
Email Encryption for Australian Businesses

Email encryption scrambles a message so only the intended recipient can read it, protecting it both while it travels and, with the right approach, after it lands. For most Australian businesses there are two layers worth understanding: transport encryption, which is largely automatic, and message-level encryption, which you turn on for sensitive mail. The good news is that if you run Microsoft 365, most of what you need is already there.


Key facts

  • Transport encryption (TLS) protects email in transit between mail servers and is now standard for the major providers, but it does nothing once the message is sitting in a mailbox.
  • Message-level encryption protects the contents of a specific email so only the intended recipient can open it, regardless of where it ends up.
  • Microsoft 365 includes Microsoft Purview Message Encryption, which lets staff encrypt sensitive mail to any recipient, including people outside the business.
  • Encryption protects confidentiality; it does not stop spoofing or phishing, which is what SPF, DKIM, and DMARC are for.
  • Encrypting sensitive personal or financial information is a sensible control under the Privacy Act 1988, which expects reasonable steps to secure personal information.
  • Most SMEs do not need every email encrypted, just a clear rule for the mail that carries sensitive data.

What is the difference between transport and message encryption?

Transport encryption and message encryption protect email at different points, and the distinction matters. Transport Layer Security, or TLS, encrypts the connection between two mail servers so the message cannot be read while it crosses the internet. It is largely automatic now, because Gmail, Microsoft, and the other major providers all support it by default. The limitation is that TLS only protects the journey. Once the email arrives, it sits in the recipient's mailbox in readable form, and if it was forwarded to the wrong person, TLS did nothing to stop them reading it. Message-level encryption protects the message itself, so only the intended recipient can open the contents, no matter where the email travels or who it is forwarded to. For genuinely sensitive mail, that is the layer that counts.

Do you need email encryption if you use Microsoft 365?

If you run Microsoft 365, you already have strong encryption available; the question is whether it is switched on and used. TLS is handled for you. For message-level protection, Microsoft Purview Message Encryption lets a staff member encrypt a sensitive email to any recipient, including external ones, who can then open it securely even if they are not Microsoft 365 users. It is included in Business Premium and the common enterprise plans. The gap for most SMEs is not the technology; it is that no one has set up the rules or shown staff how to use it. That is a configuration and training job, and it is part of how we set up Microsoft 365 and cyber security for clients.

When should an SME encrypt email?

The practical rule is to encrypt mail that would cause harm if it landed in the wrong hands. That covers things like tax file numbers, bank and payment details, health information, identity documents, contracts with confidential terms, and bulk personal data about staff or customers. You do not need to encrypt every message, and trying to usually leads to staff ignoring the rule. A simple, written policy works better: here is the kind of information we always encrypt, here is the button to do it. Under the Privacy Act 1988, businesses are expected to take reasonable steps to protect personal information, and encrypting sensitive mail is a reasonable, low-effort step that also looks sensible in hindsight if a device is ever lost or an account compromised.
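The written policy above ("here is the kind of information we always encrypt") can also be enforced by the tenant rather than left to the button, which addresses the configuration gap described in the Microsoft 365 section. The following Exchange Online PowerShell is an added example, not code from this page or from Microsoft; it creates a mail flow rule that applies Purview Message Encryption to outbound mail containing the data types the policy names. It assumes the ExchangeOnlineManagement module and an admin account (the UPN is a placeholder), and the rule name and the sensitive information type names are assumptions to check against your own tenant before running it.

```powershell
# Added example: auto-apply Purview Message Encryption to external mail that
# carries sensitive personal or financial data. Not the page's or Microsoft's
# own code; rule name, admin UPN and the list of sensitive information types
# are assumptions to verify in your tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com.au   # placeholder admin UPN

# Built-in sensitive information types the rule relies on (assumed names).
# Get-DlpSensitiveInformationType lists what the tenant actually has, so
# confirm they exist before creating a rule that silently matches nothing.
$sitNames = @(
    'Australia Tax File Number',
    'Australia Bank Account Number',
    'Australia Medical Account Number',
    'Australia Passport Number'
)
$available = (Get-DlpSensitiveInformationType).Name
$missing = $sitNames | Where-Object { $_ -notin $available }
if ($missing) {
    throw "Sensitive information types not found in this tenant: $($missing -join ', ')"
}

# Shape each entry the way -MessageContainsDataClassifications expects:
# a hashtable with the type name and the minimum number of matches.
$classifications = $sitNames | ForEach-Object { @{ Name = $_; minCount = '1' } }

$ruleName = 'Auto-encrypt outbound mail containing sensitive personal data'   # assumed name

# The rule only fires for recipients outside the organisation; internal mail
# stays as it is. 'Encrypt' is the built-in Message Encryption template, so
# external recipients get the secure-link experience described above.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications $classifications `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Enforce `
    -Comments 'Applies Purview Message Encryption to external mail carrying TFNs, bank, health or identity data.'

# Read the rule back to confirm the scope, classifications and template took effect.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, MessageContainsDataClassifications, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

Running the rule with `-Mode Audit` first for a week and reviewing what it would have matched is a sensible way to tune the list before enforcing, and it gives you the evidence that the "reasonable steps" expected under the Privacy Act are actually in place rather than just written down.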

What email encryption does not do

Encryption protects confidentiality, and that is all it protects. It does not verify that an email genuinely came from who it claims, so it does nothing against spoofing or business email compromise; that is the job of SPF, DKIM, and DMARC. It does not filter spam or scan for malware. And it does not retain a record for you; that is what archiving is for. Encryption is one layer in a complete email setup, alongside filtering, authentication, and archiving, and the layers do different jobs. A business that encrypts sensitive mail but has no impersonation protection has solved the smaller problem and left the bigger one open.

Frequently asked questions

Is email already encrypted by default?

In transit, usually yes. TLS is supported by default between the major providers, so most mail is encrypted while it travels between servers. It is not protected once it reaches the mailbox, which is where message-level encryption comes in for sensitive content.

Does Microsoft 365 include email encryption?

Yes. TLS is automatic, and Microsoft Purview Message Encryption provides message-level encryption to any recipient, including people outside your business. It is included in Business Premium and common enterprise plans, and mostly just needs configuring and a simple usage policy.

Can I send an encrypted email to someone who is not on Microsoft 365?

Yes. With Microsoft Purview Message Encryption the recipient receives a secure link to read and reply to the message, even if they do not use Microsoft 365. They do not need a matching system at their end.

Is encryption a Privacy Act requirement?

The Privacy Act 1988 does not name encryption specifically, but it requires reasonable steps to protect personal information. For sensitive data, encryption is a reasonable and widely expected step, and it is the kind of control regulators and insurers look for after an incident.

If your team regularly emails sensitive information and you are not sure it is protected, we can set up message encryption properly and give staff a simple rule for when to use it. It is a quick win, and we do it for Sydney businesses as part of a wider email security setup.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including email security, Microsoft 365 hardening, data protection, and incident response, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.
