Tuesday, April 3, 2012

Is My Office 365 E-mail Secure? - Part 1: Outlook

I've had a number of questions come up lately about the security of sending e-mails in Office 365.  People want to know:
  1. Is my e-mail traffic is encrypted when I send it to or receive it from Office 365?
  2. Are e-mails sent from Office 365 encrypted when being transmitted to their eventual destinations.

So the answers are #1 maybe and #2 generally.  To clear up that mud let's dig in to Office 365 a little bit.  In this first part I'll address #1.  Your answer to #2 follows in Is My Office 365 E-mail Secure? - Part 2: The "Cloud".

When you set up a workstation with a full Outlook (2010 in my example, other versions are similar) client to connect to Office 365 it creates an Outlook Anywhere session between your local computer and the Office 365 service.  Outlook Anywhere is a feature where normal Outlook communications are encapsulated within HTTPS traffic - meaning you don't have to be near the server to connect to it.  HTTPS, for those of you who aren't familiar with the difference between HTTP and HTTPS, is how you connect securely to web pages on the internet.

If you look in your Outlook settings (File - Account - Account Settings) and go to the properties for your e-mail account you can see for your self.


Once you see your e-mail accounts listed choose the account listed as type=Microsoft Exchange and click the Change button.

Next click More Settings.

From the Security tab you can verify that communications between Outlook and Exchange are encrypted.

Next, from the Connection tab click on the Exchange Proxy Settings button.  The top line should read something like  If you see HTTPS there you are using a secure connection.

Finally, for the last bit of verification look at the drop-down box in the same window.  If NTLM Authentication is selected then you are not transmitting your password in plain text to establish the HTTPS connection - you are secure.

I haven't answered the question regarding use of the web mail version of Outlook, Outlook Web Access yet though.  The simple answer is that since your browser lists "HTTPS://" in front of the web address for Outlook Web Access in the browser's URL field you are assured that your entire session including all e-mail and other data is safe from prying eyes.

So, to summarize, your internet session to Office 365 is encrypted from the start and your username, password and e-mail data are all protected.  If you installed Office 365 correctly, Outlook doesn't even need your username and password because the Microsoft Single Sign-on (or Active Directory Federation Services for larger customers) did the hard work before you even opened it.

Check back for Part 2 ... Is My Office 365 E-mail Secure? - Part 2: E-mails on the Internet.
Enhanced by Zemanta


  1. Part 2 is now available at

  2. Everything we seem to have matches what you have here except for the Proxy Authentication settings. We have ours set to Basic. So my question is if we have it on Basic instead of NTLM, are the credentials being sent clear text, unencrypted?

    I also found this article that states we can’t use NTLM, but it’s set to Basic to work with various client programs:

    Your help would be much appreciated regarding this.

  3. Good articles. This is good that Office 365 provides channel security between Outlook clients and Cloud server. But would you tell me about mailbox security residing on Office 365 servers? Is data encrypted that even MS does not have access to it? If MS can view or access Email data, what would be the best approach to secure confidential data? Does MS allows customers to encrypt data and manage their own keys? Thanks.

  4. Office 365 tenant (account) data is segmented (not encrypted) at rest. This means that while the data is just sitting in the Microsoft data center there is no encryption on the data itself. Rather than encrypt the data (for performance and other reasons) on the disk, access to the data is restricted and transmission of the data is secured. Customer data is separated logically except for government and other "dedicated" large customers where the data may be physically separated as well.

    In effect, there is no way to actually get at the unencrypted data. It is stored in large databases for the most part. Using a combination of industry security best practices and methodologies, Microsoft has achieved many (including ISO-27001, EU Model clauses, HIPAA-BAA and FISMA)certifications and is verified by 3rd party auditors as well.

    You can see more specifics at

  5. It is not necessary that every direct mail marketing format will be essential yet effective tool for every business. It might possible that you have to use other supportive advertising strategies as well for better outcome.
    extract emails

  6. You have done good work by publishing this article here.Smtp Bulk Email Service Providers I found this article too much informative, and also it is beneficial to enhance our knowledge. Grateful to you for sharing an article like this.

  7. Really appreciate this wonderful as we have seen here. This is a great source to enhance knowledge for us. Thankful to you for sharing an article like this.Buy USA email database


Due to excessive spam, only registered users may post comments. Comments are unmoderated and post immediately but they are monitored. Inappropriate content will be removed promptly and will get you banned.

If you wish to communicate with me outside of this blog please e-mail me at

Related Posts Plugin for WordPress, Blogger...