Export (0) Print
Expand All

Exchange Hosted Email Encryption


Applies to: Office 365 Enterprise, Live@edu, Forefront Online Protection for Exchange

Topic Last Modified: 2014-09-02

Microsoft Exchange Hosted Encryption (EHE) is a convenient, easy-to-use email encryption service that helps safely deliver your confidential business communications in a hosted secure email solution. This email encryption service enables users to send and receive encrypted email directly from their desktops as easily as regular email, to anyone at any time. This topic contains an overview of the hosted secure email encryption service offered by Microsoft.

This feature of Exchange Online is currently not compatible with Office 365 operated by 21Vianet in China. For more information, see Learn About Office 365 in 21Vianet.
Exchange Hosted Encryption is scheduled for upgrade to a new service in January 2014. For information about the EHE upgrade, please see Exchange Hosted Encryption (EHE) upgrade center.

If your organization is using Microsoft® Forefront® Online Protection for Exchange (FOPE) and subscribes to the hosted Microsoft Exchange email encryption service, your users can send and receive encrypted email directly from their desktops in the same manner as regular email. Encryption is policy-rule based and messages are encrypted at the gateway based on FOPE policy rules that an administrator sets. The hosted secure email encryption service takes the original message and includes it as an encrypted attachment. All recipients can read the original contents using a web browser noted in the Programs compatible with Exchange Hosted Encryption section of this topic. This enables a more secure Web-based encryption and decryption for any recipient of a hosted secure email.

When you set the Encrypt rule action on the policy rule for outbound mail, emails sent by users in the organization can be encrypted automatically based upon rule-matching by subject and message keywords, regular expressions, sending and receiving email address, or domains.

The following diagram shows an overview of encryption with the hosted secure email encryption service applied. It shows where messages are encrypted and decrypted as a message travels from the sender within a corporate network that is using FOPE to a receiver who is outside the corporate network.

Exchange hosted encryption message flow

For the person creating and reading email messages, sending an encrypted message is very similar to sending a non-encrypted message. If you, the FOPE administrator, have configured a company to use hosted encryption and applied a policy that causes certain messages to be encrypted, then the message sender does not need to take any specific action to send encrypted messages.

For more detailed information that administrators can use to learn about policy rules, and how to use them with the hosted secure email encryption service, use the links listed at the end of this topic.

The maximum size limit for outgoing messages that are sent through FOPE is 150 MB, including attachments. There is no difference in the limit for encrypted or non-encrypted messages. When using hosted encryption, the size limit for incoming message replies from recipients is 10 MB, which also includes attachments. There is no limit on the number of attachments. Only replies from recipients that are sent to a user who is using hosted encryption are bound by the 10 MB limit.

Users who send encrypted messages are not required to enter any special passwords as a part of the encryption process. The first time a recipient attempts to open an encrypted message, they must authenticate their identity and establish a password to securely open encrypted messages from the email encryption service. Subsequent messages that are encrypted require the recipient to authenticate themselves through the password established during the first-time registration process. These credentials are used only to decrypt secure messages.

The password requirements for the first time a user logs in to read an encrypted message cannot be set by a FOPE administrator and they cannot be made to expire. The following rules for encryption passwords apply to all Exchange Hosted Encryption service users:

  • Minimum password length is 6 characters.

  • Numbers are not required.

  • Capital letters are not required.

  • Special characters are not required.

  • Trivial Passwords are not allowed.

The email encryption service is designed so that passwords used for authentication to review such messages do not need to be reset, and it is easy for a message recipient to review an encrypted message if they have already opened it once and either a long period of time has elapsed or they have forgotten the password they created the first time they opened it. In both of these cases, the recipient would need to open the original message received and follow the same email answerback procedure that they followed the first time. For more information about reading messages, see Create, Read, or Reply to an Encrypted Message.

A sent encrypted message does not expire, in that it becomes unreadable after a certain time period. The encrypted message can be decrypted for as long as the current version of Exchange Hosted Encryption is running. For more information about feature availability in Microsoft Online Services, see Exchange Hosted Encryption. The credentials used to access the encrypted message do have a time-limit as explained in Create, Read, or Reply to an Encrypted Message.

For more information about end-user access to encrypted messages, see the Create, Read, or Reply to an Encrypted Message topic.

In order to send and receive encrypted messages, the following system requirements apply to end users:

  • An email platform that is configured to use Microsoft® Forefront® Online Protection for Exchange with an Exchange Hosted Encryption subscription to send encrypted messages.

  • Internet Explorer version 7 or later or Mozilla Firefox version 2.0 or later to read encrypted messages.

Mobile phone operating systems are not officially supported for reading hosted Exchange email encrypted messages. Some popular device types such as iOS, Android, or Windows Phone 7 may work with EHE, but they may not function with complete compatibility.

Encrypted messages are stored in the receiver’s inbox according to the way that each person’s email program or provider has configured their email to work. The sender’s sent items folder will have the plain text message that was initially sent. This includes users with Microsoft Office 365 or another web-based email provider, whose messages may be stored on a remote server. Local email program settings cannot be changed by a FOPE administrator or policy settings as the encryption policies only affect outgoing messages that pass through the FOPE service. There are no encrypted messages stored in another cache on a local computer or memory when the reader closes an encrypted message they have been reading.

If your company subscribes to an archive service such as Microsoft Exchange Hosted Archive or has another archive strategy that stores messages apart from the user inbox, then a hosted secure email encrypted message can be stored within the archive according to the rules established within that software. Only the sender or receiver whose email address appears in the email header of an encrypted message and who has been authenticated by EHE can see the contents of an encrypted message. This behavior applies for encrypted messages in any external archive, or a recipient’s inbox.

Microsoft Exchange Online has a retention policy that is applied by default and retention policies that can be configured at the company, domain or user level. For more information about these features, see Set Up and Manage Retention Policies in Exchange Online. For more information about retention policies in an on-premises Microsoft Exchange Server environment, see Understanding Retention Tags and Retention Policies.

The following table provides message and policy rule delivery outcomes for the senders and recipients when hosted Exchange email encryption services are enabled. For this table, it is assumed that:

  • Email users in Contoso.com domains are using hosted encryption.

  • Email users in Trey Research and Woodgrove Bank domains are not in subdomains of the Contoso.com domain. Furthermore, these companies are not using FOPE EHE.

  • Email addresses can appear in any of the addressee areas in the message header such as the To: line, carbon copy (Cc:) line, or blind carbon copy (Bcc:) line. This does not affect encryption.


Policy Rule Message Action Sender Recipient Policy Rule and Message Behavior

Domain Scope: All domains

Traffic Scope: Outbound

Action: Encrypt



Reply All



boris@hr.contoso.com; carol@treyresearch.net

Message will be encrypted if it matches any of the policy rules.

If Contoso has a connector configured to bypass FOPE filtering, then no messages are encrypted.

Recipients can read encrypted messages as explained in the Create, Read, or Reply to an Encrypted Message topic.

Domain Scope: All domains

Traffic Scope: Outbound

Action: Encrypt


Reply All



anton@contoso.com; boris@hr.contoso.com; dita@woodgrovebank.com;

If the original message was encrypted through FOPE when it was first created, an encrypted message will be accessible by all recipients.

Recipients can read as explained in the Create, Read, or Reply to an Encrypted Message topic.

A FOPE administrator can enable the EHE service and create policy rules to activate encryption.

Policies for encryption can be applied only to outgoing messages from a single domain. Likewise, policies for decryption can be applied only to incoming messages to a single domain. For example, if your company has provisioned more than one domain, you can allow users in the hr.treyresearch.net domain to use hosted encryption, but not users in the london.treyresearch.net domain.

The FOPE administrator cannot disable email platform features such as forward or reply all. These types of user actions are a part of the messaging application and not a part of FOPE or encryption. The table in a previous section of this topic explains the message behavior for certain message actions such as forward a message or reply all to a message.

In order to make use of the EHE service, the FOPE administrator must purchase, enroll, and configure the service for specific domains. To purchase EHE, visit the Microsoft Online Services web site to learn more.

Before you can create encryption rules, you should consider the conditions in which your organization will allow encrypted messages. For example, you could design a policy that allows only specific people to send encrypted messages. You could design a policy that allows messages that contain specific text to be encrypted, such as the word “encrypt” in a message’s subject line, and then tell users to add this if they want to use encryption.

The conditions in which you expect users to use encryption will affect both how you create policies and how many EHE licenses you must purchase.

The archive reports that are available in FOPE, such as Destruction, SEC 17a-4, or Supervisory Review Evidentiary, do not contain the content of encrypted messages. The SEC 17a-4 report does contain information such as the dates, to and from whom a message was sent, the subject, and more for each message archived.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft