top of page
  • Writer's pictureStephen Port

The Ultimate Guide to Sending Encrypted emails and getting them into Salesforce or other CRMs

CRMs like Salesforce don't like encrypted emails!

In today's digital age, protecting sensitive information is of paramount importance for businesses and individuals alike. As more data is exchanged through emails and various systems, it becomes crucial to ensure that sensitive content is securely transmitted to intended recipients.

One of our clients had this exact problem. They needed to send encrypted emails to clients but at the same time allow the email to route unencrypted to their CRM system (Salesforce; Pipedrive etc).

In this guide, we will walk you through the process of sending encrypted emails to recipients while keeping the content unencrypted for certain systems. By leveraging the Microsoft 365 (M365) Information Protection feature and creating a mail flow rule, you can achieve a secure and seamless communication process. Let's dive in!

Step 1: Create a Sensitivity Label

  • Head over to the Compliance Admin Centre in M365 and navigate to Information Protection > Labels.

  • Click on "Create a Label" to begin creating your sensitivity label.

  • Fill in the necessary details, such as the name and description of the label, as per your requirements. Customise the label to best suit your organisation's needs.

  • Define the scope of the label so that it is set to Items:Emails

  • Skip all other screens, ensuring that no checkboxes are selected, and proceed to create the label.

  • Your final sensitivity label settings should resemble the configuration that aligns with your security preferences.

Getting the MSIP_Label message header

Before you create the mail flow rule, you need to retrieve the message header from an email that has the new sensitivity label applied to it. This will be used in the subsequent steps.

  • Compose a new email and add the newly created sensitivity label to the email content.

  • Send the email to either yourself or a colleague for testing purposes.

  • Open the email from your desktop app and go to file > properties.

  • Copy the Internet headers text from the box and paste it into a text viewer like Notepad.

  • Use the "Ctrl+F" shortcut and search for "msip" in the text.

  • Take note of the following case-sensitive strings from the header:

    • msip_labels

    • Msip_Label_[GUID]_Enabled=True

Step 3: Creating the Mail Flow Rule

With the necessary information gathered, you can now proceed to create a mail flow rule that will handle the encryption and decryption process based on the sensitivity label.

  • Go to the Exchange Admin Centre.

  • Under Mail Flow, select "Rules."

  • Click on "Add a rule" to create a new mail flow rule.

  • Complete the form with the information gathered in Step 2.

  • Click "Next > Next > Finish" to finalize the rule creation process.

  • Ensure that the rule is enabled since it may be set to disabled by default. Double-click on the Status and switch it to "Enabled" if necessary.


Now when you send an email mark it with your sensitivity label and add your deal specific address into the BCC field or other fields as per your process. When you send the email, it will send it encrypted to the client but store it in your CRM system unencrypted allowing all staff to open it and view the information as required, even if they weren't included in the original email.


Related Posts

See All


bottom of page