Yes, Microsoft 365 Copilot can send emails, but the answer carries important nuance. In its default form inside Outlook, Copilot drafts messages that you review and send with a click, while its advanced features—agents built in Copilot Studio, flows in Power Automate, and the Sales Copilot add-on—can actually transmit messages on your behalf with little or no human review.
The core problem is that many users treat Copilot like a human assistant, forgetting that every outbound email from a business account is governed by the federal CAN-SPAM Act of 2003, the Telephone Consumer Protection Act when messages go to wireless devices, industry rules like HIPAA and SEC Rule 17a-4, and state privacy laws such as the California Consumer Privacy Act. A single automated send to the wrong recipient can trigger a civil penalty of up to $53,088 per email under CAN-SPAM, the figure set by the FTC's 2025 inflation adjustment.
According to Microsoft’s 2024 Work Trend Index, 75% of knowledge workers already use AI at work, and email drafting is the number-one use case, making the send question more than academic.
- 📧 How Copilot drafts, replies, summarizes, and schedules emails inside Outlook
- 🤖 When Copilot agents can auto-send messages and how to turn that on safely
- ⚖️ The federal and state laws that govern every Copilot-generated email
- 🧭 Real-world examples, common mistakes, and compliance-safe workflows
- 🛡️ Admin controls, retention rules, and audit trails your legal team will demand
What “Sending Email” Actually Means in Copilot 365
The phrase sending email hides three very different Copilot behaviors, and mixing them up is the single biggest source of confusion for buyers. Copilot can draft text inside the Outlook compose window, it can execute a Power Automate flow that hits Microsoft Graph’s sendMail endpoint, and it can run a Copilot Studio agent that sends messages on a schedule or trigger. Each mode has a different compliance profile, different admin controls, and a different price tag.
The governing framework here is Microsoft's Responsible AI Standard, which calls for meaningful human oversight of AI actions that can affect people. That principle is why the default Copilot experience always surfaces a Send button the user must click. Once you bypass that click through an agent or flow, responsibility for each message rests with the account owner and the tenant admin who enabled the automation.
A common misconception is that Copilot itself is a licensed sender, similar to a bulk-email service like Mailchimp. It is not. Every email Copilot produces travels through your Exchange Online mailbox under your own SMTP identity, which means your domain’s reputation, your DMARC record, and your retention policies all apply.
Drafting vs. Sending
Drafting is the default. When you open Outlook on the web, desktop, or mobile and click the Copilot icon, the tool generates text inside the compose pane, and you must press Send for the message to leave your mailbox. This is the safest mode because every message passes through your eyes before transmission.
Sending, by contrast, happens only when you deliberately build an agent or flow that calls the Graph API. The consequence of this distinction is legal: under CAN-SPAM, the sender is the natural or legal person who initiates the transmission, not the software. An example is Priya, a marketing manager who uses Copilot to draft a promotional blast; she remains the CAN-SPAM sender even if the words came from the model.
A common misconception is that Copilot “auto-sends” replies by default. It does not. You must configure that behavior through a separate tool.
The Role of Microsoft Graph
Every automated send ultimately calls the Microsoft Graph sendMail endpoint: POST /me/sendMail for the signed-in user, or POST /users/{id}/sendMail for an app acting on its own. The endpoint requires the Mail.Send permission, which comes in two forms. As a delegated scope, the app sends only as the user who consented (an admin can require admin consent for it). As an application permission, the app can send as any mailbox in the tenant, and an admin must grant it in Entra ID. Without that permission, neither Copilot Studio nor Power Automate can transmit a message.
The consequence of handing out application-level Mail.Send carelessly is broad: a compromised service principal holding it can send as any mailbox in the tenant, and those messages pass SPF, DKIM, and DMARC because they originate from your own Exchange Online. An example is Marcus, an IT director who granted a vendor app tenant-wide Mail.Send and then watched a phishing incident cost his firm a six-figure incident-response bill.
A common misconception is that Mail.Send is safer than legacy SMTP AUTH. Delegated Mail.Send is comparable in reach (one mailbox). Application Mail.Send is more powerful than any SMTP AUTH credential, because it can send as every licensed user in the tenant unless an Exchange Online application access policy narrows it.
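The first thing a practitioner wants after reading the paragraphs above is an inventory: which apps in the tenant already hold Mail.Send, and in which form. The script below is an added example written for this page; it is not Microsoft's tooling beyond the Microsoft Graph PowerShell SDK cmdlets it calls, and it assumes that SDK is installed and that the signed-in account can consent to the two read scopes. The Graph appId it filters on is the fixed, well-known one for the Microsoft Graph resource; the output columns are this example's choice.

```powershell
# Added example: inventory Mail.Send grants on Microsoft Graph in the current tenant.
# Assumes the Microsoft.Graph PowerShell SDK and an account that can consent to
# Application.Read.All and Directory.Read.All (the latter is needed to read OAuth2 grants).
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Microsoft Graph's resource service principal has the same appId in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 1. Application permission: the holder can call /users/{id}/sendMail for ANY mailbox.
$mailSendRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'Mail.Send' -and $_.AllowedMemberTypes -contains 'Application' }

Write-Host '== Apps holding Mail.Send as an APPLICATION permission (tenant-wide reach) =='
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $mailSendRole.Id } |
    Select-Object PrincipalDisplayName, PrincipalId, CreatedDateTime |
    Sort-Object PrincipalDisplayName |
    Format-Table -AutoSize

# 2. Delegated permission: the app sends only as the consenting user, but a grant whose
#    ConsentType is 'AllPrincipals' means an admin consented on behalf of every user.
Write-Host '== Delegated Mail.Send grants (AllPrincipals = admin-consented for everyone) =='
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and (($_.Scope -split ' ') -contains 'Mail.Send') } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App         = $client.DisplayName
            ClientId    = $_.ClientId
            ConsentType = $_.ConsentType
            ForUser     = if ($_.PrincipalId) { $_.PrincipalId } else { '(all users)' }
        }
    } | Format-Table -AutoSize
```

Anything in the first table is a candidate for an application access policy; anything in the second table with ConsentType AllPrincipals deserves the same scrutiny, because although each call is bound to one user, the app can act for every user who signs in to it.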
How to Make Copilot Draft an Email (Step by Step)
Drafting is the feature most users actually want when they ask whether Copilot can send email. The process lives inside Outlook and requires a Microsoft 365 Copilot license, currently priced at $30 per user per month on an annual commitment. Without that license, the Copilot icon simply does not appear in the compose window.
Open a new message, click the Draft with Copilot icon in the ribbon, and type a natural-language prompt such as Write a polite follow-up to the attached proposal, keep it under 150 words, and include a call to book a 30-minute meeting. Copilot returns a draft inside the body of the message. You can then click Keep it, Regenerate, or Discard, and you can adjust tone, length, and formality using the slider controls.
The consequence of skipping the review step is predictable. Copilot sometimes hallucinates product names, mis-attributes quotes, and invents meeting dates that do not exist on your calendar. An example is Jordan, a paralegal who let Copilot reference a “Ninth Circuit” case that had actually been decided by the Seventh Circuit; the error made it into a client letter and required a formal correction.
A common misconception is that Copilot reads every file in your tenant when it drafts. It only pulls from items you explicitly reference or from content surfaced by Microsoft 365 semantic search, subject to your existing permissions.
Coaching and Summarizing
The Coaching by Copilot feature scores tone, clarity, and sentiment before you send. The plain-English explanation is that Copilot reads your draft and suggests edits to soften aggressive language or sharpen vague asks. The consequence of ignoring coaching feedback in a regulated industry is real; a tone-deaf collections email can trigger complaints under the Fair Debt Collection Practices Act.
An example is Elena, a credit-union supervisor whose team used coaching to strip language that a compliance officer flagged as potentially misleading. A common misconception is that coaching alone guarantees compliance. It does not; it only flags surface-level issues, not legal defects.
When Copilot Actually Sends the Email Itself
True auto-send happens in three places: Copilot Studio agents, Power Automate cloud flows, and Sales Copilot follow-up automation. In each case, you define a trigger—new CRM lead, form submission, inbound email—and the agent or flow calls Graph to send a reply, a notification, or a cascade of messages. No human click is required once the automation is published.
The governing control here is a Microsoft Purview communication compliance policy, which lets admins scan every outbound message, Copilot-generated or not, for policy violations. The consequence of not configuring one is that audit evidence may be incomplete if a regulator ever asks how a specific message was produced. An example is Aisha, a compliance lead at a broker-dealer who discovered during an SEC sweep that her Copilot-generated trade confirmations were not being captured in her 17a-4 archive.
A common misconception is that auto-sent messages are exempt from CAN-SPAM’s “clear and conspicuous” opt-out rule. They are not; every commercial email must include a working unsubscribe mechanism, even if a bot produced it.
Copilot Studio Agents
Copilot Studio lets citizen developers build agents using a low-code canvas. An agent can have an email action that uses the signed-in user’s mailbox or a shared mailbox to send messages. The plain-English explanation is that the agent becomes a miniature program that listens for a trigger and sends a message when conditions match.
The consequence of publishing an agent without a kill switch is that a prompt-injection attack could redirect it. An example is Daniel, who built a customer-service agent that was tricked by a malicious inbound email into forwarding internal pricing data to an external address. A common misconception is that Copilot Studio agents are isolated from the rest of the tenant; in reality, they inherit the publisher’s permissions.
Power Automate Flows
Power Automate is the workhorse. A flow can start from a Copilot prompt, a SharePoint list change, or a Dataverse row update, and it can send a templated email through the Send an email (V2) action. The consequence of a runaway flow is well-documented: Exchange Online lets a single mailbox address up to 10,000 recipients per 24 hours, so a looping flow can land your domain on a spam-filter blocklist long before the platform stops it.
An example is Rachel, whose loop-back trigger fired every time a flow-sent email bounced back, creating a 4,000-message storm before Exchange Online rate-limited the mailbox. A common misconception is that Power Automate flows always send from the flow owner’s mailbox; they can also send from shared mailboxes if the owner has Send As rights.
Federal Laws That Apply to Every Copilot Email
Federal law does not care whether a human or a model wrote the message. If the email is commercial, transactional, or regulated, the same statutes apply. Start with the CAN-SPAM Act, which requires accurate header information, non-deceptive subject lines, a physical postal address, and a functioning unsubscribe link honored within 10 business days.
The consequence of a CAN-SPAM violation is steep. The FTC's 2025 inflation adjustment pushed the per-email maximum to $53,088, and state attorneys general can sue in parallel. An example is the 2023 FTC action against Experian Consumer Services, which paid $650,000 for promotional emails that lacked a working opt-out, a defect Copilot would happily reproduce if you did not tell it otherwise.
A common misconception is that business-to-business emails are exempt from CAN-SPAM. They are not; the statute covers all “commercial electronic mail messages” regardless of the recipient’s account type.
TCPA and Email-to-SMS
The Telephone Consumer Protection Act reaches email only when the message is routed to a wireless device as a text, typically through a carrier's email-to-SMS gateway address (a phone number at the carrier's gateway domain). The plain-English explanation is that if your Copilot flow pushes a message to a carrier gateway, it becomes a text under the TCPA and requires prior express written consent for marketing content.
The consequence is statutory damages under the TCPA itself of $500 per message, trebled to $1,500 when the violation is willful. An example is Kevin, a realtor whose Power Automate flow pushed open-house alerts to buyer phones and who faced a class action after one recipient had never opted in. A common misconception is that a "B2B" disclaimer shields a sender; the TCPA follows the device, not the account.
HIPAA for Healthcare Emails
HIPAA’s Privacy Rule requires that any email containing protected health information be transmitted securely or with patient consent to an unsecured channel. The consequence of a breach is reportable to HHS and can reach $2,134,831 per violation category per year under the 2024 HITECH adjustments.
An example is Dr. Patel, whose Copilot agent auto-replied to new patient inquiries with appointment details that included diagnoses, a disclosure of PHI over unsecured email that the Privacy Rule restricts; and because Microsoft processes that PHI, a Business Associate Agreement must be in place. A common misconception is that Microsoft's default encryption satisfies HIPAA; it helps, but you still need a signed Business Associate Agreement and proper configuration.
SEC Rule 17a-4 and FINRA
Broker-dealers must retain business communications for at least three years under SEC Rule 17a-4 (the first two in an easily accessible place) and the parallel FINRA Rule 4511; registered investment advisers carry similar obligations under Advisers Act Rule 204-2. The consequence of missing records is well-illustrated by the 2022 off-channel communications sweep, in which SEC and CFTC penalties together reached roughly $1.8 billion.
An example is a regional broker-dealer that settled for $15 million after its Copilot-generated client updates bypassed the firm’s archive. A common misconception is that the archive captures everything automatically; agents and flows that send from shared mailboxes often require journaling rules to be captured.
State Laws and Cross-Border Rules
State law adds a second layer. The California Consumer Privacy Act and its CPRA amendments give consumers the right to opt out of the sale or sharing of personal information, which includes email addresses used for cross-context behavioral advertising. The consequence of ignoring a CPRA opt-out is a $2,500 fine per violation, or $7,500 per intentional violation.
An example is a Los Angeles retailer that used Copilot to segment customers by inferred income; the state’s AG argued the inference itself was a “sale” under CCPA. A common misconception is that CCPA only applies to California-based businesses; any company that does business with California residents and meets the revenue or volume thresholds is covered.
Other State Privacy Laws
Colorado’s CPA, Virginia’s VCDPA, Connecticut’s CTDPA, and Texas’s TDPSA all add consent and profiling restrictions. The plain-English explanation is that each state defines sensitive data, profiling, and consent slightly differently, and Copilot outputs can cross all four lines at once.
The consequence is overlapping enforcement; a single promotional email can draw complaints in multiple states. An example is a national fitness chain that ran a Copilot-generated re-engagement campaign and received inquiry letters from three state AGs in a single week. A common misconception is that a single privacy policy covers every state; most require state-specific disclosures.
Three Scenarios That Show the Risk
| Action Taken with Copilot | Legal and Business Outcome |
|---|---|
| Drafting a single sales follow-up that you personally review before hitting send | Low risk; you are the CAN-SPAM sender and can add the required physical address and unsubscribe link before the message leaves |
| Building a Power Automate flow that auto-sends appointment reminders to patient mobile phones via email-to-SMS | High risk; the flow triggers TCPA and HIPAA simultaneously, and a single wrong number can generate statutory damages plus an HHS breach report |
| Publishing a Copilot Studio agent that replies to every inbound investor inquiry using firm-wide templates | Medium-to-high risk; every reply is a “business record” under SEC 17a-4 and must be journaled, or the firm risks a books-and-records violation |
Three Named Examples
Marcus, an IT director at a Midwestern manufacturer, rolled out Microsoft 365 Copilot to 400 users without updating the firm's acceptable-use policy. Within 30 days, a finance analyst used Copilot to draft an earnings-related message to an external investor, a disclosure that triggered a Regulation FD review. Marcus's fix was to publish a Microsoft Purview sensitivity label whose encryption withholds the EXTRACT usage right, which stops Copilot from reading or summarizing any document labeled Material Non-Public.
Priya, a marketing manager at a Boston SaaS firm, built a Power Automate flow that auto-sent Copilot-generated nurture emails to 12,000 prospects. The flow failed to honor unsubscribe requests processed in HubSpot, producing a CAN-SPAM complaint to the FTC. Priya’s remediation was to insert a Dataverse suppression-list check before each send and to set a 10-business-day opt-out service-level agreement.
Dr. Patel, a family physician in Austin, deployed a Copilot Studio agent to answer patient scheduling questions by email. The agent pulled appointment data from the EHR and included diagnosis codes in reply snippets. Dr. Patel’s compliance officer disabled the agent, executed a Business Associate Agreement with Microsoft, and rebuilt the agent to use only de-identified scheduling tokens.
Mistakes to Avoid
- Granting tenant-wide Mail.Send to any app. Scope application permissions to specific mailboxes with an Exchange Online application access policy, or a single compromised app can send as every user.
- Skipping the Purview communication compliance policy. Without it, you cannot prove to a regulator which Copilot outputs were reviewed.
- Letting Copilot draft legal advice. The model hallucinates citations; in Mata v. Avianca a federal court sanctioned lawyers for filing an AI-generated brief built on fake cases.
- Auto-sending to unverified mobile numbers. TCPA damages start at $500 per text and scale with willfulness findings.
- Forgetting the physical postal address. Every commercial email needs one under CAN-SPAM, and Copilot templates often omit it.
- Assuming encryption equals HIPAA compliance. You also need a BAA, audit logging, and minimum-necessary disclosure controls.
- Using shared mailboxes without journaling. Agent-sent messages from a shared mailbox can escape your 17a-4 archive entirely.
- Ignoring cross-state privacy differences. A single template can violate CPRA, CPA, and VCDPA at once if it profiles recipients.
- Failing to log agent runs. Without Copilot Studio analytics, you cannot reconstruct why a message was sent.
- Letting end users publish agents. Citizen-developer governance is essential; otherwise, every marketing intern becomes a CAN-SPAM sender.
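The first item in the list above, scoping application-level Mail.Send with an application access policy, is a two-cmdlet job, but the part people skip is proving the boundary afterwards. The script below is an added example for this page, not Microsoft documentation; it assumes the ExchangeOnlineManagement module and an Exchange administrator, and the app id, group address, and mailbox addresses are placeholders.

```powershell
# Added example: confine an app's application-level mail permissions (Mail.Send, Mail.Read, ...)
# to the mailboxes in one mail-enabled security group, then verify from both sides.
# Requires the ExchangeOnlineManagement module. All ids and addresses are placeholders.
Connect-ExchangeOnline

$appId      = '11111111-2222-3333-4444-555555555555'  # placeholder: the automation app's client id
$scopeGroup = 'copilot-senders@contoso.example'        # placeholder: mail-enabled security group

# RestrictAccess: the app may act only on mailboxes that are members of $scopeGroup.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Copilot automation may send only from approved mailboxes'

# Policies take a few minutes to propagate; then test a member and a non-member.
# Expected: AccessCheckResult Granted for the notifications mailbox, Denied for the CFO.
'notifications@contoso.example', 'cfo@contoso.example' | ForEach-Object {
    Test-ApplicationAccessPolicy -Identity $_ -AppId $appId |
        Select-Object Mailbox, AppId, AccessCheckResult
}

# Periodic re-audit: every policy in the tenant, so an app with no policy stands out
# when compared against the list of apps that hold application-level Mail.Send.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description -AutoSize
```

Two caveats. Application access policies govern application permissions only; a delegated grant is already bound to the consenting user and is not affected. And the policy is only as tight as the group: anyone who can add members to the scope group can widen the app's reach, so treat membership changes on that group as a privileged operation.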
Do’s and Don’ts
Do
- Do require a Purview communication compliance policy, because it captures Copilot output for later review.
- Do train users on CAN-SPAM basics, because the sender is the human, not the software.
- Do use sensitivity labels, because they block Copilot from reading or drafting from restricted files.
- Do monitor Graph API usage, because unusual Mail.Send spikes often precede incidents.
- Do rehearse an incident-response runbook, because auto-send incidents escalate in minutes.
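"Monitor Graph API usage" is only useful if you know what a bad spike looks like in the logs. Mailbox auditing in Exchange Online records Send, SendAs, and SendOnBehalf operations with the AppId of the caller, and the signature of a misused tenant-wide Mail.Send grant is one AppId sending as many different mailboxes in a short window. The detector below is an added example written for this page, not a Microsoft product; the records it runs on are constructed here to resemble the AuditData objects that Search-UnifiedAuditLog returns, and the thresholds are illustrative.

```powershell
# Added example: flag bursts of app-driven sends in Exchange mailbox audit records.
# The sample records are CONSTRUCTED to mirror the AuditData shape of Send/SendAs/
# SendOnBehalf events; in production, feed in the parsed output of Search-UnifiedAuditLog.
function Find-SendBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $MaxSendsPerHour     = 100,  # tune to the app's expected volume
        [int] $MaxMailboxesPerHour = 5     # one app sending as many mailboxes = tenant-wide Mail.Send signature
    )
    $Records |
        Where-Object { $_.Operation -in @('Send', 'SendAs', 'SendOnBehalf') -and $_.AppId } |
        Group-Object -Property { '{0}|{1:yyyy-MM-dd HH}' -f $_.AppId, [datetime]$_.CreationTime } |
        ForEach-Object {
            $mailboxes = @($_.Group.MailboxOwnerUPN | Sort-Object -Unique)
            [pscustomobject]@{
                AppId      = $_.Group[0].AppId
                Hour       = ([datetime]$_.Group[0].CreationTime).ToString('yyyy-MM-dd HH:00')
                Sends      = $_.Count
                Mailboxes  = $mailboxes.Count
                Suspicious = ($_.Count -ge $MaxSendsPerHour) -or ($mailboxes.Count -ge $MaxMailboxesPerHour)
            }
        }
}

# --- constructed sample data (not real tenant logs) ---
$sample = [System.Collections.Generic.List[object]]::new()
# A user sending normally from Outlook on the web: no AppId, so the detector ignores it.
$sample.Add([pscustomobject]@{ CreationTime = '2024-05-02T09:00:12'; Operation = 'Send'; AppId = ''
                               ClientInfoString = 'Client=OWA;Action=ViaProxy'
                               MailboxOwnerUPN = 'priya@contoso.example' })
# A properly scoped notification flow: one mailbox, modest volume, should not trip.
1..12 | ForEach-Object {
    $sample.Add([pscustomobject]@{ CreationTime = "2024-05-02T10:$('{0:d2}' -f ($_ * 4)):00"; Operation = 'SendAs'
                                   AppId = 'bbbbbbbb-0000-0000-0000-000000000002'
                                   ClientInfoString = 'Client=REST;Client=RESTSystem;;'
                                   MailboxOwnerUPN = 'notifications@contoso.example' })
}
# A compromised app holding tenant-wide Mail.Send: sends as 40 different mailboxes in ten minutes.
1..40 | ForEach-Object {
    $sample.Add([pscustomobject]@{ CreationTime = "2024-05-02T13:$('{0:d2}' -f ($_ % 10)):$('{0:d2}' -f ($_ % 60))"
                                   Operation = 'SendAs'; AppId = 'aaaaaaaa-0000-0000-0000-000000000001'
                                   ClientInfoString = 'Client=REST;Client=RESTSystem;;'
                                   MailboxOwnerUPN = "user${_}@contoso.example" })
}

Find-SendBursts -Records $sample | Format-Table -AutoSize
```

On the sample, the notification flow reports 12 sends from 1 mailbox and is not flagged, while the compromised app reports 40 sends across 40 mailboxes and is flagged on the mailbox-count rule even though its volume is below the per-hour send threshold. That second rule is the one worth alerting on: legitimate automation almost always sends from one or two mailboxes, and a sudden spread across the directory is the tell that an application permission, not a user, is being abused.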
Don’t
- Don’t grant Mail.Send at the tenant level, because the blast radius is your entire company.
- Don’t let agents send to unverified external domains, because phishing and data-exfiltration risks rise sharply.
- Don’t skip the BAA if you touch PHI, because HIPAA liability flows to the covered entity.
- Don’t disable unsubscribe links, because CAN-SPAM violations are strict-liability for the sender.
- Don’t archive only end-user mailboxes, because shared-mailbox sends often bypass the archive.
Pros and Cons of Copilot-Sent Email
Pros
- Speed. Copilot can draft a five-paragraph email in under three seconds, which saves roughly 30 minutes per user per day based on Microsoft’s own productivity telemetry.
- Consistency. Templates enforced through agents produce uniform brand voice, which reduces tone-related complaints.
- Translation. Copilot supports more than 40 languages, which helps multinational teams serve customers in their native language.
- Context awareness. Copilot can pull from prior threads, calendar events, and attached files, which cuts research time.
- Accessibility. Coaching and summarization features help users with dyslexia or English-as-a-second-language backgrounds produce clearer messages.
Cons
- Hallucination risk. The model invents facts, names, and citations, which creates liability in regulated industries.
- Permission sprawl. Agents inherit the publisher’s access, which can leak data the publisher did not realize they could see.
- Cost. At $30 per user per month, a 500-seat deployment runs $180,000 per year before storage, training, and governance costs.
- Audit complexity. Agent-sent messages require separate journaling and analytics to meet 17a-4 and HIPAA requirements.
- Prompt-injection exposure. A malicious inbound email can hijack an agent that reads the inbox, which is a novel attack surface.
Admin Controls You Should Configure Today
Admin tooling is where compliant Copilot deployments are won or lost. Start with the Microsoft 365 Copilot admin center, which lets you assign licenses, configure data-source access, and review usage. Next, enable Microsoft Purview Audit: Audit (Standard) keeps records for 180 days, Audit (Premium) keeps Copilot prompt and response events for one year by default, and the 10-year audit log retention add-on extends that further.
The consequence of running without audit is that you cannot respond to an eDiscovery request or a regulator subpoena with defensible evidence. An example is a Denver law firm that could not produce Copilot drafts in a malpractice case and faced an adverse-inference instruction from the court. A common misconception is that Microsoft stores prompts forever; the default retention is 18 months for Copilot interaction history, after which the data is purged.
Data Loss Prevention
Microsoft Purview DLP policies can block Copilot from including sensitive data types—Social Security numbers, credit-card PANs, or custom-defined trade secrets—in outbound email. The plain-English explanation is that the policy inspects content before transmission and either warns, blocks, or encrypts.
The consequence of skipping DLP is breach-notification exposure under state laws like New York’s SHIELD Act. An example is a Chicago hospital that prevented a 4,000-record disclosure by applying a DLP rule that intercepted Copilot-drafted discharge summaries. A common misconception is that DLP slows Copilot to a crawl; modern policies run in under 200 milliseconds per message.
Retention and eDiscovery
Retention labels in Microsoft Purview determine how long Copilot-generated mail survives. The consequence of short retention is regulatory exposure; the consequence of infinite retention is storage cost and litigation risk.
An example is a Seattle fintech that balanced 7-year retention for client communications with 90-day retention for internal chat, cutting its storage bill by 40 percent. A common misconception is that retention policies apply automatically to agent output; you must explicitly scope the policy to the shared mailbox the agent uses.
Court Rulings and Enforcement Snapshots
Courts have begun to treat AI-drafted communications the same as human-drafted ones. In Mata v. Avianca (S.D.N.Y. 2023), the court sanctioned the Levidow, Levidow & Oberman attorneys who filed a brief containing ChatGPT-hallucinated cases, fining them $5,000 and ordering them to notify their client and the judges whose names had been attached to the fake opinions; that warning applies equally to Copilot-drafted demand letters. The FTC's 2023 Rite Aid order showed the agency will hold companies responsible for AI outputs that harm consumers.
The consequence across these rulings is a consistent theme: the human or entity deploying the AI is legally accountable for its output. A common misconception is that an AI disclaimer in the footer shifts liability; the courts have held the person who signed and sent the document responsible, not the tool.
Walking Through the Send an Email (V2) Action
The Send an email (V2) action in Power Automate is where most Copilot-driven sends happen, so every field deserves a careful look. The To field accepts comma-separated addresses or dynamic content from a prior step, and the consequence of pasting an unverified dynamic value is that your flow can send to attacker-controlled addresses.
The Subject field supports expressions, and a common mistake is to include customer PII in the subject line, which then appears in message-tracking logs, notification previews, and any downstream ticketing system. The Body field accepts HTML, and the consequence of unsanitized HTML is HTML injection: markup copied from an untrusted field becomes live links, hidden text, or, in a client that fails to strip active content, executable script inside your message. An example is Rachel, who used concat() to build a body and inadvertently introduced a <script> tag from a CRM note field.
The Advanced options section includes From (Send as), CC, BCC, Attachments, Importance, and Reply To. Each field has compliance implications. The From (Send as) field requires Send As permission on the target mailbox, and abusing it is a CAN-SPAM header-deception violation. Attachments expand the DLP surface; Reply To can route responses to an unmonitored inbox and trigger Fair Debt Collection complaints if used in collections.
A common misconception is that BCC is private. In Exchange transport logs, BCC recipients are fully visible to administrators and can be produced in discovery.
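The field-by-field walk-through above comes down to three checks before the Send an email (V2) action ever runs: the To value must survive strict parsing and a domain allowlist, every untrusted value in the Body must be HTML-encoded, and the Subject must carry no PII. The function below is an added example for this page, not part of Power Automate or any Microsoft template; it assumes you host it somewhere the flow can call before the send step (an Azure Automation runbook, for instance), and the allowed domains, addresses, unsubscribe URL, and postal footer are placeholders.

```powershell
# Added example: validate recipients and build a safe HTML body BEFORE the flow's
# Send an email (V2) action sees them. Hosting this as a step the flow calls is an
# assumption of this example. Domains, addresses and the postal footer are placeholders.
function New-SafeMailPayload {
    param(
        [Parameter(Mandatory)] [string[]] $To,            # dynamic content from an earlier step: untrusted
        [Parameter(Mandatory)] [string]   $CustomerName,  # CRM field: untrusted
        [Parameter(Mandatory)] [string]   $Note,          # CRM free-text note: untrusted
        [Parameter(Mandatory)] [string]   $TicketId,      # opaque id, the only thing allowed in the subject
        [string[]] $AllowedDomains = @('contoso.example', 'partner.example')
    )

    # 1. Recipients: parse strictly, then allowlist the domain. Anything else is dropped, never "fixed".
    $validTo = foreach ($raw in $To) {
        try   { $addr = [System.Net.Mail.MailAddress]::new($raw.Trim()) }
        catch { Write-Warning "Rejected malformed address: '$raw'"; continue }
        if ($addr.Host.ToLowerInvariant() -in $AllowedDomains) { $addr.Address }
        else { Write-Warning "Rejected recipient outside allowlist: $($addr.Address)" }
    }
    if (-not $validTo) { throw 'No allowed recipients; refusing to build the message.' }

    # 2. Body: every untrusted value is HTML-encoded, so markup in a CRM note renders as text.
    $safeName = [System.Net.WebUtility]::HtmlEncode($CustomerName)
    $safeNote = [System.Net.WebUtility]::HtmlEncode($Note)
    $body = @"
<p>Hello $safeName,</p>
<p>$safeNote</p>
<p style="font-size:smaller">Contoso Ltd, 1 Example Street, Springfield (placeholder postal address).
<a href="https://contoso.example/unsubscribe?t=$([uri]::EscapeDataString($TicketId))">Unsubscribe</a></p>
"@

    # 3. Subject carries no PII; message-tracking logs and notification previews expose it.
    #    Output maps 1:1 onto the To / Subject / Body / Is HTML fields of Send an email (V2).
    [pscustomobject]@{
        To      = ($validTo -join ';')
        Subject = "Your request $TicketId"
        Body    = $body
        IsHtml  = $true
    }
}

# Constructed input: one legitimate recipient, one attacker-controlled, one malformed,
# and a CRM note that carries markup (the Rachel scenario).
$payload = New-SafeMailPayload `
    -To @('alice@partner.example', 'drop@attacker.example', 'not an address') `
    -CustomerName 'Alice <b>Q</b>' `
    -Note 'Thanks! <script>alert(1)</script><a href="https://evil.example">Re-enter your password</a>' `
    -TicketId 'TCK-1042'
$payload | ConvertTo-Json
```

Running it on the constructed input yields a To of just alice@partner.example (two warnings explain the drops), a Subject containing only the ticket id, and a Body in which the script and anchor tags are encoded as &lt;script&gt; and &lt;a ...&gt; literals, so the recipient sees the note as text rather than as live content. The fixed footer with a postal address and unsubscribe link is there because, as the CAN-SPAM section notes, templates routinely omit both.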
FAQs
Can Microsoft 365 Copilot send emails automatically without my approval?
No. By default, Copilot only drafts messages inside Outlook and requires you to click Send. Automatic sending happens only when you deliberately build a Copilot Studio agent or Power Automate flow.
Does Copilot follow CAN-SPAM rules on its own?
No. Copilot does not automatically insert a physical postal address or unsubscribe link. The human sender remains legally responsible for every CAN-SPAM element in the final message.
Is Copilot HIPAA compliant out of the box?
No. You need a signed Business Associate Agreement with Microsoft and proper configuration of encryption, access controls, and audit logging before using Copilot with protected health information.
Can Copilot send emails from a shared mailbox?
Yes. A Power Automate flow or Copilot Studio agent can send from a shared mailbox if the running identity has Send As or Send on Behalf permission on that mailbox.
Do Copilot-sent emails show up in eDiscovery?
Yes. Messages sent through your Exchange Online mailbox are captured by Microsoft Purview eDiscovery tools, provided you have applied retention and journaling policies to the sending mailbox.
Can Copilot send text messages to cell phones?
Yes. Through email-to-SMS gateways or Twilio connectors in Power Automate, but doing so triggers TCPA consent rules and can create $500-to-$1,500 per-message liability.
Does Copilot store the prompts I use to draft emails?
Yes. Copilot interaction history is retained in your mailbox for 18 months by default and is discoverable under Microsoft Purview, so treat prompts as business records.
Can end users build their own Copilot agents that send email?
Yes. With the right licenses and a Power Platform environment, but admins should restrict agent creation to a governed group to avoid shadow-IT compliance failures.
Is a disclaimer like “Drafted by AI” enough to limit liability?
No. In Mata v. Avianca the court held the lawyers who signed and filed the document responsible regardless of how the text was produced, and a footer disclaimer does not change who the sender is under CAN-SPAM. The sender remains fully liable for accuracy and compliance.
Does CAN-SPAM apply to internal employee emails drafted by Copilot?
No. Purely transactional or relationship messages between employees are excluded. However, any email promoting a product or service to external recipients is covered regardless of authorship.
Can Copilot send encrypted emails?
Yes. When you apply a Microsoft Purview sensitivity label with encryption, Copilot-drafted messages inherit the label and are transmitted with rights-management protection intact.
Will Copilot honor my company’s existing email signature?
Yes. Copilot drafts inside Outlook, which appends your configured signature automatically, though agents that send through Graph may require you to build the signature into the template.