Redacting an email in Outlook or Office 365 is a common requirement for organizations handling sensitive data — and it is widely misunderstood. Microsoft Outlook and Office 365 do not provide a native "redact email" action: once an email has been sent, the sensitive content cannot be retroactively masked or removed from the recipient's inbox. Office 365 includes detection (Microsoft Purview) and compliance tooling, but actual redaction requires inspecting and rewriting content before or during delivery, not after the fact.
This guide, updated for 2026, covers how to redact an email in Outlook in practice — the recall workaround, the limits of Outlook's native redaction, and how to use Hexamail Flow to connect mailboxes or import files, bulk-redact, refine results, and output to HTML, email, or PDF. This gap is why many security teams look beyond native controls in Microsoft Office 365 when email contains PII, PHI, PCI, or confidential business data.
Redacting an email: the basics
Email redaction is the process of removing or obscuring sensitive information from an email before it is sent. This practice is crucial for protecting personal data and maintaining privacy, especially in professional settings where confidential information may be shared. Typical data that should be redacted includes:
Understanding when and how to redact emails helps prevent data breaches and potential legal issues arising from unauthorized information disclosure.
You cannot redact an email in Microsoft Outlook
It's important to note that Microsoft Outlook does not have a built-in feature for redacting emails. Once an email is sent, you cannot edit it to remove sensitive information. The only options available are to attempt to recall the email (which has limitations) or to send a follow-up email clarifying the mistake.
Therefore, using dedicated redaction tools before sending emails containing sensitive information is essential for ensuring data security.
Redact an email in Office 365?
Emails are redacted to protect sensitive, confidential or personal information, such as:
- Financial data like credit card numbers
- PHI — medical records
- PII — personal addresses and phone numbers
- Classified documents
- Audio containing sensitive PII, PHI, or financial data
Additionally, redaction may be required to comply with privacy laws and regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), or with compliance frameworks such as SOC 2 and the PCI (Payment Card Industry) DSS requirements.
How to redact an email in Outlook / Office 365
Hexamail Redaction (using Hexamail Flow) is the automatic way to redact sensitive parts of an email body or sensitive attachments. There is no manual way to redact an email in Office 365; however, you can take manual steps to either recall the message if you are the sender or delete what you received if you are the recipient. If a sender accidentally sends an email containing sensitive data, the sender can recall the message.
Hexamail Flow — how to redact email
- 1 Connect your mail — link Outlook, Office 365, or Gmail, or import EML, MSG, or PST files.
- 2 Automatically redact email in bulk — PII, PHI, PCI, and custom patterns are detected and masked.
- 3 Refine redactions as needed — unredact phrases or adjust what was masked.
- 4 Output redacted email — export to HTML, email, or PDF documents.
When recalling an email in Outlook isn't an option… what next?
Sometimes, hitting "send" can be premature. And while recalling an email in Outlook is handy, it's not always guaranteed, especially if the recipient has opened your message. The solution? Use Outlook's delay delivery feature! It gives you a buffer to rethink, redact, or simply refine your emails before they're sent out.
- 1 Launch Outlook and hit the File button, top-left.
- 2 Head down and select Manage Rules & Alerts.
- 3 In the window that pops up, go for New Rule.
- 4 Select Apply Rule on Messages I Send, and then Next.
- 5 On the ensuing screen, just hit Next again.
- 6 Spot the Defer Delivery By a Number of Minutes option. Set your buffer time (up to 120 minutes). Hit OK and then Next.
- 7 If you have certain emails or contacts you don't want the delay for, set those exceptions and continue by clicking Next.
- 8 Make sure Turn On This Rule is checked, and then seal the deal with Finish.
But is it an ideal solution? Absolutely not! That's where redaction comes into play.
Recall vs redaction
Recall is a reactive measure. It's something you'd use after realizing you made an error. It offers a way to potentially "undo" sending an email, but with significant limitations based on the recipient's email provider and their actions.
"Oops! Let me try to take that back."
Redaction is a proactive measure. Before you even hit send, you're ensuring that the confidential information is obscured. It's a method of sending the necessary data without exposing sensitive details.
"Let me cover this up before it goes out."
While both serve the purpose of data protection in their own right, their methods, applications, and effectiveness vary. Relying solely on recall can be risky, while redaction provides more assured protection of sensitive details.
How to recall an email in Outlook step-by-step
While redaction is the most secure way to protect sensitive information in emails, sometimes users may need to recall an email that has already been sent. Microsoft Outlook offers a recall feature that can be useful in certain situations, although it has limitations.
- 1 Open Outlook & go to the Sent Items folder.
- 2 Locate and double-click the email message that needs to be recalled. This will open the email in a new window.
- 3 In the message window, click on the Message tab in the top ribbon.
- 4 Look for the Actions dropdown menu. If using the simplified ribbon view, click on the three dots (…) icon on the right side of the ribbon.
- 5 Select Recall This Message from the dropdown menu.
- 6 Choose: Delete unread copies of this message or Delete unread copies & replace with a new message, then click OK.
Recall success depends on
- Both sender & recipient must use Microsoft Exchange or Microsoft 365 within the same organization.
- The recipient must not have read the email yet.
- The email must not have been moved to a different folder by the recipient's rules.
While the recall feature can be helpful in some cases, it's not a foolproof solution for protecting sensitive information. Organizations handling confidential data should consider implementing more robust email DLP solutions like Hexamail Redaction to prevent data leaks before they occur.
For businesses dealing with enormous volumes of sensitive data, a comprehensive sensitive data discovery and classification system can help identify potential risks before emails are sent. This proactive approach is far more effective than relying on email recalls. By combining email recall techniques with advanced data security posture management, organizations can significantly reduce the risk of accidental data exposure and maintain compliance with data protection regulations.
How to redact an email before sharing it with a third party
When you need to share an email containing sensitive information with a third party, use Hexamail Flow:
- 1 Connect the relevant Outlook, Office 365, or Gmail account — or import the EML, MSG, or PST file.
- 2 Automatically redact sensitive content in bulk.
- 3 Refine redactions — unredact phrases or adjust what was masked.
- 4 Output the redacted email as HTML, email, or PDF for the third party.
By following these steps, you can ensure that sensitive information is not disclosed when sharing emails with third parties, thus maintaining compliance with privacy regulations and protecting personal data.
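What the detect-and-mask step amounts to for a single EML file, as an added example (not Hexamail Flow's code and not from the original page): SSN and card-number patterns are masked in the Subject and the text parts, with a Luhn check so that other long digit runs are left alone. The patterns, the `[REDACTED-...]` markers and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# 13-19 digits, optionally separated by single spaces or hyphens (candidate card number)
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN as usually written

# Constructed sample message (not real data); 4111... is a standard test card number.
SAMPLE_EML = (
    "From: alice@example.com\nTo: bob@example.com\n"
    "Subject: Refund for card 4111 1111 1111 1111\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "SSN 078-05-1120, order ref 1234 5678 9012 3456.\n"
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact_text(text: str) -> tuple[str, int]:
    """Mask SSNs and Luhn-valid card numbers; return (masked text, hit count)."""
    hits = 0
    def mask_card(m: re.Match) -> str:
        nonlocal hits
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            return m.group()  # fails Luhn: an order or tracking number, keep it
        hits += 1
        return "[REDACTED-PAN]"

    text = CARD_RE.sub(mask_card, text)
    text, n = SSN_RE.subn("[REDACTED-SSN]", text)
    return text, hits + n

def redact_eml(raw: str) -> tuple[str, int]:
    """Rewrite the Subject and every non-attachment text part of an EML message."""
    msg = message_from_string(raw, policy=policy.default)
    subject, total = redact_text(str(msg.get("Subject", "")))
    if "Subject" in msg:
        msg.replace_header("Subject", subject)
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            body, n = redact_text(part.get_content())
            part.set_content(body, subtype=part.get_content_subtype())
            total += n
    return msg.as_string(), total
```

Attachments and non-text parts (PDFs, images, Office documents) pass through this sketch untouched, so the hit count is worth logging and the output worth reviewing before it leaves the organization.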
Why is redaction a better option than Outlook's in-built recall feature?
The recall feature in Outlook/Office 365 comes with several limitations, such as:
Recipient's email client: The recall feature is specifically designed for Outlook. If the recipient isn't using Microsoft Outlook, you cannot recall the message.
Email status: For a recall to be successful, the recipient should not have read the email. Once they've opened it, the recall option won't work as intended.
Recipient's mailbox configuration: If the recipient's Outlook delivers new messages directly to a folder other than the inbox, recalling the message will fail.
Notifications: Outlook might send a notification to the recipient informing them that you are trying to recall the message — drawing more attention to the email you're trying to take back.
External email addresses: Recalling an email sent to addresses outside of your organization (like Gmail, Hotmail, or live.com) is typically not possible.
Interruption: If the recipient is working on the email while you try to recall it, the recall might not be successful.
Public folders: If the email is saved to a public folder and someone reads it, the recall action will not be successful.
Hexamail Redaction
Email data loss prevention in Office 365
Hexamail Flow is an email redaction platform for organizations handling sensitive data in Office 365 and Outlook. Connect your mailbox or import EML, MSG, and PST files, automatically redact PII, PHI, and PCI in bulk, refine results by unredacting phrases as needed, and output redacted email to HTML, email, or PDF. Configure sensitive data elements (SSN, DoB, DL, Passport, CC#, Debit Card, API Keys, etc.) with full audit reports for compliance officers.
Hexamail Flow processes entire mailboxes and archives — including older emails — making it straightforward to comply with privacy laws that require customer data to be removed once the business function is done.
Is it possible to redact old emails?
Yes — connect your Office 365 or Outlook mailbox to Hexamail Flow (or import PST, MSG, and EML archives) and redact all sensitive content from the body and attachments in bulk. Refine individual messages as needed, then output to HTML, email, or PDF. This satisfies many compliance frameworks and privacy laws where businesses must remove customer data from older emails once the business function is done.
Bottom line: how to redact an email in Outlook & Office 365 (2026)
If you need to redact an email in Office 365, the key truth is simple: Microsoft Outlook and Office 365 do not natively support true post-send email redaction. Once sensitive data is sent, recall features are limited and unreliable, especially outside your organization.
That is why businesses handling PII, PHI, PCI, or confidential data need proactive controls like Office 365 Data Loss Prevention and automated bulk redaction before sharing sensitive content. Hexamail Redaction (using Hexamail Flow) connects to Outlook, Office 365, or Gmail — or imports EML, MSG, and PST files — to redact in bulk, refine results, and output to HTML, email, or PDF.
The smartest path is prevention, not recall. If protecting sensitive data in Microsoft 365 matters to your business, proactive Office 365 Data Loss Prevention should be part of your security stack.