You need to send sensitive information such as financial data, legal documents, or personal health details through email. Outlook includes a built-in feature called Office Message Encryption or OME that protects your message content from unauthorized access. This article explains what OME does and the exact steps to encrypt an email in Outlook for Windows, Outlook on the web, and Outlook for Mac. By the end, you will be able to send encrypted emails that only your intended recipients can read.
Key Takeaways: Sending Encrypted Emails With OME
- File > Options > Trust Center > Trust Center Settings > Email Security: Locate the encryption settings in classic Outlook for Windows.
- Options > Encrypt button in a new message: The quickest way to apply OME encryption to a single email.
- OME versus S/MIME: OME does not require certificates or prior key exchange, while S/MIME requires both sender and recipient to have certificates.
What Is Office Message Encryption and How It Works
Office Message Encryption is a service included with Microsoft 365 subscriptions that contain Azure Rights Management. When you encrypt a message with OME, Outlook converts the email into an encrypted HTML attachment. The recipient receives a notification email with a link. After signing in with a Microsoft account or a one-time passcode, the recipient can view the decrypted message in a secure web portal.
OME works with any email address, including Gmail, Yahoo, and Outlook.com. The sender must have a Microsoft 365 subscription that includes Azure Information Protection. The recipient does not need any special software. OME supports attachments and inline images in the encrypted message. The service also lets you set expiration dates and revoke access after sending.
Prerequisites for Using OME
Before you can encrypt an email with OME, verify the following:
- Your Microsoft 365 plan includes Azure Rights Management. Business Premium, Enterprise E3, and Enterprise E5 include this feature. Exchange Online Plan 1 does not include it.
- You are using Outlook for Windows version 1908 or later, Outlook on the web, or Outlook for Mac version 16.42 or later.
- Your organization has enabled OME in the Exchange admin center. Most Microsoft 365 tenants have OME enabled by default.
How to Encrypt an Email With OME in Outlook for Windows
The process differs slightly depending on whether you use the classic ribbon or the simplified ribbon. The steps below work for both layouts.
- Open a new email message
Click New Email on the Home tab. Compose your message as usual. - Locate the Encrypt button
In the message window, go to the Options tab. In the Permission group, click Encrypt. If you see a dropdown arrow next to Encrypt, click it to see additional options such as Do Not Forward. - Select the encryption option
Choose Encrypt-Only if you want the recipient to be able to forward, copy, and print the message. Choose Do Not Forward if you want to prevent those actions. - Send the message
Click Send. The message is encrypted on the client side and sent to the recipient.
If the Encrypt button is grayed out, your account may not have an OME license. Contact your Microsoft 365 administrator to verify your subscription includes Azure Rights Management.
How to Encrypt an Email With OME in Outlook on the Web
Outlook on the web also supports OME encryption with a simplified interface.
- Compose a new message
Click New message at the top of the page. Fill in the To, Subject, and body fields. - Open the encryption options
Click the three-dot menu More options in the message toolbar. Select Message options. In the right pane, locate the Permission section. - Apply encryption
Click the dropdown under Permission and choose Encrypt or Do Not Forward. The message header will show a lock icon to confirm encryption is active. - Send the message
Click Send. The recipient will receive the encrypted email notification.
How to Encrypt an Email With OME in Outlook for Mac
Outlook for Mac uses a similar approach to the Windows version.
- Create a new message
Click New Email in the toolbar. Write your message. - Find the Encrypt button
Go to the Options tab in the message window. Click Encrypt in the Permission group. - Choose an encryption policy
Select Encrypt-Only or Do Not Forward from the dropdown menu. - Send the message
Click Send. Outlook encrypts the email before sending it.
Common Issues When Using OME and How to Avoid Them
The Encrypt button does not appear in the ribbon
If you do not see the Encrypt button, your Outlook client may not be updated to a version that supports OME. Install the latest updates from File > Office Account > Update Options > Update Now. If the button still does not appear, your Microsoft 365 tenant may have OME disabled. Contact your administrator to enable the feature in the Exchange admin center under Mail flow > Message encryption.
The recipient cannot open the encrypted message
The recipient must sign in with a Microsoft account or use a one-time passcode sent to their email address. If the recipient does not receive the passcode email, ask them to check their spam folder. The passcode email comes from no-reply@microsoft.com. If the recipient uses a corporate email account that blocks external links, they may need to ask their IT team to allow the OME portal URL: azure.microsoft.com.
OME encryption is applied to all outgoing messages
Some organizations set a default encryption rule in the Exchange admin center that encrypts every outbound email. If you cannot send unencrypted messages, your administrator has configured a transport rule. You cannot override this rule from the Outlook client. Contact your administrator if you need to send unencrypted messages to specific recipients.
OME vs S/MIME: Key Differences
| Item | Office Message Encryption (OME) | S/MIME |
|---|---|---|
| Certificate requirement | None for sender or recipient | Both sender and recipient need a digital certificate |
| Recipient email type | Any email address | Only recipients with compatible email clients |
| Viewing the message | Opens in a secure web portal | Opens directly in the recipient’s email client |
| Attachment handling | Attachments are encrypted with the message | Attachments can be signed or encrypted separately |
| Revocation | Supported via the Microsoft 365 compliance center | Not supported after sending |
| Subscription required | Microsoft 365 with Azure Rights Management | Any email system that supports S/MIME |
You now know how to encrypt an Outlook email using Office Message Encryption in all major Outlook clients. After sending your first encrypted message, test the recipient experience by sending an encrypted email to a personal Gmail or Yahoo address. For advanced control, explore the Microsoft 365 compliance center where you can set expiration dates and revoke access to encrypted messages after they are sent.