Architecture that employs encryption and storage of encryption keys to protect trusted client message content from an untrusted third-party hosted service. Each trusted user machine is configured to optionally apply security to messages. Rules determine when automatic protection is applied and the level of protection to apply. The trusted client automatically downloads the rules (or rules policies) from a trusted rules service and caches the rules locally. During composition, the rules analyze the message and automatically apply security template(s) to the message. The security template(s) encrypt the body of the message, but not the headers or subject. The untrusted message service processes the header and delivers the message to the correct recipient. The hosted service cannot view the contents of the message body, and only intended recipients of the protected message can view the message body. Offline protection is supported, and the user can override protection by the rules.