How to Encrypt Email Across Every Major Provider

📅 July 13, 2026 ✍️ By Chris Almond ⏱️ 8 min read
how to encrypt email guide featured image

🔑 Key Takeaways

  • Three practical forms cover most senders: TLS in transit, S/MIME on both sides, and portal delivery.
  • Outlook Encrypt lives on Business Premium and up. Gmail Confidential Mode is light, not end-to-end.
  • S/MIME setup is one time per user but breaks when staff email a new patient without a public key.
  • Portal recipients stall at the sign-in step. Small practices lose hours to phone triage each week.
  • A working Encrypt button without a signed BAA still fails HIPAA. OCR audits find this gap often.

Email encryption looks different in every mail client. The button lives in different menus. The recipient sees a different sign-in flow. The license required to unlock it changes by provider tier.

This guide covers how to encrypt email in Outlook, Gmail, Apple Mail, and Yahoo, plus S/MIME certificate setup and hosted alternatives. Where a healthcare team needs a simpler flow, a dedicated secure email service with a BAA in the base plan removes the license tier and portal steps entirely.

Read the sections in order. Each includes the exact click path, the recipient experience, and the license or certificate required to make it work.

The Three Practical Types of Email Encryption

Every encryption option in a mail client falls into one of three buckets. Knowing the bucket helps predict how the recipient will open the message.

TLS handles server-to-server transit. It runs automatically between providers that support it. The sender takes no action. The recipient sees a normal email in their inbox.

S/MIME and PGP encrypt the message body end to end using certificates or keys installed on each side. Setup is per user. Once configured, the flow is one click.

Portal-based encryption from Microsoft or Google routes the message through a hosted page. The recipient clicks a link and signs in or enters a one-time passcode. This adds friction but works with any recipient regardless of their client.

The right choice depends on who the recipient is and whether both parties can maintain certificates.

Encrypting Email in Outlook Step by Step

Outlook 365 and the New Outlook client both use Microsoft Purview Message Encryption behind the Encrypt button.

Compose a new message. On the ribbon, click the Options tab. Click Encrypt. Choose Encrypt-Only for standard protection or Do Not Forward to block forwarding, copying, and printing.

Add the recipient, subject, and body. Attachments inherit the same protection as the message. Click Send.

The Encrypt button requires Microsoft 365 Business Premium, E3, E5, A3, A5, or G3/G5. Business Basic and Business Standard do not include it. The Purview Message Encryption documentation lists every eligible plan.

External recipients receive a notification email with a portal link. They sign in with Microsoft, Google, or a one-time passcode. Related guide: how to encrypt email in Outlook.

how to encrypt email in article illustration one

Encrypting Email in Gmail and Google Workspace

Gmail offers two encryption paths, each tied to a different plan level.

Confidential Mode is available on all Google accounts, including personal Gmail. In the compose window, click the lock and clock icon at the bottom. Set an expiration date and optional SMS passcode.

Confidential Mode restricts forwarding, copying, and downloading. It does not encrypt the message end to end. Google can still read the content, so it does not meet HIPAA end-to-end requirements on its own.

Hosted S/MIME is available only on Google Workspace Enterprise Plus, Enterprise Standard with add-on, and Education Plus. Admins enable it in the Google Admin console under Apps, Google Workspace, Gmail, User settings.

With hosted S/MIME on, users see a padlock icon in the compose window. Green padlock means encryption is available for the recipient.

Encrypting Email in Apple Mail on macOS and iOS

Apple Mail supports S/MIME natively. Setup happens through Keychain Access.

On macOS, obtain an S/MIME certificate from a public CA or internal PKI. Double-click the .p12 file to import into Keychain. Restart Mail.

When composing a message to a recipient whose public key is in your contacts, a lock icon appears next to the subject line. Click it to toggle encryption on.

On iOS and iPadOS, install the certificate through a configuration profile pushed from an MDM provider or emailed as an attachment. Go to Settings, Mail, Accounts, select the account, then Advanced. Toggle S/MIME on.

Apple Mail S/MIME works only when the recipient also has a certificate installed and their public key is in the sender contact record. Cross-provider encryption to Gmail requires the Gmail recipient to have hosted S/MIME.

Example

A pediatric group uses Gmail on Google Workspace Business Standard. Front desk staff need to send vaccination records to seven school districts weekly. Confidential Mode adds a passcode step but does not provide end-to-end encryption. Upgrading all 12 seats to Enterprise Plus for hosted S/MIME costs $360 per month. The office manager instead adds a $10-per-user gateway service that sits on top of Gmail. Staff type a trigger word in the subject line, the service encrypts server-side, and school nurses read records with one click.

S/MIME Certificate Setup and Exchange

S/MIME needs an X.509 certificate for each user. Certificates come from public CAs like DigiCert, GlobalSign, and Sectigo, or from an internal PKI.

Purchase a personal email certificate matching the user email address. Follow the CA verification steps, which typically involve a validation email and identity check. Download the .p12 or .pfx file.

Install the certificate to the local certificate store on Windows, Keychain on macOS, or the mail client store on mobile. Restart the mail client.

Before the first encrypted send, exchange signed messages with each recipient. Each signed message carries the sender public key, which the recipient client stores in the contact record.

Certificates typically expire after one year. Renewal happens through the CA portal. Expired certificates block new encrypted sends until reissued. Track expirations in a shared calendar.

how to encrypt email in article illustration two

PGP Encryption for Technical Users

PGP is the alternative to S/MIME. It uses key pairs generated locally instead of certificates issued by a CA. Journalists, security researchers, and open-source maintainers use it heavily.

Install GPG Suite on macOS, Gpg4win on Windows, or OpenKeychain on Android. Generate a key pair with a passphrase. Upload the public key to a keyserver like keys.openpgp.org or share it directly with recipients.

Configure the mail client extension. Enigmail for Thunderbird, GPG Mail for Apple Mail, and Mailvelope for browser-based Gmail all handle PGP encryption per message.

PGP has no central authority. Trust builds through key signing and web of trust models. The learning curve is steeper than S/MIME, which is why most business users skip it.

Healthcare senders rarely use PGP because recipients cannot install extensions on hospital systems. S/MIME or hosted encryption fits the workflow better.

What the Recipient Sees on Each Method

Recipient experience predicts adoption. If opening the message is hard, the sender gets a phone call instead of an acknowledgment.

  • TLS encrypted messages appear as normal emails in the inbox. No sign-in step. No portal.
  • S/MIME encrypted messages open directly in the recipient mail client provided their certificate is installed. Otherwise the client shows an encrypted attachment icon and refuses to display the body.
  • Microsoft Purview Message Encryption sends the recipient a notification email with a link. They sign in with Microsoft, Google, or a one-time passcode.
  • Gmail Confidential Mode sends a notification with a Google-hosted link. Non-Gmail recipients enter an SMS passcode if the sender enabled it.
  • A dedicated encrypted email service like Mailhippo delivers messages that open with one click, without portals or passcodes on the recipient side.

Practices whose recipients are older patients or busy referring physicians measure the friction cost carefully. One extra step per message compounds across a caseload.

💡Pro Tip: Match the encryption method to the recipient technical level

S/MIME works one-click for peer clinics that hold certificates but delivers unopenable attachments to patients on personal Gmail. Portal encryption works for any recipient but adds a sign-in step that slows response times. Do not force S/MIME on a patient population or portal friction on a peer network already running certificates. Pair S/MIME for known peer recipients with a portal gateway for patients and one-off contacts. Test the recipient experience with one real user before rolling out.

Automatic Encryption Rules for Consistent Compliance

Manual clicking depends on staff remembering to encrypt. Rules take that decision out of the sender workflow.

Exchange Online admins create mail flow rules that trigger on subject keywords, sender group, recipient domain, or content matching a sensitive information type. The rule action applies Office 365 Message Encryption automatically.

Google Workspace admins configure content compliance rules under Apps, Google Workspace, Gmail, Compliance. Conditions include predefined data types for medical record numbers, Social Security numbers, and credit card numbers.

Rules cover the gap when workforce members forget to click Encrypt. They also apply to messages sent from mobile devices that lack a ribbon.

Test each rule against a monitored test mailbox before pushing to production. False positives on internal messages create friction that pushes users to send from personal accounts.

HIPAA Requirements Beyond the Encryption Click

Encryption satisfies one HIPAA Security Rule safeguard. Full compliance requires several more.

The practice signs a business associate agreement with the email provider. Microsoft and Google both offer BAAs on eligible plans. Sign it before sending PHI. The HHS Security Rule guidance covers each safeguard.

Additional obligations include workforce training on PHI handling, audit logging on message access, access controls with unique user IDs, sanction policies for violations, and incident response procedures.

A healthcare practice that clicks Encrypt but leaves the BAA unsigned is not compliant. OCR breach investigations routinely surface this gap.

Practices that also run patient-facing websites face parallel obligations. See HIPAA-compliant healthcare website design for the site-side controls that pair with encrypted email.

When a Dedicated Encrypted Email Service Makes Sense

Native encryption in Outlook and Gmail works well for organizations already on the qualifying license tier with dedicated IT staff. Elsewhere, cost and complexity push practices toward a dedicated service.

Small practices on Business Basic or a starter Workspace plan avoid the per-seat cost jump to unlock encryption. Multi-provider teams running Gmail and Outlook side by side avoid maintaining certificates in two ecosystems.

Mailhippo is a HIPAA-compliant email service that works with existing Gmail and Outlook accounts, includes a business associate agreement in the base plan, and delivers encrypted email to recipients without a portal sign-in. TLS plus client-side encryption cover the transmission safeguard without per-recipient S/MIME certificates.

Related guides: how to encrypt an email across clients, how to send encrypted email, and encrypt email for the terminology overview.

Match the method to the workflow. Native buttons for standardized enterprise tenants. S/MIME for internal certificate-managed teams. A dedicated service for practices that want one-click send and one-click open across every recipient.

Frequently Asked Questions

What is the easiest way to encrypt an email? +

The easiest path depends on your existing email account. Outlook on Microsoft 365 Business Premium or higher shows an Encrypt button under Options in the ribbon, requiring one click per message. Gmail Workspace users can turn on Confidential Mode from the compose window lock icon. For senders who need HIPAA compliance without paying for a top-tier license, a dedicated encrypted email service that connects to an existing Gmail or Outlook account provides the shortest path, since the sender clicks Send as usual and the service handles encryption invisibly.

Does Gmail encrypt emails by default? +

Gmail encrypts messages in transit using TLS whenever the receiving mail server supports it. That happens for most modern providers, including Outlook, Yahoo, and Apple. Gmail does not encrypt the message body at rest in any way the sender controls, and Google can read message content on its servers for spam and abuse detection. TLS alone does not meet HIPAA compliance for PHI because it depends on the receiving server, provides no delivery guarantee, and leaves the message readable inside recipient mailboxes.

Can I send an encrypted email between Gmail and Outlook? +

Yes. If both parties hold S/MIME certificates and exchange public keys first, standard S/MIME encryption works across providers. Without certificates, the sender can use Microsoft Purview Message Encryption or Google Workspace Confidential Mode, which deliver the message through a portal that any recipient can open with their existing account. TLS also encrypts the transit path automatically. A dedicated encrypted email service handles the cross-provider case without certificates or portals on the recipient side.

What is the difference between TLS and end-to-end email encryption? +

TLS encrypts messages while they travel between mail servers but leaves them readable at each hop, including at the recipient mail provider. End-to-end encryption keeps the message unreadable until the intended recipient opens it, even if a mail server or attacker intercepts it in between. S/MIME and PGP are end-to-end methods. TLS is transport-only. HIPAA guidance treats TLS as adequate transmission security when configured correctly, but end-to-end encryption reduces exposure at the recipient mailbox.

Do I need to encrypt every email I send? +

No. Encrypt messages containing sensitive information, including PHI, financial account numbers, Social Security numbers, credentials, and legal or contractual material. Routine internal communication, meeting scheduling, and public announcements do not require encryption. Regulated industries often set encryption rules server-side so PHI and sensitive terms trigger automatic encryption without depending on sender judgment. That approach reduces the compliance risk of a busy staff member forgetting to click the Encrypt button on a records request.

Is encrypted email safe from hackers? +

Encrypted email protects message content from interception in transit and at rest, but it does not defend against every attack. Phishing and business email compromise attacks work by tricking the recipient regardless of encryption. Malware on the sender or recipient device can capture the plaintext before or after encryption. Weak passwords on the mail account bypass encryption entirely. A layered approach that combines encryption, multi-factor authentication, endpoint protection, and workforce training reduces exposure across the full attack surface.

How much does encrypted email cost? +

Cost depends on scale and method. Microsoft 365 Business Premium runs about 22 dollars per user per month and includes Purview Message Encryption. Google Workspace Enterprise Plus with hosted S/MIME runs about 30 dollars per user per month. S/MIME certificates from a public CA run 20 to 60 dollars per user per year. A dedicated encrypted email service that layers on an existing Gmail or Outlook account typically runs 5 to 15 dollars per user per month and includes a signed BAA in the base plan without a tier upgrade.

Leave a Reply

Your email address will not be published. Required fields are marked *

Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →