🔑 Key Takeaways
- Encrypted mail arrives in three shapes: portal link, S/MIME certificate, or native Purview inline.
- Outlook opens Purview mail natively; external users get a Read the message button and passcode flow.
- Gmail personal accounts can't read client-side encryption; Workspace users open it inline instantly.
- Mobile viewing works if the platform matches; iOS S/MIME needs a device profile install.
- Most open failures trace to blocked cookies, spam-filtered notifications, or expired certificates.
Encrypted email arrives in one of three formats, and the format determines the steps to view it. Portal-based delivery uses a notification with a secure link. S/MIME uses certificates that decrypt inside the mail client. Purview and Google client-side encryption open natively for recipients on the same platform.
This guide covers how to view encrypted emails across Outlook desktop, Outlook on the web, Gmail, Chrome, mobile clients, military OWA, and HCL Notes. Both consumer and enterprise scenarios are included. If you are sending rather than receiving, see the practical setup guides on encrypted email options.
The goal is to give a recipient the exact steps for their specific situation without wading through vendor documentation for a client they do not use.
Identifying which encryption method the sender used
Before opening the message, identify the encryption method. Every method looks slightly different in the inbox, and the visual cue is usually enough to pick the right steps.
Portal-based encryption arrives as a short notification email with a Read the message or View secure message button. The body contains no message content. The sender is usually a service address such as no-reply at the vendor domain.
S/MIME-encrypted messages arrive with a lock icon in the mail client if the client supports S/MIME. The body may show garbled text if the client cannot decrypt the message because the certificate is missing.
Microsoft Purview and Google client-side encryption messages open like normal messages inside Outlook or Gmail when the recipient is on the same platform. A lock icon and a note explaining the encryption appear at the top of the message body.
How to view an encrypted email in Outlook on the desktop
Outlook desktop handles two scenarios. Messages encrypted with Microsoft Purview from another Microsoft 365 sender open automatically inside Outlook when the recipient is signed into a compatible account. No extra steps are needed.
Messages encrypted with S/MIME require the recipient certificate installed in the Outlook Trust Center. Open File, Options, Trust Center, Trust Center Settings, then Email Security. The Import button loads a certificate from a file, and the certificate is then available for decryption.
Messages that arrive as a notification with a Read the message button use portal-based encryption. Clicking the button launches a browser window from Outlook. The browser handles the sign-in and decryption, not Outlook itself. How to view an encrypted email in Outlook covers the button-click flow in more detail.
Microsoft’s own documentation for Purview Message Encryption is published in the Microsoft Purview Message Encryption reference.

How to view an encrypted email in Outlook on the web
Outlook on the web behaves similarly to Outlook desktop for Purview-encrypted messages. The message renders inline for Microsoft 365 recipients. External recipients receive a notification with a link that opens the Office 365 message encryption portal.
The portal offers three sign-in methods. A Microsoft account, a Google account, or a one-time passcode sent to the recipient email address. Choose the method that matches the account associated with the receiving mailbox.
The one-time passcode option is the fallback when the recipient does not have a Microsoft or Google account tied to the address. Microsoft sends the passcode to the same email address that received the notification. Passcodes expire after fifteen minutes, so request a new one if the sign-in fails.
After sign-in, the portal displays the message content and offers Reply, Reply All, and Forward. Replies from the portal are also encrypted, which preserves the security of the conversation even when the recipient does not have their own encryption setup.
How to view encrypted email in Gmail on desktop and mobile
Gmail supports two encryption paths for reading messages. Google Workspace client-side encryption opens automatically for Workspace users whose account has a client-side encryption identity configured. Personal Gmail accounts do not support this feature.
For portal-based encrypted messages from other vendors, the notification arrives in the Gmail inbox with a link. Clicking the link opens a browser tab with the vendor portal. Sign in with a passcode you set on first access, or with a linked account.
The Gmail mobile app on iOS and Android opens the notification link in a mobile browser or in-app browser. The vendor portal loads the same as on desktop. Some portals detect the mobile view and adjust the layout.
Google publishes client-side encryption setup guidance in the Google Workspace admin help. The article covers admin configuration for enabling the feature in a Workspace tenant.
Comparing native, portal, and certificate-based viewing
The three approaches trade off between recipient convenience, sender flexibility, and administrative complexity. This table lays out the differences.
| Method | Recipient experience | Setup on recipient side | Best fit |
|---|---|---|---|
| Portal-based encryption | Click link, sign in, read | None | External recipients on any platform |
| Microsoft Purview native | Opens inline in Outlook | Microsoft 365 mailbox | Business-to-business Microsoft users |
| Google client-side encryption | Opens inline in Gmail | Workspace with CSE identity | Workspace-to-Workspace |
| S/MIME certificate | Opens inline once certificate installed | Certificate import required | Enterprise, government, military |
The choice of method usually comes from the sender, not the recipient. Understanding what each method looks like on the receiving side helps a recipient troubleshoot correctly when a message will not open.
Practitioners sending encrypted email to clients on any platform usually pick portal-based encryption for the reach, then add S/MIME or Purview for specific counterparties who prefer native inline viewing.
How to view encrypted military email through OWA
Military recipients accessing DoD email through Outlook Web Access need a Common Access Card and a reader. The card holds the certificates that decrypt encrypted email arriving at the military mailbox.
On a government workstation, the reader and middleware are pre-installed. Insert the CAC, sign in with the PIN, and the encrypted message opens inside OWA the same way as a normal message.
On a personal computer, the setup is more work. Install the DoD root certificates through the InstallRoot utility, connect a compatible CAC reader, and install middleware such as ActivClient. Once the browser recognizes the card, OWA works.
Encrypted messages will not open in a browser that cannot access the card, which is the source of most home-computer OWA issues. If the browser prompts for a certificate but no options appear, the card reader is not connected correctly or the middleware is not installed.

How to view encrypted email in HCL Notes and legacy Lotus Notes
HCL Notes, formerly Lotus Notes, handles S/MIME-encrypted messages through the Notes ID file. Import the recipient certificate into the ID file, and Notes decrypts the message when opened.
Import the certificate through File, Security, User Security, Your Identity, and Your Certificates. Choose the option to import an internet certificate and select the certificate file. The certificate is then bound to the Notes ID.
For portal-based encrypted messages, click the notification link. Notes opens the link in the default browser. Notes itself does not render the portal inline. This is the same experience as any modern mail client receiving a portal notification.
Users on older Notes versions who cannot import certain modern S/MIME certificates should raise a support ticket with the Notes administrator. Some newer certificate formats are not supported on very old Notes releases.
Why cannot view encrypted emails in Outlook and how to fix it
Recipients who see an encrypted message in Outlook but cannot open it usually run into one of a few specific problems. The fixes are targeted rather than general.
- Missing S/MIME certificate: import the certificate through Trust Center, Email Security
- Expired certificate: request a new certificate from the sender or the certificate authority
- Email address mismatch on the certificate: the certificate must match the mailbox address exactly
- Notification message in the junk folder: check junk and mark the sender safe
- Browser cookies disabled for the portal domain: enable cookies for the vendor portal
- Corporate proxy blocking the portal: ask IT to allowlist the vendor portal domain
The most common single cause is the notification message landing in junk. Many recipients assume the message never arrived when the notification was filtered before they saw it.
A recipient who has followed the steps above and still cannot open the message should reply to the sender through a separate channel and request the message be resent, potentially with a different method. Vendor differences matter here. The how to open encrypted emails in Outlook guide covers vendor-specific patterns.
Mobile viewing on iOS and Android
Portal-based encryption works well on mobile. Tap the notification link, and the vendor portal opens in the mobile browser. Sign-in works the same way as on desktop.
S/MIME on iOS requires the recipient certificate installed through Settings, General, VPN and Device Management. The certificate is delivered as a profile file. Once installed, iOS Mail decrypts S/MIME messages automatically.
Android S/MIME support depends on the mail app. Gmail on Android supports S/MIME for Workspace accounts with the S/MIME setting enabled. Outlook Mobile on Android supports S/MIME through corporate deployment. Third-party mail apps vary.
CAC-encrypted mail on mobile requires a card reader accessory that connects through Lightning or USB-C. Personal use of CAC on mobile is rare, but government-issued mobile deployments configure it directly. Guidance on federal mobile security is published by CISA cybersecurity best practices.
Best-practice recipient workflow for repeated encrypted senders
When a recipient regularly gets encrypted messages from the same sender or vendor, a small amount of setup work removes friction from every future message.
Save the vendor portal in bookmarks. Enable cookies for the portal domain permanently rather than accepting them each time. Set a memorable passcode on first access so return visits use the account credential rather than a one-time code.
For S/MIME, keep the certificate current. Certificates typically expire after one to three years. Renew before expiration to avoid a gap where new encrypted messages cannot be decrypted.
For clinicians and practices that regularly receive encrypted email from patients or insurers, a dedicated secure email service account gives one interface for both sending and receiving instead of managing multiple portal logins.
When to ask the sender to switch encryption methods
Not every encryption method works for every recipient. If a certain vendor portal is unreliable in your environment or a certificate model does not fit, ask the sender to switch.
Senders using Microsoft Purview can send to any recipient email address through the portal fallback. Senders using Google client-side encryption can only reach recipients whose Workspace account is also configured for client-side encryption.
A recipient who consistently cannot open Purview messages because of a proxy or filter should ask the sender to send through a different method. Most senders can send through both Purview and a dedicated encrypted email service depending on the recipient.
Healthcare providers running their own secure communication workflow can align their own patient-facing website security decisions with what their patients experience, guided by principles in Redefine Web’s overview of healthcare website security features.








