🔑 Key Takeaways
- Email encryption splits three ways: native platform, enterprise appliance, or dedicated service.
- HIPAA needs a signed BAA; Microsoft, Google, and Mailhippo all offer one, free tiers do not.
- Sender workflow beats algorithm on daily use; AES-256 is standard across every serious service.
- Portal sign-ins drop open rates; one-click delivery beats registration on outbound to patients.
- Real cost is license plus seat fees plus support hours, not the sticker rate on the pricing page.
Email encryption services cover a wide field. Native platform tools sit alongside enterprise appliances and dedicated third party services. Each fits a different buyer.
This guide breaks the market into three buyer categories, walks the leading services in each, and covers the practical factors that matter more than encryption algorithm names. For teams that need a simple encrypted email service with a BAA in the base plan, the last section covers what to look for.
Start by identifying the buyer profile. Platform, budget, and regulated data all narrow the choice fast.
Three Buyer Categories for Email Encryption
The market splits into three groups. Each has different requirements and different budget expectations.
Native platform buyers already run Microsoft 365 or Google Workspace and want encryption inside the platform. They pay for it inside a Business Premium or Enterprise Standard license. Adoption follows the platform admin workflow.
Enterprise appliance buyers run Cisco, Proofpoint, or Mimecast for inbound email security. They add the encryption module from the same vendor for consistency. Budgets sit at the higher end. Deployment involves security team change management.
Dedicated service buyers want a single purpose encrypted email tool that includes a BAA and a simple recipient experience. Small to mid size healthcare practices, legal firms, and financial advisors sit in this group. Deployment is fast, and the mailbox provider does not change.
Native Platform Encryption Services
Microsoft Purview Message Encryption is the native path for Microsoft 365 customers on Business Premium and higher. The Encrypt button in the Outlook ribbon triggers the encryption. External recipients open the message through a portal.
Google Workspace hosted S/MIME is the native path for Google Workspace Enterprise Standard and higher. Administrators upload user certificates. Gmail encrypts and decrypts messages inline for compatible recipients.
Both native paths carry BAA coverage under the respective vendor agreements. Microsoft covers Microsoft 365 workloads. Google covers Google Workspace core services. Confirm the exact workload list in the signed BAA before sending PHI.
Sibling reading on the pure concept side sits at email encryption and on the S/MIME format at s mime email encryption.

Enterprise Appliance Encryption Services
Cisco Secure Email Encryption Service, formerly Cisco Registered Envelope Service, encrypts outbound mail on top of the Cisco Secure Email appliance. Recipients open messages through the Cisco encrypted envelope viewer.
Proofpoint Encryption sits on top of Proofpoint Email Protection. Senders trigger encryption through a subject line keyword, a mail flow rule, or a policy match on message content. Recipients open messages through the Proofpoint Encryption Reader portal.
OpenText Voltage Secure Email uses identity based encryption. Recipients receive a link and read the message through a browser or an add in for Outlook. No certificate exchange is required, though the platform supports S/MIME as well.
Enterprise appliance services fit organizations already committed to the same vendor for inbound email security. Adding the encryption module keeps procurement and support simple. New buyers usually pick a lighter dedicated service instead.
Dedicated Encrypted Email Services
Dedicated services layer on top of an existing Gmail or Outlook mailbox. They add a send workflow for encrypted messages and a portal or link based recipient experience.
Mailhippo is a HIPAA compliant secure email service that adds a send flow through the existing Outlook or Gmail account. The BAA is included in the base plan. Recipients open messages through a one click link without account registration.
Barracuda Email Encryption offers a similar bolt on model with portal based recipient delivery. Barracuda ties the encryption into the wider Barracuda Email Protection stack for buyers who want a broader security posture from one vendor.
A regional accounting firm with 45 seats runs a 14-day pilot across two candidates. Team A tests Microsoft Purview at $22 per seat bundled inside a Business Premium upgrade. Team B tests Mailhippo at $8 per seat added to their existing Business Standard tenant. Purview scores 3.2 support tickets per week from external recipients confused by the portal sign-in. Mailhippo scores 0.4 tickets thanks to one-click open links. The firm picks Mailhippo, saves $7,560 per year, and ships full deployment inside four hours.
Compare the Three Buyer Categories
The table below maps the three categories against the factors that matter on selection. Use it as a shortlist filter before deep evaluation.
| Factor | Native platform | Enterprise appliance | Dedicated service |
|---|---|---|---|
| Typical buyer | Existing Microsoft 365 or Google Workspace tenant | Large org with Cisco, Proofpoint, or OpenText | Small to mid size healthcare, legal, or financial team |
| BAA in base plan | Yes on eligible tiers | Yes on qualifying plans | Yes on Mailhippo and similar |
| Sender workflow | Encrypt button or auto S/MIME | Subject keyword or policy rule | Add on button or keyword |
| Recipient experience | Portal sign in or inline S/MIME | Portal registration and sign in | One click open link |
| Deployment time | Days if licensed | Weeks with change management | Hours with existing mailbox |
| Per user cost band | Bundled in platform license | Quote based, higher end | Flat monthly per seat |
Native platform and dedicated services cover most small and mid size buyers. Enterprise appliances fit larger organizations with existing vendor commitments.
HIPAA Fit and BAA Requirements
HIPAA requires a signed BAA from any vendor that handles protected health information. Email encryption services either offer a BAA or they do not. There is no partial coverage.
Microsoft, Google, Mailhippo, Virtru, Barracuda, Cisco, and Proofpoint all offer BAA coverage on qualifying plans. Free tiers on Proton, Tuta, and Mailfence do not include a BAA. Free email encryption software like Thunderbird OpenPGP is not a service and does not sign a BAA.
The BAA covers the vendor side of the compliance boundary. The customer still owns internal access controls, workforce training, incident response, and risk assessments. HHS publishes the full requirements at the HIPAA Security Rule reference.
For a broader compliance walkthrough, the sibling piece on hipaa compliant email services covers the vendor list and evaluation criteria for regulated buyers.

Sender Workflow and Adoption Friction
The sender workflow determines whether the encryption service actually gets used. If the encrypt button is buried three menus deep, staff route around it.
Microsoft Purview places the Encrypt button on the Options ribbon in Outlook. One click applies the default policy. Staff pick it up fast because it looks like existing Outlook controls.
Google Workspace S/MIME automates the encryption when a valid recipient certificate is available. Senders do not click anything extra. That is the lowest friction option, though it depends on the recipient having a certificate too.
Dedicated services usually add a button through an Outlook add in or a Gmail extension. Some also support a subject line keyword like [encrypt] that triggers the encrypted send from any client. Choose the trigger method staff will actually use.
Recipient Experience and Open Rates
Recipient experience is the largest driver of open rate on outbound encrypted email. Portal registration costs recipients time. Some just abandon the message.
Microsoft Purview supports Sign in with Google and Sign in with Microsoft for external recipients. Users with those accounts open the message in about 15 seconds. Users without either account fall back to a one time passcode delivered by email.
Proofpoint and Zix require the recipient to register an account with the portal on first send. Registration adds two to three minutes. Return users sign in faster but still need the password stored somewhere.
Dedicated services like Mailhippo deliver a one click link that opens the message without account registration. That is the lowest friction path and produces the highest open rate on outbound to patients and clients. Sibling coverage on the concept sits at end to end encrypted email services.
Vendor demos hide recipient friction. Set up trial accounts for two or three staff and send encrypted mail to real external addresses across Gmail, Outlook, Yahoo, and one enterprise domain. Track opens, support tickets, and time to first open. Score on four factors: BAA coverage, sender workflow, recipient open rate, and support burden. The service with the highest recipient open rate and fewest support tickets almost always wins on total cost of ownership over the license year.
Total Cost of Ownership Considerations
License cost is only one part of the total. Support hours, training time, and change management add up.
- License cost. Bundled in the platform for native, per seat for dedicated services, quote based for enterprise appliances.
- Deployment hours. Native paths are the fastest if the tenant is licensed. Enterprise appliances need weeks of change management.
- Training hours. Staff need a short session on the encrypted send workflow. Simpler workflows cut training time.
- Support tickets. Portal registration on the recipient side generates support requests. One click delivery reduces them.
- Compliance audits. Documented workflows, audit logs, and BAA archives take less staff time when the service produces them by default.
Model the total across a year including support hours. A cheap service with heavy recipient friction often costs more than a mid priced service with a one click open flow.
Regional and Vertical Specialization
Some buyers filter services by region or vertical. California based practices sometimes ask for services with a state data residency preference. Healthcare buyers filter for HIPAA and 42 CFR Part 2 experience. Legal buyers filter for attorney client privilege support.
Most major services store customer data in US regions by default and offer EU regions on request. California based buyers looking for local vendor presence should look at Mailhippo, Virtru, and Barracuda, all with US operations. Sibling coverage on regional buyer questions sits at email encryption services for business nj.
Healthcare specific coverage sits at Redefine Web healthcare website design for the broader digital estate that pairs with encrypted email in a healthcare deployment.
The HIPAA Journal analysis of email encryption covers the compliance side of vendor selection.
Building a Shortlist and Running a Pilot
Once the buyer category is clear, shortlist two to three services and run a short pilot. A two week pilot on a live team catches problems that a demo cannot.
Set up trial accounts for two to three staff. Send encrypted mail to real external recipients across Gmail, Outlook, Yahoo, and one enterprise domain. Track opens, support questions, and time to first open.
Score on the four factors that matter: BAA coverage, sender workflow, recipient open rate, and support burden. The service with the highest recipient open rate and the fewest support tickets usually wins.
For dedicated services, Mailhippo runs a free trial that includes the BAA workflow. Sibling coverage on the free service side sits at free email encryption service. Buyers on Microsoft 365 Business Premium can pilot Purview at no incremental cost inside the existing tenant.
Frequently Asked Questions
An email encryption service is a hosted platform that handles key management, encryption, and delivery on behalf of the customer. Email encryption software is a client side tool that runs on the sender device and encrypts locally, usually through OpenPGP or S/MIME certificates. Services scale better because the vendor handles infrastructure. Software gives the sender full control over keys and does not depend on a vendor portal. Most healthcare and business buyers pick a service for the operational simplicity and the BAA coverage.
Not always. Microsoft 365 Business Premium and above ship with Purview Message Encryption, and Google Workspace Enterprise Standard supports hosted S/MIME. Both cover the encryption use case for tenants already licensed. A separate email encryption service becomes necessary when the platform license does not include the encryption path, when the recipient experience is a friction point, when a BAA is missing, or when the team runs mixed Gmail and Outlook environments that need a common encrypted send workflow.
HIPAA compliant email encryption services sign a business associate agreement with the customer, encrypt messages in transit and at rest, restrict access to authorized personnel, maintain audit logs, and support retention policies. The service handles the technical safeguards for the transport layer. The customer still owns access controls, employee training, and incident response on their side. Confirm the BAA covers the specific service and workflow before sending PHI. A signed BAA is the compliance floor, not a substitute for internal policy.
Start with the platform. Microsoft 365 customers on Business Premium or higher can use Purview natively. Google Workspace Enterprise customers can use hosted S/MIME. Teams outside those license tiers should evaluate dedicated services on four factors: BAA coverage, sender workflow, recipient experience, and total cost including seats and support hours. Do a two week pilot with the top two candidates. Measure open rates on outbound and support tickets from recipients. The service with fewer tickets wins in most cases.
End to end encryption means the message is encrypted on the sender device and decrypted only on the recipient device. The service provider cannot read the message. Transport encryption means the message is encrypted only on the connection between mail servers using TLS. The service reads the message during processing. End to end is stronger but often adds recipient friction. Transport is transparent but leaves the message readable at rest on the receiver side. Most services combine both layers for regulated workflows.
Portal based encryption services like Mailhippo, Virtru, and Zix work across any inbox because the recipient opens the message through a browser. S/MIME works in Outlook, Apple Mail, and Google Workspace with hosted S/MIME. Microsoft Purview works cleanly for outbound to any inbox but requires a Microsoft 365 sender. OpenPGP works across Thunderbird and browser extensions like Mailvelope but requires per recipient key exchange. Check both the sender platform and the recipient environment before committing to a service.
Pricing varies widely. Microsoft Purview is bundled in Business Premium at 22 dollars per user per month. Cisco Secure Email Encryption Service is usually quoted per user per year on top of an existing Cisco email security appliance. Proofpoint Encryption pricing is quote based and depends on user count and features. Dedicated services like Mailhippo publish flat per user monthly pricing that includes the BAA. Add support hours and change management to reach the total cost of ownership. Larger deployments often negotiate volume discounts.








