Email encryption in Outlook

To totally unlock this section you need to Log-in


Encrypting email it Outlook may sound like a daunting task, but it is actually quite simple.

Get a Digital ID for Outlook (encryption and signing certificates)

To be able to encrypt important Outlook e-mails, the first thing you need to get is a Digital ID, also known as E-mail Certificate. You can get the digital ID from one of the sources recommended by Microsoft. You will be able to use these IDs not only to send secure Outlook messages, but protect documents of other applications as well, including Microsoft Access, Excel, Word, PowerPoint and OneNote, versions 2013, 2010 and 2007.

The Digital IDs commoly recommended are those of:

  • DocuSign
  • Comodo
  • GlobalSign
  • My Credentialâ„¢ from GeoTrust, Inc.

Note: Please keep in mind that most of the services are paid and charge either monthly or yearly fee. If you are looking for a free digital ID, check out COMODO, they provide a free Email Certificate (S/MIME) that will protect your Outlook emails both with encrypting and digitally signing.

The process of getting a Digital ID depends on which service you have opted for. Typically, an ID is provided in the form of an executable installation that will automatically add the certificate to your system. Once installed, your digital ID will become available in Outlook and other Office applications.

How to set up your e-mail certificate in Outlook

To verify whether a digital ID is available in your Outlook, perform the steps below. We will explain how this is accomplished in Outlook 2010, though it works exactly in the same way in Outlook 2013 and with slight differences in Outlook 2007. So hopefully you won't have any problems to configure your encryption certificate in any Outlook version.

Switch to the File tab, then go to Options > Trust Center and click the Trust Center Settings button.

Email encryption in Outlook

In the Trust Center dialog window, select E-mail Security.

On the E-mail Security tab, click Settings under Encrypted e-mail.

Email encryption in Outlook

Note: If you already have a digital ID, the settings will be automatically configured for you. If you want to use a different e-mail certificate, follow the remaining steps.

In the Change Security Settings dialog window, click New under Security Setting Preferences.

Email encryption in Outlook

Type a name for your new digital certificate in the Security Settings Name box.

Make sure S/MIME is selected in the Cryptography Format list. Most digital IDs are of SMIME type and most likely this will be the only option available to you. If your certificate type is Exchange Security, choose it instead.

Click Choose next to Encryption Certificate to add your digital cert to encrypt e-mails.

Email encryption in Outlook

Note: To find out whether the certificate is valid for digital signing or encryption, or both, click the View Certificate properties link on the Select Certificate dialog box.

Email encryption in Outlook

Typically, a certificate purposed for cryptographic messaging (such as Outlook email encryption and digital signing) says something like "Protects e-mail messagess".

Email encryption in Outlook

Select the Send these certificates with signed messages check box if you are going to send Outlook encrypted email messages outside of your company. Then click OK and you are done!

Email encryption in Outlook

Tip: If you want these settings to be used by default for all encrypted and digitally signed messages you send in Outlook, select the Default Security Setting for this cryptographic message format check box.

How to encrypt email in Outlook

Email encryption in Outlook protects the privacy of messages you send by converting them from readable text into scrambled enciphered text.

To be able to send and receive encrypted email messages, you need two basic things:

Digital ID (encryption email certificate). We have discussed how to get a digital ID and set up the certificate in Outlook in the first part of the article.

Share your public key (which is part of the certificate) with the correspondents you wish to receive encrypted messages from. See the step-by-step instructions on how to share public keys.

You need to share the certificates with your contacts because only the recipient who has the private key that matches the public key the sender used to encrypt the email can read that message. In other words, you give your recipients your public key (which is part of your Digital ID) and your correspondents give you their public keys. Only in this case you will be able to send encrypted emails to each other.

If a recipient who does not have the private key matching the public key used by the sender tries to open an encrypted e-mail, they will see this message:

"Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your Digital ID< name cannot be found by the underlying security system."

So, let's see how sharing digital IDs is done in Outlook.

How to add a recipient's digital ID (public key)

To be able to exchange encrypted messages with certain contacts, you need to share your public keys first. You start by exchanging digitally signed emails (not encrypted!) with the person to whom you want to send encrypted emails.

Once you get a digitally signed email from your contact, you have to add the contact's digital ID certificate to his/ her contact item in your Address Book. To do this, please follow the steps below:

In Outlook, open a message that is digitally signed. You can recognize a digitally signed message by a Signature icon.

Right-click the sender's name in the From fields, and then click Add to Outlook Contacts.

Email encryption in Outlook

When the person is added to your Outlook contacts, their digital certificate will be stored with the contact's entry.

Note: If you already have an entry for this user in your Contacts list, select Update information in the Duplicate Contact Detected dialog.

To view the certificate for a certain contact, double-click the person's name, and then click the Certificates tab.

Once you have shared the Digital IDs with a certain contact, you can send encrypted messages to each other, and the next two sections explain how to do this.

How to encrypt a single email message in Outlook

In an email message you are composing, switch to the Options tab > Permissions group and click the Encrypt button. Then send the encrypted email as you usually do in Outlook, by clicking the Send button. Yep, it is that easy.

Email encryption in Outlook

If you don't see the Encrypt button, then do the following:

Go to Options tab > More Options group and click the Message Options Dialog Box Launcher in the lower corner.

Email encryption in Outlook

In the Properties dialog window, click the Security Settings button.

Email encryption in Outlook

In the Security Properties dialog window, check the Encrypt message contents and attachments check box and click OK.

Email encryption in Outlook

NOTE: This process will also encrypt any attachments you send with the encrypted email messages in Outlook.

IMPORTANT NOTE: in order to encrypt an email for the recipient you must have the recipient's Digital Certificate, and their digital certificates must be assigned to the relevant entry in your Address Book.

Finish composing your message and send it as usual.

To verify whether the email encryption worked, switch to the Sent Items folder and if your email was encrypted successfully, you will see the Encryption icon next to it.

NOTE: If you are trying to send an encrypted message to a recipient who has not shared the public key with you, you will be offered the choice to send the message in the unencrypted format. In this case, either share your certificate with the contact or send the message unencrypted:

Email encryption in Outlook

Encrypt all email messages you send in Outlook

If you find that encrypting each email individually is quite an onerous process, you can opt to automatically encrypt all email messages you send in Outlook. However, please note that in this case all of your recipients must have your digital ID to be able to decipher and read your encrypted email. This is probably the right approach if you use a special Outlook account to send emails within your organization only.

You can enable automatic Outlook email encryption in the following way:

Navigate to the File tab > Options > Trust Center > Trust Center Settings.

Email encryption in Outlook

Switch to the Email Security tab, and select Encrypt contents and attachments for outgoing messages under Encrypted email. Then click OK and you are close to finished.

Email encryption in Outlook

Tip: In case you want some additional settings, for example to choose another digital certificate, click the Settings button.

Click OK to close the dialog. From now on, all the messages you send in Outlook will be encrypted.

Well, as you can see Microsoft Outlook takes a rather burdensome approach to email encryption. But once configured, it will definitely make your life easier and email communication safer.

However, the email encryption method we have just explored has one significant limitation - it works for Outlook only. If your recipients use some other email clients, then you will need to employ other tools.

Email encryption between Outlook and other email clients

To send encrypted email between Outlook and other non-Outlook email clients, you can use one of the third party mail encryption tools.

The most popular free open source tool that supports both cryptography standards, OpenPGP and S/MIME, and works with multiple email clients including Outlook is GPG4WIn (the full name is GNU Privacy Guard for Windows).

Using this tool you can easily create an encryption key, export it and send to your contacts. When your recipient receives the email with the encryption key, they will need to save it to a file and then import the key to their email client.

To have a general idea how GPG4OL looks like in Outlook, see the following screenshot:

Email encryption in Outlook

Summary of actions to enable E-Mail Encryption on Microsoft Outlook

Assigning your Certificate to your email account:

  • Open Outlook.
  • Select Tools from menu.
  • Select Options from drop down menu.
  • In dialog box that appears select Security tab.
  • Enter a name for your security setting into the Security Settings Name box.
  • Ensure S/MIME is selected on the Secure Message Format box.
  • Check the Default Security Setting for this Secure Message Format.
  • In Certificates and Algorithms section click the Choose button in the Signing Certificate section.
  • Select your Secure Email Certificate from the Select Certificate dialog box.

Outlook should automatically choose the same Secure Email Certificate as your Signing Certificate for the Encryption Certificate.

If not, click the Choose button in the Encryption Certificate and select your Secure Email Certificate from the Select Certificate dialog box. Ensure Send These Certificates with Signed Messages is selected, then click OK to return to Options dialog box and finally click OK to return to Outlook.

Setting up buttons for easy signing / encryption abilities from a New Message toolbar:

Following these steps will display digital sign and encrypt buttons on your New Message toolbar:

  • Click New Message button.
  • Select Tools from menu.
  • Select Customize from drop down menu.
  • Select the Commands tab.
  • Select the Standard from the Categories listings.
  • Scroll down the Commands list on the right to locate Encrypt Message Contents and Attachments. Click on the entry.
  • Using your mouse, drag the highlighted Encrypt Message Contents and Attachments listing onto your Toolbar. We recommend placing it next to the Send button.
  • Repeat the previous steps to also add the Digitally Sign Message listing.
  • Click Close to return to composing your message.

Signing an Email:

Signing an email ensures the recipient knows the email has come from you and informs him / her if it has been tampered with since being signed.

  • Compose your email and attach files as usual.
  • Click Sign button.
  • Click Send button.

The recipient of your email must have a copy of your Certificate in order to verify your signed email is legitimate.

Encrypting an Email:

Encrypting an email ensures that only the recipient may view the email content and any attachments.

IMPORTANT NOTE: in order to encrypt an email for the recipient you must have the recipient's Digital Certificate, and their digital certificates must be assigned to the relevant entry in your Address Book.

  • Compose your email and attach files as usual.
  • Ensure the recipient has a Digital Certificate and you have assigned the Certificate to their relative entry in your Outlook Contacts area.
  • Click Encrypt button.
  • Click Send button.