What Is Email Encryption | Microsoft Security (2024)

Email encryption is a security measure that encodes an email message so that only the intended recipients can read it. Encrypting, or obscuring, emails is a process designed to keep cybercriminals—especially identity thieves—from getting hold of valuable information that they can use for monetary gain.

It's common to use email to send sensitive or confidential information that could be exploited by thieves. When an email is in transit to your recipient, it can be intercepted by malicious actors looking for data such as:

• Names, addresses, and other personally identifiable information (PII).
• Financial account numbers and other data.
• Customer or employee information.
• Login credentials.
• Legal contracts.
• Intellectual property.
• Patient health information.

Using encryption for email security ensures that only the authorized recipient can decode and consume messages containing sensitive information. If a bad actor were to intercept an encrypted message, they would open it only to find scrambled, unreadable text inside. Email encryption is an important way to protect your data because gaining access to confidential information through email is a primary tactic of cybercriminals.

Basic email encryption involves an exchange of encryption keys that are generated by mathematical algorithms called one-way functions. Each encoded communication uses a paired public key, available to anyone on the internet, and a private key, known only to the recipient. This kind of email encryption system is called public key infrastructure, or PKI.

In a PKI model, an encrypted email’s journey typically works like this:

• A message is sent using a public key, which transforms the contents from a readable format, or plaintext, into a scrambled format, or ciphertext.
• The message remains in cyphertext while it’s in transit from server to server over the internet.
• When the email gets to its destination, the intended recipient decrypts the ciphertext email back into plaintext using a unique private key.

The recipient’s machine will use the private key to decrypt the message unless the recipient has an enterprise-grade email encryption service. In that case, a central server may decrypt the message on behalf of the recipient after validating their identity.

Email encryption by itself doesn’t prevent malicious parties from intercepting messages. Without the private key, however, the data inside will appear jumbled and unreadable to the unauthorized person.

It’s possible to have multiple layers of encryption in place at the same time. For example, encrypting the communication channels through which your email flows will provide even better protection than email encryption alone.

Email is such a common way to communicate that it’s easy to forget how incredibly vulnerable it is. Hackers who surveil or steal PII from your email traffic can not only gain access to information related to your business and employees, but to customer data as well.

Email encryption services can block a significant avenue of attack for cybercriminals and protect the privacy of those who have entrusted you with their sensitive information. Avoiding security breaches and building customer trust protects both your bottom line and your reputation.

Using email encryption will also keep you compliant with legal and industry regulations. Compliance guidelines vary based on where in the world your business operates. But no matter what industry you are in or where you do business, you’re likely to handle a combination of PII, financial data, transaction data, or even sensitive patient health information that is regulated. Protecting this data is the law in many countries based on applicable privacy regulations. And many compliance guidelines strictly require that emails containing sensitive data are encrypted.

Another way email encryption can protect you is that it helps employees identify which emails are genuine and which are phishing or spam schemes. An email encryption service that includes digital signing gives an extra layer of proof that an email comes from an authentic sender, lessening the risk that your system is infected through routine employee communications.

When you choose an email encryption service, consider your broader cybersecurity needs, the compliance requirements in your industry, and the size of your organization. Your employees may only deal with sensitive information a few times a day—or perhaps all your emails are highly sensitive and subject to complex regulations.

First, look at the available features within the email platforms you already use. You may have a certain level of encryption available by default, and it may only take a modest subscription upgrade or a plug-in to meet or exceed your privacy requirements. Building on tools that are already familiar to your employees has the advantage of reducing your training needs.

Second, consider ease of use. Try to find a cost-effective way to encrypt emails that doesn’t involve having employees logging in to a portal to read encrypted messages or follow complicated steps to attach files to an email.

Last, consider the size of your company. Larger organizations are best served by an enterprise-level encryption solution that provides end-to-end email protection. Enterprise-grade communication, collaboration, and security platforms sometimes have advanced message encryption included. These types of solutions can automate much of the encryption process for admins and users alike.

Some enterprise-grade solutions can fortify your email security posture by automatically encrypting sensitive emails. They may also send and request digital signatures to thoroughly verify identity or offer users advanced options such as prohibiting the forwarding, printing, or copy/pasting of emails.

Choosing an email encryption service is an important way to improve your overall security posture. Start by reviewing the types of email encryption available to you, the security needs of your organization, and what email protections can integrate with the platforms and solutions you already use. Consider how your needs can be met by:

• The features available in your current productivity suite, such as Microsoft purview message encryption.
• The email protections available in a comprehensive threat protection solution such as Microsoft Defender.
• Advanced message encryption included in an enterprise solution such as Microsoft 365 Enterprise E5.