Schools ICT have made changes to how Encrypt-Only behaves for Office attachments. By default, when a user sends an e-mail and attachments from Office 365 using Encrypt-Only, the Office attachments are also protected with Encrypt-Only permissions and that encryption persists throughout the lifecycle of the content. For example, if Anne receives an Office 365 encrypted e-mail with a Word document attached, then downloads and saves the document in a shared documents area so that Ben can also access it, Ben will not be able to open the document as it will still have permissions applied that restrict access to Anne only.

To provide greater flexibility and choice in regard to the security of Office attachments, Schools ICT have made a change to this default setting. This means that when a user sends an e-mail with an Office attachment from Office 365 using Encrypt-Only, the e-mail and the attachment will be encrypted in transit. Once downloaded and shared by the original recipient of the e-mail, the e-mail and the attachment can be opened by other people. This has the advantage that you can send an e-mail and Office attachment securely to, for example, a department in the County Council, but that department can then share the attached document within their team without being inconvenienced by restrictions still applied to the document.

What is Encrypt-Only 

When you encrypt an e-mail that you are sending from Office 365, the default level of encryption that is applied is Encrypt-Only. This is the level of encryption that you get when you click on the Encrypt button. The e-mail you are sending will also display a message at the top saying "Encrypt: This message is encrypted. Recipients can't remove encryption".


What if I want to Restrict Access to the Office Attachments

If you are sending an e-mail with an Office attachment and you want to ensure nobody other than the intended recipient will ever be able to open that document, even if it is saved in a shared area, then you can use the 'Do Not Forward' level of encryption. This will ensure that the access restrictions applied at the time of sending the e-mail persist throughout the lifecycle of the document.

How to Change to the "Do Not Forward" Level of Encryption


Once you have clicked on the Encrypt button to encrypt the e-mail, click on Change Permissions.

A Change Permissions dialog box will appear.

Click the drop down arrow on the selection box and select Do Not Forward.

Click OK.

The message at the top of the e-mail will change to "Do Not Forward: Recipients can't forward, print or copy content."




Once Schools ICT have made these changes, clicking the Encrypt button when sending an e-mail will:
Encrypt the e-mail and attachments during transit, but allow other people to access any Office attachments once they have been downloaded and shared with them by the original recipient of the e-mail.

Do Not Forward

If sending an e-mail with Encrypt-Only does not provide the level of protection you need for the attached Office document, then change the encryption level to Do Not Forward before sending. This will prevent anybody other than the intended recipient from being able to open the attachment, even if it is saved into a shared area.