Sending Restricted and Confidential Data via Encrypted Email

The LETU Data Classification Policy (Policy 6.2 in the LETU Policy Handbook) details the need to keep Confidential and Sensitive Information (CSI) protected. Specifically, Restricted and Confidential data (as defined by the policy) should be encrypted. Email is a convenient way to move messages back and forth. However, email is also the digital medium that is most vulnerable and at greatest risk for compromise. The approved way to send and receive CSI is to use dedicated TLS-based web systems or APIs designed by vendors and partners for purposes of securely collecting and storing such information.

Using email is not generally an authorized way of handling secured data and is specifically prohibited unless any applicable compliance regulations allow it, the instructions below are followed, no more appropriate option is available, and all use is consistent with guidance in LETU Policy 6.2: Data Classification. If you are not certain that using encrypted email to transmit restricted or confidential data is approved under all applicable regulations, you should not use it and should instead consult a University-approved expert on handling that data type for further counsel.

For purposes of LETU compliance with Policy 6.2: Data Classification, you should only use encrypted email to send confidential information under the following circumstances:

  • The recipient:
    • has an approved business need to see the data
    • is authorized to view or possess the data by any applicable regulations
    • has the means to securely handle, store and delete the data when no longer needed
    • has committed to securely handle, store and delete the data when no longer needed
  • You:
    • are confident from past experience or contract that the individual will follow through on secure handling of the data
    • have LETU approval to provide that individual the data
    • have no more appropriate means, including TLS websites, API calls or similar best practice, to transmit the data
    • fully understand any applicable government or standards body regulations and have confirmed they allow this method for securely transmitting the data in question
    • are not sending certain restricted PII data, such as credit card numbers or social security numbers, which LETU policy does not allow to be transmitted via email of any kind


LETU's email system supports encryption. Instructions for using this solution are below.

Overview: A message that is encrypted by Microsoft 365 Message Encryption is delivered to a recipient’s inbox just like any other email message. If the recipient has Outlook 2013 or 2016 and a Microsoft 365 email account, they'll see an alert about the item's restricted permissions in the Reading pane. After opening the message, the recipient can view the message just like any other.

Messages that have the encrypt-only policy applied can be read directly in Outlook on the web, in Outlook for iOS and Android, and now in Outlook for PC versions 2019 and Microsoft 365. Other recipients will see a message with a link. That link will take Microsoft 365 users to Outlook on the web to read the message. Users with other email accounts will be prompted to obtain a one-time passcode and read the message in a browser window.

If the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets them either sign in to read the email message or request a one-time passcode to view the message in a web browser.

Send an encrypted message using Outlook for PC

Note: LETU may define rules to automatically encrypt messages that meet certain criteria. Any LETU-wide encryption rules will be applied automatically. The steps below describe how you can choose to encrypt an individual message.

If you want to encrypt a message, you can apply a variety of different encryption rules before you send the message. To send an encrypted message from Outlook 2013 or 2016, or Outlook 2016 for Mac, select Options > Encrypt (on some clients it will be Options > Permissions), then select the protection option you need. You can also send an encrypted message by selecting the Protect button in Outlook on the web.


  • Selecting "Encrypt-only" encrypts the message but does not prevent the recipient from forwarding it.
  • Selecting "Do Not Forward" prevents the recipient from forwarding the message accidentally, but you should be aware that the recipient may still screenshot or otherwise copy the message. This option prevents unintentional forward-all and similar accidents; it does not stop a determined recipient.


Caution

As described above, while these options encrypt the message, it must ultimately be decrypted and displayed in order to be read by your recipient. At that point the security of the message, the data in it, and any attachments is fully dependent on the actions of the recipient.

In addition, if the recipient's remote mail account itself is compromised, whoever controls that compromised account can authenticate with its credentials and decrypt this email.

As a result, native email encryption should only be treated as securing the message while it is in transit. It is very important to be confident in the security of the recipient's email account before sending.

In particular: if a message is misaddressed (e.g., to JaneSmit@gmail.com instead of JaneSmith@gmail.com), whoever owns JaneSmit@gmail.com will not only receive the encrypted message notice, but will also be allowed to use their own email credentials to decrypt it.

To guard against this risk, always double-check the recipient address. Where the information is extremely sensitive, you should place it in an encrypted Word document, Excel spreadsheet, or PDF protected with a long password, and transmit that password separately (e.g., via phone call) to the recipient. In this way, no one but the individual possessing the password for the encrypted attachment will be able to read the content.


View and reply to an encrypted message for Microsoft 365 recipients using Outlook for PC

You can read messages encrypted with the encrypt-only or do-not-forward policies in Outlook 2013 and Outlook 2016 for PC, Outlook 2016 for Mac, Outlook on the web, Outlook for iOS, and Outlook for Android.

Users with other email accounts will be prompted to obtain a one-time passcode and read the message in a browser window.

To reply to an encrypted message

  1. Choose Reply or Reply All.

  2. On the page that appears, type a reply and choose Send. An encrypted copy of your reply message is also sent to you.

View and reply to an encrypted message without Microsoft 365 using Outlook for PC

If you're not using Outlook with Microsoft 365, your encrypted message will contain a link in the message body.

  1. Select Read the message.

  2. Select how you'd like to sign in to read the message. If your email provider is Google, Yahoo, or Microsoft, you can select Sign in with Google, Yahoo, or Microsoft respectively. Otherwise, select Sign in with a one-time passcode.

  3. Once you receive the passcode in an email message, make a note of it, return to the web page where you requested the passcode, enter it, and select CONTINUE.

    Tip: Each passcode expires after 15 minutes. If that happens, or if you can’t open the message for any reason, start over by opening the attachment again and following the steps.


Source: https://support.microsoft.com/en-us/office/send-view-and-reply-to-encrypted-messages-in-outlook-for-pc-eaa43495-9bbb-4fca-922a-df90dee51980?ui=en-US&rs=en-US&ad=US