Office 365 Message Encryption protection is not available for messages sent to dynamic distribution groups. It’s all to do with rights management licensing. However, if you need to protect messages sent to dynamic distribution groups, for instance to make sure that confidential messages are inaccessible to external recipients use a sensitivity label instead and assign the special tenant-wide permission to recipients.
Now that SharePoint Online supports Office 365 Sensitivity Labels, it’s time to consider how to protect files stored in document libraries. When you compare the two approaches, there’s really only one winner. And there’s no surprise in saying that the winner is Office 365 Sensitivity Labels.
Microsoft has released a new setting in the tenant Information Rights Management (IRM) configuration to control if attachments of messages encrypted with the Encrypt Only feature (in OWA and Outlook) are decrypted when downloaded. In fact, two settings are available. One for people with Azure AD accounts, and one for those without.