
Email Encryption: How to Send Confidential Emails Securely


Email remains the primary communication channel for UK businesses, handling everything from routine correspondence to the transmission of highly sensitive financial data, legal documents, personal information, and strategic business plans. Yet despite the critical nature of much email content, the vast majority of UK businesses send even their most confidential communications without any form of encryption — effectively sending the digital equivalent of a postcard that anyone along the delivery route can read.

The risks are not theoretical. Email interception, account compromise, and misdirected messages are everyday occurrences. The Information Commissioner's Office (ICO) regularly investigates data breaches involving unencrypted email, and the penalties under UK GDPR for failing to protect personal data in transit can be severe. Beyond regulatory risk, the reputational damage from a confidential email falling into the wrong hands can be devastating.

This guide explains what email encryption is, why it matters for UK businesses, the different encryption methods available, and how to implement practical email encryption using Microsoft 365 — the platform most UK SMEs already use.

  • 94% of UK cyber attacks are delivered via email
  • 83% of UK businesses send sensitive data via unencrypted email
  • £4.1M average cost of a data breach involving email in the UK
  • 62% of data breaches reported to the ICO involve email

What Is Email Encryption?

Email encryption is the process of encoding the content of an email message so that only the intended recipient can read it. Without encryption, an email travels across the internet in plain text, passing through multiple servers and network devices, any of which could potentially intercept and read the content. With encryption, the message is scrambled into unreadable ciphertext that can only be decoded by someone with the correct decryption key.

There are two distinct types of email encryption, and understanding the difference is essential for making informed decisions about your organisation's approach.

Transport Layer Security (TLS)

Transport Layer Security (TLS) encrypts the connection between email servers during transmission. Think of it as an armoured van transporting your message — the message is protected while in transit, but once it arrives at its destination, it is stored in plain text. TLS is the baseline standard for email encryption and is used automatically by most modern email systems, including Microsoft 365 and Google Workspace. However, TLS has a significant limitation: it only protects the message during transmission, not at rest. If a recipient's email account is compromised, TLS-encrypted messages are fully readable.

End-to-End Encryption (E2EE)

End-to-end encryption protects the message content itself, not just the transmission channel. The message is encrypted on the sender's device and can only be decrypted by the intended recipient. Even the email provider cannot read the message content. This provides a much higher level of protection, as the message remains encrypted at rest, in transit, and even if an intermediary system is compromised.

Transport Layer Security (TLS)

  • Automatic — no user action required
  • Protects email during transmission
  • Supported by all major email platforms
  • No impact on recipient experience
  • Does NOT protect at rest
  • Suitable for routine business email

End-to-End Encryption (E2EE)

  • Requires deliberate activation per message
  • Protects content at rest and in transit
  • Requires compatible systems or portals
  • May require recipient to authenticate
  • Protects even if accounts are compromised
  • Essential for highly sensitive data

When Should You Encrypt Emails?

Not every email needs end-to-end encryption. The overhead and friction of encryption should be proportionate to the sensitivity of the content. Here is a practical framework for deciding when encryption is warranted.

Always encrypt emails containing personal data as defined under UK GDPR (names, addresses, financial details, health information, National Insurance numbers), legal documents and contracts, financial information including invoices with bank details, intellectual property and trade secrets, board papers and strategic plans, and any information that could cause harm if disclosed to unauthorised parties.

Consider encrypting internal communications about sensitive business matters, HR correspondence, negotiations with suppliers or partners, and communications with external advisers including accountants and solicitors.

Standard TLS is sufficient for routine business correspondence, meeting arrangements, general enquiries, and internal communications that do not involve sensitive data.

The UK GDPR Perspective on Email Encryption

Article 32 of the UK GDPR requires organisations to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk, explicitly mentioning "encryption" as one such measure. The ICO has stated that the failure to encrypt emails containing personal data, particularly when transmitted externally, may constitute a breach of this obligation. Whilst encryption is not mandatory for every email, the absence of any encryption capability for sensitive communications is increasingly difficult to justify in the event of a data breach investigation.

Email Encryption in Microsoft 365

For the majority of UK SMEs using Microsoft 365, there are several built-in encryption options that require no additional software or cost.

Microsoft 365 Message Encryption (OME)

Office 365 Message Encryption (OME) is included with Microsoft 365 Business Premium, E3, and E5 licences. It allows users to send encrypted emails to anyone, regardless of the recipient's email provider. The recipient receives a notification with a link to a secure web portal where they authenticate and read the message. OME can be triggered manually by users (by applying the "Encrypt" option in Outlook) or automatically via mail flow rules — for example, encrypting all emails containing credit card numbers or National Insurance numbers.

Sensitivity Labels

Microsoft Purview sensitivity labels provide a more sophisticated approach to email encryption. Labels such as "Confidential" or "Highly Confidential" can be configured to automatically encrypt messages, restrict forwarding, prevent printing, and apply watermarks. Users select the appropriate label when composing a message, and the corresponding protections are applied automatically. This approach is particularly powerful because it integrates encryption into a broader information protection framework.

S/MIME Encryption

Secure/Multipurpose Internet Mail Extensions (S/MIME) provides certificate-based end-to-end encryption. Both sender and recipient must have S/MIME certificates, which makes it impractical for ad hoc external communication but excellent for regular encrypted correspondence between known parties — for example, between your organisation and your legal advisers or accountants.

Comparison of the four methods (included in, what the recipient needs, ease of use, best for):

TLS (automatic)
  • Included in: all Microsoft 365 plans
  • Recipient needs: nothing — automatic
  • Ease of use: invisible to users
  • Best for: baseline protection for all email

OME
  • Included in: Business Premium, E3, E5
  • Recipient needs: a web browser for the portal
  • Ease of use: simple — one click
  • Best for: sensitive emails to external recipients

Sensitivity Labels
  • Included in: Business Premium, E3, E5
  • Recipient needs: varies by label configuration
  • Ease of use: simple — select a label
  • Best for: organisation-wide classification

S/MIME
  • Included in: all plans (certificate required)
  • Recipient needs: an S/MIME certificate
  • Ease of use: complex setup
  • Best for: regular encrypted correspondence with known parties

Implementing Email Encryption: A Practical Approach

Rolling out email encryption across your organisation requires planning and a phased approach to avoid confusion and resistance from users.

Phase 1: Policy and Classification

Before implementing any technology, define your email classification policy. Identify which types of information require encryption, document the criteria clearly, and communicate them to all staff. This policy should align with your broader data classification framework and your obligations under UK GDPR.

Phase 2: Technical Configuration

Configure your chosen encryption method in Microsoft 365. For most UK SMEs, we recommend starting with OME and sensitivity labels. Set up mail flow rules that automatically encrypt emails matching specific criteria — for example, emails containing keywords like "confidential" in the subject line, emails to specific external domains, or emails detected as containing personal data patterns.
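The automatic mail flow rules described here and in the OME section above, as added example code that is not from the original post: Exchange Online PowerShell (ExchangeOnlineManagement module) creating the three triggers named in Phase 2 (subject keyword, external domain, personal data pattern) with the OME "Encrypt" template, then listing the result. Assumed: the rule names, the example.com adviser domains, and that the sensitive information type names match those published in your tenant.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and an admin role that can manage transport rules. "Encrypt" is the
# built-in OME template that gives external recipients the portal experience.
Connect-ExchangeOnline

# Trigger 1: keyword in the subject line. Scoped to external recipients so that
# internal mail is not needlessly wrapped in OME.
New-TransportRule -Name "OME - confidential keyword" `
    -Priority 0 `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "confidential" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Trigger 2: personal data patterns (the credit card and NI number examples from
# the OME section). Type names must match your tenant; list them with
# Get-DlpSensitiveInformationType | Select-Object Name
New-TransportRule -Name "OME - personal data detected" `
    -Priority 1 `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "Credit Card Number"; MinCount = "1" },
        @{ Name = "U.K. National Insurance Number (NINO)"; MinCount = "1" }
    ) `
    -ApplyRightsProtectionTemplate "Encrypt"

# Trigger 3: named external domains, e.g. your solicitors and accountants.
# The example.com domains are placeholders (assumption).
New-TransportRule -Name "OME - trusted advisers" `
    -Priority 2 `
    -RecipientDomainIs "solicitors.example.com", "accountants.example.com" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Confirm the rules exist and are enabled before announcing them to staff.
Get-TransportRule | Where-Object { $_.Name -like "OME - *" } |
    Format-Table Name, Priority, State, ApplyRightsProtectionTemplate
```

Send a test message that matches each rule to an external mailbox you control and confirm it arrives via the OME portal before Phase 3 training starts.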

Phase 3: User Training

Train all staff on when and how to use email encryption. Keep it practical — show them exactly which button to click in Outlook, explain why it matters, and provide examples relevant to their roles. A finance team member needs to understand that emailing bank details requires encryption. An HR manager needs to understand that employee personal data must be encrypted. Make the training role-specific and practical rather than abstract and theoretical.

Phase 4: Monitoring and Refinement

Monitor encryption usage through Microsoft 365 reporting. Are users actually applying encryption when they should be? Are mail flow rules catching the sensitive content they are designed to identify? Are recipients experiencing problems accessing encrypted messages? Use this data to refine your rules and training over time.

  • Week 1-2: Define email classification policy
  • Week 2-3: Configure OME and sensitivity labels
  • Week 3-4: Set up automatic mail flow rules
  • Week 4-5: Deliver staff training
  • Ongoing: Monitor, refine, and report

Common Mistakes With Email Encryption

Even well-intentioned encryption implementations can go wrong. Here are the most common mistakes we see UK businesses make.

Encrypting everything. Encrypting every single email creates friction for recipients, generates support tickets, and causes users to view encryption as an annoyance rather than a protection. Encrypt what needs encrypting, and leave routine correspondence alone.

Forgetting the recipient experience. If external recipients find your encrypted emails confusing or difficult to access, they will ask you to resend the information unencrypted — defeating the entire purpose. Test the recipient experience thoroughly before rolling out, and provide clear instructions within the encrypted message.

Not training users. Deploying encryption technology without training users is a recipe for either non-adoption (users ignore it) or frustration (users apply it incorrectly). Investment in training pays for itself many times over.

Relying solely on user discretion. If encryption depends entirely on users remembering to apply it, sensitive data will inevitably be sent unencrypted. Automatic mail flow rules that detect and encrypt sensitive content patterns provide a safety net for human forgetfulness.

Need Help Securing Your Email?

Cloudswitched configures and manages email encryption for UK businesses using Microsoft 365. From policy development and technical configuration to user training and ongoing monitoring, we ensure your sensitive communications are properly protected. Contact us for an email security assessment.
