How to encrypt emails in MS Exchange

Email encryption has been a challenging problem for decades. Although most users will agree encryption is good and is required, disagreement occurs on how to implement it. This article talks about some challenges encountered when using several suggested mechanisms for email encryption and finally, it recommends a very simple and easy-to-implement method of encrypting outbound emails when using Microsoft Exchange

Existing Solutions and their shortcomings

Several attempts have been made to achieve end-to-end encryption for email messages. The following section discusses them and talks about their drawbacks.

Using S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard mechanism for encrypting the content of any email, which provides a reliable way of ensuring no one can view the message other than the intended recipient.


S/MIME use public/private keys for actual encryption. This means both parties (sender and recipient) will need a set of public/private keys in order for this to work. Creating and using these keys is usually a challenging task for non-technical users therefore, email encryption with S/MIME was never adopted.
Web-based Encryption
Several companies offer email encryption by integrating the email system with a web-based system forcing the recipients to create an account. The following bullets demonstrate the actual flow.

  • The sender wants to send an encrypted message to a new client
  • The email server intercepts this message and creates a new email asking the recipient to create an account on the system with a password
  • The system then encrypts the email using the password assigned by the recipient


Although this is a very easy-to-implement solution for the sender, recipient will have to take extra steps in order to view the message. Users are typically reluctant to create accounts on the third-party email system. Additionally, they will now have to remember another set of user ID/password before they will be able to access the message.
Outlook Plugin
Installing an Outlook Plugin is another mechanism to encrypt emails, which encrypts the original message with a user provided password. The recipient will have to specify the pre-assigned password in order to view the message.


You will have to install this plugin on every email client. For example, you won't be able to compose an email from your iOS device or a web-based email system if a plugin is not available.

A Better Approach

Xeams provides a very easy-to-use method of achieving end-to-end encryption. The following diagram demonstrates the flow.

EncryptionExchange.png In this example, Exchange is configured to send outbound emails through Xeams, which will encrypt the email with a user specified password. This password is specified in the subject of the message. Consider the following example:

Desired Subject
Your tax returns for the year 2018 are attached
Modified Subject
Your tax returns for the year 2018 are attached encpass(MagicWord)
Xeams will encrypt the message if it detects the word encpass in the subject line. This suffix word is configurable through Xeams' web interface.


  • No need to create public/private keys
  • Recipient will only need a PDF viewer on their end to open the email
  • No plugins are needed in Outlook or any other email client
  • Emails can be composed using any program (Outlook, Thunderbird, Apple Mail, Android Mail or a web-based email client.)

Taking it One Step Further

The diagram in the above example shows the message goes to Exchange and then to Xeams for encryption. Therefore, messages will stay clear within Exchange. To avoid this situation, users will have to configure their email clients to use Xeams for their SMTP server.