🔑 Key Takeaways
- The stack is filtering, DLP, outbound encryption, archiving, and identity. One layer alone has gaps.
- Encryption failures leak content in transit. Filtering failures let phishing walk in the front door.
- A VPN protects the sender network segment. Email encryption protects the body across mail servers.
- HIPAA, SOX, FINRA, and GDPR require retention. Some archivers bundle encryption, others do not.
- Every vendor touching PHI needs its own BAA. Consolidated platforms put filtering plus archive as 1.
Encryption is a checkbox item on most email security procurement forms. It sits next to inbound filtering, DLP, archiving, and identity controls. Buyers who focus on one checkbox at a time miss how the layers depend on each other.
This guide covers how encryption and email security fit together in a working stack. Where a healthcare team needs the outbound layer without integrating four vendors, a dedicated secure email service with a BAA in the base plan often solves the immediate compliance gap.
Read the sections in order. Each layer covers a different threat and a different auditor concern.
The Email Security Stack Has Five Layers
A complete email security posture combines five functional layers. Each addresses a different risk.
- Inbound filtering removes phishing, malware, and business email compromise before delivery.
- Identity controls including MFA and conditional access stop credential theft at the mailbox.
- DLP scans outbound messages for sensitive content and enforces policy actions.
- Outbound encryption protects message content in transit and at rest for regulated data.
- Archiving preserves all inbound and outbound mail in tamper-evident storage for compliance.
Skipping any layer creates a gap. Filtering without encryption leaves outbound leakage. Encryption without filtering leaves the inbox exposed to the phishing that steals the credentials that bypass the encryption.
Buyers evaluating a single feature should confirm what covers the other four.

Encryption Handles Outbound Confidentiality
Email encryption operates on outbound messages. It transforms the body and attachments into ciphertext readable only by the intended recipient.
TLS handles server-to-server transport encryption. S/MIME or hosted portal services handle content encryption end to end. Both layers combine to protect messages from interception and unauthorized access.
Related guide: email encryption covers the methods and standards in depth. See also encryption for email and files.
Encryption does not protect against outbound errors. A workforce member emailing PHI to the wrong recipient still commits a HIPAA breach even when the message is encrypted correctly to that wrong address.
The DLP layer catches that case. Encryption alone does not.
Inbound Filtering Blocks Threats Before Delivery
Inbound filtering scans every incoming message against spam signatures, malware analysis, URL reputation, and behavioral indicators of business email compromise.
Microsoft Defender for Office 365 and Google Workspace Security Sandbox both bundle inbound filtering with their mail platforms. Third-party vendors like Proofpoint, Mimecast, and Barracuda offer specialized inbound protection.
Filtering catches most commodity threats. Sophisticated targeted attacks still get through occasionally. That is why the layer above it, identity controls, matters.
The CISA guidance on phishing and ransomware covers the current threat landscape that inbound filtering has to handle.
Healthcare senders face specific targeting because PHI has direct resale value. Filtering configuration for healthcare typically runs stricter than for general business.
A twelve-provider multispecialty group builds a layered stack. Microsoft Defender for Office 365 handles inbound filtering under the Microsoft 365 E3 tier. Purview DLP rules match PHI patterns and auto-apply Encrypt-Only on outbound. A dedicated gateway service delivers encrypted mail to patients without a portal step. Mimecast archives every inbound and outbound message for the six-year HIPAA retention requirement. Entra ID enforces MFA plus conditional access on every mailbox. Four vendor BAAs live in the compliance folder, one per business associate.
DLP Enforces Policy on Sensitive Content
Data loss prevention scans outbound content for defined patterns and enforces automatic policy actions.
Common patterns include Social Security numbers, credit card numbers, medical record numbers, ICD-10 codes, and custom keyword lists specific to the organization.
Policy actions include block and notify the sender, quarantine for admin review, redirect to a manager, or apply encryption automatically. That last option closes the gap between manual encryption decisions and consistent compliance.
Microsoft Purview DLP and Google Workspace Data Loss Prevention both include predefined content types. Custom rules cover organization-specific patterns.
Test DLP rules against a monitored test mailbox before pushing to production. False positives on internal messages create friction that pushes users toward personal accounts.

VPNs Add a Network Layer That Overlaps Partially
A VPN encrypts the network path between a client device and the VPN provider. It matters when workforce members send email from public Wi-Fi or shared networks.
The VPN protects the traffic from the coffee shop to the VPN endpoint. From there, the traffic exits to the mail server as normal internet traffic protected by the mail platform TLS.
Once the message leaves the sender mail server and travels to the recipient mail server, the VPN provides no protection. The message needs TLS between the mail servers and content encryption for the body itself.
A VPN is not a substitute for email encryption. It protects the first mile only. HIPAA-regulated content still requires end-to-end encryption on the message itself.
Practices deploying VPNs should still deploy email encryption. The layers cover different segments of the message journey.
Archiving Preserves Compliance Evidence
Archiving captures every inbound and outbound message at the gateway and stores it in tamper-evident form for defined retention periods.
HIPAA calls for six-year retention of documentation supporting security policies, which includes evidence of PHI communications. SOX requires seven years of financial records. FINRA requires three years of broker communications with clients.
The archive protects against message tampering after delivery, which matters during litigation and audit. Users cannot delete archived copies from their mailbox to hide activity.
Some vendors bundle archiving with encryption in one product. Others sell them separately. Buyers should confirm which vendor covers each function to avoid gaps or duplicate contracts.
The archive itself must also be encrypted at rest. Vendors typically use AES-256 with keys managed by the customer or the vendor per contract.
Compromised mailbox credentials bypass encryption and filtering entirely because the attacker holds legitimate access. Multi-factor authentication and conditional access are the cheapest layer with the highest breach-cost prevention. Enforce MFA on every workforce member with mailbox access through Microsoft Entra ID or Google Workspace identity. Add conditional access rules that restrict logins to known devices or geographies. This stops most business email compromise attacks before any encryption or filtering product has to work.
Identity Controls Guard the Mailbox Access Point
Encryption and filtering both fail when an attacker holds the legitimate mailbox credentials. Identity controls prevent that scenario.
Multi-factor authentication blocks most credential theft attacks. Conditional access rules restrict logins to known devices, networks, or geographies. Session timeout controls limit exposure when devices are left unattended.
Microsoft Entra ID and Google Workspace identity both include MFA and conditional access as core features. Enforce MFA for every workforce member with mailbox access.
Compromised mailbox credentials are the entry point for most business email compromise attacks. See the Microsoft business email compromise guidance for attack patterns and defenses.
Identity controls are cheap compared to the breach cost they prevent. Deploy them before adding more expensive encryption or filtering products.
HIPAA Requires the Full Stack for Covered Entities
HIPAA covered entities need every layer of the stack for the Security Rule and Privacy Rule requirements.
Encryption meets the transmission security safeguard. Inbound filtering supports the malicious software safeguard. DLP supports the administrative safeguard against workforce error. Archiving supports the six-year documentation retention requirement.
Each vendor that touches PHI signs a business associate agreement. Consolidated platforms simplify BAA management by putting encryption, filtering, and archiving under one contract. Specialized services require separate BAAs.
The HHS Security Rule guidance lists every safeguard the covered entity must implement.
Practices running patient-facing websites face parallel obligations. See healthcare website security features for the site-side controls that pair with the email stack.
Choosing Between Consolidated and Best-of-Breed Vendors
Buyers face a decision between one platform that covers every layer and multiple specialized vendors that each cover one layer well.
Consolidated platforms from Microsoft, Google, or major security vendors deliver encryption, filtering, DLP, and archiving through one console. Reporting is unified. One contract covers everything. Small practices favor this model for administrative simplicity.
Specialized vendors focus on one layer and often deliver a better recipient experience or specific compliance feature. Larger organizations mix a consolidated inbound filter with a specialized outbound encryption service like Mailhippo that delivers encrypted email without portal friction.
Related guides: email encryption solutions comparison, email encryption solutions for Outlook and Gmail, and HIPAA compliant texting and email.
Match the vendor mix to the operational team size. A one-person IT department cannot maintain four separate consoles. A dedicated security team can extract value from specialized products that a consolidated platform cannot match.
Neither approach is wrong. The wrong choice is buying encryption in isolation and ignoring the other four layers.
Frequently Asked Questions
Encryption protects the content of individual messages during transit and at rest. Email security is the broader program that also filters inbound threats, prevents outbound data loss, archives messages for compliance, and controls mailbox access through authentication. Encryption alone cannot stop a phishing message from entering the inbox or catch a workforce member emailing PHI to the wrong recipient. Email security alone cannot prevent an outsider from reading intercepted messages if the content is unencrypted. Both layers are required for a complete posture.
A VPN encrypts the network connection between the client device and the VPN provider. If the mail client uses TLS to reach the mail server, the VPN adds an outer encryption layer during that first leg. Once the message leaves the VPN endpoint and travels to the recipient mail server, the VPN provides no protection. The message itself still needs TLS transport encryption and, for regulated content, S/MIME or hosted portal encryption to protect the body between mail servers and at rest.
Encryption transforms outgoing message content into ciphertext so only the recipient can read it. Filtering analyzes incoming messages for spam, phishing, malware, and business email compromise indicators before delivery. They operate on opposite directions of the mail flow and address different threats. Encryption defends confidentiality on the outbound side. Filtering defends the inbox on the inbound side. HIPAA and PCI compliance require both, plus additional controls like DLP, archiving, and access management.
Yes, if regulations require retained records of communications. HIPAA calls for six-year retention of documentation supporting security policies. SOX and FINRA require multi-year retention of email evidence. GDPR requires the ability to produce specific messages on request. Encryption protects the content but does not preserve it after the mailbox owner deletes the message. Archiving captures every message at the gateway and stores it in tamper-evident form. Some vendors bundle encryption and archiving in one product, and others sell them separately.
Data loss prevention scans outbound messages for sensitive content patterns like Social Security numbers, credit card numbers, medical record numbers, and custom keywords. When DLP detects a match, it can block the message, quarantine it for review, or apply automatic encryption. That last option is the most common integration. A workforce member who forgets to click Encrypt on a message containing PHI triggers the DLP rule, which encrypts the message server-side before delivery. This removes the compliance risk of relying on manual encryption decisions.
HIPAA treats encryption of PHI in transit as an addressable specification and treats unencrypted PHI transmission as a compliance failure in practice. PCI DSS requires encryption of cardholder data when transmitted over public networks. GLBA requires financial institutions to protect customer information in transit. GDPR requires appropriate technical measures for personal data, and encryption is treated as evidence of due diligence. State laws like California CCPA and New York SHIELD Act also incentivize encryption through breach notification safe harbors that exclude encrypted data.
The tradeoff is between integration and specialization. Consolidated platforms from Microsoft, Google, or major security vendors handle encryption, filtering, and archiving under one console with unified reporting and one contract. Specialized vendors focus on one layer and often deliver a better recipient experience or specific compliance feature. Small practices favor consolidated platforms for administrative simplicity. Larger organizations often mix a consolidated inbound filter with a specialized outbound encryption service that pairs better with their workforce workflow.








