🔑 Key Takeaways
- Smarsh bundles encryption with archiving and supervision for FINRA, SEC, and HIPAA workflows.
- The encryption piece uses TLS transport plus portal delivery with a one-time passcode fallback.
- Onboarding runs four to eight weeks through a Smarsh implementation team, not self-service.
- Broker-dealers value the multi-channel supervision; small practices find it heavier than needed.
- Smarsh holds SOC 2 Type II and signs BAAs; portal deliverability is the main recipient friction.
Smarsh email encryption is one part of a wider compliance platform rather than a standalone encryption product. Firms in financial services, healthcare, and insurance use it when they need encryption, archiving, and supervision under one contract.
This guide covers what Smarsh encryption actually does, how the platform is set up, and when a lighter encrypted email service covers the same compliance ground with less overhead. Comparing honestly matters because the fit varies with firm size and use case.
The audience for this article is a compliance officer, IT lead, or practice manager evaluating Smarsh against alternatives. The details focus on functional behavior rather than sales positioning.
What Smarsh email encryption actually is
Smarsh is a communications compliance company that acquired Actiance in 2017 and expanded through further acquisitions to become a broad archiving and supervision vendor. Email encryption sits inside the Smarsh Professional Archive and Enterprise Archive product families.
The encryption piece is not sold as a standalone product for most customers. Firms that buy Smarsh for encryption alone are rare. The typical purchase includes archiving, supervision, and encryption together to satisfy a regulatory obligation that spans all three.
Transport encryption uses TLS 1.2 or higher between mail servers. Message-level encryption uses a portal delivery model where the recipient reads the message inside a Smarsh-hosted web view after authenticating with a one-time passcode.
The architecture is designed for compliance-heavy environments where messages must be retained, searchable, and reviewable by a supervisor. Encryption alone does not require this depth of infrastructure, which explains the fit question for smaller firms.
Which regulations Smarsh encryption is designed to satisfy
The primary compliance drivers for Smarsh customers are FINRA Rule 3110, SEC Rule 17a-4, and HIPAA. Each of these regulations imposes obligations that extend beyond encryption itself.
- FINRA Rule 3110 requires broker-dealers to supervise associated persons and review certain communications
- SEC Rule 17a-4 requires certain records to be retained in a non-erasable, non-rewritable format for defined periods
- HIPAA requires encryption of protected health information in transit and at rest, plus audit logging and access controls
- State privacy laws such as CCPA add breach notification and data subject rights obligations on top of federal rules
A pure email encryption service covers HIPAA on its own. Adding supervision and non-rewritable archiving is what makes Smarsh a fit for a broker-dealer rather than a therapy practice.
Compliance officers evaluating Smarsh should map their specific regulatory obligations against the platform’s features rather than buying the full stack by default. A single-rule requirement rarely justifies the full stack.

Smarsh email encryption setup end to end
Smarsh onboarding is not a self-service signup. A prospective customer talks to a sales engineer, scopes the deployment, and works with a Smarsh implementation team through provisioning.
The customer connects their email platform to Smarsh through mail flow rules on Exchange Online, Google Workspace, or on-premises Exchange. The connection routes outbound messages through Smarsh gateways for policy inspection.
Encryption policies are defined using keyword lists, sender groups, subject line patterns, or attachment content matching. A common example is triggering encryption on any outbound message containing an account number pattern or specific medical terminology.
Once policies are active, supervisors are configured for review queues, archive retention is set to match the regulation, and users are onboarded. A typical mid-sized firm rollout runs four to eight weeks. Microsoft’s own Exchange mail flow rule documentation is published in the Microsoft Exchange documentation.
Accessing a Smarsh encryption account as an end user
Two different login experiences exist. Firm employees log into a Smarsh admin portal to manage archives, run searches, or handle supervision queues. Message recipients log into a separate portal to read encrypted messages.
Firm users receive credentials from their internal compliance administrator during onboarding. Password resets and access changes are handled through the firm’s admin, not through Smarsh support directly. This model protects segregation of duties.
Message recipients receive an email notification with a secure link. Clicking the link opens a login prompt on the Smarsh portal domain. First-time recipients set a passcode. Return recipients enter the credentials they set previously.
Recipients who lose the passcode can request a reset from the same portal. The reset flow uses email verification back to the original recipient address, which is the standard model for portal-based encrypted delivery across most vendors.
How Smarsh compares to lighter encrypted email services
The comparison matters most for practices that need encrypted email without the wider supervision and archiving stack. The tradeoffs are real, and neither option is universally better.
| Capability | Smarsh | Dedicated encrypted email service |
|---|---|---|
| TLS transport encryption | Yes | Yes |
| Portal-based message encryption | Yes | Yes |
| FINRA-grade archiving and supervision | Yes, core feature | Not the primary use case |
| Business associate agreement for HIPAA | Yes, on request | Yes, in base subscription |
| Typical onboarding time | Four to eight weeks | Same day to one week |
| Fit for solo practice or two-person firm | Heavy for the use case | Well-matched |
A broker-dealer that must supervise communications across email, chat, and social media benefits from Smarsh as one contract covering all channels. A four-clinician therapy office that only needs encrypted email to patients does not.
The email encryption service category has matured to the point where dedicated products handle HIPAA well without archiving depth that a small practice will never use.
Smarsh email encryption reviews from compliance teams
Reviews from Smarsh customers cluster around a few consistent themes. The archiving and supervision are strong. The encryption is a supporting feature rather than a headline capability. Support quality depends on the tier.
Broker-dealers and registered investment advisers give positive reviews on the ability to search across email, chat, social, and voice channels from one interface. FINRA examiners are familiar with the platform, which reduces friction during exams.
Healthcare customers on the mid-market end of the range report solid HIPAA coverage. Smaller practices sometimes report that the platform’s breadth is more than they need for encrypted patient communication alone.
Onboarding time is the most common negative theme in reviews. A multi-week implementation is normal for a compliance platform of this scope, but it can be a surprise to teams expecting a faster start.

Deliverability and spam concerns with portal-based encryption
Portal-based encryption sends the recipient a notification email with a link to a secure portal. This model is standard across Smarsh, Microsoft Purview Message Encryption, and most enterprise-grade encrypted email services.
The deliverability question is whether the notification lands in the recipient inbox. Aggressive spam filters on the recipient side occasionally flag portal notifications because the message is short, contains a login link, and comes from a domain the recipient may not recognize.
The fix is on the recipient side. A mail flow rule that allowlists the Smarsh notification domain resolves the flagging. Firms with a large recipient base sometimes publish a one-page guide for external counterparties explaining the setup.
Sender-side deliverability issues almost always trace back to DMARC, SPF, or DKIM misconfiguration on the customer’s own domain. The National Institute of Standards and Technology publishes email authentication guidance in NIST SP 800-177 Rev. 1.
Signing the business associate agreement for HIPAA coverage
Healthcare customers using Smarsh for HIPAA-covered communications need a signed business associate agreement in the compliance file. Smarsh signs BAAs with covered entities, but the process is not automatic on sign-up.
The BAA is requested through the Smarsh account team during onboarding. The signed document is returned to the customer for records retention. HIPAA does not accept a BAA that is only stored on the vendor’s side.
The HHS Office for Civil Rights publishes a sample BAA at HHS.gov sample BAA provisions. Vendors typically use their own template that covers the required clauses.
The BAA is the legal piece. The technical piece is configuring mail flow rules that force encryption on any outbound message containing protected health information. Both pieces are required for HIPAA coverage, not just one.
Integrating Smarsh with Microsoft 365 and Google Workspace
Most Smarsh customers run either Microsoft 365 or Google Workspace as their primary mail platform. Both platforms integrate with Smarsh through mail flow connectors and journal rules.
On Microsoft 365, the connector routes outbound messages through Smarsh for policy inspection, and a journal rule copies messages to the Smarsh archive for retention. The Exchange admin center handles the connector configuration.
On Google Workspace, the routing setup uses content compliance rules and an outbound gateway configuration. Google publishes admin guidance in the Google Workspace admin help center.
Configuration errors during the connector setup are the most common source of incident tickets during onboarding. Testing the flow with a small pilot group before rolling out firm-wide catches most issues before they affect production traffic.
When a firm should look at alternatives to Smarsh
Alternatives to Smarsh fall into two groups. Full compliance platforms compete with Smarsh directly for broker-dealer and hospital-scale customers. Dedicated encrypted email services target smaller practices where archiving and supervision are not the primary need.
- Solo therapy practices, two-person insurance offices, and small clinics rarely need Smarsh-level archiving depth
- Broker-dealers, registered investment advisers, and hospital systems usually do need it and stay with a platform like Smarsh
- Firms that only need encrypted patient email save time and cost with a dedicated secure email service that ships the BAA in the base plan
- Firms that need full-stack supervision across email, chat, social, and voice cannot replicate that with a dedicated encryption service
The decision is not about which platform is better in the abstract. It is about which platform matches the regulatory footprint of the specific firm.
Compliance officers who inherit a Smarsh contract at a smaller organization should review whether the full stack is still needed. Compliance officers at growing firms should confirm the current encryption service will scale to the archiving and supervision requirements the firm is heading toward.
Practical next steps for a compliance officer evaluating Smarsh
Start with the regulatory map. List every rule the firm must satisfy and mark which of them require encryption, archiving, supervision, or all three. This grid drives the platform choice.
Request a scoped Smarsh quote alongside a quote from at least one dedicated encrypted email service. Comparing pricing at the same feature scope is more useful than comparing full-stack Smarsh against encryption-only alternatives.
Run a small pilot before committing. A two-week test with a handful of users on real message flows reveals deliverability, portal experience, and administrator workflow issues that a demo cannot surface.
For healthcare organizations building a website that will collect protected health information alongside encrypted email, the HIPAA-compliant website design considerations pair naturally with the email compliance decision. Both belong on the same risk register.








