Here's what most privacy guides won't tell you: Outlook's encryption isn't just one thing. It's two completely different systems that work in opposite ways, and choosing the wrong one can lock out your recipients entirely. The difference matters more than you think.

Key Takeaways

  • S/MIME provides stronger encryption but only works when both sides have certificates
  • Microsoft 365 encryption works with any email provider but requires a business subscription
  • Most encryption failures happen because users pick the wrong method for their recipient

Difficulty: Intermediate
Time needed: 20-30 minutes
For: Business users and privacy-focused individuals using Outlook

Why This Gets Confusing

Microsoft built two encryption systems into Outlook, and they solve different problems. S/MIME encrypts messages end-to-end using certificates—like having matching keys that only you and your recipient possess. Microsoft 365 Message Encryption routes everything through Microsoft's servers, where it gets encrypted and stored in a web portal that any recipient can access.

The catch? S/MIME messages are unreadable if your recipient doesn't have the right certificate. Microsoft 365 messages are readable by anyone, but only through Microsoft's system. Most encryption headaches start here—with the wrong choice for the wrong situation.

What You Actually Need

  • Outlook desktop client (Microsoft 365, Outlook 2019, or Outlook 2016)
  • For S/MIME: A digital certificate from a trusted Certificate Authority or your organization's IT department
  • For Microsoft 365 encryption: Business Premium, Enterprise, or Education subscription
  • Administrator rights to install certificates on your computer
  • Recipients' email addresses and public certificates (for S/MIME) or any valid email address (for Microsoft 365)

Decision Point: Which Method to Use

Here's the question that determines everything else: does your recipient's organization use S/MIME certificates? If yes, and you need maximum security, go with S/MIME. If no, or if you're sending to Gmail, Yahoo, or personal accounts, Microsoft 365 encryption is your only practical option.

Think of it this way: S/MIME is like speaking a specialized language that both parties must learn. Microsoft 365 encryption is like writing a note and putting it in a safe that anyone can open with the right combination.

Setting Up S/MIME (The Technical Route)

Open Outlook and navigate to File > Options > Trust Center > Trust Center Settings > Email Security. Click Import/Export and select your certificate file (.p12 or .pfx format). Enter the certificate password when prompted.

Your certificate will appear in both the Signing Certificate and Encryption Certificate dropdown menus. Select it for both options and click OK. This is where many setups fail—forgetting to select the certificate in both places means encryption won't work properly.

Enabling Microsoft 365 Encryption (The Simple Route)

For Microsoft 365 users, the setup is almost invisible. Go to File > Options > Mail and ensure HTML is selected under message format. If your business subscription includes encryption (most do), the option appears automatically in your compose window.

No certificates to manage, no compatibility concerns. The tradeoff? Your messages pass through Microsoft's servers, and recipients access them through a web portal rather than their regular email client.

Sending Your First Encrypted Message

Compose a new email normally, then look for the encryption controls. For S/MIME, click the Encrypt button in the ribbon or use Options > Encrypt > Encrypt with S/MIME. For Microsoft 365 encryption, select Options > Encrypt and choose your protection level.

Watch for the lock icon—that's your visual confirmation that encryption is active. No lock icon means something went wrong with your setup.

The Recipient Experience (This Is Where It Gets Interesting)

S/MIME encrypted messages decrypt automatically in compatible email clients—Outlook, Apple Mail, and some others. Recipients see your message normally, with no extra steps. But send an S/MIME message to someone without the right setup, and they'll see an unreadable attachment instead of your message.

Microsoft 365 encrypted messages work differently. External recipients get an email with instructions to access a secure web portal. They authenticate using their email credentials, then read your message in a browser. It's more steps, but it works with any email address.

When Things Go Wrong

Certificate errors usually mean your S/MIME certificate expired or wasn't installed correctly. Check the Trust Center and reinstall if needed. If recipients can't decrypt messages, you probably chose S/MIME for someone who doesn't support it—switch to Microsoft 365 encryption.

Missing encryption options typically mean your subscription doesn't include the feature, or IT policies have restricted it. Contact your administrator before troubleshooting further.

The Security Reality Check

Here's what most guides skip: email encryption only protects messages in transit and storage, not while you're writing or reading them. Both methods have the same vulnerability—someone with access to your unlocked computer can read your messages.

S/MIME provides stronger technical security, but Microsoft 365 encryption offers better practical security for most users because it's easier to implement correctly. A perfectly configured weak system often beats an improperly configured strong one.

Smart Practices That Actually Matter

  • Test encryption with a trusted contact before sending sensitive business communications
  • Keep backup copies of your private certificates in a secure location separate from your computer
  • Use descriptive subject lines that don't reveal sensitive content—subjects aren't always encrypted
  • Verify certificate expiration dates monthly and renew before they expire to avoid sending failures
  • Train recipients on accessing Microsoft 365 encrypted messages through the web portal
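
The certificate checks behind the S/MIME setup step, the certificate-error troubleshooting and the monthly expiration check above, as an added PowerShell example (not code from the original guide). It assumes the imported certificate sits in the current user's Personal store (Cert:\CurrentUser\My); the function name Test-SmimeCertificate and the 30-day warning window are hypothetical choices for illustration.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: audit S/MIME-capable certificates in the current user's
# Personal store. The 30-day warning window is an assumption.
function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [int]$WarnDays = 30
    )
    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email (emailProtection) EKU
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ku  = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }

    # A missing extension places no restriction, so treat it as "allowed".
    $forEmail = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $secureEmailOid)
    $bits = if ($ku) { [int]$ku.KeyUsages } else { -1 }   # -1 = every usage bit set
    $encBits = [int][X509KeyUsageFlags]::KeyEncipherment -bor [int][X509KeyUsageFlags]::KeyAgreement
    $canSign    = ($bits -band [int][X509KeyUsageFlags]::DigitalSignature) -ne 0
    $canEncrypt = ($bits -band $encBits) -ne 0

    $now = Get-Date
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $now).TotalDays)
    $status = if     ($now -lt $Certificate.NotBefore)  { 'NotYetValid' }
              elseif ($daysLeft -lt 0)                  { 'Expired' }
              elseif (-not $Certificate.HasPrivateKey)  { 'NoPrivateKey' }
              elseif (-not ($canSign -and $canEncrypt)) { 'SignOrEncryptOnly' }
              elseif ($daysLeft -le $WarnDays)          { 'ExpiringSoon' }
              else                                      { 'OK' }

    [pscustomobject]@{
        Email      = $Certificate.GetNameInfo([X509NameType]::EmailName, $false)
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        ForEmail   = $forEmail
        CanSign    = $canSign
        CanEncrypt = $canEncrypt
        Status     = $status
    }
}

# Report only certificates usable for email, soonest expiry first.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmimeCertificate -Certificate $_ } |
    Where-Object ForEmail |
    Sort-Object NotAfter |
    Format-Table Email, NotAfter, DaysLeft, CanSign, CanEncrypt, Status, Thumbprint -AutoSize
```

A row with Status OK and both CanSign and CanEncrypt true is a certificate that can be selected in both the Signing Certificate and Encryption Certificate dropdowns; NoPrivateKey usually points to an import that brought in only the public certificate.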

When to Skip Encryption Entirely

Don't encrypt routine business communications where speed matters more than security. S/MIME creates compatibility problems with mobile email apps and web clients that don't support certificate-based encryption. For highly classified information, use dedicated secure messaging platforms instead of any email system.

Skip encryption when recipients explicitly request unencrypted messages for their automated workflow systems. Some business processes can't handle the extra authentication steps.

FAQ

Can I encrypt emails to Gmail and Yahoo recipients?

Microsoft 365 Message Encryption works with any email provider—recipients access messages through a secure web portal. S/MIME encryption requires support in the recipient's email client; the Gmail and Yahoo web interfaces don't fully support it, though their mobile apps may.

Does email encryption slow down delivery?

S/MIME encryption processes locally and doesn't significantly impact delivery speed. Microsoft 365 encryption routes through Microsoft's servers for additional processing, which can add a minute or two to delivery time depending on server load.

Can I encrypt emails with attachments?

Both methods protect attachments along with message content. Microsoft 365 handles attachments up to 25 MB while S/MIME depends on your email server's limits. Large encrypted attachments may require alternative secure file sharing methods.

What happens if I lose my encryption certificate?

Lost S/MIME certificates prevent you from decrypting previously received messages and sending new encrypted emails. Restore from your backup copy or request a new certificate from your Certificate Authority. Microsoft 365 encryption doesn't require local certificates, so this isn't a concern for cloud-based encryption.

The next time you need to send something sensitive, you'll know which method fits your situation. And that's worth more than perfect technical security that nobody can actually use.