🔑 Key Takeaways
- Email encryption works at two layers: TLS on the wire and end-to-end on the message body itself.
- Outlook 365 Business Premium unlocks the Encrypt button; lower tiers get no message protection.
- Gmail Confidential Mode is portal access control, not encryption, and fails every HIPAA audit.
- Yahoo and AOL rely on opportunistic TLS alone with no S/MIME, no BAA, no fit for PHI workflows.
- GoDaddy Professional Email runs on Microsoft 365 and inherits Encrypt on Business Premium plans.
Every major email client handles encryption differently, and the differences matter the moment a message carries patient data, financial records, or contract terms. The Encrypt button in Outlook does one thing. The Confidential Mode toggle in Gmail does something else entirely. AOL and Yahoo do a third thing, which is essentially nothing at the body level.
This guide walks through how to encrypt email in Outlook, Outlook on the Web, Gmail, Yahoo Mail, AOL Mail, and GoDaddy Professional Email. Each section covers the real steps, the license requirements, and what happens on the recipient side. For teams that need HIPAA-covered encryption without per-recipient certificate management, a dedicated encrypted email service handles the workflow with a signed business associate agreement in the base plan.
The article closes with a comparison table, a short section on encrypted HTML messages, and answers to the questions readers most often ask about specific providers.
Email Encryption Has Two Layers That Behave Differently
The word encryption covers two separate protections in email. Transport Layer Security wraps the connection between mail servers so intercepted traffic looks like noise. End-to-end encryption protects the message body itself so the recipient inbox holds ciphertext until they authenticate.
Every major provider now uses TLS by default when the other side supports it. Google, Microsoft, Yahoo, and AOL all handshake to TLS 1.2 or 1.3 automatically. That covers the wire, which is one leg of the trip.
The body is a separate problem. TLS does nothing for a message once it lands on the recipient server. If an attacker gets into that inbox through credential theft or a backdoor, TLS did not encrypt what they can read. That is the gap end-to-end encryption closes.
The NIST cybersecurity framework treats these as two distinct controls. Regulated industries in the United States including healthcare, finance, and legal services are expected to apply both layers when sensitive data is in the message.
Outlook Desktop Uses the Encrypt Button Under Options
Outlook 365 on Windows and Mac exposes an Encrypt control on the Options ribbon when the underlying Microsoft 365 plan supports Purview Message Encryption. Open a new message, click the Options tab, then click Encrypt. Pick either Encrypt or Do Not Forward.
Encrypt allows the recipient to reply. Do Not Forward removes reply and forward permissions. Both options run through Microsoft cloud key management and require Azure Rights Management to be active on the tenant.
External recipients on any email platform get a link to a Microsoft portal. They sign in with their Microsoft, Google, or Yahoo account, or they request a one-time passcode delivered to that address. The portal shows the message body inside the browser without exposing the ciphertext.
Tenants below Business Premium do not see the Encrypt button. The Microsoft documentation on Message Encryption lists the exact eligible plans. Practices on lower tiers add the license across seats or move sensitive workflows to a dedicated service.

Outlook on the Web Mirrors the Desktop Encrypt Menu
Outlook on the Web, sometimes called OWA, provides the same encryption control through a slightly different menu. Compose a new message. Click the three-dot menu next to the send button. Select Encrypt, then pick the policy.
The behavior on the recipient side is identical to desktop Outlook. External addresses get a portal link. Microsoft 365 and Google Workspace recipients often experience a direct inline decryption if their tenant is configured for it.
When the Encrypt menu does not appear in OWA, the tenant lacks the required license. Administrators can verify this in the Microsoft 365 admin center under Licenses. The affected users need a plan that includes Azure Information Protection or Microsoft 365 Business Premium and above.
Users authenticated through single sign-on with hardware keys retain the security posture on both platforms. The encryption policy travels with the message regardless of where the sender composed it.
Gmail Handles Encryption Three Different Ways
Gmail encrypts email in three modes that many users conflate. The first is TLS in transit, which every Gmail message uses when the receiving server supports it. Gmail shows a small padlock icon in the message header to indicate TLS status.
The second is Confidential Mode, which any Gmail user can activate by clicking the padlock-clock icon in the compose window. Confidential Mode adds expiration dates, passcodes over SMS, and revocation, but the body itself is stored on Google servers without additional cryptographic wrapping.
The third is client-side encryption on Workspace Enterprise Plus, Education Plus, and Education Standard. Admins enable it through the admin console, and users see a shield icon in the compose bar. Keys stay under the customer control through an external key service.
S/MIME support is also available on Workspace and can be enforced per-domain. The Google Workspace admin guide on hosted S/MIME covers configuration. Confidential Mode alone does not qualify as HIPAA-covered encryption because it lacks cryptographic body protection.
Yahoo Mail and AOL Mail Rely on Transport Encryption Only
Yahoo Mail and AOL Mail both use TLS for server-to-server delivery and HTTPS for the browser session. Neither service offers a native encryption button in the compose window. Neither supports S/MIME certificate installation in the web interface.
A Yahoo user sending to a Gmail user gets TLS on the wire. The message body lands in Google storage in a form Google can read, and it stays that way until the recipient opens it. That is standard consumer webmail behavior.
Neither Yahoo nor AOL offers a business associate agreement for HIPAA-regulated senders. A dental practice, therapy clinic, or medical billing office using an AOL address for clinical correspondence has no compliant encryption path inside that account.
The remediation is straightforward. Move the mailbox to a Workspace or Microsoft 365 plan that supports encryption, or route sensitive messages through a dedicated encrypted email service that layers on top of the existing address.
GoDaddy Professional Email Inherits Microsoft 365 Encryption
GoDaddy Professional Email product runs on Microsoft 365 infrastructure under the hood. Users on the Business Premium tier and above get the same Encrypt button and Purview Message Encryption behavior as customers who buy directly from Microsoft.
The Encrypt control lives in the same place in Outlook desktop and Outlook on the Web. Portal delivery for external recipients works identically. GoDaddy also sells a Microsoft 365 Advanced Email Security add-on that adds threat protection on top of the base encryption feature.
GoDaddy Webmail Classic, the older non-Microsoft product, does not offer a native encryption interface. Accounts still using Webmail Classic should upgrade to the Microsoft-backed Professional Email product or route sensitive messages through a separate encrypted platform.
Practices in healthcare using GoDaddy for domain email should verify the specific product tier attached to the mailbox. The tier determines whether encryption is one click away or requires an entirely different tool.

S/MIME and PGP Are the Certificate-Based Options
S/MIME and PGP are the two long-standing certificate-based encryption standards. Both require the sender and recipient to exchange public keys before the first encrypted message can travel. Both work across email clients that support the standard.
S/MIME is the dominant standard in enterprise environments. Outlook, Apple Mail, and Workspace on eligible plans support S/MIME natively. Certificates come from commercial certificate authorities like DigiCert, Sectigo, and Entrust, or from an internal PKI.
PGP, and its open source implementation GnuPG, is dominant in developer, journalist, and activist communities. Thunderbird ships with OpenPGP support built in. Outlook and Gmail require add-ons to work with PGP.
The friction with both standards is key management at scale. A clinic emailing 300 patients cannot ask each patient to install a certificate. That is where portal-based delivery from Microsoft Purview, dedicated encrypted email services, or client-side encryption on Workspace replaces per-recipient certificate exchange.
Encrypting an HTML Email Uses the Same Native Controls
HTML formatting and encryption are independent. The Encrypt button in Outlook, the client-side encryption shield in Workspace, and the S/MIME toggle all encrypt the entire message body including HTML markup, inline images, and attachments.
Do not attempt to encrypt HTML inside the source using scripts or base64 obfuscation. That approach breaks rendering across most clients and does not provide real cryptographic protection. Spam filters also flag obfuscated HTML.
Compose the message normally with rich formatting. Apply the native encryption control before pressing send. The recipient sees decrypted HTML with all formatting intact after authenticating through the portal or with their certificate.
Newsletter platforms and transactional email services handle HTML separately and often add DKIM and DMARC signatures without body encryption. Those signatures verify sender identity but do not encrypt content. Encryption is a separate step, applied by the sender.
Comparison of Native Encryption Options Across Providers
The table below summarizes native encryption support in the major email platforms. Availability shifts with license tier, so verify the specific plan attached to a mailbox before assuming a feature is present.
| Platform | TLS in transit | End-to-end body | BAA available | License needed |
|---|---|---|---|---|
| Outlook 365 | Yes | Yes, via Purview | Yes | Business Premium and above |
| Outlook on the Web | Yes | Yes, via Purview | Yes | Business Premium and above |
| Gmail free | Yes | No, Confidential Mode is portal only | No | Free |
| Workspace Enterprise Plus | Yes | Yes, client-side encryption | Yes | Enterprise Plus, Education Plus |
| Yahoo Mail | Yes | No | No | None |
| AOL Mail | Yes | No | No | None |
| GoDaddy Professional Email | Yes | Yes, via Purview | Yes | Business Premium and above |
Practices that need encryption without navigating license tiers often pair their existing Gmail or Outlook mailbox with a secure email service that applies encryption and a signed business associate agreement to every outgoing message without changing the sending address.
Common Mistakes When Setting Up Email Encryption
The most common mistake is assuming that a padlock icon in Gmail or the presence of HTTPS in the browser means the message body is encrypted end-to-end. Neither indicator means that.
The second most common mistake is turning on Confidential Mode and treating the result as HIPAA compliant. Confidential Mode is portal access control. It does not carry the cryptographic and BAA coverage HIPAA requires.
A third mistake is deploying S/MIME to internal staff and skipping the certificate distribution to external counterparties. Encryption then works only within the domain, which is not what the policy usually intends.
Before rolling out encryption to a practice, verify three items:
- The license tier on every mailbox actually includes the encryption feature.
- External recipients on major providers can decrypt without extra setup on their side.
- A signed business associate agreement covers the specific product feature used, not just the base mailbox.
When a Dedicated Encrypted Email Service Makes Sense
Native encryption in Outlook and Workspace works well for organizations already on the required license tiers with IT staff to manage certificates, portal experiences, and admin console configuration. It fits enterprises with mature identity systems.
Smaller practices, solo providers, and multi-location dental groups often carry a different profile. They run on lower Microsoft 365 or Workspace tiers, they lack dedicated IT staff, and they need HIPAA coverage without buying enterprise seats across every user.
Mailhippo is a secure email service built for this profile. It works with existing Gmail and Outlook accounts, applies TLS and client-side encryption automatically, includes a business associate agreement in the base plan, and delivers messages through a one-click recipient experience without PGP keys or S/MIME certificate management. One brief mention here, in case the license math on native tools does not work out for the practice.
Healthcare practices weighing the tradeoffs between native and dedicated encryption often benefit from a broader look at their site and communication stack. A healthcare marketing agency can help align patient-facing channels with the encryption layer sitting behind them.
For a deeper look at the security controls that pair with encrypted communication in medical environments, review the guidance on security features on healthcare websites. Encryption is one control in a broader posture that includes authentication, backups, and monitoring.








