Microsoft Purview Message Encryption vs S/MIME: Security Standards, Differences, and the Role of Automation

Securing email communications is essential for digital trust, yet selecting the appropriate encryption method can be challenging. This article examines two email encryption standards: Microsoft Purview Message Encryption and Secure/Multipurpose Internet Mail Extensions (S/MIME).

Both standards protect email content but differ in encryption architecture, key management, and user experience. Understanding these differences helps IT teams determine the best approach for safeguarding various levels of sensitive data.

Understanding Microsoft Purview Message Encryption

Microsoft Purview Message Encryption is a cloud-based service built on Azure Rights Management (Azure RMS). It integrates encryption with identity and authorization policies.

MS Purview emphasizes access control. When an email meets specific criteria, such as a user selecting “Encrypt” or a mail-flow rule activating, the service secures the message using tenant-specific Azure keys. Senders may also apply rights policies, including “Do Not Forward” or “Encrypt-Only.”

The main advantage of MS Purview is ease of use: internal users work with encrypted mail transparently in Outlook, and external recipients read messages through a secure web portal or by signing in with an identity provider such as Google or Microsoft. Because the encryption keys are held by the tenant or by Microsoft, MS Purview does not offer true end-to-end encryption: the service provider retains the technical ability to decrypt content, for example when processing a message.

A further concern for many companies is that Microsoft is based in the United States. US government agencies can demand access to encryption keys under laws such as the Patriot Act, and if authorities obtain those keys, users could lose access to their encrypted emails.

The US CLOUD Act obliges Microsoft to comply with valid US government orders for customer data even when that data is stored outside the US or the customer uses Bring Your Own Key (BYOK). Microsoft may therefore have to hand over decrypted content wherever it is technically able to, because its services still use the key even when the customer supplies it. Critics point out that BYOK guards against a compromised tenant but does not stop legal subpoenas. For stronger protection, customers should consider Hold Your Own Key (HYOK) or a non-US provider, although HYOK may limit some features.

While some organizations may see this as a benefit, it can be a problem for those wanting full control over their encryption keys. Given current geopolitical issues, this risk could seriously affect business operations.

Understanding S/MIME

S/MIME is an open standard based on Public Key Infrastructure (PKI). Unlike MS Purview’s tenant-based approach, S/MIME uses unique public and private key pairs for each user.

This standard provides two critical security properties:

  1. Strict Confidentiality: It provides end-to-end encryption. The message is encrypted with the recipient’s public key and can only be decrypted by their private key. As a result, intermediaries such as mail servers and gateways cannot access the content.
  2. Identity and Integrity: S/MIME allows users to digitally sign emails. This signature proves the sender’s identity and ensures the message has not been altered in transit, providing legal non-repudiation.

Key Differences at a Glance

Choosing between MS Purview and S/MIME depends on whether centralized control or cryptographic assurance is the priority.

  • Key Ownership: In MS Purview, the tenant or Microsoft Azure RMS manages the keys. In S/MIME, the user or organization controls the private keys, which are stored on devices or secure tokens.
  • Trust Model: MS Purview trust is based on Microsoft 365 identity and policy configuration. S/MIME trust depends on Certificate Authorities (CAs) and certificate chain validity.
  • External Access: MS Purview offers user-friendly access for external recipients through a web portal. S/MIME typically requires both parties to have compatible certificates, which can limit external communication.
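The two S/MIME properties listed in the previous section (end-to-end confidentiality, signed identity and integrity) and the certificate-based trust model from the Trust Model bullet, shown with the openssl CLI as an added example that is not KeyTalk's code or part of the original article. It assumes two constructed users, Alice and Bob, with throw-away self-signed certificates standing in for CA-issued ones, and an `openssl` binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not KeyTalk's code): S/MIME sign, encrypt, decrypt and verify with
# the openssl CLI. Alice and Bob are constructed users with self-signed certificates.
set -eu
WORK=$(mktemp -d)

# Create a private key and a self-signed email certificate for one user
# (assumption: a real deployment gets this certificate from a CA instead).
make_identity() {   # $1 = name, $2 = e-mail address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=$1/emailAddress=$2" -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Alice signs the message (identity + integrity), then encrypts the signed message
# for Bob (confidentiality): only the holder of Bob's private key can open it.
protect_message() {
  printf 'Subject: quarterly numbers\n\nRevenue is up 12%%.\n' > "$WORK/plain.txt"
  openssl cms -sign -in "$WORK/plain.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.p7m"
  openssl cms -encrypt -aes-256-cbc -in "$WORK/signed.p7m" \
    -out "$WORK/enc.p7m" "$WORK/bob.crt"
}

# Decrypt with the named user's key, then verify the signature with Alice's
# certificate as trust anchor. Prints the recovered text; fails if either step fails.
open_message() {   # $1 = name of the user whose certificate and key are tried
  openssl cms -decrypt -in "$WORK/enc.p7m" -recip "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$WORK/dec.p7m" 2>/dev/null || return 1
  openssl cms -verify -in "$WORK/dec.p7m" -CAfile "$WORK/alice.crt" \
    -out "$WORK/verified.txt" 2>/dev/null || return 1
  tr -d '\r' < "$WORK/verified.txt"
}

# A mail gateway holding only Alice's key is not a recipient: decryption must fail.
gateway_cannot_read() { if open_message alice >/dev/null; then return 1; fi; }

# Changing one character of the signed body must break signature verification.
tampered_fails_verify() {
  sed 's/up 12%/up 13%/' "$WORK/signed.p7m" > "$WORK/tampered.p7m"
  if openssl cms -verify -in "$WORK/tampered.p7m" -CAfile "$WORK/alice.crt" \
       -out /dev/null 2>/dev/null; then return 1; fi
}

make_identity alice alice@example.com
make_identity bob   bob@example.com
protect_message
open_message bob
gateway_cannot_read && echo "gateway without Bob's key: cannot decrypt (expected)"
tampered_fails_verify && echo "altered body: signature check fails (expected)"
```

Swapping the self-signed certificates for CA-issued ones changes only make_identity and the -CAfile argument; the sign, encrypt, decrypt and verify steps stay the same.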

Cost of usage

To use MS Purview, you need an eligible Microsoft 365 plan, such as:

  • Business Premium (around $33/user/month)
  • Microsoft 365 E3 (around $33/user/month)
  • Microsoft 365 E5 (around $56/user/month)

These plans include Azure Rights Management, which the tenant can enable. No additional software is required for user devices. Internal users access encrypted email directly in Outlook, while external recipients use a secure web portal.

For lower-tier subscriptions, such as Exchange Online Plan 1/2, Microsoft 365 Business Basic/Standard, or Office 365 F1/E1/F3, you must purchase an add-on, such as Azure Information Protection Plan 1 or the Microsoft Purview Message Encryption add-on, to enable this feature.

Organizations without MS Purview or the Azure Information Protection Plan 1 add-on cannot send encrypted emails with this feature. Users will not see the “Encrypt” option in Outlook or OWA, and mail flow rules will not apply encryption.

Internal users can still receive and view MS Purview-encrypted emails from external senders in Outlook. Decryption relies on the sender’s tenant RMS service and on the recipient authenticating.

To use S/MIME, the following is required:

  • A Public Key Infrastructure (PKI) and an individual certificate for each user, purchased from a Certificate Authority.
  • Typical certificate costs range from $15 to $65 per user annually, depending on the certificate type; additional fees apply for use of the PKI system.

Each user’s certificate must be installed in their email client, such as Outlook, or through a plugin. Users can choose when to encrypt or sign messages or set encryption as the default. Recipients must use an S/MIME-capable email client and have their own certificate to decrypt messages. No web portal is used.

Bridging the Gap with KeyTalk S/MIME Automation

Just as automation has become essential for coping with the ongoing reduction of SSL/TLS certificate validity periods, it is also critical for realizing the full security benefits of S/MIME without added administrative burden.

KeyTalk CKMS (Certificate and Key Management System) transforms S/MIME from a high-maintenance task into a scalable, automated solution. KeyTalk eliminates traditional S/MIME challenges by automating the entire certificate lifecycle, including issuance, renewal, and revocation.

  • Zero-Touch Deployment: Through agent-based installation and MDM integration (such as Intune), certificates are automatically configured on Outlook for desktop and mobile without user intervention.
  • Centralized Key Management: By securely storing private keys in a central HSM while ensuring authorized access, organizations can manage historical decryption and shared mailboxes effectively.
  • External Recipient Support: Features like secure LDAP directories simplify the exchange of public keys, facilitating encrypted communication beyond the organization’s borders.

KeyTalk CKMS addresses the technological and operational challenges often associated with S/MIME adoption, making it easy to implement and automate a comprehensive S/MIME architecture in any organization.

For organizations that require high-assurance identity and true end-to-end encryption, S/MIME remains the gold standard. By adopting automated management solutions, IT teams can implement these rigorous security standards while avoiding the operational pitfalls of manual certificate management.

Summary

This blog post looked at Microsoft Purview Message Encryption and Secure/Multipurpose Internet Mail Extensions (S/MIME) for email encryption. Both protect email content, but they use different technologies, encryption methods, authentication, and trust models. They also vary in how users experience them, how easy they are to set up, and how well they work across organizations.

MS Purview is based on Azure Rights Management (Azure RMS), making it easy to set up and use with Microsoft 365. However, it does not offer full end-to-end encryption, since Microsoft can still access the messages. In light of geopolitical developments this should be carefully reconsidered: government agencies can gain access to sensitive e-mail content, which in turn can affect business operations.

S/MIME uses public key infrastructure (PKI) to provide stronger encryption and digital signatures, but it is harder to manage, and both sender and recipient need certificates.

KeyTalk’s Certificate and Key Management System (CKMS) makes S/MIME easier to use by automating certificate management, making setup and configuration simpler, supporting external recipients, and helping improve security and compliance.

---

Do you have questions about this article or about how KeyTalk CKMS eases the management and automation of digital certificates? Our support team is available 24/7 via e-mail or our contact page to assist and guide you in implementing a fully automated PKI architecture.

The KeyTalk Team