Email Encryption

You can encrypt emails.

Restriction: This option is only available with an Email Advanced license.

Sophos Email uses push-based email encryption with AES-256.

To turn encryption on or off, go to Settings > Encryption settings.

Note: Make sure TLS (Transport Layer Security) v1.2 is enabled on your email gateway before you turn on encryption here. Otherwise the connection with Sophos will break and you will not be able to send or receive email. The required ciphers are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'. For more information, see FIPS mode and TLS.
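One way to confirm the TLS 1.2 prerequisite from the note above before turning encryption on, as an added example (not Sophos code). It attempts a STARTTLS handshake restricted to TLS 1.2 against your gateway and reports the negotiated cipher so you can compare it with the required cipher list; the hostname and port 25 are assumptions, and the function names are hypothetical.

```python
import smtplib
import ssl


def tls12_only_context():
    """Client context that can negotiate TLS 1.2 and nothing else."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verdict(starttls_offered, negotiated_version):
    """Turn the probe observations into a go/no-go statement."""
    if not starttls_offered:
        return "FAIL: gateway does not advertise STARTTLS"
    if negotiated_version != "TLSv1.2":
        return "FAIL: TLS 1.2 handshake did not complete"
    return "OK: gateway negotiates TLS 1.2"


def probe_gateway(host, port=25, timeout=10):
    """Attempt a TLS 1.2-only STARTTLS handshake with an SMTP gateway.

    Returns (verdict string, negotiated cipher name or None).
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return verdict(False, None), None
            smtp.starttls(context=tls12_only_context())
            name, _protocol, _bits = smtp.sock.cipher()
            return verdict(True, smtp.sock.version()), name
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached certificate validation; the protocol is not the issue.
        return f"CHECK CERTIFICATE: {exc.verify_message}", None
    except ssl.SSLError as exc:
        return verdict(True, None) + f" ({exc.reason})", None
    except (OSError, smtplib.SMTPException) as exc:
        return f"ERROR: could not complete SMTP session: {exc}", None


if __name__ == "__main__":
    # mail-gateway.example.com is a placeholder; use your own gateway's hostname.
    result, cipher = probe_gateway("mail-gateway.example.com")
    print(result, "| negotiated cipher:", cipher)
```

Run it from a host that is allowed to connect to the gateway's SMTP port. A certificate warning means the handshake got as far as validation, so check the gateway certificate separately.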

If you turn encryption off, Data Loss Prevention can't apply rules that require encryption of outbound messages.

General settings

  • Microsoft Office documents, ZIP files and PDF files are encrypted natively.
  • Multiple attachments may be generated from files that have been encrypted natively.
  • All other files, for example plain text and HTML, are encrypted as PDFs. Email content is encrypted as a PDF.
  • You need to install Adobe Reader to view encrypted emails and attachments that have been encrypted as PDFs.
  • You can view and reply to messages on mobile devices.
  • You can select the following encryption options:
    • Send via TLS if available

      TLS prevents eavesdropping and tampering with the message in transit.

      Note: If TLS is not available, the entire message will be encrypted as a PDF.
    • Encrypt entire message

      The email and attachments are encrypted with a password.

      The first time an encrypted email is sent to you, an email is sent from Sophos asking you to click on a link to set a Sophos Secure Message password. You need to do this within 30 days, otherwise the email expires. When you click on the link, you are directed to Sophos Secure Message where you can set your password.
      Note: The password can only be used for emails within the region that the original email came from. If you receive an email from another region, you need to set another password.

      After setting the password, you receive an email from Sophos including the encrypted email and any encrypted attachments. To access them, open them and type in the password you created.

      You can reply to encrypted emails securely by clicking Reply on the encrypted PDF.

    • Encrypt attachments only

      The steps are the same as above, but only attachments are encrypted.

    • You can also change the language used for notification and registration messages. Select a language from the list.
  • End-user options
    • Allow your users to send encrypted messages with a subject line tag.

      Enter your preferred subject line tag. The tag is not case sensitive.

    • Outlook Add-in (for Office 365 users only)

      You can allow users to encrypt emails using the Outlook Add-in by downloading and installing the Outlook Add-in relevant for the user's Outlook client. An Outlook Add-in is available for the Windows client and another Outlook Add-in is available for both Web and Mac clients.

      Note: The Outlook Add-in used for Mac clients only works if you have turned on the "Allow your users to send encrypted messages with a subject line tag" option. When the subject line tag is changed, the Outlook Add-in must be downloaded and re-installed on Mac clients.

      To download an Outlook Add-in, click Download Windows Outlook Add-in or Download Web/Mac Outlook Add-in.

      For installation instructions, see Installing the Sophos Outlook Add-in for Encryption.

      When you compose an email, to encrypt it with the Outlook Client, click Encrypt. You can deselect Encrypt if you change your mind and do not want to encrypt the email.

      In the Web Client and the Windows Client, clicking Encrypt will flag the email for encryption (add a header to the email).

      In the Mac client, clicking Encrypt will tag the message subject for encryption.

Addresses and domains

Add recipient addresses and domains for which you want to encrypt messages. Text is not case sensitive and wildcards are not supported.