Recipients can't open encrypted emails - Wrong domain in URL

Question

Recipients can't open encrypted emails - Wrong domain in URL

Josh Weigner 1

We are experiencing issues with sending encrypted emails. Recipients can't open our encrypted emails, with the error "Sorry, we can't display your message right now. Something went wrong and your encrypted message couldn't be opened. Please try again by following the instructions in the original email message in 5 minutes." When looking at the URL, it contains the domain of the last person that the sender (our user) RECEIVED an encrypted email from. If they send the same message again, the recipient can open it. It seems that the domain in the URL is behind by one, which is why resending the same email to the same recipient works. Microsoft support hasn't been useful so far.

Example:

******@contoso.com receives an encrypted email from ******@abccompany.com

******@contoso.com sends an encrypted email to ******@xyzcompany.com

**@xyzcompany.com can't open the encrypted email. When we look at the URL of the encrypted email, we see: senderorganization{longstring}%26messageid%3D%{longstring}.prod.exchangelabs.com%253e%26cfmRecipient%3abccompany.onmicrosoft.com%26consumerEncryption%3

******@contoso.com resends the same encrypted email to ******@xyzcompany.com

**@xyzcompany.com can open the encrypted email. When we look at the URL of the encrypted email, we see: senderorganization{longstring}%26messageid%3D%{longstring}.prod.exchangelabs.com%253e%26cfmRecipient%3admin.xyzcompany.com%26consumerEncryption%3

phemanth 15,320 Reputation points Microsoft External Staff

2025-02-21T17:26:13.5766667+00:00
@Josh Weigner

Welcome to Microsoft Q&A platform and thanks for posting your query here.

It seems like you're experiencing an issue with encrypted emails where the recipient is unable to open them due to a domain mismatch in the URL. This can be particularly challenging when dealing with encrypted communications, as the underlying mechanisms can be complex.

Please consider checking the following steps that help in troubleshooting the issue do confirm us after checking.

Check Email Configuration: Ensure that the email configuration for the sender's domain (contoso.com) is set up correctly for sending encrypted emails. This includes checking the settings for encryption protocols and any related policies.

Review Encryption Settings: Verify that the encryption settings for both the sender and recipient domains are compatible. Different email providers may have varying requirements for encryption.

Clear Cache and Cookies: Sometimes, browser cache or cookies can cause issues with opening encrypted emails. Ask the recipients to clear their browser cache and cookies or try accessing the email in a different browser or incognito mode.

Update Email Clients: Ensure that both the sender and recipient are using the latest version of their email clients. Outdated software can sometimes lead to compatibility issues.

Test with Different Recipients: Try sending encrypted emails to different recipients within the same domain (xyzcompany.com) and to recipients from other domains to see if the issue persists. This can help identify if the problem is specific to certain domains or recipients.

Check for Email Forwarding: If the recipient's email is being forwarded from another address, it may cause issues with the encryption. Ensure that the recipient is accessing the email directly from their inbox.

Monitor for Patterns: Keep track of any patterns in the issue, such as specific domains or types of emails that consistently cause problems. This information can be valuable for troubleshooting.

please refer ;https://learn.microsoft.com/en-us/outlook/troubleshoot/security/external-recipient-can%27t-open-encrypted-email#solution

I hope the above steps will resolve the issue, please do let us know if issue persists. Thank you
Josh Weigner 1 Reputation point

2025-02-24T12:53:47.2+00:00

We have tried all of this troubleshooting. The issue is something on the backend that Microsoft needs to resolve. The pattern is, when our user sends an encrypted email, the tenant domain in the "Read Message" button of the email is the tenant domain of the last organization that said user received an encrypted email. If said user sends the same encrypted email a second time, the URL containts the correct tenant domain. This is not anything our configuration could cause or solve.
Josh Weigner 1 Reputation point

2025-02-24T12:58:55.0666667+00:00

Thank you for response. We've already perform all of the basic troubleshooting. The issue is something on the backend that Microsoft needs to fix. Regarding point #5, the issue occurs with many recipients at multiple organizations, and with many of our users. The pattern is, the tenant domain in the URL of the "Read Message" button in the email appears to always be one behind, which is why the recipients can always retrieve the email when our user resends it.
AnnuKumari-MSFT 34,456 Reputation points Microsoft Employee

2025-02-25T14:15:12.91+00:00

Hi Josh Weigner ,

This is a known error where product team is already working. I will keep you posted about the update. Thankyou
Josh Weigner 1 Reputation point

2025-02-25T15:39:50.53+00:00

Thank you, is there an ETA to resolution?

2 answers

Your answer

Josh Weigner 1 Reputation point

2025-02-24T12:53:47.2+00:00

We have tried all of this troubleshooting. The issue is something on the backend that Microsoft needs to resolve. The pattern is, when our user sends an encrypted email, the tenant domain in the "Read Message" button of the email is the tenant domain of the last organization that said user received an encrypted email. If said user sends the same encrypted email a second time, the URL containts the correct tenant domain. This is not anything our configuration could cause or solve.
Josh Weigner 1 Reputation point

2025-02-24T12:58:55.0666667+00:00

Thank you for response. We've already perform all of the basic troubleshooting. The issue is something on the backend that Microsoft needs to fix. Regarding point #5, the issue occurs with many recipients at multiple organizations, and with many of our users. The pattern is, the tenant domain in the URL of the "Read Message" button in the email appears to always be one behind, which is why the recipients can always retrieve the email when our user resends it.
AnnuKumari-MSFT 34,456 Reputation points Microsoft Employee

2025-02-25T14:15:12.91+00:00

Hi Josh Weigner ,

This is a known error where product team is already working. I will keep you posted about the update. Thankyou
Josh Weigner 1 Reputation point

2025-02-25T15:39:50.53+00:00

Thank you, is there an ETA to resolution?

Answer 1

AnnuKumari-MSFT 34,456 Microsoft Employee

Hi Josh Weigner ,

The team confirmed that the necessary adjustments to the sensitivity label were made to allow external users access to their encrypted emails. The issue is mitigated by editing the sensitivity label to include the external addresses or domains.

Kindly check at your end and let me know if it's fixed or you are still facing the issue. Thankyou

Answer 2

Craig Manthei 0

Good afternoon,

We are running into the same issue. With us sending secure emails to 1000's of different domains, is the expectation that we are going to manually add all of those domains and external addresses to the sensitivity policy?

J N S S Kasyap 1,625 Reputation points Microsoft External Staff

2025-04-23T17:21:17.87+00:00

@Craig Manthei

Since this thread is too old, I would recommend creating a new thread on the same forum with as much details about your issue as possible. That would make sure that your issue has better visibility in the community.

Thank you.

Share via

Recipients can't open encrypted emails - Wrong domain in URL

2 answers

Your answer