In the era of security regulations such as GDPR, companies are putting great effort into making email protection technologies more widely available. Lately, Microsoft has introduced significant changes to Office 365, helping users to safeguard their messages in a quicker and easier way. As people send more and more protected emails on a daily basis, some of you might be wondering: how does this work with CodeTwo software?
Mail protection features in Office 365 – what’s changed?
Organizations that use Office 365 Message Encryption (OME) can benefit from out-of-the-box email protection policies such as Do Not Forward and Encrypt-Only. Recently, a new feature, Office 365 sensitivity labels, has been introduced to Office 365. Sensitivity labels do not require additional Azure Information Protection (AIP) licenses, so they are likely to become popular in the upcoming months.
Office 365 admins can manage the Do Not Forward and Encrypt-Only policies by using mail flow transport rules in the Exchange admin center. Office 365 sensitivity labels are handled through the Security and Compliance Center and can be used for message encryption, content marking, access control, or data retention.
From the users’ perspective, the new Office 365 mail protection features can be triggered on supported email clients such as Outlook or Outlook on the web (OWA). In OWA, the Protect option in the compose mode allows users to encrypt an email (Encrypt-Only), prevent it from being forwarded (Do Not Forward), or apply one of the organization’s protection policies, including sensitivity labels (as mentioned before, the available options depend on your Office 365 plan).
The viewing experience depends on who opens a protected message. If the recipient is within the same Office 365 organization and uses a current version of Outlook (including the mobile versions and Outlook on the web / OWA), the message can be opened normally. If the recipient is outside the sender’s organization, does not have an Office 365 account, or uses a different email client, they might need to take additional action, for example, open a message wrapper and verify their identity in a web browser to access the protected content.
Message protection vs email signatures added by CodeTwo
Office 365 environments
Our email signature solution for Office 365 tenants, CodeTwo Email Signatures for Office 365, adds signatures server-side when emails are routed through our services hosted in Microsoft Azure datacenters.
If a message is protected server-side, e.g. by using a mail flow transport rule that applies a rights management template (such as Do Not Forward or Encrypt-Only), then the whole message (including a signature added by CodeTwo) is encrypted.
An important advantage of adding signatures to a message and protecting this message server-side is that every email client (including mobile apps and Outlook for Mac) is supported.
If message protection is applied client-side, for example via the Protect options in Outlook on the web, email signatures are not added by our software because we do not interfere with the protected content.
A technology used in one of our older mail signature products allows us to add email signatures on the mail client side using a dedicated add-in, making it possible to add a signature to a protected email in Outlook. However, we are currently working on a modern solution to support all types of Office 365 protected emails on the client side.
Hybrid and on-premises environments
The programs from the CodeTwo Exchange Rules software family automatically recognize emails protected by Office 365 and exclude them from processing, so that they do nothing to the protected content. This applies to both incoming and outgoing protected emails.
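A sketch of how a server-side mail processor could recognize rights-protected messages and pass them through untouched, as described above. This is an added example, not CodeTwo's code: it assumes the standard rpmsg markers (the `Content-Class: rpmsg.message` header and the `application/x-microsoft-rpmsg-message` wrapper attachment), and `process`, `build_sample` and the sample addresses are hypothetical.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Markers of a rights-protected (IRM/OME) message; assumed sufficient for this sketch.
RPMSG_MIME = "application/x-microsoft-rpmsg-message"
RPMSG_CLASS = "rpmsg.message"


def is_rights_protected(raw: str) -> bool:
    """Return True if the message carries an rpmsg marker in headers or parts."""
    msg = message_from_string(raw, policy=policy.default)
    if str(msg.get("Content-Class", "")).strip().lower() == RPMSG_CLASS:
        return True
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        # message.rpmsg, plus versioned wrapper names such as message_v2.rpmsg
        if part.get_content_type() == RPMSG_MIME or (
            name.startswith("message") and name.endswith(".rpmsg")
        ):
            return True
    return False


def process(raw: str, signature: str) -> str:
    """Hypothetical stamping step: protected mail is passed through untouched."""
    if is_rights_protected(raw):
        return raw
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body.set_content(body.get_content().rstrip() + "\n\n" + signature)
    return msg.as_string()


def build_sample(header: bool = False, attachment: bool = False) -> str:
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.net", "Q3"
    m.set_content("Hello Bob")
    if attachment:
        m.add_attachment(b"constructed-placeholder", maintype="application",
                         subtype="x-microsoft-rpmsg-message", filename="message.rpmsg")
    if header:
        m["Content-Class"] = RPMSG_CLASS  # set last so it stays a top-level header
    return m.as_string()
```

Checking both the header and the MIME parts matters because a relay may strip or rewrite one marker while the other survives.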
Backing up or migrating OME-encrypted emails with CodeTwo software
CodeTwo Backup for Office 365 as well as CodeTwo Office 365 Migration natively support emails encrypted using Office 365 Message Encryption. Such messages are handled like any other email data and are by no means excluded from the backup or migration jobs.
Our Office 365 backup solution retains all properties of OME-encrypted emails. This means that if an email is marked as Confidential or the Do Not Forward option is applied to it, these properties will remain intact when this email is backed up by the program to local storage, archived, or restored back to an Office 365 tenant. The same principles apply when migrating OME-encrypted messages between two Office 365 tenants using the CodeTwo Office 365 migration tool – the migrated emails will remain encrypted in the target environment as well.