Understand Opportunistic TLS and Email Encryption: A Deep Dive into S/MIME, Purview Message Encryption, and Secure Email.

Introduction

In Part 1 of this series, I wrote about how SMTP DANE and DNSSEC work together to secure email communications in Exchange Online, ensuring authenticity and encryption between servers. In this article, I will dive deeper into two essential components of email security: Opportunistic TLS and email encryption. I will take a closer look at two common encryption solutions, S/MIME and Microsoft Purview Message Encryption, to highlight their key differences and use cases.

Email encryption is more important than ever as businesses face increasing cyber threats and the need to protect sensitive information. By the end of this article, you’ll have a better understanding of how these technologies can help secure your organization’s communications.

Questions raised

After my first blog post, i received some questions, and it became clear to me, that there are a couple of common misunderstandings on this subject – also alot of fear or doubt to what will happen when its enabled, and what about legacy sender etc etc – this is where the term “opportunistic” comes in.

Opportunistic TLS Explained

What is Opportunistic TLS?

Opportunistic TLS is a method used by email servers to attempt to establish a secure connection over TLS (Transport Layer Security) without prior arrangement between the sender and recipient servers. If both servers support TLS, the email is encrypted in transit, providing a basic layer of security. However, if the recipient server does not support TLS, the email is sent in plain text without any encryption.

This “best effort” approach ensures that encryption is used when available, but it doesn’t force encryption if the receiving server isn’t configured for it.

How It Works

To better understand how Opportunistic TLS functions, take a good look at the below flowchart. The process begins with an email being sent from a server. The email server queries DNS records, including MX, A, and AAAA records, to identify where the email should be sent. If the domain does not have DNSSEC enabled or a TLSA record present, the server defaults to using Opportunistic TLS, assuming TLS is supported by the receiving server.

As the flowchart shows, Opportunistic TLS is the fallback mechanism used when more robust methods like DNSSEC and DANE validation are not available. This allows email to flow securely when possible but ensures that it is still delivered even when the ideal security conditions aren’t met.

Opportunistic TLS Security Trade-offs

While Opportunistic TLS provides some level of encryption, it doesn’t offer any guarantees regarding the authenticity of the receiving server. This leaves the system vulnerable to downgrade attacks, where a malicious actor could interfere with the negotiation process and force the email to be sent in plain text, thus exposing sensitive information. For this reason, Opportunistic TLS is considered less secure compared to enforced TLS or DANE, which provide stronger validation mechanisms.

So really high focus on useability and making sure email flows, in this case where we talk about Transport layer security – its the classic tradeoff between security and useability…. more on that later 🙂

END to END encryption

Well enough about being opportunistic, the word also has that certain ring to it 🙂

S/MIME Certificate-Based Encryption

What is S/MIME?

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an industry-standard protocol that allows email senders to sign and encrypt emails using digital certificates. S/MIME ensures both the authenticity of the sender and the confidentiality of the message content.

How S/MIME Works

S/MIME relies on public-key cryptography to encrypt and decrypt emails. The sender uses the recipient’s public key to encrypt the email, ensuring that only the recipient’s private key can decrypt and read it. This process guarantees that the email cannot be intercepted and read by anyone other than the intended recipient.

Benefits of S/MIME

• Authentication: Digital signatures ensure that the email was sent by the authenticated sender and has not been altered.
• Integrity: Recipients can verify that the email content has not been tampered with.
• Confidentiality: The email content is fully encrypted, ensuring that only the intended recipient can access it.

Common S/MIME Use Cases

S/MIME is commonly used in environments where email authenticity and confidentiality are critical, such as in government, legal, and financial sectors. Organizations that require strict verification of sender identity and protection of sensitive data often rely on S/MIME for secure communications.

Microsoft Purview Message Encryption

What is Microsoft Purview Message Encryption?

Microsoft Purview Message Encryption is a cloud-based service built on Azure Rights Management (Azure RMS), part of Azure Information Protection. This service ensures that your emails remain protected, even when sent to recipients outside your organization. It supports sending encrypted emails to users on various platforms, including Outlook.com, Gmail, Yahoo, and more. The recipient doesn’t need a specific email service or subscription to view and reply to encrypted messages, making the experience seamless across platforms.

How Microsoft Purview Message Encryption Works

When a message matches an encryption rule defined in Exchange Online, Microsoft Purview Message Encryption automatically encrypts the email before it’s sent. For recipients using Outlook within Microsoft 365, they can view encrypted messages without any extra steps. External recipients (using Gmail or Yahoo, for example) receive a “wrapper email” with instructions to authenticate and access the message via a secure web portal. This ensures encryption across devices and platforms.

Microsoft Purview also offers an “Encrypt-only” option, allowing users to send encrypted emails without rights restrictions. This can be particularly useful when confidentiality is needed, but recipients still need flexibility in handling the message.

Advanced Message Encryption

For more control over how recipients interact with encrypted emails, Microsoft Purview Advanced Message Encryption allows administrators to create custom templates and expiration policies. With this feature, you can:

• Set expiration dates on encrypted emails.
• Revoke access to messages after they’ve been sent, ensuring sensitive information isn’t accessible indefinitely.
• Automatically detect and apply encryption based on predefined rules for sensitive data types, such as financial or health information.

Advanced Message Encryption provides granular control, especially useful in industries with strict compliance requirements, like healthcare and finance.

Key Features of Microsoft Purview Message Encryption

• Universal access: Recipients don’t need a subscription to view encrypted emails.
• Custom rules: Admins can configure mail flow rules to enforce encryption based on keywords, sensitive information, or recipients.
• Cross-platform compatibility: Works across various email platforms and devices, ensuring consistent encryption without restricting external communication.
• Advanced policies: Admins can revoke access or expire email access based on the sensitivity of the information.

Use Cases for Microsoft Purview Message Encryption

External Communication: Perfect for secure communication with clients, partners, and contractors outside the organization, ensuring sensitive data remains encrypted and secure.

Data Protection: Ideal for organizations needing compliance with regulations like GDPR or HIPAA, where data protection is paramount.

S/MIME vs. Microsoft Purview Message Encryption: Key Differences

Authentication vs. Ease of Use

S/MIME (Secure/Multipurpose Internet Mail Extensions) provides robust email authentication and encryption through certificates. It ensures that the email is encrypted end-to-end and verifies the identity of the sender. S/MIME is best suited for environments where verifying the identity of the sender and protecting message integrity is critical. However, it requires the management of digital certificates for each user, which can be complex, especially for organizations without a strong Public Key Infrastructure (PKI) in place.

On the other hand, Microsoft Purview Message Encryption focuses more on ease of use, especially for external recipients. Unlike S/MIME, Purview Message Encryption doesn’t require users to manage individual certificates. Instead, it relies on policies and templates defined at the organizational level, ensuring that emails are encrypted and easily accessible by recipients on a variety of platforms (Outlook, Gmail, Yahoo). This makes it ideal for external communication, as it doesn’t require recipients to have any prior setup to view encrypted emails​(

Microsoft Learn

Microsoft Learn

Internal vs. External Communication

S/MIME is most effective for internal communications, especially in environments that require strict authentication and encryption at the user level. Each email is individually signed and encrypted, ensuring that only the intended recipient can decrypt it, and that the email has not been altered in transit.

Microsoft Purview Message Encryption is designed to facilitate secure external communication, making it ideal for situations where you need to share sensitive information with third parties. It allows users to send encrypted emails without needing to manage individual certificates. Recipients, whether inside or outside your organization, can easily access encrypted emails via a web portal or directly in Outlook if they are Microsoft 365 users​(Microsoft Learn)​(Microsoft Learn).

Key Management

S/MIME relies on public-key cryptography, requiring both the sender and the recipient to have and manage their own certificates. This adds complexity in terms of certificate issuance, renewal, and revocation, making it better suited for highly regulated environments with strong IT support.

Microsoft Purview Message Encryption uses Azure Rights Management Services (RMS) for key management, with the option for administrators to define encryption policies centrally. Organizations don’t need to manage individual user certificates; instead, encryption is enforced based on rules set in the Exchange admin center. Advanced features like message revocation and expiration, which are part of Advanced Message Encryption, further enhance control, allowing administrators to revoke access to sensitive emails or set expiration dates​(Microsoft Learn)​(Microsoft Learn).

Compliance and Regulatory Requirements

For organizations dealing with strict regulatory requirements, such as those in healthcare or finance, S/MIME might be the preferred choice due to its strong authentication and encryption capabilities at the user level. However, Microsoft Purview Message Encryption, with its advanced features like automatic policy enforcement, message expiration, and the ability to revoke email access, offers a more flexible and scalable solution, especially for organizations that need to ensure compliance with data protection regulations like GDPR, HIPAA, or CCPA.

Series Navigation