How to encrypt emails in MS Exchange
Email encryption has been a challenging problem for decades. Although most users will agree that encryption
is good and is required, disagreement occurs on how to implement it. This article discusses
some challenges encountered when using several commonly suggested mechanisms for email encryption and
finally recommends a very simple and easy-to-implement method of encrypting outbound emails
when using Microsoft Exchange.
Existing Solutions and Their Shortcomings
Several attempts have been made to achieve end-to-end encryption for email messages. The
following section discusses them and talks about their drawbacks.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard mechanism for
encrypting the content of an email, which provides a reliable way of ensuring that no one
other than the intended recipient can view the message.
S/MIME uses public/private key pairs for the actual encryption. This means both parties
(sender and recipient) need their own public/private key pair in order for this to work.
Creating and using these keys is usually a challenging task for non-technical users;
therefore, email encryption with S/MIME was never widely adopted.
Several companies offer email encryption by integrating the email system with
a web-based portal that forces recipients to create an account. The following
bullets describe the actual flow.
- The sender wants to send an encrypted message to a new client.
- The email server intercepts this message and creates a new email asking the
recipient to create an account on the system with a password.
- The system then encrypts the email using the password chosen by the recipient.
Although this is a very easy-to-implement solution for the sender, the recipient has
to take extra steps in order to view the message. Users are typically reluctant to create
accounts on a third-party email system. Additionally, they now have to remember yet another
user ID and password before they can access the message.
Installing an Outlook plugin is another mechanism for encrypting emails: the plugin encrypts the
original message with a user-provided password, and the recipient has to
enter the pre-assigned password in order to view the message.
The plugin has to be installed on every email client. For example, you won't be able
to compose an encrypted email from your iOS device or a web-based email system if a plugin is not
A Better Approach
Xeams provides a very easy-to-use method of achieving end-to-end encryption. The following diagram
illustrates the flow.
In this example, Exchange is configured to send outbound emails through Xeams, which encrypts
the email with a user-specified password. The password is placed in the subject of the message.
Consider the following example:
Subject without encryption: Your tax returns for the year 2018 are attached
Subject with encryption: Your tax returns for the year 2018 are attached encpass(MagicWord)
Xeams encrypts the message if it detects this keyword, encpass followed by the password in parentheses,
at the end of the subject line.
This suffix keyword is configurable through Xeams' web interface.
Advantages of this approach:
- No need to create public/private keys
- The recipient only needs a PDF viewer on their end to open the email
- No plugins are needed in Outlook or any other email client
- Emails can be composed using any program (Outlook, Thunderbird, Apple Mail,
Android Mail or a web-based email client)
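To make the subject-keyword mechanism described above concrete, here is an added example (written for this article, not Xeams' own code) of the decision a relay would make for each outbound message: detect the configurable suffix keyword, extract the password, and rewrite the Subject so the password does not leave the gateway in clear text. The keyword name encpass and the sample subject come from the example above; the message itself is constructed, and the actual PDF encryption step is outside this snippet.

```python
import re
from email.message import EmailMessage

# The article describes the suffix keyword as configurable; "encpass" is the
# value shown in its subject-line example.
DEFAULT_KEYWORD = "encpass"


def parse_subject(subject, keyword=DEFAULT_KEYWORD):
    """Return (clean_subject, password) for one subject line.

    password is None when the keyword is absent, meaning the message is sent
    as-is. A keyword with an empty password raises ValueError so that a
    malformed tag can never silently turn into an unencrypted send.
    """
    pattern = re.compile(r"\s*" + re.escape(keyword) + r"\(([^()]*)\)\s*$",
                         re.IGNORECASE)
    m = pattern.search(subject)
    if m is None:
        return subject, None
    password = m.group(1)
    if not password:
        raise ValueError("encryption keyword present but password is empty")
    # Drop the keyword and password from the subject the recipient will see.
    return subject[:m.start()].rstrip(), password


def classify_message(msg, keyword=DEFAULT_KEYWORD):
    """Gateway decision for one message: ("encrypt", password) or
    ("passthrough", None). Rewrites the Subject header in place when the
    keyword is found, because the password must not be delivered in clear."""
    clean, password = parse_subject(str(msg.get("Subject", "")), keyword)
    if password is None:
        return "passthrough", None
    del msg["Subject"]
    msg["Subject"] = clean
    return "encrypt", password


def demo():
    # Constructed sample message (addresses are placeholders).
    msg = EmailMessage()
    msg["From"] = "accountant@example.com"
    msg["To"] = "client@example.net"
    msg["Subject"] = "Your tax returns for the year 2018 are attached encpass(MagicWord)"
    msg.set_content("Please see the attached document.")
    decision = classify_message(msg)
    return decision, str(msg["Subject"])
```

Running `demo()` yields the decision `("encrypt", "MagicWord")` and a delivered subject with the suffix removed; a subject without the keyword passes through unchanged.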
Taking it One Step Further
The diagram in the above example shows the message going to Exchange first and then to Xeams for encryption.
Therefore, messages remain in clear text while inside Exchange. To avoid this,
users will have to configure their email clients to use Xeams directly as their SMTP server.