December 16, 2025, 3:14 pm
The Federal Office for Information Security (BSI) has examined the security of popular email programs. The overall result is positive, but one detail is puzzling: for Microsoft's new Outlook, the report lacks a critical assessment of a key issue. The client uses a feature that experts consider problematic.
The study shows that many programs support solid security standards. Transport encryption, spam filters, prevention of tracking pixels, and sometimes even end-to-end encryption are now standard features for many clients. However, there is a notable outlier in handling access data.
Outlook Forwards Access Data
As reported by “heise,” the BSI tested twelve email programs that are particularly popular in Germany. These include Apple Mail, Betterbird, Blue Mail, eM Client, Gmail, KMail, Mailbird, Outlook (new), Proton Mail, Spark Mail, Thunderbird, and Tuta Mail. BSI experts assess how reliably the programs establish encrypted connections, detect spam and phishing, block tracking, protect local data, and respond to security vulnerabilities.
Most of the tested programs meet these requirements. However, it is notable that Outlook forwards access data for IMAP accounts to Microsoft. According to another report by “heise,” Microsoft allows its cloud servers to scan all incoming and outgoing messages to provide AI functions. As a result, a significant portion of communication no longer stays only on the device and with the user’s email provider but also passes to Microsoft.
This is precisely where one would expect an assessment from the BSI—whether this practice is relevant to data protection or security. However, the report does not provide a critical evaluation of this point. The agency evaluates other features like encryption or tracking protection but completely omits this issue.
Further Test Results
It is positive that most tested programs offer basic security features. Spark Mail performs worse: in the test, it provides neither its own email encryption nor phishing and spam protection. Overall, the BSI reports that security requirements are largely met.
The BSI tests the programs on macOS, Windows 11, and Ubuntu, running them in their default settings to achieve practical results. For the tests, experts start the Windows and Linux systems from an offline medium to prevent any external software from influencing the test. In contrast, macOS is examined directly during operation.
BSI Recommendation
Users should not only focus on usability and appearance when choosing their mail client but also specifically look for additional security features like tracking protection, transparent encryption, and the handling of access data.
The BSI also points out that protection against phishing and identity theft still has gaps in many webmail services. The agency recently published a white paper on this topic and additionally presented a report on password managers, highlighting further areas for improvement.