means basic authentication is enabled on your machine. Else, please follow Microsoft’s documentation on how to enable basic authentication on your machine.

Step 5. Connecting to the Exchange Online PowerShell (multi-factor authentication edition).

Open up your newly-installed MS Exchange O-RPM (Online Remote PowerShell Module). Once you’re in, please type in the following command: Connect-IPPSSession -UserPrincipalName < Don’t forget to replace this template with your user name and, of course, associated email address.

Step 6. Setting up message encryption, decryption, and testing the IRM configuration.

This step is somewhat tricky, so pay extra attention when you’re typing in the PowerShell arguments.

1. Import the installed module by typing in the following line: Import-Module AADRM

2. Associate a lightweight command with the module. Display all available cmdlet(s) by typing in: Get-Command -Module ADDRM

3. Establish Azure RMS connection. Once you’re in, type in the following command to run the cmdlet: Enable-Aadrm

4. Fetch the information required for msg encryption. To do that, please type in the following lines:

 $rmsConfig = Get-AadrmConfiguration

$licenseURI = $rmsConfig.LicensingIntranetDistributionPointUrl

5. Sever the connection with AARDM. Type in this line: Disconnect-AadrmService. Press Enter to continue.

6. Establish a connection to Exchange online. For this step, your will need to create a new PowerShell session.

Please type in the following line: Connect-EXOPSSession

7. Gather information to configure your IRM. In the PowerShell window, type in:

$irmConfig = Get-IRMConfiguration

$list = $irmConfig.LicensingLocation

If(!$list) { $list = @()}

If (!$list.Contains($licenseURI)) { $list += $licenseURI }

Hit Enter to continue.

8. Switch on message encryption (Office 365). Now you’re ready to set up your message encryption. For this step, type in the following lines:

Set-IRMConfiguration -LicensingLocation $list

Set-IRMConfiguration -AzureRMSLicensingEnabled $ True -InternalLicensingEnabled $true

9. Switch on server-side description (i.e., applies to Outlook Android, iOS, and Web Outlook). Type in: Set-IRMConfiguration -ClientAccessServerEnabled $true

10. Test your configuration. In the same PowerShell window, type in the following line: Test-IRMConfiguration -sender<yourusername>

11. Kill the IRM templates (Outlook + OWA). Type in: Set-IRMConfiguration -ClientAccessServerEnabled $false

That’s it! Your users can now send encrypted messages in Outlook. As a personal observation, OME is rather tricky to set up, but once the job’s done, you won’t need to come back for additional tweaking. Just follow these steps and you won’t have any trouble configuring OME.

Heimdal Official Logo
Email is the most common attack vector used as an entry point into an organization’s systems.

Heimdal® Email Security

Is the next-level email protection solution which secures all your incoming and outgoing comunications.
  • Completely secure your infrastructure against email-delivered threats;
  • Deep content scanning for malicious attachments and links;
  • Block Phishing and man-in-the-email attacks;
  • Complete email-based reporting for compliance & auditing requirements;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Email Encryption and beyond

Both S\MIME and OME are great choices when it comes to information privacy. However, they’re not foolproof. For instance, S\MIME encrypted emails, though they use public-key cryptography, are prone to a type of crypto-attack called Message Takeover (i.e., attacker assumes your signature in order to intercept and decrypt replies to your sent emails).

On the other hand, S\MIME’s fairly easy to set up within an organization, with little to no tech skills. Azure’s OME is everything a sysadmin could dream of: set-and-forget (not completely) functionality, secure, and very…global. Still, the deployment process is rather difficult and issues can ensue along the way. Yes, unfortunately, you’ll be getting a lot of error messages during the installation process. Perseverance – that’s the key to success.

As far as email encryption goes, you should always consider other venues. Check out my article on PGP encryption for more info on how to bolster your email comm security. Of course, there are always more ways to protect your in-company comm channels. Here are my personal favorites.

  • Caution before encryption. Please bear in mind that not even the mother of encryption can keep you safe if you click on every email attachment you come upon. Always remember to double-check the email’s body and the sender before you open or run attachments.
  • Extra email protection. OME and S\MIME should be your line of defense. If you’re looking for a great ‘frontliner’, you should definitely consider an extra security layer. Heimdal™ Security’s Email Security is a great choice for sysadmins looking for ways to protect the company’s assets from things like email-delivered malware, worms, ransomware, and insider threats.


A couple of takeaways before I leave. Don’t forget that in order to set up S\MIME, you’ll need a digital certificate. If your sysadmin did not buy this certificate, go out there and hassle with your third-party digital ID vendor. From a deployment point of view, S\MIME’s easier to set up compared to OME but prone to cryptography attacks such as Message Takeover. When setting up OME, don’t forget that grammar matters; please include the signs and operators exactly how they’ve been written here, else you’re going to encounter various errors. As always, stay safe, stay frosty, and leave me a comment if you have questions on how to encrypt email in Outlook.

Leave a Reply

Your email address will not be published. Required fields are marked *