Issues with default encrypted label, external emails, and label persistence in Outlook

Issue 1

Outlook applies the default sensitivity label at compose time and does not re-evaluate the label when recipients change. Adding an external recipient does not trigger a prompt, banner, or dialog to review or change the label. There is currently no native Purview or Outlook feature that forces users to confirm or change a sensitivity label when sending externally.

The supported approach is to use Exchange DLP policies with policy tips or blocking actions to warn or prevent users from sending encrypted or sensitive emails to external recipients.

https://learn.microsoft.com/en-us/purview/sensitivity-labels#default-labels

https://learn.microsoft.com/en-us/purview/dlp-policy-reference#policy-tips

Issue 2 

Sensitivity labels are applied at the individual message level, not at the conversation level. Each reply or forward is treated as a new message, so label inheritance is not guaranteed.

Whether the label is retained or reset depends on factors such as the Outlook client (desktop vs OWA), reply vs forward vs new compose, client version/state, and whether the label was auto-applied or manually selected. There is no supported way to force label persistence across an entire email conversation.

https://learn.microsoft.com/en-us/purview/sensitivity-labels#how-sensitivity-labels-work-in-outlook

https://learn.microsoft.com/en-us/purview/sensitivity-labels#limitations-of-sensitivity-labels

Recommendation

Most organizations either avoid using an encrypted default label when external communication is common, or rely on DLP policies to guide or block external sends. Label selection should be treated as per-message behavior, not per-thread.

Hope this helps! 🙂