How to Open Encrypted Email in Gmail Step by Step

📅 May 22, 2026 ✍️ By Chris Almond ⏱️ 9 min read
how to open encrypted email in gmail guide featured image

🔑 Key Takeaways

  • Gmail sees four wrappers: Purview, Proofpoint, Zix, and S/MIME, and each opens differently.
  • Portal messages need sign-in via Google, the sender platform, or a one-time inbox passcode.
  • S/MIME works only on Google Workspace with hosted S/MIME and a matching user certificate.
  • TLS-only mail lands as normal text; Show Original headers reveal whether TLS 1.3 was used.
  • Missing passcodes usually sit in spam; never paste a code into a mismatched portal domain.

Gmail users see encrypted mail in four common formats: Microsoft Purview, Proofpoint, Zix, and S/MIME. Each one opens a different way. Confusing them causes the recipient to give up on the message.

This guide walks the exact steps to open each type inside Gmail, plus the password and certificate issues that block delivery. For teams tired of portal friction on both sides, a dedicated encrypted email service handles the delivery in one click.

Start by identifying the wrapper. The Gmail message will say Read the message, View Encrypted Message, or Secure Message. That label tells the recipient which platform sent it.

Identify the Encryption Wrapper Before Clicking

The first step is knowing what arrived. Encrypted mail in Gmail is almost always a wrapper message with a button or link. The visible body does not contain the sensitive content.

Microsoft Purview Message Encryption arrives with a Read the message button and the phrase encrypted message from a Microsoft 365 sender. The wrapper is branded with the sender organization.

Proofpoint Encryption arrives with a Click here link that points to securereader.proofpoint.com or a custom subdomain like securemail.senderdomain.com. The subject often includes the marker Secure Message.

Zix Secure Email arrives with a similar Click here link that points to a domain under zixport.com or a custom subdomain. S/MIME arrives with an smime.p7m attachment and no visible readable body.

Open a Microsoft Purview Message in Gmail

Purview is the encryption most Outlook and Microsoft 365 senders use when they click the Encrypt button. Gmail recipients open it through a portal.

Open the wrapper email and click Read the message. A browser tab opens on the Microsoft encrypted message viewer. The viewer offers two options: Sign in with Google or Sign in with a one time passcode.

Sign in with Google is the fastest path. Click it, sign into the same Gmail account that received the mail, and the message renders inside the portal. The portal supports reply and forward when the sender allowed those actions.

If Sign in with Google fails, request a one time passcode. Microsoft sends the code to the same Gmail inbox. Paste the code into the viewer and the message opens. See Google Support on encrypted mail for Gmail side detail.

how to open encrypted email in gmail in article illustration one

Open a Proofpoint Encrypted Email in Gmail

Proofpoint Encryption uses a portal called Proofpoint Encryption Reader. First time recipients register a Proofpoint account tied to the Gmail address.

Click the Click here link in the wrapper message. The Proofpoint Encryption Reader loads in a browser tab. If this is the first time, a registration form asks for a password and security questions. Complete it and confirm the email.

Returning users sign in with the Gmail address and the Proofpoint password. The message renders inside the portal. Attachments download as separate files, and reply is available from the portal itself.

Store the Proofpoint password in a password manager. Proofpoint accounts do not federate with Google Sign In, so a lost password requires the Forgot Password link, which delivers a reset link back to the Gmail inbox.

Open a Zix Encrypted Email in Gmail

Zix Secure Email uses a similar portal model. The Gmail wrapper contains a Message from and a link to the Zix portal.

Click the link. The Zix portal loads and asks for the Gmail address and a password. First time recipients complete a short registration. The password is separate from any Google or Microsoft credentials.

Once signed in, the message renders inside the Zix portal. Reply, forward, and attachment download are supported when the sender allowed them. Some senders configure Zix to send the encrypted content as an encrypted PDF attachment instead of a portal link.

If Zix delivered an encrypted PDF, open the attachment in a PDF reader and enter the password the sender shared separately. The password is usually delivered by phone or a prior secure channel.

Example

A patient at a Gmail address receives a wrapper email from her cardiologist labeled Secure Message with a link to securereader.proofpoint.com. She clicks the link, sees a Proofpoint registration form because it is her first encrypted message from the practice, sets a password, and confirms through a link sent to the same Gmail inbox. The portal then renders her ECG summary and a follow-up recommendation. She saves the Proofpoint credentials in her password manager because the practice will send future results through the same portal, which does not federate with Google Sign In.

Open an S/MIME Encrypted Email in Gmail

S/MIME is a certificate based standard that requires matching keys on both sides. Gmail supports S/MIME only through Google Workspace with hosted S/MIME enabled by the administrator.

When an S/MIME message arrives at a properly configured Google Workspace account, Gmail decrypts the message inline. The body renders normally, and a padlock icon indicates the encryption status. No portal is involved.

Personal Gmail addresses at gmail.com do not support S/MIME. The message arrives with an smime.p7m attachment and no readable body. Ask the sender to resend using Purview Message Encryption or a dedicated secure email service.

Google Workspace administrators enable hosted S/MIME under Apps, Google Workspace, Gmail, User Settings, S/MIME. Upload user certificates for each mailbox that needs to decrypt inbound S/MIME.

Compare the Four Wrappers Side by Side

Recognizing the wrapper is half the work. The table below maps the visible signal in Gmail to the platform and the action the recipient takes.

Wrapper Visible signal in Gmail Action to open Password model
Microsoft Purview Read the message button Sign in with Google or passcode Google account or one time passcode
Proofpoint Encryption Click here link to Proofpoint domain Register or sign in on portal Proofpoint account password
Zix Secure Email Secure Message subject with portal link Register or sign in on portal Zix account password
S/MIME smime.p7m attachment, no body Decrypt inline with certificate Certificate on Google Workspace

Portal wrappers work with any Gmail address. S/MIME only works on Google Workspace with hosted S/MIME configured by the administrator.

how to open encrypted email in gmail in article illustration two

Handle the Common Password Failures

Password prompts are the most common friction point. A few predictable failures cover almost every case.

  • One time passcode never arrives. Check the Gmail spam folder. Microsoft and Proofpoint codes sometimes trip Gmail filters. Whitelist the sender portal domain.
  • Proofpoint or Zix password forgotten. Use the Forgot Password link on the portal. The reset email lands in the same Gmail inbox.
  • Portal says account not registered. First time recipients complete a short registration on Proofpoint and Zix. Fill in the required fields and confirm through the email link.
  • Sign in with Google fails on Microsoft portal. The recipient signed into a different Google account in the browser. Sign out of other accounts or use a private window.
  • Password field appears on an unfamiliar domain. Verify the domain matches microsoft.com, proofpoint.com, or zix.com before entering credentials. Phishing kits mimic these portals.

Understand What TLS Only Means

Some senders use only TLS. The Gmail message looks normal, with regular text and no wrapper. There is nothing to open.

To confirm the sender used TLS, click the three dot menu on the message and select Show original. The Received headers list the encryption cipher used on each hop. A line with TLSv1.3 or TLSv1.2 confirms the connection was encrypted.

TLS alone is not enough for regulated mail. It protects the connection between mail servers but leaves the message readable at rest in the Gmail inbox. Anyone with access to the mailbox reads it.

Healthcare and legal senders should use message level encryption on top of TLS. The National Institute of Standards and Technology publishes guidance on email security at NIST SP 800-177r1, which covers the standard controls.

💡Pro Tip: Verify the portal domain before entering credentials

Phishing kits mimic Microsoft, Proofpoint, and Zix portals convincingly. Before typing a password or pasting a one-time passcode, check the browser address bar for microsoft.com, proofpoint.com, or zixport.com plus the sender known subdomain. A password field on any other domain is likely a credential trap. If unsure, contact the sender through a separate channel and confirm the portal URL matches what they issued.

Open Encrypted Email in Gmail on Mobile

Mobile Gmail on iOS and Android opens portal based encrypted mail the same way. Tap the Read the message or portal link and the phone browser loads the portal.

Microsoft Purview portals render well on mobile browsers. Sign in with Google, or paste a one time passcode. The message shows inline in the browser.

Proofpoint and Zix portals also render on mobile. Password entry is the main friction. Store credentials in a mobile password manager to speed up return visits.

S/MIME on mobile Gmail requires a Google Workspace account with hosted S/MIME. Personal Gmail on mobile shows the smime.p7m attachment with no way to decrypt. The sibling piece on how to open encrypted email on iphone covers the mobile flow on iOS in more depth.

When Encrypted Mail Bounces or Never Arrives

Encrypted mail sometimes never lands in Gmail. Two patterns cover most cases.

The first pattern is aggressive spam filtering. Portal wrapper messages from Microsoft, Proofpoint, and Zix look similar to phishing to some filters. Search the Gmail spam folder for the sender name or the portal domain. Whitelist the portal domain in Gmail filters.

The second pattern is TLS enforcement failure. When a sender requires forced TLS and Gmail negotiation fails temporarily, the message bounces at the sender side. The sender receives a delivery failure notice. Ask the sender to retry or to send from a mail flow rule that allows opportunistic TLS.

Related sibling guides on troubleshooting sit at how to troubleshoot encrypted email and the send side coverage at how to send encrypted email. The Redefine Web guide on healthcare website security features covers the broader safeguard set for practices that rely on secure email.

Pick a Simpler Path for Regular Encrypted Sends

The four wrapper types work, but recipients on the Gmail side hit friction on every send. Password registration, portal sign in, and expired sessions cost time on both sides.

A dedicated secure email service like Mailhippo delivers encrypted mail to any inbox with a one click open. The recipient does not register an account. The sender uses the existing Gmail or Outlook mailbox, and a BAA is included in the base plan for healthcare workflows.

The tradeoff is platform coverage. Portal based services from Microsoft, Proofpoint, and Zix carry deep enterprise integration. A dedicated service is faster to deploy for small teams and lower friction on the recipient side.

Frequently Asked Questions

Why do I get a Read Message button instead of the email itself? +

The sender applied encryption that wraps the message inside a portal. Gmail cannot render the encrypted body inline because it is not the intended encryption endpoint. The Read Message button opens the portal maintained by Microsoft, Proofpoint, Zix, or another provider. Click the button, sign in with the Gmail address that received the mail, and the message renders inside the portal. The wrapper text stays in Gmail as a receipt that the encrypted send happened.

How do I open an encrypted Outlook email in Gmail? +

Outlook senders on Microsoft 365 typically use Microsoft Purview Message Encryption. Gmail recipients receive a wrapper message with a Read the message button. Click it, then choose Sign in with Google. Google authenticates with the Gmail address, redirects back to the Microsoft portal, and renders the message. If the sign in fails, the sender can request a one time passcode delivery through the Encrypt Only policy. The passcode arrives at the same Gmail inbox and unlocks the portal.

How do I open a Proofpoint encrypted email in Gmail? +

Proofpoint sends a notification with a Click here link. The link opens the Proofpoint Encryption portal at securereader.proofpoint.com or the custom subdomain the sender configured. First time users register a Proofpoint Encryption account with the Gmail address and a password. Returning users sign in with the same account. The message renders inside the portal. Save the portal password in a manager because Proofpoint accounts do not federate with Google Sign In.

How do I open a Zix encrypted email in Gmail? +

Zix messages arrive with a subject that starts Secure Message and a link that opens the Zix portal at securemail.zixport.com or the sender custom subdomain. Click the link and sign in with the Gmail address plus a Zix password. New recipients complete a short registration with a password and security questions. The Zix portal renders the message and any attachments. Zix supports password reset by email to the same Gmail inbox when the password is lost.

How do I open an encrypted email without a password? +

Ask the sender to switch to a passcode delivery option. Microsoft Purview supports a one time passcode that arrives in the same Gmail inbox and unlocks the portal without a stored account. If the sender used S/MIME to a personal Gmail address, the recipient cannot open the message without a matching certificate on a Google Workspace account. In that case, ask the sender to resend with Purview Message Encryption or a service that supports passcode based delivery.

What does smime.p7m mean in a Gmail attachment? +

The attachment is the S/MIME encrypted payload. Gmail could not decrypt it because the account does not have a matching certificate or hosted S/MIME is not enabled. Personal Gmail accounts do not support S/MIME directly. Google Workspace accounts need an administrator to enable hosted S/MIME and upload user certificates before decryption works. Ask the sender to resend using a portal based option like Microsoft Purview Message Encryption or a dedicated secure email service that does not require certificate exchange.

Is TLS encryption enough for HIPAA compliant email sent to Gmail? +

Opportunistic TLS between mail servers protects the connection but leaves the message at rest in the recipient inbox. Google supports TLS 1.2 and TLS 1.3 on inbound mail. Under HIPAA, TLS alone is treated as a supporting control rather than a complete safeguard for protected health information. Covered entities usually add message level encryption on top of TLS, either through Microsoft Purview, S/MIME, or a dedicated secure email service that includes a business associate agreement.

Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →