Secure Message Policy and M365 Mailflow

I haven't been able to find a clear answer on this anywhere, so I'm hoping someone can offer some clarification.

The Secure Message policy allows you to define TLS settings for both incoming and outgoing email messages. It also allows you to fall back to push encryption if the receiving mail server cannot communicate over TLS. Users can also force encryption of individual messages by adding a tag to the subject line.

All of this works well enough when the setup is in gateway mode. When you change to M365 Mailflow mode, the following appears in the Secure Message policy window:

"You are using M365 MFR mode. We exchange messages with M365 over TLS. However, you need to configure TLS in M365 to ensure that your emails are delivered to your recipients over TLS."

That sounds suspiciously like the Secure Message policy doesn't work when you're in M365 Mailflow mode. At the very least, it looks like there is some additional, unspecified setup that needs to be done.

Can anyone with more knowledge comment? Does the Secure Message policy still work in M365 Mailflow mode, or is it useless?