diff --git a/specification/modules/end_to_end_encryption.rst b/specification/modules/end_to_end_encryption.rst index b224126d..fa461cc2 100644 --- a/specification/modules/end_to_end_encryption.rst +++ b/specification/modules/end_to_end_encryption.rst @@ -366,7 +366,6 @@ The plaintext payload is of the form: { "type": "", "content": "", - "room_id": "", "sender": "", "recipient": "", "recipient_keys": { @@ -379,9 +378,6 @@ The plaintext payload is of the form: The type and content of the plaintext message event are given in the payload. -We include the room ID in the payload, because otherwise the homeserver would -be able to change the room a message was sent in. - Other properties are included in order to prevent an attacker from publishing someone else's curve25519 keys as their own and subsequently claiming to have sent messages which they didn't. @@ -433,6 +429,9 @@ The encrypted payload can contain any message event. The plaintext is of the for "room_id": "" } +We include the room ID in the payload, because otherwise the homeserver would +be able to change the room a message was sent in. + Clients must guard against replay attacks by keeping track of the ratchet indices of Megolm sessions. They should reject messages with a ratchet index that they have already decrypted. Care should be taken in order to avoid false positives, as a
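Review bot: The first hunk (@@ -366,7 +366,6) leaves receivers without guidance for payloads that still carry `"room_id"`, which senders following the previous text will keep including in this plaintext. Suggest adding a sentence below the JSON form saying whether a receiving client should ignore the field or treat it as an error, so that implementations do not diverge.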
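Review bot: In the second hunk (@@ -379,9 +378,6), the rationale about the homeserver changing the room is deleted with nothing saying why that concern no longer applies to this payload. The remaining paragraph, starting "Other properties are included", only covers the curve25519 key claim, so suggest adding one sentence that states why no room binding is needed for this payload, or what provides it instead.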
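Review bot: The paragraph added in the third hunk (@@ -433,6 +429,9) is rationale only and states no receiver-side requirement, unlike the replay paragraph directly after it, which uses "Clients must". Including `room_id` in the plaintext protects nothing unless the receiving client compares it with the room the event was delivered in, so suggest adding normative text such as "Clients must check that the `room_id` in the decrypted payload matches the room in which the event was received, and reject the message otherwise."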