Email Encryption for Business: Why It Matters and How to Implement It

Email encryption protects the contents of messages in transit and at rest, ensuring that only the intended recipient can read them. For UK businesses handling personal data, financial information or sensitive client communications, encryption is a practical requirement under UK GDPR and a fundamental email security control.

Nathan Hill-Haimes, Technical Director · 8 min read · Mar 2026

The Problem with Unencrypted Email

Standard SMTP email was designed in the 1980s without security in mind. Messages travel between mail servers across the internet, and without encryption, the content of those messages can be intercepted and read at any point along that path. While modern mail server connections increasingly use TLS (Transport Layer Security) for encryption in transit, this protection is not universal, not end-to-end and not guaranteed.

The consequences of unencrypted email interception depend on what you send. For a business exchanging contracts, medical information, financial data or personal records by email, an intercepted message could constitute a personal data breach under UK GDPR — triggering ICO notification obligations and potential enforcement action.

Types of Email Encryption

Transport Layer Security (TLS)

TLS encrypts the connection between mail servers, preventing interception as messages travel between your mail server and the recipient's. Most modern email services support TLS by default. However, TLS is hop-by-hop: it encrypts the message between servers, but the message sits unencrypted on each server it passes through. If either server does not support TLS, the message may travel unencrypted.

STARTTLS is the standard mechanism for negotiating TLS between mail servers. Opportunistic STARTTLS means TLS is used when both servers support it, and the message falls back to cleartext if negotiation fails, so it gives no guarantee for any individual message. Enforced TLS means messages are rejected if TLS is not available — providing stronger guarantees but potentially causing delivery failures with older servers.
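Because TLS is hop-by-hop, the only record of which hops actually used it is the chain of `Received:` headers that each server prepends to the message. The following script is an added example (not code from the original article or from AMVIA) that walks that chain for a constructed message and flags the hops that travelled in cleartext. The sample headers are invented but follow the Google-style `version=TLS1_3 cipher=...`, Postfix-style `using TLSv1.2 with cipher ...` and plain `ESMTP` formats; the regular expressions are assumptions about those formats and may need extending for other mail servers.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Received: headers for one message, as seen in the final
# recipient's mailbox. Each server prepends its own header, so the first entry
# is the last hop and the last entry is the first hop.
SAMPLE_RECEIVED_HEADERS = [
    "from mail-out.example-corp.co.uk (mail-out.example-corp.co.uk [203.0.113.10])\n"
    "        by mx.example.net with ESMTPS id abc123\n"
    "        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n"
    "        Mon, 2 Mar 2026 09:15:02 +0000",
    "from relay.partner.example (relay.partner.example [198.51.100.7])\n"
    "        by mail-out.example-corp.co.uk (Postfix) with ESMTPS id 4XyZ\n"
    "        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));\n"
    "        Mon, 2 Mar 2026 09:14:58 +0000",
    "from legacy-app.internal (legacy-app.internal [192.0.2.25])\n"
    "        by relay.partner.example (Postfix) with ESMTP id 7Qr;\n"
    "        Mon, 2 Mar 2026 09:14:51 +0000",
]

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
# Matches "version=TLS1_3", "version=TLS1_2," and "using TLSv1.2" (assumed formats).
TLS_VERSION_RE = re.compile(r"(?:version=|using\s+)TLSv?(\d+[._]\d+)", re.IGNORECASE)


def parse_received(header: str) -> Dict[str, Optional[str]]:
    """Extract the sending host, receiving host and TLS version of one hop."""
    flat = " ".join(header.split())  # unfold the header onto one line
    from_m = FROM_RE.search(flat)
    by_m = BY_RE.search(flat)
    tls_m = TLS_VERSION_RE.search(flat)
    tls = tls_m.group(1).replace("_", ".") if tls_m else None
    # Postfix writes "with ESMTPS" for a TLS session even when the version is
    # not stated in the header; treat that as TLS of unknown version.
    if tls is None and re.search(r"\bwith\s+ESMTPS\b", flat):
        tls = "unknown"
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "tls": tls,
    }


def trace_hops(headers: List[str]) -> List[Dict[str, Optional[str]]]:
    """Parse all Received: headers and return hops in delivery order (first hop first)."""
    return [parse_received(h) for h in reversed(headers)]


def unencrypted_hops(headers: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return the hops on which the message travelled without TLS."""
    return [hop for hop in trace_hops(headers) if hop["tls"] is None]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_RECEIVED_HEADERS):
        status = f"TLS {hop['tls']}" if hop["tls"] else "NO TLS"
        print(f"{hop['from']} -> {hop['by']}: {status}")
```

Run against the constructed headers, the trace shows that the first hop, from the legacy application server to the partner's relay, had no TLS at all, even though the two later hops used TLS 1.2 and 1.3. That is exactly the gap the hop-by-hop model leaves open: a message can be well protected on the hops you control and still have crossed one link in the clear.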

S/MIME (Secure/Multipurpose Internet Mail Extensions)

S/MIME provides end-to-end encryption and digital signatures for email. The message content is encrypted with the recipient's public key and can only be decrypted with their private key. Even if the message is intercepted in transit or accessed on a mail server, the content remains unreadable.

S/MIME requires both sender and recipient to have certificates (typically issued by a Certificate Authority). It integrates natively with Outlook and Apple Mail. Setup requires each user to have a personal email certificate, which must be managed and renewed — adding administrative overhead but providing the strongest encryption guarantee.
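To make the end-to-end property concrete, here is an added example (not the article's code and not a real S/MIME or CMS implementation) of the sign-then-encrypt model S/MIME is built on: the sender signs with their private key, a fresh symmetric key encrypts the content, and only that key is wrapped with the recipient's public key. It assumes the `cryptography` Python package is installed; the key pairs stand in for the keys that S/MIME carries in user certificates, and the envelope layout is a simplified illustration rather than the PKCS#7 structure real clients exchange.

```python
import os
from typing import Dict

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP for wrapping the content key, RSA-PSS for the sender's signature.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def generate_keypair() -> rsa.RSAPrivateKey:
    """One key pair per mailbox; in S/MIME the public half lives in the user's certificate."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal(plaintext: bytes, sender_key: rsa.RSAPrivateKey,
         recipient_public: rsa.RSAPublicKey) -> Dict[str, bytes]:
    """Sign with the sender's private key, then encrypt for the recipient's public key."""
    signature = sender_key.sign(plaintext, PSS, hashes.SHA256())
    # The signature travels inside the encrypted envelope, as in S/MIME.
    inner = len(signature).to_bytes(2, "big") + signature + plaintext
    # A fresh content-encryption key per message; only this key is RSA-wrapped.
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(cek).encrypt(nonce, inner, None)
    wrapped_cek = recipient_public.encrypt(cek, OAEP)
    return {"wrapped_cek": wrapped_cek, "nonce": nonce, "ciphertext": ciphertext}


def open_envelope(envelope: Dict[str, bytes], recipient_key: rsa.RSAPrivateKey,
                  sender_public: rsa.RSAPublicKey) -> bytes:
    """Decrypt with the recipient's private key and verify the sender's signature.

    Raises ValueError if the private key is not the recipient's, and
    InvalidSignature if the content was altered or was not signed by the claimed sender.
    """
    cek = recipient_key.decrypt(envelope["wrapped_cek"], OAEP)
    inner = AESGCM(cek).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    sig_len = int.from_bytes(inner[:2], "big")
    signature, plaintext = inner[2:2 + sig_len], inner[2 + sig_len:]
    sender_public.verify(signature, plaintext, PSS, hashes.SHA256())
    return plaintext


def readable_by(envelope: Dict[str, bytes], private_key: rsa.RSAPrivateKey,
                sender_public: rsa.RSAPublicKey) -> bool:
    """True only if the holder of private_key can open the envelope and the signature checks out.

    A mail server or interceptor holding any other key gets False: the content
    stays unreadable at rest on every server it passes through.
    """
    try:
        open_envelope(envelope, private_key, sender_public)
        return True
    except (ValueError, InvalidTag, InvalidSignature):
        return False


if __name__ == "__main__":
    alice, bob = generate_keypair(), generate_keypair()
    env = seal(b"Contract v3 attached", alice, bob.public_key())
    print(open_envelope(env, bob, alice.public_key()))
```

The point of the two-key design is visible in `readable_by`: a relay that stores the message sees only `ciphertext` and a wrapped key it cannot unwrap, and a sender who is not the claimed signer cannot produce a message that the recipient's client will accept. The certificate management overhead described above is the price of knowing, for every correspondent, which public key to wrap the content key with.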

Microsoft 365 Message Encryption (OME)

For organisations using Microsoft 365, Office 365 Message Encryption (OME) provides an accessible way to send encrypted messages to any recipient, regardless of their email platform. Recipients who use Outlook or Microsoft accounts can read the message natively; others receive a notification directing them to a secure web portal to read the message after verifying their identity.

OME can be configured to encrypt messages automatically based on content rules (e.g., any email containing a National Insurance number is encrypted automatically) and is included in Microsoft 365 Business Premium and higher plans.
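The content rule in that example rests on reliably recognising a National Insurance number in outbound mail. The script below is an added example (not Microsoft's DLP engine and not code from the article) showing the classifier logic such a rule needs, applied to constructed sample messages: it matches the NI number format, discards prefixes that are not allocated, and returns an encrypt-or-send decision without writing the matched values themselves into logs. The format rules are an assumption based on the published HMRC specification (two prefix letters excluding D, F, I, Q, U and V, no O as the second letter, six digits, suffix A to D) and should be checked against current guidance before use.

```python
import re
from typing import Dict, List

# UK National Insurance number format (assumption: HMRC published rules):
# two prefix letters, six digits and a suffix A-D, optionally space-separated.
# D, F, I, Q, U and V are not used in either prefix position, O is not used
# as the second prefix letter, and the pairs below are not allocated.
NINO_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z])([A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b",
    re.IGNORECASE,
)
UNALLOCATED_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def find_ninos(text: str) -> List[str]:
    """Return normalised NI numbers (upper case, no spaces) found in text."""
    found = []
    for m in NINO_RE.finditer(text):
        candidate = "".join(m.groups()).upper()
        if candidate[:2] not in UNALLOCATED_PREFIXES:
            found.append(candidate)
    return found


def encryption_decision(subject: str, body: str) -> Dict[str, str]:
    """Apply the rule 'any email containing a National Insurance number is encrypted'."""
    hits = find_ninos(subject) + find_ninos(body)
    if hits:
        # Report the count only: the matched values are personal data and
        # must not end up in mail-flow logs or tickets.
        return {"action": "encrypt", "reason": f"{len(hits)} NI number(s) detected"}
    return {"action": "send", "reason": "no sensitive content matched"}


# Constructed sample outbound messages.
SAMPLE_MESSAGES = [
    {"subject": "P60 for new starter",
     "body": "Please find attached the P60. NI number AB 12 34 56 C."},
    {"subject": "Order ZZ123456A confirmed",
     "body": "Your order has shipped."},
    {"subject": "Lunch",
     "body": "Meeting moved to 10am tomorrow."},
]


def apply_rule(messages: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the decision for each message alongside its subject."""
    return [dict(subject=m["subject"], **encryption_decision(m["subject"], m["body"]))
            for m in messages]


if __name__ == "__main__":
    for result in apply_rule(SAMPLE_MESSAGES):
        print(f"{result['subject']!r}: {result['action']} ({result['reason']})")
```

The second sample is the case a naive pattern gets wrong: `ZZ123456A` has the right shape but `ZZ` is not an allocated prefix, so treating it as a NI number would encrypt an ordinary order confirmation. Whatever platform enforces the rule, it is worth feeding it exactly this kind of near-miss during the recipient compatibility testing described later on this page, so that false positives are found before users are.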

PGP (Pretty Good Privacy)

PGP uses a web-of-trust model for key exchange rather than Certificate Authorities. It is widely used in technical and security communities but is less common in mainstream business email due to the complexity of key management. PGP is more appropriate for specific use cases (secure communications with security researchers, journalists, etc.) than for general business encryption.

Which Approach Is Right for Your Business?

The right approach depends on your recipients and use case:

  • Enforced TLS: Appropriate for businesses with known regular correspondent organisations that also use TLS. Provides transport security without recipient-side complexity.
  • Microsoft 365 OME: The most practical option for most UK businesses on Microsoft 365. Easy to configure, works with any recipient and can be automated via data loss prevention (DLP) policies.
  • S/MIME: Appropriate when end-to-end encryption is required and both parties are willing to manage certificates — common in legal, financial and healthcare contexts.
  • Secure messaging portals: Platforms like Egress or Proofpoint Encryption provide a managed secure messaging service with portal-based access for recipients, suitable for businesses that send high volumes of sensitive communications.

Email Encryption and UK GDPR

Article 32 of the UK GDPR requires organisations to implement appropriate technical measures to protect personal data. The ICO's guidance specifically cites encryption as an appropriate measure for protecting data in transit and at rest.

Critically, if a personal data breach involves only properly encrypted email (where the encryption key has not been compromised), the ICO may determine that the breach does not require notification to affected individuals — because the data remains protected. This is a material compliance benefit of implementing email encryption for personal data communications.

Implementation Considerations

Before deploying email encryption, consider the following practical points:

  • User training: Users must understand when to use encryption and how to handle encrypted messages they receive.
  • Key/certificate management: S/MIME certificates expire and must be renewed. Establish a process for managing this.
  • Recipient compatibility: Test your encryption approach with your most common external correspondents before rolling out broadly.
  • Archiving: Encrypted emails may complicate legal hold and archiving requirements. Ensure your archiving solution can handle the approach you choose.
  • DLP policy alignment: Configure email encryption rules to align with your data classification and DLP policies — encryption should happen automatically for sensitive content, not rely on users remembering to apply it.

Are Your Business Emails Properly Encrypted?

Many businesses assume their email is encrypted because they use Microsoft 365 or Gmail. Transport encryption and end-to-end encryption are different things. AMVIA can assess your current email security posture.

Frequently Asked Questions