Can I Encrypt an Email in Gmail (and Every Other Client)

📅 March 18, 2026 ✍️ By Chris Almond ⏱️ 8 min read
can i encrypt an email in gmail guide featured image

🔑 Key Takeaways

  • Gmail offers three paths: Confidential Mode, native S/MIME, or a third-party portal extension.
  • Confidential Mode is not real encryption; Google reads the body and it fails HIPAA audits.
  • Native S/MIME needs Enterprise Plus and the recipient public cert, which patients rarely have.
  • Outlook 365 Business Premium unlocks the Encrypt button; Outlook Desktop S/MIME works on any plan.
  • GoDaddy Professional Email offers no BAA; healthcare needs Microsoft 365 Business Premium or higher.

Encrypting an email should be a one-click operation. In practice it depends on which client, which plan, and which recipient the sender is dealing with.

The core question, can I encrypt an email in Gmail, has three answers. So does the same question for Outlook and GoDaddy. This guide walks through each path, when to use it, and when a hosted encrypted email service is the simpler choice.

The setup order matters. Check the client, check the plan, then choose the encryption method that matches the recipient. A method that works for a colleague on the same tenant may not work for a patient on a free consumer account.

Gmail Confidential Mode is not encryption

Confidential Mode appears in the Gmail compose window as a lock icon at the bottom of the toolbar. Clicking it opens a dialog for expiration and passcode settings.

The message body is not encrypted. Google servers store the message in the same format as any other Gmail message. The controls are behavioral, meaning they restrict what the recipient can do in the Gmail interface.

The recipient can still screenshot the message, retype it, or print the screen. The expiration setting removes access from the Gmail viewer, but any content already read is out of the sender’s control.

For casual privacy, Confidential Mode is useful. For HIPAA or any regulated data, it is not sufficient. The Security Rule requires actual encryption of the transmitted content.

Native S/MIME in Gmail requires Enterprise Plus

Google Workspace supports hosted S/MIME on Enterprise Plus, Education Standard, and Education Plus. Business Starter, Standard, Plus, and Enterprise Standard do not include native S/MIME.

To enable S/MIME, an administrator uploads each user’s S/MIME certificate through the Admin console and configures the S/MIME setting under Apps, Google Workspace, Gmail, User settings.

Sending an encrypted message to an external recipient requires the recipient’s public certificate. If Gmail does not have the certificate on file, the compose window shows the message as signed but not encrypted.

The certificate exchange problem is the reason most practices skip S/MIME even when the plan supports it. Patients and external contacts rarely have S/MIME certificates.

can i encrypt an email in gmail in article illustration one

Third-party extensions add encryption to any Gmail plan

Browser extensions like Mailhippo, Virtru, and FlowCrypt add an encryption toggle to the Gmail compose window. When the toggle is on, the extension encrypts the message before it leaves the browser.

External recipients receive a link and open the message in a portal. They authenticate with a Google, Microsoft, or email-verified passcode, depending on the extension.

The advantage over S/MIME is that recipients need no configuration. The advantage over Confidential Mode is that the encryption is real. The trade-off is a per-user monthly fee.

For healthcare senders, the extension has to come with a signed BAA. Mailhippo, Virtru, and Paubox all offer BAAs. FlowCrypt does not, which rules it out for HIPAA use. Practices weighing which extension to install often compare notes across how can i encrypt my emails and similar decision guides.

Outlook 365 has an Encrypt button that triggers Purview

Can I encrypt an email in Outlook? Yes. On Microsoft 365 Business Premium or higher, the Encrypt button appears on the Options ribbon in Outlook Desktop and in the Actions menu in Outlook on the web.

Clicking Encrypt applies Microsoft Purview Message Encryption. The message body and attachments are encrypted, and external recipients receive a portal link that they open after authenticating with Microsoft, Google, or a one-time passcode.

The Encrypt button only appears if Azure Rights Management is active on the tenant. If a super administrator has never enabled it, the button is invisible even on the correct license.

On Business Basic or Business Standard, the Encrypt button is not available. Practices on those plans need to upgrade to Business Premium or use a third-party gateway.

Example

A family law attorney on GoDaddy Professional Email started sending confidential settlement drafts to opposing counsel and clients. She assumed the padlock icon in her webmail meant messages were encrypted end-to-end. Her paralegal researched the plan and discovered GoDaddy Professional Email uses TLS in transit only, with no message-level encryption and no BAA. The firm migrated the 4 mailboxes to Microsoft 365 Business Premium through GoDaddy at $88 per month total, activated the Encrypt button, and set a mail flow rule requiring encryption on all outbound client mail.

Outlook Desktop supports S/MIME on any plan

Outlook Desktop has supported S/MIME for over 20 years. The setup runs through File, Options, Trust Center, Trust Center Settings, Email Security.

A user imports an S/MIME certificate from a certificate authority into the Windows certificate store, then binds it to their Outlook profile. Digital signing and encryption become available on the compose window.

To send an encrypted message to an external recipient, the sender needs the recipient’s public certificate. Outlook stores public certificates from previously received signed messages, which is how the exchange usually happens.

Outlook on the web has more limited S/MIME support and requires the S/MIME control installed through the browser. Outlook Mobile does not support S/MIME send at all on most versions.

can i encrypt an email in gmail in article illustration two

Consumer Outlook.com has free encryption between Microsoft accounts

Outlook.com consumer accounts include free encryption for messages between Microsoft accounts. The shield icon in the compose window toggles encryption on.

The recipient experience depends on what account they use. Other Outlook.com or Microsoft 365 users see the decrypted message natively. External recipients on Gmail, Yahoo, or similar receive a portal link.

The free encryption tier does not include a BAA. Microsoft signs BAAs on Microsoft 365 business plans, not on consumer Outlook.com. Healthcare users on Outlook.com are not compliant.

For a personal user who wants to send an encrypted message once in a while, Outlook.com’s built-in encryption is a fine free option. For a practice, it is not.

GoDaddy email splits into two products with different encryption options

GoDaddy sells two email products under two brand names. Professional Email is GoDaddy’s own product, and Microsoft 365 from GoDaddy is a rebranded Microsoft 365 tenant.

On Professional Email, transit encryption uses TLS whenever the receiving server supports it. There is no built-in body encryption. Users who need it install a third-party extension or upgrade.

On Microsoft 365 from GoDaddy, encryption works exactly like any Microsoft 365 tenant. Business Premium and higher get the Encrypt button. Lower tiers do not.

GoDaddy does not sign a BAA for its consumer-tier products. Healthcare senders on GoDaddy need to be on the Microsoft 365 Business Premium tier, activate the BAA through the Microsoft admin center, and use Purview or a third-party service for encryption.

💡Pro Tip: Confirm the BAA is signed before trusting any padlock icon

Every email vendor displays some security indicator, and users routinely interpret padlock icons as evidence of HIPAA compliance. The icon usually indicates only TLS-in-transit, not message-level encryption or business associate coverage. Before sending PHI through any account, verify the BAA is signed and covers the specific service in use. Google Workspace Admin console records the acceptance under Legal and compliance. Microsoft 365 records it in the Service Trust Portal. GoDaddy Professional Email offers no BAA at all.

Comparison of encryption methods across common clients

The three main methods, TLS, S/MIME, and portal-based, each have trade-offs. TLS is automatic and covers most modern receivers, but the sender has no visibility into whether a specific message actually used TLS on delivery.

S/MIME is strong when both sides have certificates, but the certificate exchange kills the workflow for most external recipients. Portal-based services solve the certificate problem but add a step for the recipient.

Method Recipient effort HIPAA-ready Included in
TLS only None Only with signed BAA plus verified TLS enforcement Every provider
Gmail Confidential Mode Passcode entry No Every Gmail plan
S/MIME Certificate install Yes, if BAA in place Enterprise Plus, Outlook Desktop, Microsoft 365
Purview Message Encryption Portal login Yes, if BAA in place Microsoft 365 Business Premium+
Third-party portal service Portal login Yes, with signed BAA Mailhippo, Virtru, Paubox

The right column matters more than the others for a healthcare practice. If the encryption method is not paired with a signed BAA, it does not meet the Security Rule requirement regardless of how strong the cryptography is.

What to choose based on the sender’s situation

A solo practitioner on Gmail should install a hosted encryption service and skip the plan-tier gymnastics. The monthly fee is smaller than the friction of managing S/MIME certificates for every recipient.

A small group practice on Microsoft 365 Business Standard should upgrade to Business Premium, activate the Encrypt button, and train staff on when to use it. That is the shortest path to compliance for a Microsoft-first shop.

A larger clinic with mixed email systems benefits from a gateway service that sits in front of every outbound path. The gateway enforces encryption regardless of which client the user sends from.

Practices that want the marketing site and patient intake to match the email compliance posture should work with an agency familiar with HIPAA-compliant website design so the intake forms, the appointment reminders, and the outbound clinical mail all share the same encryption story.

Quick setup steps for the three most common configurations

For Google Workspace Business Standard with a hosted encryption service: sign up with the vendor, connect the Gmail account through OAuth, install the browser extension, and send a test message to a personal address on a non-compliant server. Confirm the recipient sees a portal link.

For Microsoft 365 Business Premium: activate Azure Rights Management under Settings, Org settings, Services, Microsoft Azure Information Protection. Confirm the Encrypt button appears in the Outlook ribbon. Send a test message.

For Outlook Desktop with S/MIME: purchase a certificate from a certificate authority, install it in the Windows certificate store, bind it under Trust Center, Email Security, and exchange a signed message with the intended recipient to swap public certificates.

The Google Confidential Mode help page and the Microsoft Purview documentation both walk through the client-side steps for reference.

  • Check the plan tier before choosing an encryption method.
  • Skip Confidential Mode for any regulated data.
  • Use a third-party hosted service if S/MIME certificate exchange is not practical.
  • Confirm a signed BAA is in place before sending PHI over any channel.
  • Test with a real external recipient before rolling out to staff.

Answering can i encrypt an email in gmail is the easy part. The harder question is which method fits the sender’s plan, the recipient’s setup, and the compliance requirements attached to the content. The right combination changes the moment any of those three factors change.

Frequently Asked Questions

Can I encrypt an email in Gmail without upgrading my plan? +

Yes. Confidential Mode is available on every Gmail plan, though it is not real encryption. For actual body encryption on a Business Starter, Standard, or Plus plan, install a third-party extension like Mailhippo, Virtru, or FlowCrypt. The extension encrypts the message before it leaves the browser and delivers external recipients a portal link. Native S/MIME requires Enterprise Plus. The extension route is the simplest way to add real encryption to a Gmail account without changing the plan tier.

How can I encrypt an email for free? +

Free options exist but each has a limit. ProtonMail encrypts messages to other ProtonMail users automatically and delivers messages to outside recipients through a password-protected portal. FlowCrypt adds free PGP encryption to Gmail through a browser extension. Outlook.com sends free encrypted messages between consumer Microsoft accounts. None of the free options include a business associate agreement, so they are unsuitable for healthcare use. Compliance-grade sending requires a paid service with a signed BAA.

Can I encrypt an email in Outlook? +

Yes. On Microsoft 365 Business Premium or higher, click the Encrypt button on the message ribbon to trigger Purview Message Encryption. On any plan with S/MIME certificates installed, click the security icon and choose Encrypt Message Contents. On Outlook.com consumer, click the shield icon in the compose window to send a message with Microsoft encryption. Each option produces a slightly different recipient experience, but all three encrypt the message body and support external delivery.

How can I easily encrypt an email from any client? +

The easiest path across every client is a third-party encryption service that connects to the existing account. Mailhippo works this way with Gmail, Outlook, and any IMAP or SMTP account. Send from the normal compose window, and the service encrypts the message automatically before it reaches the recipient. No certificates, no toggle, no compose window changes. The recipient gets a portal link or an encrypted TLS-delivered message depending on their provider’s support.

How does GoDaddy encrypt email on its Professional Email plan? +

GoDaddy Professional Email uses TLS for transit encryption whenever the receiving server supports it. There is no built-in body encryption on the standalone Professional Email product. Users who need message-level encryption on GoDaddy Professional Email have to install a third-party extension or upgrade to the Microsoft 365 tier sold through GoDaddy. GoDaddy does not sign a BAA for its consumer or small-business tiers, so healthcare senders need to be on a Microsoft 365 plan that qualifies for the Microsoft BAA.

Does encrypting an email guarantee the recipient can read it? +

No. If the recipient does not have S/MIME certificates configured and the encryption path used S/MIME, they cannot decrypt the message. Portal-based services solve this by delivering a link the recipient opens in a browser, which works on any email client. Before sending an encrypted message to a first-time recipient, most encryption services show a preview of what the recipient will see. That preview is useful for confirming the recipient will actually be able to open the message.

What is the difference between encryption and Confidential Mode in Gmail? +

Confidential Mode adds three controls to a message. The recipient cannot forward, copy, print, or download the message from the Gmail interface. The message expires on a schedule the sender sets. The recipient must enter a passcode sent by SMS to open it. None of those controls encrypt the message content. Google can still read the body, and a determined recipient can screenshot the content. Real encryption protects the body from anyone without the decryption key.

Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →