Send encrypted Outlook attachments using Microsoft Purview Message Encryption — the file is secured inside the email and recipients verify with a one-time passcode.
The difference between sending a confidential file securely and exposing it in plain text comes down to knowing how to encrypt an attachment in Outlook the right way. Outlook doesn’t let you password-protect a single file — instead, it encrypts the entire email, and the attachment rides inside that protected envelope. Microsoft offers two routes to do this: Microsoft Purview Message Encryption for most Microsoft 365 subscribers, and S/MIME for organizations that already use digital certificates.
What Does Encrypting An Attachment Actually Do?
Outlook encrypts the whole message, not the attachment file itself. The file sits inside an encrypted envelope that the recipient must authenticate to open. For Microsoft Purview Message Encryption (MEO), external recipients get a notification email with a link. They click it, verify their identity with a one-time passcode or Microsoft account sign-in, and view the message plus attachments in a secure browser portal. For S/MIME, both sender and recipient need digital certificates installed — the encryption happens at the email client level before the message leaves your outbox.
How To Encrypt Attachments Using Microsoft Purview Message Encryption
MEO is the most accessible method for anyone with a Microsoft 365 subscription — Personal, Family, Business, or Enterprise plans all include it. Free Outlook accounts do not have access to this feature.
- Open Outlook and create a New Email.
- In the composition window, click the Options tab on the ribbon.
- Click the Encrypt button.
- Select an encryption level:
- Encrypt-Only: Recipients can view, copy, print, and forward the content. Recommended for general use.
- Do Not Forward: Recipients cannot copy, print, or forward. Office documents get Information Rights Management restrictions. PDF restrictions work only in Outlook Web App.
- Compose your message and attach files — each attachment can be up to 150 MB.
- Click Send.
The recipient receives a notification email with a link. They click it, authenticate with a one-time passcode valid for 15 minutes, and view the secure message and attachments in their browser. Microsoft’s Purview encryption guide covers client-specific details for Windows, Mac, and Outlook Web App.
Encrypting An Attachment In Outlook: Which Method Fits Your Setup
The right encryption method depends on your subscription, your recipient’s setup, and the level of control you need. The table below compares MEO and S/MIME across the factors that matter most.
| Feature | MEO (Purview) | S/MIME |
|---|---|---|
| How it works | Cloud-based encryption via Azure Rights Management | End-to-end encryption with digital certificates |
| Attachment coverage | All attachments encrypted with the message | All attachments encrypted with the message |
| Max attachment size | 150 MB per file | Limited by email system |
| Recipient software needed | None — one-time passcode sent to their email | Matching digital certificate required |
| Custom password option | Not supported in any Outlook client | Not applicable — certificate-based |
| Forwarding and printing control | Encrypt-Only or Do Not Forward options | No built-in forwarding restrictions |
| Required subscription | Any paid Microsoft 365 plan | Microsoft 365 plus a certificate authority |
How S/MIME Encryption Works For Attachments
S/MIME uses digital certificates to encrypt messages and attachments end-to-end with AES 256-bit protection. Both the sender and the recipient must have a compatible certificate installed. New Outlook does not import certificates automatically — you or your IT administrator must install them manually.
The key advantage is true end-to-end encryption with no cloud dependency. The trade-off is that the recipient absolutely needs a matching certificate to decrypt. If they lack one, the message cannot be opened without a third-party bridge. Government and military users often use PIV cards for S/MIME — insert the card, enter the PIN, and Outlook handles the rest. New Outlook shows a warning if a recipient cannot decrypt, giving you a chance to switch methods before sending.
Common Outlook Encryption Mistakes
Several pitfalls cause encrypted attachments to fail or confuse recipients. The table below covers the most frequent ones and how to work around each.
| Mistake | What Actually Happens | How To Fix It |
|---|---|---|
| Trying to set a custom password on the attachment | New Outlook does not support custom passwords — it uses one-time passcodes instead | Send the encrypted message and let the system generate the passcode |
| Using S/MIME without a digital certificate installed | Encryption fails or the recipient cannot open the message | Obtain and install a Digital ID from a certificate authority before sending |
| Attempting encryption with a free Outlook account | MEO requires a Microsoft 365 subscription | Upgrade to any paid Microsoft 365 plan |
| Assuming “Do Not Forward” restricts PDFs on all platforms | PDF restrictions only apply in Outlook Web App | Use Encrypt-Only for universal PDF access control |
| Sending S/MIME to a recipient without a matching certificate | Recipient sees an error or cannot decrypt | Switch to MEO or confirm both sides have compatible certificates |
| Using a third-party email app on mobile to read encrypted mail | App shows instructions to view in a browser instead of the content directly | Open the encrypted message link in the phone’s browser |
| Not checking attachment size before encrypting | Attachments over 150 MB fail to send | Compress the file or split it into smaller parts |
Pick The Encryption Method That Fits Your Situation
If you have a Microsoft 365 subscription and your recipient can click a link in email, Microsoft Purview Message Encryption is the straightforward choice — no certificate setup, 150 MB per file, and forwarding controls built in. If your organization already uses digital certificates and both sides have them, S/MIME delivers full end-to-end AES 256-bit encryption without relying on any cloud service. Either way, the attachment is protected inside the message envelope, not as a standalone file with a password.
References & Sources
- Microsoft Support. “Send Encrypted Messages with a Microsoft 365 Personal or Family Subscription.” Official steps for Purview encryption in Outlook.
- Microsoft Support. “Set Up Outlook to Use S/MIME Encryption.” Digital certificate setup and requirements.
- Microsoft Learn. “How to Encrypt Emails with Attachments.” MEO limitations and one-time passcode workflow.
- PreVeil. “Encrypted Email Attachments: MEO vs S/MIME.” Comparison of encryption methods and attachment handling.
- IDManagement.gov. “Outlook S/MIME and PIV Configuration.” Government PIV card setup for encrypted email.
