1
Microsoft 365 Email Encryption –
User Guide
Issue: 2.0
Issue Date: 12/04/2021
Distribution: Internal
2
Contents Overview .......................................................................................................................................................................... 3
Permission Selection Flowchart ..................................................................................................................................... 4
List of Supported Email Services .................................................................................................................................. 4
List of Unsupported Email Services .............................................................................................................................. 4
Permission Matrix for Sender & Recipient .................................................................................................................. 5
Permission Access Comparison ..................................................................................................................................... 6
Permission Level 1: Encrypt – only ............................................................................................................................... 7
Permission Level 2: Do Not Forward ............................................................................................................................ 8
Permission Level 3: Barnardos.org.uk – Confidential ................................................................................................ 9
Permission Level 4: Barnardos.org.uk – Confidential View Only ........................................................................... 10
Permission Level 5: Echoworx add-in ......................................................................................................................... 11
Install Echoworx add-in on Outlook ....................................................................................................................... 11
Permission Level 6: [ENCRYPT] in the subject line ................................................................................................. 12
How external recipients manage encrypted emails with Barnardo’s ....................................................................... 13
3
Overview
Users need to set an appropriate permission level to restrict what recipients can do with an email. There are
six types of permission levels available to choose from when you send an email. Note that these levels are
not in order of security, and you are advised to use the method appropriate for the context of the email and
compatibility with the recipients.
Permission Level 1 and 2: For encrypting external emails to recipients with supported email services.
1. Encrypt – only: Emails deliver encrypted to external recipients with compatible email services.
2. Do Not Forward: Emails deliver encrypted to external recipients with compatible email services.
The recipients can reply, edit, and save the email but cannot forward it to other email addresses.
Permission Level 3 and 4: For adding extra sensitivity for internal emails only.
3. Barnardos.org.uk – Confidential: Emails intended for internal users with Barnardos’ email
addresses only. The recipients will have full permissions to the email. Non-Barnardos’ email
addresses cannot open the email.
4. Barnardos.org.uk – Confidential View Only: Emails intended for internal users with Barnardos
email addresses only. The recipients can only view the email. Non-Barnardos’ email addresses
cannot open the email.
All internal emails are secure and do not require encryption. The above permissions are intended for extra
sensitivity applied to internal emails. Please refer to ‘Permission Level Access Comparison’ for further
information.
Permission Level 5 and 6: For encrypting external emails to recipients with unsupported email services.
5. Echoworx add-in: Emails deliver encrypted to external recipients with incompatible email services.
It provides the same protection as permission level 1, while the application is different for the sender
and receiver.
6. [ENCRYPT] in the subject line: This permission policy uses the same mechanism as permission
level 5 but applied in a different user interface/layout for the sender.
4
Permission Selection Flowchart
List of Supported Email Services
- Hotmail, Microsoft 365, Outlook 2013 and above.
- Gmail, Yahoo Mail.
- Other supported email services. Sender is advised to ask the recipients about their email service and
its compatibility with Microsoft 365; if unsure, please send an encrypted test email and confirm if the
recipient can receive and access the email and its attachment.
List of Unsupported Email Services
- Outlook 2010
- Other unsupported email services. Recipients with unsupported email service should be sent an
encrypted email via Permission Level 5 and 6.
5
Permission Matrix for Sender & Recipient
Internal Sender (Microsoft 365 user)
Recipient
Email encryption,
with/without attachments
using:
External Internal
Hotmail,
Microsoft 365,
Outlook 2013
& above.
Gmail,
Yahoo Mail
Other
supported
email services
Outlook 2010
Other
unsupported
email services
Microsoft 365
user
Non-
Microsoft 365
user
Permission Level 1 & 2
Outlook & Web
* *
Permission Level 3 & 4
Outlook & Web Not applicable for external emails.
Permission Level 5
Echoworx add-in Outlook Use Permission Level 1 and 2. * *
Not applicable for internal
emails.
Permission Level 6
[Encrypt] in the subject line
on Outlook & Web
Use Permission Level 1 and 2. * * Not applicable for internal
emails.
Key:
Successful encryption – Recipient does not require to register to access the email.
* Successful encryption – Recipient required to register before accessing the encrypted email.
Denied – Encrypted email is not delivered to the recipient; the sender needs to use an alternative Permission Level.
6
Permission Access Comparison
Permission Level View Edit Copy Print Save Export Full
Control Reply
Reply
All Forward
1. Encrypt – only
2. Do Not Forward
3. Barnardos.org.uk – Confidential
4. Barnardos.org.uk – Confidential
View Only
5. Echoworx Add-in
6. [ENCRYPT] in the subject line
Key:
Allowed
Not allowed
7
Permission Level 1: Encrypt – only
Send encrypted messages to external recipients with any supported email services.
Note 1: Supported email services include Microsoft 365, Outlook 2013 and above, Hotmail, Gmail, Yahoo
Mail, and other supported email services. Users are advised to ask the recipients about their email service and
its compatibility with Microsoft 365. If unsure, please send an encrypted test email and confirm if the recipient
can receive and access the email and its attachment.
Note 2: Recipients with unsupported email service, e.g., some external partners with Outlook 2010, should be
sent an encrypted email via Permission Level 5 and 6.
Outlook 365
Outlook Web
8
Permission Level 2: Do Not Forward
Send encrypted messages to external recipients with any supported email services. This option prevents:
▪ the internal/external recipients from copying anyone to the email, i.e., no CC and BCC. The forward
button on the email will be greyed out.
▪ Screenshots. Be aware that recipients could still take a picture of the message using a camera.
If the recipient has automatic forwarding set up for their account, the message will be forwarded, but it can
only be opened with the account for which it was originally sent.
Outlook 365
Outlook Web
9
Permission Level 3: Barnardos.org.uk – Confidential
This content is proprietary information intended for internal users only. This option prevents external
recipients from being able to view the email.
Outlook 365
Outlook Web
10
Permission Level 4: Barnardos.org.uk – Confidential View Only
This content is propriety information for internal users only. This option prevents external recipients from
being able to view the email.
Outlook 365
Outlook Web
11
Permission Level 5: Echoworx add-in
Send encrypted messages to external recipients with an unsupported email service such as Outlook 2010.
This option requires the sender to install the Echoworx add-in from the Company Portal on their Outlook (see
below). The recipient receives an email with an instruction link to register before accessing the email content.
Any future email does not require registration.
Install Echoworx add-in on Outlook
Windows 10 > Start > Company Portal > Search Echoworx
Outlook 365
Outlook Web
Not available on the web.
12
Permission Level 6: [ENCRYPT] in the subject line
Send encrypted messages to external recipients with an unsupported email service such as Outlook 2010.
The recipient receives an email with an instruction link to register before accessing the email content. Any
future email does not require registration.
Note: [ENCRYPT] is not case sensitive, i.e., [encrypt], [enCRYpT]. Inclusion of square brackets [ ] are
required. Be aware that misspelling of the word [encrypt] will result in sending an email unencrypted.
Outlook 365
Outlook Web
13
How external recipients manage encrypted emails with Barnardo’s
A separate user guide for managing encrypted emails from Barnardo’s is available to demonstrate how
external recipients can access encrypted emails from us. You may share the guide with the recipients if they
have concerns with accessing your encrypted emails.
Link to ‘Managing Encrypted Email with Barnardos’: https://inside.barnardos.org.uk/resources-and-
guidance/information-services/software-and-systems/encrypting-emails
14
Need further help and support?
▪ Workplace: Technology Transformation Group
▪ Email: [email protected]
▪ Phone: 0330 222 0199
▪ Inside. Barnardos: Microsoft 365 – Software Support Centre
Associated Guidance and Documents
▪ Information Security and Data Protection – User Guidance
▪ Information Security Policy
▪ Data Protection Policy
▪ Information Sharing Policy
Document History
Version Date Author Status Comment
1.0 25/02/2021 Daniel Ganji Final First definitive version
2.0 09/04/2021 Daniel Ganji Draft Adding flowchart, amending matrix and
comparison tables.