Mail protection features in Office 365 – what’s changed?
Organizations that use Office 365 Message Encryption (OME) can benefit from out-of-the-box email protection policies such as Do Not Forward and Encrypt. Recently, a new feature, Office 365 sensitivity labels, has been introduced to Office 365 (Microsoft 365). Sensitivity labels do not require additional Azure Information Protection (AIP) licenses, so they are likely to become popular in the upcoming months.
Office 365 admins can manage the Do Not Forward and Encrypt policies by using mail flow transport rules in the Exchange admin center. Office 365 sensitivity labels are handled through the Microsoft Purview compliance portal and can be used for message encryption, content marking, or access control.
From the users’ perspective, the new Office 365 mail protection features can be triggered on supported email clients such as Outlook or Outlook on the web (OWA). In OWA, the Encrypt option in the compose mode allows users to encrypt an email (Encrypt) or prevent it from being forwarded (Do Not Forward). To apply one of the organization’s protection policies, including sensitivity labels (as mentioned before, the available options depend on your Office 365 plan), you need to use the Sensitivity option.
The viewing experience depends on who opens a protected message. If the recipient is within the same Office 365 organization and uses a current version of Outlook (including the mobile versions and Outlook on the web / OWA), the message can be opened normally. If the recipient is outside the sender’s organization, does not have an Office 365 account, or uses a different email client, they might need to take additional action, for example open a message wrapper and verify their identity in a web browser to access the protected content.
Message protection vs email signatures added by CodeTwo
Office 365 environments
Our email signature solution for Office 365 tenants, CodeTwo Email Signatures 365, can work in one of three signature modes: cloud (server-side), Outlook (client-side) and combo. No matter which method of encryption you use, our software management solution can add signatures to encrypted messages.
In short, when the program works in cloud mode, signatures are added when emails are routed through our services hosted in Microsoft Azure datacenters. In Outlook mode, the program inserts signatures directly in an Outlook add-in, when users are composing their emails. Combo mode, on the other hand, is a combination of both cloud and Outlook modes. Learn more
If a message is protected in the cloud, e.g. by using a mail flow transport rule that applies a rights management template (such as Do Not Forward or Encrypt), then the whole message (including a signature added by CodeTwo) is encrypted, no matter which mode is used.
An important advantage of adding signatures to a message and protecting this message in the cloud is that every email client is supported.
If message protection is applied client-side, for example via the Encrypt options in Outlook, email signatures can be added only in Outlook (client-side) mode. In such situation, the whole email, together with a signature, is encrypted.
Hybrid and on-premises environments
The programs from the CodeTwo Exchange Rules software family automatically recognize emails protected by Office 365 and exclude them from processing, so that they do nothing to the protected content. This applies to both incoming and outgoing protected emails.
Backing up or migrating OME-encrypted emails with CodeTwo software
CodeTwo Backup for Office 365 as well as CodeTwo Office 365 Migration natively support emails encrypted using Office 365 Message Encryption. Such messages are handled like any other email data and are by no means excluded from the backup or migration jobs.
Our Office 365 backup solution retains all properties of OME-encrypted emails. This means that if an email is marked as Confidential or the Do Not Forward option is applied to it, these properties will remain intact when this email is backed up by the program to a local storage, archived, or restored back to an Office 365 tenant. Same principles apply when migrating OME-encrypted messages between two Office 365 tenants using CodeTwo Office 365 migration tool – the migrated emails will remain encrypted in the target environment as well.
CodeTwo Email Signatures 365 is the first and only email signature solution that’s fully Microsoft 365 Certified (the whole infrastructure reviewed & pen-tested by Microsoft). It's an Azure-based cloud service that supports all devices and email apps. Our product was co-engineered and awarded by Microsoft, and has the highest user satisfaction ratings. With CodeTwo's ISO/IEC 27001 & 27018 certification and our proprietary 4-layer security system, it's the most secure signature solution on the market. Watch a short product video
CodeTwo offers solutions for organization-wide email signature management, data backup and migration for Microsoft 365 & Exchange Server, developed since 2007 and used by over 120k organizations worldwide, including Facebook, Samsung and UNICEF.
CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.