How to Encrypt Email Messages Step by Step

📅 April 16, 2026 ✍️ By Chris Almond ⏱️ 18 min read

Encrypting email messages keeps sensitive content away from prying eyes. The words in the body of the email are encrypted, making them readable only by the right people. That matters for patient notes, invoices, HR updates, legal talks, and any message you would not pin on a notice board.

You do not need to be technical to use message encryption. Modern tools hide most of the complex parts. With a few clear steps, you can turn plain emails into protected ones. If you want a broader overview first, you can read the MailHippo guide to encrypted email and then come back to this step-by-step article.

What message encryption does

Message encryption changes the body of an email from readable text into scrambled data. To anyone without the right access, the content looks like random characters that make no sense. Mail servers can still move the message, yet they no longer see what it says.

At the other end, the recipient’s email tool or secure portal turns that scrambled data back into normal text. It uses a key, a certificate, or a protected account to do that work. The person sees the message in a familiar view and can reply as usual.

The goal stays simple. Keep the content private during the trip and while it rests on servers. Even if someone grabs a copy of an encrypted message, they get very little they can use.

Before you begin

Know which email tool you are using.

Your first step is to know the main email tool you and your team use. That might be Outlook with Microsoft 365, Gmail with Google Workspace, a hosted business service, or a secure email portal. Each one handles encryption slightly differently.

Open your inbox and check the branding and menus. Look in the help section for words like security, protect, or encryption. Many business platforms already have some form of built-in protected sending that you can enable.

Write down the main tool you use and how you reach it, such as a desktop app, a web browser, or a phone app. That list guides which parts of this guide apply to you and which parts you can skim.

Check how the recipient will open the message.

Message encryption only works well when the person at the other end can open the protected email without stress. Think about who you write to most. Staff inside your company, patients, clients, partner firms, or all of these.

People inside your own domain often use the same platform as you. They can usually open encrypted messages right inside their inbox. People outside your company may use a variety of services, such as free webmail or older tools.

For outside people, a secure portal with browser access often feels easiest. They receive a short-notice email, click a link, and read the message on a web page after a quick identity check. Keep their skills and devices in mind when you pick a method.

Decide if attachments need separate protection.

Many important details hide in attachments rather than in the body of the email. That includes PDFs, Word files, spreadsheets, scans, and zip folders. Encrypting the message body helps, yet it does not always cover what happens after the recipient saves a file.

Decide whether your attachments need extra protection that travels with the file. In many cases, the answer is yes. Password-protected PDFs and zip files provide strong file-level locks that stay in place even when the email thread moves or is forwarded.

For a deeper look at file protection, you can read the MailHippo guide on how to encrypt email attachments. Keep that in mind while you plan your message encryption steps.

The main ways to encrypt email messages

Built-in protected sending

Many modern email services include built-in protected sending. These options often appear as a padlock icon, a protect button, or a menu item labeled confidential or secure. When you turn this on, the platform encrypts the message body and often the attachments.

From the sender’s side, this feels close to writing a normal email. You draft your message, add files, click the lock, and send. The system uses standards such as TLS and S MIME, as well as proprietary tools, to keep the content private.

From the recipient side, the message may open directly in their inbox, or a button may send them to a protected view in the browser. The details vary by platform, so testing with a colleague first helps.

Portal-based message delivery

Portal-based delivery keeps the full message in a secure web application. The email that lands in the inbox is only a short notice. It might say that a secure message is waiting and include a button labeled “Read secure message”.

When the recipient clicks the button, a browser opens the portal. The person proves who they are with a password, a one-time code, or a trusted login. The portal then displays the encrypted message in plain text and can keep replies within the same protected space.

This method works well for clinics, law firms, and other teams that send many messages to people on mixed email services. Recipients only need a browser and basic instructions.

PGP

PGP uses public and private keys for each user. When you use PGP, your email content is encrypted on your device before it leaves your device. Only the private key that matches the recipient’s public key can unlock the message.

In a classic PGP setup, each person manages their own key pair and shares their public key with others. Mail tools or plugins then use those keys to encrypt messages when you click send.

PGP offers strong end-to-end protection, yet it can feel complex for non-technical staff in its raw form. Many secure email services now use PGP behind the scenes and hide key details behind simple buttons.

S MIME

S MIME uses digital certificates that link keys to people or roles. Many enterprise tools, such as Outlook and Apple Mail, support S MIME natively. Companies and health networks often use it for both encryption and digital signatures.

In an S MIME setup, IT teams or providers issue certificates to users and install them on devices. The mail client then uses these certificates to encrypt outgoing messages and decrypt incoming ones that match.

This method fits well in managed environments with central IT. Once the first setup is done, staff mainly see small lock or signature icons and send emails as usual.

Step-by-step guide for built-in message encryption

Draft your message

Open a new message in your email tool or portal. Type the recipient address and a short, clean subject. Write the body of the email in plain language, keeping private details in the body rather than the subject line.

Explain what you are sending and what action you need. Mention that the message is protected if you think that will reassure the reader. Keep the tone clear and calm.

Treat the body as the primary thing you want encrypted. That is where names, notes, and case details should live.

Add files if needed

Attach any files that support the message. These might be reports, invoices, forms, or scans. Check that you attach the final versions, not old drafts, and that they open correctly on your own device.

Think again about whether these files need their own locks. If they do, apply password protection or other file-level security before you attach them. That way, the files stay protected even if someone moves them outside the email.

Attach all required files before you enable the protection setting for the message. This keeps the process clean and easy to repeat.

Turn on the protection setting.

Look for the built-in option that controls message protection. In some tools, this is a padlock icon near the send button. In others, it sits in a menu called options, security, or similar words.

Click this option, then choose the setting that best matches your needs. Many systems offer a simple encryption option, and some add extra labels that limit forwarding or keep messages within your company domain.

Once active, you may see a lock icon near the subject or a banner indicating that the message will be sent in a protected form. If nothing visual changes, send yourself a test next to confirm what happens.

Review recipient details

Pause before you click send. Check every address in the To, Cc, and Bcc fields. Make sure you are sending this encrypted message only to people who truly need it. One wrong character in an address can send a private note to a stranger.

Keep the number of people on the thread as small as possible. The more inboxes a message enters, the greater the chance that someone mishandles it later.

If you are not sure about a new address, you can send a short, plain test email first and wait for a reply before sending the protected content.

Send a test message

For a new setup, send yourself or a trusted colleague a test encrypted message. Keep the content simple and harmless. The goal is to see how it looks and behaves.

Open the test message on a desktop and on a phone. Note whether it opens in the inbox or in a portal. Count how many clicks or taps it takes. Adjust settings if anything feels confusing or slow.

Once you feel confident that the flow makes sense, begin using encryption for real messages that carry sensitive information.

Step-by-step guide for PGP

What you need before sending

To use PGP directly, you need email software or a plugin that understands PGP and a key pair for yourself. You may also need the public keys for the people you want to write to.

Generate your PGP key pair with a trusted tool, or have your secure email service create it for you. Keep the private key safe and protect it with a strong passphrase. Share your public key with the contacts who need it.

Collect and import the public keys of your frequent recipients. Store them in your keyring inside the PGP tool or plugin. This setup stage may need help from IT if your team is new to PGP.

How keys are used

When you send an encrypted message with PGP, your software uses the recipient’s public key to encrypt the email body and often the attachments. The result is a block of scrambled data that only their private key can unlock.

Your private key does not encrypt their mail. It comes into play when you receive PGP-protected messages from others. Their tools use your public key, and your software uses your private key and passphrase to decrypt.

This key pairing lets many people send you encrypted mail without ever seeing your private key. It keeps control of each inbox in its owner’s hands.

Basic send process

Open a new email in your PGP-aware mail client. Write your message and add attachments as usual. Select the option to encrypt the message, often a small PGP or lock icon in the compose window.

Pick the right recipient from your address list and make sure their public key is present and trusted in your keyring. Then click send. Your tool encrypts the content with its public key and passes the coded message to the mail system.

Ask the person to confirm that they can open your first few PGP messages. If they cannot, you may need to check keys, plugins, or passphrases on their side.

Step-by-step guide for S MIME

What you need before sending

For S MIME, you need a digital certificate for your email address and a mail client that supports S MIME. Outlook and Apple Mail are common examples. An IT team or certificate provider usually handles certificate issuing.

Install your certificate in your mail client following the client’s instructions or your IT guide. You may also need to import certificates from external contacts to send them encrypted messages.

Check that your client now shows options for signing and encrypting emails. These often appear as small icons or checkboxes in the compose window.

How certificates are used

Each S MIME certificate links a public key to an identity such as your name and email address. The certificate includes details about who issued it and how long it is valid. Your mail client trusts it because it comes from a known authority.

When you send an encrypted message to someone, your client uses the recipient’s public key from their certificate to encrypt the message. Their private key, stored on their side, decrypts the email when they open it.

Certificates can also be used to add digital signatures to messages. These signatures prove that a message came from the holder of the private key and that it has not been altered in transit.

Basic send process

Open a new email in your S MIME-aware client. Write your message and attach the needed files. Turn on the encryption setting (often a lock icon) and optionally turn on the signature setting.

Choose the recipient. Make sure your client has a valid certificate. If it does not, you may need them to send you a signed message first so your client can learn their public key.

Click send. Your client uses S MIME to encrypt the email and passes it to the mail system. Ask your contact to confirm that they can open and read the message without errors, especially on mobile devices.

What the recipient may need

Inbox access

With built-in or S MIME encryption, the recipient may open the message directly in their normal inbox app. They need a working account, the correct keys or certificates, and sometimes a passphrase or device unlock.

On their screen, the encrypted message looks like any other email, with perhaps a lock icon or banner. Their client handles decryption as soon as it opens.

Browser access

With portal-based methods, the inbox holds only a short notice. The person needs a browser to open the secure link. Once in the browser, they see login or code prompts and then the protected message.

This model suits people who use many different email services. As long as they have a modern browser, they can read your encrypted message.

Passcode access

Some services send one-time codes by text or to a second email address. The person needs both their inbox and that extra channel to open the email.

They request or receive a code, type it into the portal page, and then read the message. The code may expire after use, which adds safety if the email notice is later exposed.

Key or certificate access

With PGP and S MIME, the recipient needs their private key or certificate installed and ready in their mail client. They may also need to remember a passphrase for that key.

Without these pieces, their client cannot decrypt the message and will often show an error or scrambled text. Setting up keys and certificates is usually a one-time task, yet it must be done well.

How to handle attachments

Attachments often carry the most sensitive data. When you encrypt a message, many tools apply the same protection to attachments in that email. That means the files travel as scrambled data along with the body.

You still want to think about what happens after the recipient saves a file. Once outside the protected email, the file may be stored in plain text on their device. For high-risk content, add file-level locks such as password-protected PDFs or encrypted zips.

In short, treat message encryption as the first layer and file protection as the second. This pair gives you better results than either method on its own.

Common mistakes

Putting private details in the subject line

Subjects often remain visible in plain text, even when the body is encrypted. Mail tools show them in lists and on phone alerts. A detailed subject, such as a full lab report for Maria Lopez, can leak more than you intend.

Keep subject lines neutral for sensitive content. Words like “Your report” or “Your documents” are safer. Place names, dates, and medical or financial details in the encrypted body and files only.

Sending passwords in the same message

Some people encrypt a file or set up a portal and then send the password in the same email. That gives an attacker both the lock and the key at once. Message encryption does not fix that mistake.

Share passwords or passcodes via a separate channel, such as text or a phone call. For more ideas on safe sharing, see the guide on password sharing vs encrypted email.

Assuming every service works the same way

Different mail platforms handle encryption and portals differently. A method that works within your company may not work the same way when you write to a patient using a free webmail account.

Test your approach with real outside recipients before you roll it out widely. Adjust your method to match the tools and skills that they actually have.

Forgetting mobile access

Many people read email on phones or tablets first. A method that works fine on a desktop might feel clumsy on a small screen. That can lead people to avoid or delay reading your secure messages.

Test every encryption method on mobile devices. Count how many taps and screens it takes. Aim for flows that a busy person can follow on a phone with one hand.

How to confirm the message was protected

After you send, check the copy of the message in your Sent folder. Many tools show a lock icon or a label such as “encrypted” or “protected” near the subject or in the message details. That sign tells you the system treated it as an encrypted email.

You can also send a test to another account you control and inspect the raw message, though that is more technical. For most users, visual markers and simple tests with colleagues give enough reassurance.

If you ever find that a message you thought was protected went out in plain form, review your steps and settings right away and correct them.

When message encryption is the right choice

Message encryption is a good fit when you send information that could harm someone if exposed, and you still want to use email as the main channel. That includes health notes, legal updates, HR messages, and client advice.

It lets you keep your normal tools while raising the safety of the content. It also helps you meet many policy and regulatory expectations about data in transit.

If your work already depends heavily on email, message encryption is a natural next step rather than a complete change in workflow.

When a secure link may work better

Secure links often work better when files are very large, many people need access, or you want more control after sending. Links keep documents in one protected place instead of scattering copies in many inboxes.

You can pair links with short, plain emails. The email tells people that a new document is ready. The link and the storage service handle the protection.

For more help choosing between links and encrypted messages, you can read the MailHippo guide on secure links vs encrypted email.

Common questions

How do I encrypt email messages?

You write your message, attach any necessary files, enable the encryption or protection option in your email tool or secure portal, and send. For PGP or S MIME, you also need to set up keys or certificates first.

If you want a focused walk-through with screen-level steps, the MailHippo article on how to encrypt an email step by step is a helpful next read.

Can I encrypt messages for free?

Many email services already support basic encryption for messages in transit, and some include content protection in their standard plans. Free tools for PGP and file protection also exist.

Free options often need more setup and manual checks. Paid secure email services usually hide more complexity and add support. Start by asking your current provider what they already offer.

Do encrypted messages cover attachments?

In many systems, yes. When you encrypt a message, the service encrypts both the body and the attached files in transit and often while they rest on servers.

You still gain additional security by encrypting the key files themselves, especially when recipients might save or forward them. Message and file encryption work well together.

Can encrypted messages be forwarded?

People can still click forward on an encrypted email. What happens next depends on the system. Some tools keep the content tied to the original recipients, so a forward only sends a link or shell. Others may decrypt and re-encrypt for new people.

If someone copies text from a decrypted view into a new plain email, that new message will not be encrypted. Training and simple rules help staff avoid this for private topics.

Read next

For a closer look at each step you take as a sender, you can read how to encrypt an email step by step. It builds on this guide with more detail.

Suppose you want to sharpen how you send protected mail in real life, read “How to Send an Encrypted Email Safely.” That article links encryption steps with everyday habits.

To dig deeper into strong end-to-end protection, including how keys work from one device to another, see end-to-end encryption for email. It explains how to get the highest level of privacy that modern email tools can offer.

Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →