You can set policies to offer all these kinds of protection and apply to specific SharePoint libraries, or to emails that match policy rules like the identity of the sender or recipient, the relationship between them, the contents of the message or attachment and many other options. As well as applying rights management to emails to protect them 'at rest' you can also use policy rules to protect them 'in motion' by telling Exchange to make Transport Layer Security-encrypted connection to the mail server of the recipient.
If you want to go a step further and encrypt information before you send it to Office 365, you'll need to buy a service from a Microsoft partner. Services like Erado and FiLink work with Exchange Online and will automatically encrypt email marked with a keyword or matching content rules; users have to go to a secure portal and log in to read the messages.
CipherCloud and Vaultive offer similar cloud encryption gateways that you can buy as a service or run as a virtual appliance on your own server (Vaultive is also available as a separate network appliance). They can protect calendar, contact and task data as well as email, encrypting information on the way in to Office 365 and decrypting it on the way out.
Users get to use the same email software and smartphones they already read email on, including Outlook Web Access, and you control the encryption keys.
These partner options increase the cost of using Office 365 and you have to do more configuration, especially if you want to use Exchange Online's spam checking. This works on unencrypted messages and then encrypts them for storing or sending on.
But if you need to comply with specific regulations that require this level of encryption, they mean you can still use Office 365. If you don't need that level of protection, the IRM service in Office 365 gives you flexible protection that does more than just encryption.