Tuesday, May 22, 2012

Is My Office 365 E-mail Secure? - Part 2: The "Cloud"


So, a while back I wrote an article about Office 365's security and talked about the connection between Outlook and Office 365 and also between the browser and Outlook Web Access (at  Both are secure.  Outlook uses Outlook Anywhere (an RPC session encapsulated within an SSL HTTPS connection) and Outlook Web Access uses a secure SSL HTTPS session.

The question I didn't answer, however, was what happens to your e-mail when it leaves Office 365.  Does it remain encrypted?  I'm back now with some answers.

Let's start with a diagram:

The scenarios where you have mail transfer with Office 365 are:
  • Mailbox traffic & Outlook Web Access - covered in Is My Office 365 E-mail Secure? - Part 1: Outlook
  • SMTP relay from on premises applications and devices that don't directly support TLS (more on this in a minute)
  • SMTP relay using TLS
  • Mail delivery to servers that do not support TLS
  • Mail delivery to servers using TLS

Before I dig into those four new scenarios, let's talk about TLS.  TLS stands for Transport Layer Security.  If you're familiar with SSL (Secure Sockets Layer), TLS is similar.  TLS encrypts "the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity." (Credit

Mail Delivery
SMTP (Simple Mail Transfer Protocol) is used to transfer e-mail between mail servers on the internet.  SMTP transfers e-mail unencrypted, in plain text.  To enable secure communications additional measures must be taken.  TLS provides that functionality.

TLS can be enabled on Microsoft Exchange systems and is enabled by default on Office 365.  TLS has two settings: opportunistic and forced.  Opportunistic TLS checks whether the partner in each e-mail conversation also supports TLS and, if it does, the conversation is encrypted.  If TLS is not supported, the conversation falls back to standard unencrypted communications.  Opportunistic TLS functions "out of the box" for Office 365 and requires no configuration.

If you wish to force encryption between your organization and another, you'll want to look into forced TLS.  This changes the behavior of Office 365 to check each e-mail communication for TLS support and then to deny connections with any systems that do not support TLS.  The communication partner can be configured for opportunistic or forced TLS; it doesn't matter which.  This video will introduce you to forced TLS.  In Office 365, TLS is configured within Forefront Online Protection for Exchange (or FOPE).  It is not necessary to use FOPE for normal Office 365 operation, but it gives you (in E1 and higher plans) the ability to perform more advanced configurations.
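The two modes described above, written out as a sending policy in Python's smtplib. This is an added example, not code from the post or from Microsoft: `decide_tls` is the opportunistic-versus-forced decision the post describes, and the `deliver` helper (host, sender, recipient, port) is hypothetical.

```python
import smtplib
import ssl

# Added example, not code from the post: the two TLS modes the post describes,
# expressed as a sending policy. Opportunistic upgrades the session with STARTTLS
# when the peer advertises it and otherwise falls back to cleartext; forced refuses
# to send to any peer that does not offer STARTTLS.

OPPORTUNISTIC = "opportunistic"
FORCED = "forced"


def decide_tls(ehlo_keywords, policy):
    """Choose an action from the peer's EHLO keywords and the configured policy.

    Returns "starttls", "plaintext" or "refuse".
    """
    if policy not in (OPPORTUNISTIC, FORCED):
        raise ValueError(f"unknown TLS policy: {policy!r}")
    if any(k.lower() == "starttls" for k in ehlo_keywords):
        return "starttls"          # both modes encrypt when the peer can
    if policy == OPPORTUNISTIC:
        return "plaintext"         # fall back, as the post says Office 365 does
    return "refuse"                # forced mode denies the connection


def deliver(host, sender, recipient, message, policy=OPPORTUNISTIC, port=25):
    """Connect to `host` (hypothetical next hop), apply `policy`, send `message`.

    Returns the action taken. The TLS context verifies the peer certificate,
    which forced-TLS deployments normally require as well.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        action = decide_tls(smtp.esmtp_features, policy)  # dict keyed by keyword
        if action == "refuse":
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing under forced TLS")
        if action == "starttls":
            smtp.starttls(context=context)
            smtp.ehlo()  # re-read capabilities on the now-encrypted channel
        smtp.sendmail(sender, recipient, message)
    return action
```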

SMTP Relay
So, back to the diagram above.  In this scenario, an SMTP relay server is used to facilitate the sending of e-mail for on-premises applications and devices.  Exchange servers are often used to relay e-mail to the internet, and when they are removed a new IIS (Internet Information Server) server can be used to replace that functionality.  This is necessary because Office 365 does not allow anonymous, unencrypted e-mail relay.  Many devices and applications do not support secure connections using TLS directly, so it is necessary to stand up a replacement relay server that can proxy that secure connection for them.

In the diagram, internal applications and devices deliver their e-mail to the relay server with a standard anonymous SMTP connection.  The relay server is configured with a certificate and then creates a TLS connection with Office 365 to deliver the e-mail.  It is possible for an SMTP relay server to deliver e-mail directly to the destination server, but this bypasses the e-mail hygiene features of Office 365 among other things.  Make sure to check Office 365's restrictions before relaying through the service to make sure that you can do so.  In some cases, you may not wish for your e-mail to be limited and won't care whether it is secure or not.

For more on how to set up an on-premises SMTP relay server see

So, we've discovered that:
  • E-mail between Office 365 and other mail systems is secure by default (using TLS when supported by the partner mail system) and can be forced to be secure when necessary.
  • SMTP relay communications can be configured to be secure and use Office 365 when combined with TLS as well.
  • Communications between Outlook / web browsers and Office 365 are encrypted with SSL.


  1. Is there a way to do any of the following:

    1) Determine before sending if the recipient has TLS?
    2) Force TLS on a per message basis, rather than globally?
    3) Determine if a message was sent using TLS or not?

  2. There are some good TLS tools you should check out at

    1 - One of the tools lets you check if a particular system supports TLS I believe. You can also just connect from a command prompt using telnet using the procedure at combined with

    2 - I don't know of a way to do a per message TLS. You can enforce it per domain or IP address, and maybe per destination e-mail address, but I've never seen an option to enforce it per message.

    3 - TLS encrypted messages can be identified by looking at the e-mail header... it should be apparent that TLS is enabled when looking there.
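One way to do the header check from point 3, as an added example that is not part of the comment or the post: parse each Received: header of a message and report whether that hop used TLS. RFC 3848 defines the ESMTPS / ESMTPSA keywords for STARTTLS-protected sessions, and the Exchange-style "(version=TLS1_2, cipher=...)" clause is recognized too; every hostname and the sample message are constructed.

```python
import email
import re

# Added example, not code from the post: report which hops in a message's path used
# TLS by reading its Received: headers. RFC 3848 "with" keywords ESMTPS / ESMTPSA mean
# STARTTLS; Exchange-style servers also write "(version=TLS1_2, cipher=...)".

WITH_RE = re.compile(r"\bwith\s+(ESMTPSA|ESMTPS|ESMTPA|ESMTP|SMTP)\b", re.I)
VERSION_RE = re.compile(r"\bversion=([A-Za-z0-9_.]+)")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def hop_tls(received):
    """Return (from_host, by_host, used_tls, tls_version) for one Received: value."""
    flat = " ".join(received.split())  # unfold continuation lines
    m_from, m_by = FROM_RE.search(flat), BY_RE.search(flat)
    m_with, m_ver = WITH_RE.search(flat), VERSION_RE.search(flat)
    proto = m_with.group(1).upper() if m_with else None
    used_tls = proto in ("ESMTPS", "ESMTPSA") or m_ver is not None
    return (m_from.group(1) if m_from else None, m_by.group(1) if m_by else None,
            used_tls, m_ver.group(1) if m_ver else None)


def audit_path(raw_message):
    """List a message's hops oldest-first (each server prepends its Received: line)."""
    msg = email.message_from_string(raw_message)
    return [hop_tls(v) for v in reversed(msg.get_all("Received", []))]


# Constructed sample following the post's diagram: a device sends cleartext to an
# on-premises relay, the relay uses TLS to Office 365, which uses TLS to the recipient.
SAMPLE_MESSAGE = (
    "Received: from mail.protection.example.test (mail.protection.example.test [192.0.2.20])\n"
    " by mx.example.org with ESMTPS id abc123;\n"
    " Tue, 22 May 2012 10:00:02 +0000\n"
    "Received: from relay.example.net (192.0.2.10) by mail.protection.example.test\n"
    " with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)\n"
    " id 0000; Tue, 22 May 2012 10:00:01 +0000\n"
    "Received: from printer.example.net ([10.0.0.5])\n"
    " by relay.example.net with ESMTP id def456;\n"
    " Tue, 22 May 2012 10:00:00 +0000\n"
    "From: alerts@example.net\nTo: admin@example.org\nSubject: constructed sample\n"
    "\nbody\n"
)

if __name__ == "__main__":
    for src, dst, used_tls, version in audit_path(SAMPLE_MESSAGE):
        print(f"{src} -> {dst}: {'TLS ' + (version or '') if used_tls else 'cleartext'}")
```

Only the hop written by a server you trust is meaningful; any earlier hop's Received: line was supplied by the sending side and can say whatever that side likes.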



  5. Email and other forms of correspondence should be kept secure at all times. After all, it is our corporate reputation and esteemed clients’ personal data that may be at risk if something bad happens. I personally use either Mullvad or NordVPN for devices where I use my business communication platforms. This is an initiative to ensure that my private data are kept safe from being intercepted.

