Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

Do not Forward and Encrypt Only can be found in Outlook by default for everyone who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequences of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.

As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this: 

EO and DNF in Outlook. 

I've covered these in earlier blog posts, but let's just quickly go through them again here:

The "Encrypt/Encrypt-Only" option makes sure the email is encrypted and recipients must be authenticated, but they then have all usage rights except Save As, Export and Full Control (basically, this means no restrictions except that they cannot remove the protection).

When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it. For example, in the Outlook client, the Forward button is not available, the Save As and Print menu options are not available, and you cannot add or change recipients in the To, Cc, or Bcc boxes.

And these options are great to have, but as you also may know, they can be used as the result of a Sensitivity label. 

DNF in a Sensitivity label

But some of the limitations of this may not be immediately apparent. We have strong control over our sensitive info when using Sensitivity labels, and some of the features we love about that control are lost when we use DNF or EO.

The option to restrict how long someone will be able to read the information

When we create a sensitivity label, we have a couple of awesome features that give us a lot of control. Some of these were covered in this post, but we will say a little something about them here. When we configure the encryption settings, we can specify some important things:

- How long will the recipient be able to read the document.

- How long will the recipient be able to read the document without re-authenticating.

- Should the recipient even be allowed to read the document without authenticating every time?

Might be wise to think long and hard before we set these.

And here we see where we can say that the recipient should have to authenticate either after a number of days, or every time.

Not so fun if people are offline at times, but who is these days?

And what we do when we don't want the recipient to have access anymore.

And when we use DNF and EO instead of Assign permissions now, these options are missing. You do, however, have the option to Remove external access, which is awesome:

But know that if you used DNF or EO on the email only, and did nothing extra to secure the attachment, the user could have downloaded a copy and done all kinds of things with it, so you really only secure the content of the email. This also brings us back to the post I wrote about protecting our content if it gets into the wrong hands.
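The same difference shows up when the labels are created from Security & Compliance PowerShell. This is an added example, not from the original post: the label names, tooltips, group address and day counts are constructed, and the point is that Microsoft documents the expiry and offline-access parameters as meaningful only when the protection type is `Template` (Assign permissions now), while Do Not Forward and Encrypt-Only belong to `UserDefined`.

```powershell
# Added example. Label names, tooltips, the group address and the day counts
# are constructed values; replace them with your own.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Connect-IPPSSession

# Label A: the label applies Do Not Forward.
# Protection type UserDefined is where EncryptionDoNotForward and
# EncryptionEncryptOnly apply. There is nothing to set here for content
# expiry or offline access.
$dnfLabel = @{
    Name                     = 'External-DNF'
    DisplayName              = 'External - Do Not Forward'
    Tooltip                  = 'Encrypts the email with Do Not Forward.'
    EncryptionEnabled        = $true
    EncryptionProtectionType = 'UserDefined'
    EncryptionDoNotForward   = $true
}
New-Label @dnfLabel

# Label B: "Assign permissions now" (protection type Template).
# Here we choose the usage rights ourselves, and we also get the two
# controls that Label A lacks: content expiry and offline access.
$fixedLabel = @{
    Name                        = 'External-Restricted'
    DisplayName                 = 'External - Restricted'
    Tooltip                     = 'View and reply only, expires after 30 days.'
    EncryptionEnabled           = $true
    EncryptionProtectionType    = 'Template'
    # Format is Identity:Right1,Right2;Identity2:Right3 (no Forward, Print or Extract here)
    EncryptionRightsDefinitions = 'external-partners@contoso.com:VIEW,VIEWRIGHTSDATA,REPLY,REPLYALL'
    # Access ends 30 days after the label is applied ('Never' disables expiry)
    EncryptionContentExpiredOnDateInDaysOrNever = '30'
    # Re-authenticate after 7 days offline (0 = every time, -1 = never expires)
    EncryptionOfflineAccessDays = 7
}
New-Label @fixedLabel

# Review the stored encryption settings of both labels side by side.
Get-Label -Identity 'External-DNF'        | Format-List Name, LabelActions
Get-Label -Identity 'External-Restricted' | Format-List Name, LabelActions
```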

There may be many other things to consider when creating a sensitivity label for external email, and if you have anything to add, please let me know either here in the comments section or on Twitter (@pewinther).



  1. What about both securing the document with encryption (using a label) + DNF on email?

    1. Good question! This is probably the way to do it if you want to make sure your attachment has a certain kind of protection. Protect first, and you can then decide how to protect the email (with DNF/Encrypt or whatever you choose). Like Microsoft says in the documentation: "If you want different usage rights for an attachment, or your attachment is not an Office document that supports this inherited protection, protect the file before you attach it to the email. You can then assign the specific usage rights that you need for the file."

      Also, the documentation states: When an email is labeled, do any attachments automatically get the same labeling?

      No. When you label an email message that has attachments, those attachments do not inherit the same label. The attachments remain either without a label or retain a separately applied label. However, if the label for the email applies protection, that protection is applied to Office attachments.

