If your company deals with any sensitive data and your emails between you and your customers or suppliers are likely to contain such information, it might be a good idea to enforce email encryption between you and them.

By default, email is sent using SMTP that can be in plain text, meaning someone could intercept and read the contents. Not good if that email contains sensitive data like PII, financial or medical records. GDPR mandates that this kind of information is stored, processed and transmitted securely.

If you use Microsoft Office 365 then Exchange Online allows you to enforce email encryption between you and partner organisations. The steps below will show you how to set this up. If you use an On-premises Exchange Server the process is very similar.

Before you proceed we recommend contacting your partner organisation to coordinate the setup of email encryption, because if it is not configured correctly in both your and your partner’s email system it will likely block email flow and could cause disruption.

Let’s get started,

Login to the Office 365 Exchange admin center (microsoft.com)

Go to Mail Flow, then Connectors.

Next, we will add a connector that will enforce encryption when sending email to a partner organisations email domain.

Click Add a Connector.

Now select Connection from Office 365 and Connection to Partner Organisation.

Click Next.

Now add a name for the connector and if you like a description.

Click Next.

Next, select Only when email is sent to these domains and add the email domain of your partner to who you wish to enforce encrypted email. You can add multiple domains here.

Click Next.

On the Routing page, leave the default settings – Use MX records associated with the partner’s domain, unless your partner has instructed you to use a specific smart host or a mail relay server.

Click Next.

Here comes the encryption bit. To enforce Encryption check the Always use TLS to secure the connection. The recommended option is to check the Issued by a Trusted CA and add the partner’s certificate SAN names if you know them. If you aren’t sure what kind of certificate your partner uses you can select Any digital certificate.

Click Next.

Next, you must validate the connection before you can continue. Enter a valid email address of your partner’s domain and click Validate.

This tests the connection will work by sending a test message.

If this is successful you can click next to review the connection setting and create the connector.


You have now set up outbound enforced email encryption to your partner’s organisation.

Now we will set up Enforced Inbound email. So that’s from your partner, to you.

Click Add a connector from the Connectors page in the Exchange admin center (microsoft.com)

Select Connection from Partner Organisation.

Click next.

Give the connection a name and description and click Next.

On the Authenticating sent email page, select By verifying that the sender domain matches one of the following domains.

You can add more than one if you like.

Click Next.

On the Security restrictions page select Reject email messages if they aren’t sent over TLS. This will enforce the encryption.

You can additionally add the Subject Name of the Partners certificate if you know it.

Click Next.

On the final page review the connector’s settings and click Create Connector. You have now enforced encrypted email both inbound and outbound between you and your partner’s organisation 👍

We would now strongly recommend you and your partner send some test emails to make sure that mail flow is working as expected. If there is a problem you will receive an NDR saying your email was rejected and you will need to check the connector settings and investigate what is failing.