Email encryption in Outlook: how to encrypt messages with digital ID

These days when e-mail has become the main means of personal and business communication and stealing information is what trade secret crimes thrive on, the problems of securing email and safeguarding privacy are on everyone's mind.

Even if your job does not imply sending your company's secrets that need to be protected from unwanted eyes, you may look for a little personal privacy. Whatever your reason is, the most reliable ways to secure your communications with co-workers, friends and family are mail encryption and digital signatures. Outlook email encryption protects the contents of your messages against unauthorized reading, while a digital signature ensures that your original message has not been modified and comes from a certain sender.

Encrypting email it Outlook may sound like a daunting task, but it is actually quite simple. There exist a few methods of sending secure emails in Outlook, and further on in this article we are going to dwell on the basics of each:

Get a Digital ID for Outlook (encryption and signing certificates)

To be able to encrypt important Outlook e-mails, the first thing you need to get is a Digital ID, also known as E-mail Certificate. You can get the digital ID from one of the sources recommended by Microsoft. You will be able to use these IDs not only to send secure Outlook messages, but protect documents of other applications as well, including Microsoft Access, Excel, Word, PowerPoint and OneNote.

The process of getting a Digital ID depends on which service you have opted for. Typically, an ID is provided in the form of an executable installation that will automatically add the certificate to your system. Once installed, your digital ID will become available in Outlook and other Office applications.

How to set up your e-mail certificate in Outlook

To verify whether a digital ID is available in your Outlook, perform the steps below. We explain how this is accomplished in Outlook 2010, though it works exactly in the same way in Outlook 2013 - 365, and with insignificant differences in Outlook 2007. So hopefully you won't have any problems to configure your encryption certificate in any Outlook version.

  1. Switch to the File tab, then go to Options > Trust Center and click the Trust Center Settings button. Go to the File tab > Options > Trust Center and click the Trust Center Settings button.
  2. In the Trust Center dialog window, select E-mail Security.
  3. On the E-mail Security tab, click Settings under Encrypted e-mail. On the E-mail Security tab, click Settings under Encrypted e-mail.

    Note: If you already have a digital ID, the settings will be automatically configured for you. If you want to use a different e-mail certificate, follow the remaining steps.

  4. In the Change Security Settings dialog window, click New under Security Setting Preferences. Click New under Security Setting Preferences.
  5. Type a name for your new digital certificate in the Security Settings Name box.
  6. Make sure S/MIME is selected in the Cryptography Format list. Most digital IDs are of SMIME type and most likely this will be the only option available to you. If your certificate type is Exchange Security, choose it instead.
  7. Click Choose next to Encryption Certificate to add your digital cert to encrypt e-mails. Choose your encryption certificate.

    Note: To find out whether the certificate is valid for digital signing or encryption, or both, click the View Certificate properties link on the Select Certificate dialog box.

    View the Certificate properties to find out whether the certificate is valid for digital signing or encryption.

    Typically, a certificate purposed for cryptographic messaging (such as Outlook email encryption and digital signing) says something like "Protects email messages". An example of the digital certificate purposed for email encryption and digital signing

  8. Select the Send these certificates with signed messages check box if you are going to send Outlook encrypted email messages outside of your company. Then click OK and you are done! Select the 'Send these certificates with signed messages' check box if you are going to send encrypted emails outside of your company.

    Tip: If you want these settings to be used by default for all encrypted and digitally signed messages you send in Outlook, select the Default Security Setting for this cryptographic message format check box.

How to encrypt email in Outlook

Email encryption in Outlook protects the privacy of messages you send by converting them from readable text into scrambled enciphered text.

To be able to send and receive encrypted email messages, you need two basic things:

You need to share the certificates with your contacts because only the recipient who has the private key that matches the public key the sender used to encrypt the email can read that message. In other words, you give your recipients your public key (which is part of your Digital ID) and your correspondents give you their public keys. Only in this case you will be able to send encrypted emails to each other.

If a recipient who does not have the private key matching the public key used by the sender tries to open an encrypted e-mail, they will see this message:

"Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your Digital ID name cannot be found by the underlying security system."

So, let's see how sharing digital IDs is done in Outlook.

How to add a recipient's digital ID (public key)

To be able to exchange encrypted messages with certain contacts, you need to share your public keys first. You start by exchanging digitally signed emails (not encrypted!) with the person to whom you want to send encrypted emails.

Once you get a digitally signed email from your contact, you have to add the contact's digital ID certificate to his/ her contact item in your Address Book. To do this, please follow the steps below:

  1. In Outlook, open a message that is digitally signed. You can recognize a digitally signed message by a Signature icon Signature icon.
  2. Right-click the sender's name in the From fields, and then click Add to Outlook Contacts. Right-click the sender's name and then click Add to Outlook Contacts.

    When the person is added to your Outlook contacts, their digital certificate will be stored with the contact's entry.

    Note: If you already have an entry for this user in your Contacts list, select Update information in the Duplicate Contact Detected dialog.

To view the certificate for a certain contact, double-click the person's name, and then click the Certificates tab.

Once you have shared the Digital IDs with a certain contact, you can send encrypted messages to each other, and the next two sections explain how to do this.

How to encrypt a single email message in Outlook

In an email message you are composing, switch to the Options tab > Permissions group and click the Encrypt button. Then send the encrypted email as you usually do in Outlook, by clicking the Send button. Yep, it is that easy : ) To send an encrypted email message, click the Encrypt button.

If you don't see the Encrypt button, then do the following:

  1. Go to Options tab > More Options group and click the Message Options Dialog Box Launcher in the lower corner. Click the Message Options Dialog Box Launcher in the lower corner.
  2. In the Properties dialog window, Click the Security Settings button. Click the Security Settings button.
  3. In the Security Properties dialog window, check the Encrypt message contents and attachments check box and click OK. In the Security Properties dialog window, check the 'Encrypt message contents and attachments' check box.

    Note: This process will also encrypt any attachments you send with the encrypted email messages in Outlook.

  4. Finish composing your message and send it as usual.

    To verify whether the email encryption worked, switch to the Sent Items folder and if your email was encrypted successfully, you will see the Encryption icon Encryption icon next to it.

    Note: If you are trying to send an encrypted message to a recipient who has not shared the public key with you, you will be offered the choice to send the message in the unencrypted format. In this case, either share your certificate with the contact or send the message unencrypted: If you are trying to send an encrypted Outlook message to a recipient that does not have your digital ID certificate, you are offered to send an unencrypted message instead.

Encrypt all email messages you send in Outlook

If you find that encrypting each email individually is quite an onerous process, you can opt to automatically encrypt all email messages you send in Outlook. However, please note that in this case all of your recipients must have your digital ID to be able to decipher and read your encrypted email. This is probably the right approach if you use a special Outlook account to send emails within your organization only.

You can enable automatic Outlook email encryption in the following way:

  1. Navigate to the File tab > Options > Trust Center > Trust Center Settings. Enable automatic email encryption in Outlook.
  2. Switch to the Email Security tab, and select Encrypt contents and attachments for outgoing messages under Encrypted email. Then click OK and you are close to finished. Select 'Encrypt contents and attachments for outgoing messages' under Encrypted email.

    Tip: In case you want some additional settings, for example to choose another digital certificate, click the Settings button.

  3. Click OK to close the dialog. From now on, all the messages you send in Outlook will be encrypted.

Well, as you can see Microsoft Outlook takes a rather burdensome approach to email encryption. But once configured, it will definitely make your life easier and email communication safer.

However, the email encryption method we have just explored has one significant limitation - it works for Outlook only. If your recipients use some other email clients, then you will need to employ other tools.

Email encryption between Outlook and other email clients

To send encrypted email between Outlook and other non-Outlook email clients, you can use one of the third party mail encryption tools.

The most popular free open source tool that supports both cryptography standards, OpenPGP and S/MIME, and works with multiple email clients including Outlook is GPG4WIn (the full name is GNU Privacy Guard for Windows).

Using this tool you can easily create an encryption key, export it and send to your contacts. When your recipient receives the email with the encryption key, they will need to save it to a file and then import the key to their email client.

I won't be going into much detail on how to work with this tool since it is rather intuitive and easy to understand. If you need the full info, you can find the instructions with screenshots on the official web-site.

To have a general idea how GPG4OL looks like in Outlook, see the following screenshot: GPG4Win plug-in in Outlook

Besides the GPG4Win add-in, there is a handful of other tools for email encryption. Some of these programs work with Outlook only, while others support several email clients:

Exchange hosted encryption

If you are working in a corporate environment, you can use the Exchange Hosted Encryption (EHE) service to have your email messages encrypted/decrypted at the server side based on policy rules that your administrator creates.

Outlook users who have ever tried this encryption method have two major complaints.

Firstly, exchange hosted encryption is hard to configure. Besides the digital ID, it also requires a special password, aka token, that your Exchange administrator has assigned to you. If your Exchange admin is responsible and responsive, he will configure your Exchange encryption and set you free from this headache : ) If you are not that lucky, try to follow Microsoft's instructions (Get a digital ID for sending messages using Microsoft Exchange section is near the bottom of the page).

Secondly, the recipients of your encrypted emails should use Exchange hosted encryption too, otherwise it is useless.

The Office 365 Exchange Hosted Encryption is claimed to have fixed both of the above mentioned problems. To find more information about it, visit the official web-site or this blog.

If none of the email protection techniques covered in this article meets your requirement in full, you can consider using other, more sophisticated methods, such as Steganography. This hard-to-pronounce word means concealing a message or other file within another message or file. There exist various digital steganography techniques, for example concealing the contents of an email within the lowest bits of noisy images, within encrypted or random data and so on. If you are interested to learn more, check out this Wikipedia article.

And this is all for today, thank you for reading!

Table of contents

54 comments

  1. Hi. To encrypt (encryption only - not signed) a single mail in Outlook I then need the public cert of the recipient. Do I also need my own certificate to perform this function or it can be done by any email sender account (with or without a certificate)? Thanks.

    • Well, I have just found out it is not possible to send an encrypted message if you don't have a certificate. The PKI is not designed that way. In other words you can't just simply encrypt a message with the recipient's public key if you don't have a certificate of your own.

  2. Hi,
    I have the same issue, I installed a personnel certificate and assigned the cert to my account successfully.But while I sending mail, the error massage "If you are trying to send an encrypted Outlook message to a recipient that does not have your digital ID certificate..." will pop out. How to resolve this? Thanks.

  3. Hi,
    I have the same issue, I installed a personnel certificate and assigned the cert to my account successfully.But while I sending mail, the error massage "If you are trying to send an encrypted Outlook message to a recipient that does not have your digital ID certificate..." will pop out. How to resolve this? Thanks.

  4. Thanks for that! Helped alot!

  5. I work for the Air Force and I'm trying to set my exchange server up to be able to send and receive encrypted emails from the AF domain. We are on a different domain still managed by the AF. We can pull down a cert for one user at a time but this is time consuming and we would like to be able to have it configured for all users. We can send encrypted emails internally but not outside of the domain. Any ideas on how to fix this?

  6. Hi

    i have multiple accounts and i don't want to digital certificate for all my emails ..so which option i can disable for multiple accounts

    Regards
    Krishna

  7. Hi Svetlana

    i have installed personnel sign from official source. But im unable to encrypt my email. While sending it shows error massage "If you are trying to send an encrypted Outlook message to a recipient that does not have your digital ID certificat...". Could you please suggest how to resolve my issue.

  8. Jut got a Comodo free email cert, got it installed via FireFox on my Mac. Having a heck of a time trying to get MS Outlook 2016 to use this certificate. Other than getting off the Mac, what do you suggest?

    • Yes, me too Steve. Outlook 2016 does just not see the crt.

  9. What about the newest and updated outlook.com ?

  10. Hi Svetlana,

    I have a question, if I get an encrypted/signed email is there anyway I can force the settings so I can't forward this message without decrypting or at least keeping the encryption as the only option to send it, disable the "Send unencrypted" option?.

    Thanks.

  11. I have followed all the steps and we have done the digital "handshake" and I can see the certificate in the contract's address card but we can't exchange encrypted messages. Would appreciated some assistance.

  12. Hi,

    I have downloaded a digital certificate via Comodo.I received the confirmation email and downloaded through the Microsoft website link which suggested comodoo. The details include the "securing e-mails" descriptions and it says that "the certificate is ok". I follow all the steps through to trust centre etc, clicking on settings and then new, entering a name and then choosing. When I click the choose button, I get the dialogue box come up saying "No certificates avaliable: No certificates meet the application". Perhaps I need a public key - in which case I'm not sure if I have one already/how to get one. My certificate manager also says that I have a certificate by Comodo. Another reason could be the storing of my certificate which by default named as "user". I chose to automatically choose the location - which put it in downloads. This saved the file type as "security certificate", however when I install it via the above instructions the file type specifies "security information" which i change to all files - as this is the only way the certificate shows.

    Would appreciate the help :)

  13. thank you so much! this was driving me nuts and now it's resolved thanks to you!

  14. Hi Svetlana
    The article is great... I have a client who needs emails encrypted from a particular set of users. How do I get about the encryption only for a set of users, also the same set of users would need to communicate with other clients and users etc without the encryption.
    Thanks

  15. Hi Svetlana,

    How can I send encrypted mail to a contact group in Outlook?

  16. Per Frejvall says:

    August 14, 2014 at 8:01 am

    Hi all!

    I have two Exchange accounts aimed at two different servers in my profile. In Outlook 2011 for Mac this works as advertised, but in Outlook 2010 for Windows Outlook is never able to distinguish between the two certificates and e-mail addresses. It will always use the last added certificate, regardless of auto select, default select or manual select.

    I have two different named security settings in trust center, each with the correct certificate for the e-mail address. I have seen people do this with Outlook 2013 but I have failed with 2010.

    Any ideas?

    All the best,

    Per

    In the above example, do you have both accounts on the same Outlook profile? If so, you need to have separate profiles. Security certificates are 1 per Outlook profile if I remember correctly.

  17. What controls which encryption algorithms are displayed. Many of the users in my environment have AES as a choice some have 3DES as the highest level algorithm.

    Please advise. Thank you for your kind consideration and assistance in this matter.

  18. A user can read some encrypted emails but not others. All from the same CA.
    Looking at the users profile in ADUC, we noticed that the users has multiple certificates published that have email encryption enabled.

    How does Outlook/Active Directory which public key certificate to use?

  19. Hello,
    In Outlook 2013, I do not see the same screen shot you show when I add a recipient's Digital ID. Add to contacts is not listed.

  20. Hi Svetlana, your posting has been extremely helpful. I have another question: S/MIME is not working on my corporate environment. they send me the certificates for encryption but after importing then to the local system, and to email user in the same group, encryption failed. But some for some user when I sent an email to itself, it works. I use Outlook 2013 on a Win 7 environment.

  21. Last year (2014) i also had my emails hacked and i have been looking into and i have been looking into email encryption softwares. I found some good information from this website http://www.hackedemails.com/email-encryption/ and hope that it might be useful for you also.

  22. Hi,
    I have added certificates to a couple users on my network. (Outlook 2010)
    We want to send encrypted mails between those users. The only problem is that I need to configure that all the outgoing mail will be encrypted.

    Can I configure that a mail will be encrypted if I send it to specific contacts. So not to all outgoing mail.
    Thanks

  23. Thanks for this great article!

    Is there a way to automatically sign emails from only one of multiple accounts?
    I have one personal account which I now have a Digital ID for, and one company Exchange account which don't have EHE enabled. I would like for all emails sent from my personal account to be automatically sigend, and the ones sent from my company account not to be signed. is this possible in Outlook 2013?

    Thanks

  24. I have an employee with the following encryption problem. He can receive my encrypted emails, can open and read them, he can also send me encrypted emails which I have no problem opening or reading, However, if he replies to my encrypted emails they fail to send/encrypt even though he can me "new" encrypted email with no problems.

    What are we doing wrong?

    • I'm sorry, we haven't encountered this problem before and that is why I am unable to help. You can probably contact Microsoft support service (support.microsoft.com) for assistance.

  25. Why is it that to be able to send encrypted emails via outlook, you have to go through the trouble of adding the public cert of that person to his address book contact

    In Apple Mail, this is ALL AUTOMATIC ( and invisible to our most simplistic user ! )

    I sync my contacts with google, I cant attach the cert to the contact as when the contacts are synced, the cert is then lost again

    this is a major problem for me and my company and has caused us to start transferring our users to Apple platforms.

    The odd thing is that, the only thing that the departments miss is Publisher, which has to be run in Parallels

    annoying we have to go to these lengths for something which most definitely doesn't work as it should

    thanks

    • Hello Adrian,

      Unfortunately, I cannot address any of your questions because I do not work for Microsoft : )

  26. Hey Sveti,

    Is it possible in some way to make sure IT administrator can't read my mails?
    Is there any way to do it? (I was thinking about them logging in to my profile with administrator rights and launch Outlook.) Any ideas? Thank you.

  27. Hi Svetlana,

    I received my COMODO certificate and I can see it in my certificate store but I am not able to select it in Outlook 2013, it just says that I have "no certificates meet the application criteria".

    I also am not able to export the private key of the certificate because it's greyed out.

    Any ideas?

  28. I too have a lot problems which I would like to discuss with you.Great information about email encryption outlook...Thanks for sharing! A great help to the public.

  29. Hi Svetlana,
    I have an strange issue,I'm sending mails with signed messages (using comodo email certificate) (without any attachments) to one of the organisation , but the recipients are receiving my mail as an attachment which can not be opened. The recipients have saved my email address in their address book, still they are unable to view my email contents on the body of a email. Could you please help me here?

  30. I can find the way to encript everything that you send out but is there a way to have outlook automatically encript all attachments but not every single email?
    thanks!

  31. Okay, I have another question for you, Svetlana. Above in your article you have described how to exchange the digital ID's with each other by right-clicking on the person's name in Contacts and clicking Add to Contacts. This also adds the digital public key of the recipient with whom we want to send messages to. And if that contact already exists in Outlook contacts, then select "Update information in the Duplicate Contact Detected dialog". I'm using Outlook 2013 and I do not find the Duplicate Contact Detected dialog box anywhere. Where should I look to Update information for the contact that already exists ??
    Thanks.

  32. Hi Svetlana Cheusheva,
    Okay. You have showed how to install the digital ID into Outlook. But you have not shown how to share the digital ID with another person through Outlook. How do we share our digital ID within Outlook with another person ?

      • Thanks Svetlana for walking me through how to configure and setting this up. It's working wonderfully now !

  33. Hi,

    Please correct me if I'm wrong. In order to communicate between Outlook 2013 and Gmail, I thought I needed to exchange digital ID's. Hence, I went to the COMODO site and filled in the details for my Gmail account and got a success message for the certificate to have been installed. I then opened IE, tools -> options -> Content tab -> certificates. I could see the my Gmail email address listed there. Then I exported the certificate to the desktop and wrote myself an email from Gmail and attached this certificate along with my mail to my Outlook account. After that I right-clicked on my account name in contacts and added the Gmail account into Outlook. I looked in the People group and clicked on Certificates, then imported the Gmail certificate into Outlook and saved the closed the window. Then I wrote myself another email from Outlook to my Gmail account. I clicked on the Encrypt button to encrypt the message and clicked the sent button. But when I do that, I always get a message "Microsoft Outlook had problems encrypting the message ....... because recipients had missing or invalid certificates ... "

    What did I do wrong here ? I tried to follow your instructions exactly, but why does it give me this error ??

    ~Thanks

    • Hi Maneesh,

      We have done some research and found out that to be able to send / receive encrypted messages via Gmail, a special plugin is required to be installed in your web-browser.

      For example, you can check out Penango (https://www.penango.com/download). It works with Firefox and IE.

  34. Hi Svetlana,

    I'm using Outlook 2013. I would like to know how to work with Outlook 2013 mail client and Gmail. I've set up the Outlook part by installing the Digital certificate from COMODO and then wrote myself an email on my gmail account. The first thing I did was to send an plain text mail attaching my public ID to my gmail account. Then I installed another digital certificate from COMODO for my gmail account and did the same to send my public key to my Outlook account. After this I sent an encrypted email from Outlook 2013 to my Gmail account. The email sure did come, but I cannot see anything written in the mail, except a small attachment called "smime.p7m" of 11 kb size. How do I decrypt the mail sent from my Outlook 2013 and read it in my Gmail account ??

    Thanks for helping.

    • Hi Maneesh,

      Could you please provide more details on how exactly you installed another digital certificate from COMODO for your gmail account?

  35. I'd say it's a bug... Simply can't make it work. Will try on 2013 just to verify...

    Thanks,

    Per

    • Per,

      I am very interested to know the result and will really appreciate if you take a minute to post it here. Thank you!

  36. Hi all!

    I have two Exchange accounts aimed at two different servers in my profile. In Outlook 2011 for Mac this works as advertised, but in Outlook 2010 for Windows Outlook is never able to distinguish between the two certificates and e-mail addresses. It will always use the last added certificate, regardless of auto select, default select or manual select.

    I have two different named security settings in trust center, each with the correct certificate for the e-mail address. I have seen people do this with Outlook 2013 but I have failed with 2010.

    Any ideas?

    All the best,

    Per

    • Hi Per!
      I am sorry, we have never encountered this problem before. You can probably contact Microsoft support service for assistance or search for a solution on stackoverflow.com or answers.microsoft.com. Really sorry for not being able to help you better.

  37. FYI, message encryption is broken in Windows 8, you can send but you can't read received encrypted messages. Message signing works though.

  38. These instructions seem backwards. I thought my public key makes it possible for others to send me encrypted messages. Not to open messages from me. It makes no sense for a public key to be able to open an encrypted file. Conversely, I should need to have the public key of each correspondent to whom I want to send encrypted email.

    Do I have it backwards, or is the Outlook system vulnerable to interception by anyone with my public key?

    • Hello Robert,

      You are absolutely right. You share your public key with others so that they can send you encrypted messages (your private key enables you to read them).

      > Conversely, I should need to have the public key of each correspondent to whom I want to send encrypted email.
      Absolutely so. I couldn't have put it better.

      I've revised the article and made a few corrections to convey exactly this meaning. Thank you very much for your feedback!

Post a comment



Thank you for your comment!
When posting a question, please be very clear and concise. This will help us provide a quick and relevant solution to
your query. We cannot guarantee that we will answer every question, but we'll do our best :)