I’ve had a number of questions come up lately about the security of sending e-mails in Office 365. People want to know:
- Is my e-mail traffic is encrypted when I send it to or receive it from Office 365?
- Are e-mails sent from Office 365 encrypted when being transmitted to their eventual destinations.
So the answers are #1 maybe and #2 generally. To clear up that mud let’s dig in to Office 365 a little bit. In this first part I’ll address #1. Your answer to #2 follows in Is My Office 365 E-mail Secure? – Part 2: The “Cloud”.
When you set up a workstation with a full Outlook (2010 in my example, other versions are similar) client to connect to Office 365 it creates an Outlook Anywhere session between your local computer and the Office 365 service. Outlook Anywhere is a feature where normal Outlook communications are encapsulated within HTTPS traffic – meaning you don’t have to be near the server to connect to it. HTTPS, for those of you who aren’t familiar with the difference between HTTP and HTTPS, is how you connect securely to web pages on the internet.
If you look in your Outlook settings (File – Account – Account Settings) and go to the properties for your e-mail account you can see for your self.
Once you see your e-mail accounts listed choose the account listed as type=Microsoft Exchange and click the Change button.
From the Security tab you can verify that communications between Outlook and Exchange are encrypted.
Next, from the Connection tab click on the Exchange Proxy Settings button. The top line should read something like https://red001.mail.microsoftonline.com. If you see HTTPS there you are using a secure connection.
Finally, for the last bit of verification look at the drop-down box in the same window. If NTLM Authentication is selected then you are not transmitting your password in plain text to establish the HTTPS connection – you are secure.
I haven’t answered the question regarding use of the web mail version of Outlook, Outlook Web Access yet though. The simple answer is that since your browser lists “HTTPS://” in front of the web address for Outlook Web Access in the browser’s URL field you are assured that your entire session including all e-mail and other data is safe from prying eyes.
So, to summarize, your internet session to Office 365 is encrypted from the start and your username, password and e-mail data are all protected. If you installed Office 365 correctly, Outlook doesn’t even need your username and password because the Microsoft Single Sign-on (or Active Directory Federation Services for larger customers) did the hard work before you even opened it.
Check back for Part 2 … Is My Office 365 E-mail Secure? – Part 2: E-mails on the Internet.