Is My Office 365 E-mail Secure? Part 2: The Cloud

In Part 1 we looked at Office 365's security and talked about the connection between Outlook and Office 365 and also between the browser and Outlook Web Access. Both are secure. Outlook uses Outlook Anywhere (an RPC session encapsulated within an SSL HTTPS connection) and Outlook Web Access uses a secure SSL HTTPS session.

Today let's look at what happens to your e-mail when it leaves Office 365. Does it remain encrypted? I'm back now with some answers.

Let's start with a diagram:




The scenarios where you have mail transfer with Office 365 are:

  • Mailbox traffic & Outlook Web Access - covered in Is My Office 365 E-mail Secure? - Part 1: Outlook
  • SMTP relay from on-premises applications and devices that don't directly support TLS (more on this in a minute)
  • SMTP relay using TLS
  • Mail delivery to servers that do not support TLS
  • Mail delivery to servers using TLS


Before I dig into those four new scenarios, let's talk about TLS.  TLS stands for Transport Layer Security.  If you're familiar with SSL (Secure Sockets Layer), TLS is similar.  TLS encrypts "the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity." (Credit: http://en.wikipedia.org/wiki/Transport_Layer_Security)

Mail Delivery

SMTP (Simple Mail Transfer Protocol) is used to transfer e-mail between mail servers on the internet.  SMTP transfers e-mail unencrypted, in plain text.  To enable secure communications, additional measures must be taken.  TLS provides that functionality.

TLS can be enabled on Microsoft Exchange systems and is enabled by default on Office 365.  TLS has two settings: opportunistic and forced.  Opportunistic TLS checks whether the partner in each e-mail conversation also supports TLS, and if it does, the conversation is encrypted.  If TLS is not supported, the conversation falls back to standard unencrypted communication.  Opportunistic TLS functions "out of the box" for Office 365 and requires no configuration.

If you wish to force encryption between your organization and another, you'll want to look into forced TLS.  This changes the behavior of Office 365: it checks each e-mail communication for TLS support and then denies connections to any system that does not support TLS.  The communication partner can be configured for opportunistic or forced TLS; it doesn't matter which.  This video will introduce you to forced TLS.  In Office 365, TLS is configured within Forefront Online Protection for Exchange (or FOPE).  It is not necessary to use FOPE for normal Office 365 operation, but it gives you (in E1 and higher plans) the ability to perform more advanced configurations.
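To make the opportunistic and forced behaviors concrete, here is an added example (my own code, not Office 365 or FOPE code) that walks the SMTP greeting and EHLO exchange, looks for the STARTTLS capability, and applies either policy; the host names and canned server transcripts are constructed for illustration, and probe() runs the same logic against a live server and reports the negotiated TLS version and cipher.

```python
import io, socket, ssl

def read_reply(rfile):
    """Read one SMTP reply (possibly multi-line): returns (code, [text lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":  # "250-X" continues, "250 X" ends
            return int(line[:3]), lines

def negotiate(rfile, wfile, helo_name, policy="opportunistic"):
    """Greeting + EHLO, then apply the policy: "tls" if the peer advertises
    STARTTLS; otherwise "plaintext" (opportunistic) or "refused" (forced)."""
    code, _ = read_reply(rfile)
    if code != 220:
        raise ConnectionError(f"unexpected greeting: {code}")
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii")); wfile.flush()
    code, caps = read_reply(rfile)
    if code != 250:
        raise ConnectionError(f"EHLO rejected: {code}")
    if any(c.upper() == "STARTTLS" for c in caps[1:]):  # caps[0] is the peer name
        return "tls"
    return "refused" if policy == "forced" else "plaintext"

def negotiate_transcript(transcript, policy="opportunistic"):
    """Run negotiate() against a canned server transcript (no network needed)."""
    return negotiate(io.BytesIO(transcript), io.BytesIO(), "relay.example.com", policy)

def probe(host, port=25, policy="opportunistic", timeout=10):
    """Check a live server; returns (decision, tls_version, cipher_name)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
        decision = negotiate(rfile, wfile, "probe.example.invalid", policy)
        if decision != "tls":
            return decision, None, None
        wfile.write(b"STARTTLS\r\n"); wfile.flush()
        code, _ = read_reply(rfile)
        if code != 220:
            raise ConnectionError(f"STARTTLS refused: {code}")
        tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        return decision, tls.version(), tls.cipher()[0]

# Constructed transcripts: a peer that offers STARTTLS, and a legacy peer that does not.
TLS_PEER = b"220 mx.example.com ESMTP\r\n250-mx.example.com\r\n250-STARTTLS\r\n250 OK\r\n"
LEGACY_PEER = b"220 old.example.com ESMTP\r\n250-old.example.com\r\n250 SIZE 10240000\r\n"
```

Running negotiate_transcript(LEGACY_PEER, "forced") returns "refused", which is the forced-TLS outcome the post describes: the message is not delivered in clear text.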

SMTP Relay

So, back to the diagram above.  In this scenario, an SMTP relay server is used to facilitate the sending of e-mail for on-premises applications and devices.  Exchange servers are often used to relay e-mail to the internet, and when they are removed a new IIS (Internet Information Server) server can be used to replace that functionality.  This is necessary because Office 365 does not allow anonymous, unencrypted e-mail relay.  Many devices and applications do not support secure connections using TLS directly, so it is necessary to stand up a replacement relay server that can proxy that secure connection for them.

In the diagram, internal applications and devices deliver their e-mail to the relay server over a standard anonymous SMTP connection.  The relay server is configured with a certificate and then creates a TLS connection to Office 365 to deliver the e-mail.  It is possible for an SMTP relay server to deliver e-mail directly to the destination server, but this bypasses the e-mail hygiene features of Office 365, among other things.  Make sure to check Office 365's restrictions before relaying through the service to confirm that you can do so.  In some cases, you may not wish for your e-mail to be limited and won't care whether it is secure or not.

For more on how to set up an on-premises SMTP relay server see http://support.microsoft.com/kb/2600912.


So, we've discovered that:

  • E-mail between Office 365 and other mail systems is secure by default (using TLS when supported by the partner mail system) and can be forced to be secure when necessary.
  • SMTP relay communications can also be made secure, by relaying through a server that connects to Office 365 using TLS.
  • Communications between Outlook / web browsers and Office 365 are encrypted with SSL.