Forum Discussion
Outlook Classic for M365 - File > Encrypt > 'Encrypt-Only' option applies 'Do Not Forward' label?
I recently joined a new company and am helping support their M365 tenant and admin duties.
I'm running into a very weird issue where no recipients can actually read/view the message when we encrypt emails using only 1 specific method (our organization largely uses the Outlook Classic for Microsoft 365 desktop app).
If a user follows this method, for some reason the 'Do Not Forward' label is applied to the encryption, despite specifically selecting 'Encrypt-Only' - it defaults to 'Do Not Forward' every single time:
New Email > File > Encrypt > Encrypt-Only
Sending emails with this method gives any/all recipients a "You don't have sufficient permissions to open the mail." regardless of where they try to open the email (OWA, Outlook Classic, New Outlook)
Yet, if the user tries this other method below - the proper Encrypt-Only label is applied, and any Outlook client immediately and opens/views the email as you'd expect:
New Email > Options ribbon > Encrypt properly applies the Encrypt-Only label
I verified IRM (Identity Rights Management) is enabled for our tenant:
And encryption tests pass with flying colors:
Ultimately, I'm at a loss for what's going on here and specifically where to check to fix this issue for this 1 specific encryption method.
Poking around in the Purview portal, I'm having a hard time figuring out where these encryption policies/settings lie and how to get this method to stop defaulting to 'Do Not Forward' even though 'Encrypt-Only' is checked.
2 Replies
Would suggest taking a look at the following:
- Review Sensitivity Label Configuration in Purview
- Go to Microsoft Purview portal > Information Protection > Labels.
- Check the Encrypt-Only label:
- Ensure it’s not configured with “Do Not Forward” permissions.
- Confirm it’s published to the correct users/groups.
- Verify that Outlook and OWA are selected under “Apps that support this label.”
- Check Outlook Client behavior
- Ensure users are on the latest Outlook Classic build.
- Clear Outlook cache and restart the client.
- Optionally, check registry keys under:
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\SecurityLook for any overrides related to IRM or encryption.
- Test with a Clean Profile
- Create a new Outlook profile and test the File > Encrypt > Encrypt-Only path.
- If it works correctly, the issue may be profile-specific or cached label metadata.
- Consider Disabling Legacy IRM Mapping
- If your org migrated from legacy IRM templates, they may still be influencing behavior.
- You can disable legacy IRM mapping via PowerShell:
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true- Educate Users to Use the Options Ribbon
- Until resolved, recommend users always use the Options ribbon > Encrypt method.
- You can even customize the ribbon or disable the File > Encrypt path via GPO or UI customization.
Started seeing these exact same issues for multiple tenants starting around Oct 17th 2025. We're currently having end users just use the Option > Encrypt method as a work around. Users on New Outlook do not have this issue as the File > Encrypt method doesn't exist. Currently no fix found or working.
