Additional Information for Email Encryption
The encryption service is based on Office 365 Message Encryption (OME) technology. OME is flexible: it can be applied as needed to any email sent from an @olemiss.edu account. It encrypts the email body and all attachments, and it gives recipients the ability to send encrypted replies easily through a built-in portal.
External email (olemiss.edu to non-olemiss.edu) is the most common use case for email encryption. This layer of protection is particularly useful when confidential information needs to be sent to an outside email account, where the security of the receiving system is unknown. For example, it can be useful for sending messages to external email services such as Gmail and to other universities or government agencies. The email encryption service may also be appropriate if there is a need to send confidential information to UM students who use external accounts (including @go.olemiss.edu).
Internal email (olemiss.edu to olemiss.edu) is automatically encrypted in transit between users and at rest on the Office 365 servers. This assurance of security holds only as long as the data remains on the Office 365 infrastructure. However, we must consider that our email can be forwarded to an external account without our knowledge and/or accessed on improperly secured devices. The encryption service is available to provide an extra layer of protection for highly confidential internal messages.
See the questions below for additional details about our Office 365 Message Encryption (OME) services:
- How does OME secure the contents of a message?
- Office 365 Message Encryption (OME) packages the original message into a single encrypted attachment (an HTML file) and sends it to the recipients. The email recipient opens this HTML attachment using their browser (or the optional OME Viewer mobile app) to launch the OME portal. This portal provides an interface to verify their identity, and ultimately, to display the decrypted message. The recipient must verify their identity by proving that they have access to their email account (which was originally specified by the sender). If verification is successful, the original message/attachments are decrypted and shown to the recipient via the portal. The confidentiality and integrity of the original data should be upheld through this OME process.
- It should be noted that the email Subject is NOT encrypted, and the original unencrypted message is usually saved in the sender's Sent Items folder (the sender may want to delete this message manually). Additionally, it is always important to understand the potential ramifications if decrypted contents are saved elsewhere, particularly on an insecure/shared system, or are accessed by way of a compromised account.
- How do OME recipients verify their identity?
- There are two methods to verify an identity in OME: 1) through the use of a one-time passcode and 2) by signing in with a Microsoft account.
- The one-time passcode is generated on the fly and sent to the recipient’s email account. The passcode verification method is an option for all users (internal and external), and we suggest using it in most cases if there is any confusion.
- Identity can also be verified by signing in with a Microsoft account. All @olemiss.edu email accounts (excluding aliases and some special accounts) are valid Microsoft Office 365 accounts and can be used to sign in. A Microsoft account can also be an email address from another organization that uses Office 365 services (including other participating universities), an account from a Microsoft-operated email service (such as @outlook.com or @hotmail.com), or any other email address that has been previously registered with Microsoft (any personal email account can be registered).
- Do mobile devices work with OME and are there any other requirements?
- With OME, there is no dependency on device type, email client, or operating system, and no additional software needs to be installed. Recipients can use their existing email account to access encrypted messages.
- To open an encrypted message, recipients must have access to their email account and a supported internet browser, and may be required to authenticate using their Microsoft account or a one-time passcode.
- Recipients receive basic instructions on how to open the encrypted message. In certain situations, it may also be helpful to let them know ahead of time to expect an encrypted email and/or to send them a link to this page, especially if they are unfamiliar with the overall OME process.
- Why do some messages come from Office365@messaging.microsoft.com?
- When an encrypted reply is sent from the OME portal or the Outlook smartphone app, the sending email address is set to Office365@messaging.microsoft.com. This is because the encrypted message is sent through a Microsoft server, and it helps prevent encrypted messages from being marked as spam. The display name on the email and the address shown within the encryption portal are not changed by this labeling. Also, this labeling applies only to messages sent through the portal, not to messages sent from any other email client.
- How is OME different from S/MIME email encryption?
- OME is a server-based encryption technology; it has minimal technical requirements and allows messages to be opened easily on most devices. S/MIME is a client-based encryption technology; it requires certificate management and must be set up by all email recipients ahead of time. S/MIME does offer several unique and compelling benefits, and it can be used with UM Email / Office 365. However, S/MIME is not an ideal solution for the majority of our users, mainly because of the additional technical requirements.
- The IT helpdesk is NOT able to assist with S/MIME certificates, email client setup, data recovery, or provide any other S/MIME support. IT recommends using the supported encryption solution, OME, instead.
- How is OME different from RMS, IRM, and file-level encryption technologies?
- The primary difference is that OME encrypts the entire email message. Other information is provided below.
- Rights Management Services (RMS) is the Microsoft technology that allows Office 365 accounts to be used for OME verification. RMS can also be applied directly to files (instead of email). This protection is persistent and independent of where the file is stored or how it is shared. Advanced features such as file expiration are also possible. An RMS-aware application is required to manage the permissions. All Office 2013 and later programs are compatible, and free standalone Windows and macOS RMS applications are available.
- Information Rights Management (IRM) is another related Microsoft technology. It provides granular online/offline access controls, and can be applied directly to an Office document (e.g. to restrict printing/copying in Excel) or, within Outlook/365, to internal emails via predefined templates (e.g. "Do Not Forward").
- Other file-level encryption technologies, such as password-protected 7zip files and Adobe Acrobat documents, offer important benefits as well. All of these technologies can be used in conjunction with one another. For example, it is possible to apply file-level encryption to a PDF document (via Adobe Acrobat or Microsoft RMS), attach the PDF to an email, and encrypt it again at the message level using OME. This encrypts the message while keeping the file-level protection intact even if the PDF is saved elsewhere.
- What encryption method is used for OME?
- The Microsoft Azure Rights Management Services (RMS) infrastructure is used to manage encryption keys for Office 365 Message Encryption (OME) and Information Rights Management (IRM). The specific encryption algorithms used are kept in line with the latest Federal Information Processing Standards (FIPS). See the provided documentation on RMS Cryptographic Modes for more information.
- Does OME provide content/language localization?
- Incoming email and HTML content is localized based on the sender's email settings. The viewing portal is localized based on the recipient's browser settings. However, the actual content of the encrypted message is not localized.
- Is it possible to revoke an OME message from a recipient?
- No. You cannot revoke a message after it has been sent.
- What is the maximum size and number of recipients for OME email?
- There is a 25 MB size limit for email; this includes the email body and attachments. A single OME-encrypted message may be sent to multiple recipients. The recipient limit is based on the number of characters in the To field of the email. When combined (after distribution list expansion), recipient addresses in the To field should not exceed 11,980 characters. Since email addresses vary in length, there is no fixed recipient limit for a single encrypted message.
- What types of messages or data need to be encrypted?
- Additional restrictions and types of encryption may be required for particularly sensitive data. Please review the policies section of the IT Security website for details. We also recommend asking your supervisor for assistance if there are questions about the types of data that should be encrypted.