Hi Ahmad Fadil
Thanks for sharing your scenario - this is a common question when configuring DLP with auto-encryption.
Currently, Microsoft Purview DLP policies apply actions (like encryption) to the message instance that triggered the policy, but not selectively to only an attachment. However, in threaded email chains, especially in clients like Outlook, sensitivity labels or encryption may propagate to replies/forwards, depending on:
- How the label is configured (e.g., with persistent protection),
- Whether the entire message is retained in the reply chain,
- The client behavior (Outlook desktop vs. web vs. mobile).
Here are a few suggestions:
Scope the encryption action to "the message" instead of entire thread:
- Ensure your DLP rule action is set to apply encryption only on the specific match (i.e., when the sensitive info is in the attachment).
- Use auto-labeling policies with user justification prompts, so users can review before sending.
Prevent downstream replies from inheriting encryption:
- Avoid using persistent protection labels if not needed.
- Alternatively, consider using Just-In-Time encryption via Microsoft Defender for M365 + Purview, where encryption is revoked if no sensitive data remains.
Use Outlook mail flow rules or MIP SDK for fine control (advanced):
- For more granular behavior (e.g., encrypting only attachments), integration with the Microsoft Information Protection SDK or Exchange Transport Rules might be needed - but this is more involved and typically requires a custom solution.
I hope this information helps. Please do let us know if you have any further queries.
Hope this helps. If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful?". And, if you have any further query do let us know.
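To make the difference between the two approaches in the answer concrete, here is an added example (not part of the original answer, and not Microsoft's own sample) that puts a message-scoped Purview DLP rule beside an attachment-scoped Exchange mail flow rule. It assumes an Exchange Online PowerShell session for the transport rule, a Security & Compliance PowerShell session for the DLP rule, the built-in "Encrypt" rights-protection template, and constructed placeholder names for the rules and policy.

```powershell
# Added example; rule names, policy name and keyword list are constructed placeholders.

# Confirm the built-in "Encrypt" template is available before referencing it in a rule.
Get-RMSTemplate | Where-Object { $_.Name -eq "Encrypt" }

# Variant 1 (Exchange Online PowerShell): a mail flow rule whose condition inspects
# only attachment content. AttachmentContainsWords does not look at the message body,
# so a later reply that drops the attachment and carries none of the keywords in its
# own attachments is not matched, which keeps encryption from riding along the thread.
New-TransportRule -Name "Example - encrypt when attachment holds confidential text" `
    -AttachmentContainsWords "Confidential", "Patient ID" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Constructed example: attachment-scoped condition, message-level action"

# Variant 2 (Security & Compliance PowerShell): the same intent as a Purview DLP rule.
# ContentContainsSensitiveInformation is evaluated over the whole message (body and
# attachments together), so the encryption action lands on the message instance that
# matched; there is no switch that narrows the action to the attachment alone.
New-DlpComplianceRule -Name "Example - encrypt on credit card number" `
    -Policy "Example DLP policy" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -ApplyRightsProtectionTemplate "Encrypt"

# Review what each rule will do before leaving it enabled in production.
Get-TransportRule -Identity "Example - encrypt when attachment holds confidential text" |
    Format-List Name, AttachmentContainsWords, ApplyRightsProtectionTemplate, State
```

Both rules still encrypt the whole message once they match; the transport rule only narrows what is inspected, which is the practical limit the answer describes.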