Instructions for Sending Encrypted Email

Overview

  • Messages between Tufts (@tufts.edu) email accounts are encrypted by default, making them more secure than regular email (e.g. Gmail) and allowing students, faculty, and staff to safely share private information with each other when appropriate.
  • When more security is desired or when emailing non-Tufts email addresses (e.g. Gmail) about sensitive topics, additional encryption options are available.
    • The "Encrypt" feature in Office 365
      • Includes several different options.
        • With certain options, the recipient’s email address (Tufts versus non-Tufts address) will determine whether or not a message can be decrypted, opened and read.
        • Other options may restrict a recipient’s ability to modify, forward, or even print a message.
      • Note that available options will vary depending on the version of Outlook you are using (e.g. the Outlook web application (Office 365) versus the Outlook desktop client for Mac versus PC).
    • The "[secure]" subject line feature
      • Allows you to encrypt an email by putting the word “secure” in square brackets anywhere in the subject line. Any capitalization will work. The subject line can contain other text as well. For example, “[secure] Requested data” or “Requested Data [secure]”.
      • Will encrypt the email message, regardless of the Outlook version being used.
  • It is recommended that you let your recipients know ahead of time about this encrypted email so they don’t think it’s a phishing scam. Also, there is a brief delay between when the recipient receives the initial email and when the link to decrypt it is functional. If they click on the "Read the message" link and it doesn’t work, ask them to try again in a few minutes.
  • Authorized recipients of encrypted messages will receive an email with a link to securely view the message and potentially respond. An example of an encrypted message sent to a Gmail address is shown below. After clicking "Read the message", the recipient will be asked to authenticate their identity by signing in to their email account again or by using a one-time passcode that is sent to their email address.Options to verify identity in order to read a secure email
  • Depending on the type of address the email is sent to, the recipient may be asked to download an app like Azure Information Protection to read it.
  • It is always a good idea to limit the use of email for any sensitive information, and if email is used, to be sure to securely delete the email as soon as possible. See the page on Securely Deleting Email.
  • If you plan to collect sensitive information from non-Tufts people via email, please see the Instructions for Encrypted Data Collection via Email.

Messages sent from an @tufts.edu address can be encrypted in several ways. The options each user sees will depend on the version of Outlook being used.  To have access to all available encryption choices:

  • Use the web version of Outlook by logging in to: https://outlook.office365.com
  • Look into having Office 365 installed locally by contacting the TTS Service Desk at it@tufts.edu or 617-627-3376.  The Service Desk will be able to assist with determining whether the device in question will support an upgrade to Office 365 and will also be able to assist with the install.  (Note that Microsoft regularly applies automatic updates to Office 365.)

When choosing a method for encrypting your message, consider the type of permissions you want the recipient(s) to have with the message. No matter which option is chosen, the message will be encrypted, and the recipient(s) will not be able to remove/modify the encryption settings.

Method Encryption Option Explanation
"[secure]" subject line feature Encrypt-Only
  • Message can be read by any type of email account (e.g. Tufts.edu, Gmail, Comcast, etc.)
  • Recipients can forward, print, or copy content.
Office 365 Encrypt feature (both web and desktop versions) Encrypt-Only
  • Message can be read by any type of email account (e.g. Tufts.edu, Gmail, Comcast, etc.)
  • Recipients can forward, print, or copy content.
Do Not Forward
  • Message can be read by any type of email account (e.g. Tufts.edu, Gmail, Comcast, etc.)
  • Recipients CANNOT forward, print, or copy content.
Tufts - Confidential
  • Message can only be read when opened from an @tufts.edu account.
  • For proprietary information intended for Tufts-internal users only.
  • The content can be modified, replied-to, or forwarded, but CANNOT be copied or printed.
Tufts - Confidential View Only
  • Message can only be read when opened from an @tufts.edu account.
  • For proprietary information intended for Tufts-internal users only.
  • The content CANNOT be modified, copied, or printed. The recipient also CANNOT reply to or forward the message.

A Note About the "Tufts" Encryption Options

If you send an email to a non-Tufts address (e.g. Gmail) using either the "Tufts - Confidential" or "Tufts - Confidential View Only" encryption setting, the recipient will receive an email that notifies them of the encrypted message, but they will not be able to read it.

access to message denied for non-Tufts email address

 

If you are using the Outlook desktop application for Windows, you may need to allow your Outlook client to access Tufts’ email security templates before you can use the Encrypt feature. (Note: Even if you never do this, you can still encrypt your emails using the “[secure]” subject line feature.)

  1. Open the Outlook desktop application.
  2. Start a new email message
  3. Click the Options tab to open it.
  4. Click the Encrypt/Permissions dropdown arrow and, if a message appears asking you to Connect to Rights Management Servers and get templates, click on the message and wait a few moments.connecting to Rights Management Servers
  5. Tufts' encrypted email templates will now be available the next time you need to send an encrypted email.Encryption options that appear after connecting to Rights Management Servers
  1. Open your Tufts email.
  2. Start a new email message.
  3. Depending on the version of Outlook you are using, the method for accessing encryption options will vary.
    • Outlook desktop client for Mac OS: Click Draft in the top menu, select Encrypt, then select the desired encryption setting.Outlook desktop interface on Mac OS
    • Outlook desktop application for Windows: Click the Options tab, then click the Encrypt dropdown arrow and select the desired encryption setting.Outlook desktop interface on Windows
    • Outlook web application (Office 365): Click the Encryption button. The default encryption setting on the message will be “Encrypt-Only”. To change this, click the “Change permissions” link and select one of the other available options from the pull-down menu that will appear.Office 365 Encrypt Feature
  4. In the body of the email, type your message. You may also include attachments if you wish.
  5. In the body of the email, include the following instructions for the recipient. You can copy and paste these directions directly into your email.
     
    - Start of Instructions for Recipient -

    If you wish to reply, please reply using encrypted email. If you are using an @tufts.edu account, simply reply like you normally would. If you are using something other than an @tufts.edu account, you need to follow the directions below, rather than simply sending an email directly from your account.

    Follow these steps when this email is open:

    • Click Reply all toward the top right of the window.Reply All button
    • If you do not wish to receive a copy of your reply, remove yourself from the Cc field.Adjusting the Cc field to remove yourself as a copied recipient
    • Type your message in the body of the email window.
    • To add an attachment, click on Attach and select the file.Attach
    • Click Send.Send button
    • It's recommended that you delete all emails you received and the email you sent as soon as possible. Be sure to empty your trash.
    • Be sure to store any documents with sensitive information securely.
    - End of Instructions for Recipient -
  6. Click Send.

Note: Following these instructions will encrypt your email message, regardless of your Outlook version.

  1. Open your Tufts email.
  2. Start a new email message.
  3. In the subject line, include the word “secure” in square brackets. Any capitalization will work. The subject line may contain other text as well.
    • e.g. [secure] Request for Information
    • e.g. Encrypted message [secure]Draft email with secure in square brackets in subject line
  4. In the body of the email, type your message. You may also include attachments if you wish.
  5. In the body of the email, include the following instructions for the recipient. You can copy and paste these directions directly into your email.
     
    - Start of Instructions for Recipient -

    If you wish to reply, please reply using encrypted email. If you are using an @tufts.edu account, simply reply like you normally would. If you are using something other than an @tufts.edu account, you need to follow the directions below, rather than simply sending an email directly from your account.

    Follow these steps when this email is open:

    • Click Reply all toward the top right of the window.Reply All button
    • If you do not wish to receive a copy of your reply, remove yourself from the Cc field.Adjusting the Cc field to remove yourself as a copied recipient
    • Type your message in the body of the email window.
    • To add an attachment, click on Attach and select the file.Attach
    • Click Send.Send button
    • It's recommended that you delete all emails you received and the email you sent as soon as possible. Be sure to empty your trash.
    • Be sure to store any documents with sensitive information securely.
    - End of Instructions for Recipient -
  6. Click Send.

Note: If the recipient sees red or blue X icons in their browser, their email client is blocking images. These images are just the Tufts logo and the encrypted email symbol. They can display or ignore the images without affecting their ability to read the message.

Question: My secure email recipient says that they haven’t received my message. What happened?

Answer: Ask them to check their Junk folder.

Question: Can the recipient forward the message?

Answer: Yes, unless the “Do Not Forward”  or "Tufts - Confidential View Only" encryption option is selected. If a non-Tufts recipient elects to forward the message to another recipient, it can be read. When one of the “Tufts” encryption options is used, the messages remain unreadable by recipients with with non-Tufts email addresses.

Question: How long does an encrypted email remain available?

Answer: Currently, it will remain available indefinitely, but Tufts reserves the right to implement an expiration setting at some time in the future.

Question: Can an encrypted message be read on a smartphone?

Answer: Probably. Most smartphones can follow the link to the encrypted message. Most smartphones have trouble downloading the message as an attachment, though. The recipient will probably have to download the attachment on a computer.

Question: Who can I contact for help with email encryption?

AnswerIf you have questions about how to encrypt messages or if you encounter a problem when decrypting a message, please contact the TTS Service Desk at it@tufts.edu or 617-627-3376.

If you have questions about which encryption settings to use under particular circumstances, please contact Information_Security@tufts.edu.