Secure Email Encryption Service Buyer Guide for 2026

secure email encryption service guide featured image

๐Ÿ”‘ Key Takeaways

  • Three questions decide a secure email vendor: BAA included, auto-trigger, and recipient friction.
  • Office 365 and Gmail bundle native encryption on higher plans, but neither ships a BAA by default.
  • Free services like Proton and Tutanota work for personal use; small clinics outgrow them fast.
  • Entry tier plans run $3 to $8 per seat; enterprise bundles with DLP and archiving hit $10 to $25.
  • Recipient experience drives adoption; portals create tickets, one-click links keep patients happy.

A secure email encryption service protects the contents of a message from the moment a sender hits send to the moment a recipient opens it. Covered entities under HIPAA, financial institutions under GLBA, and law firms handling privileged material all use these services to meet regulatory requirements.

The market splits into three groups. Native tools built into Microsoft 365 and Google Workspace, dedicated third party services like Mailhippo encrypted email, and enterprise gateways from Barracuda, Cisco, and Proofpoint. Each group solves a different problem.

This guide walks through what a secure email encryption service actually delivers, how the main providers compare, and how to test recipient experience before you sign anything.

Secure email encryption service defined

A secure email encryption service scrambles message content so only the intended recipient can read it. The service uses TLS between mail servers as the baseline layer.

On top of TLS, providers add a second layer through S/MIME certificates, PGP keys, or a portal-based delivery model. The second layer protects the message once it lands on a server the sender does not control.

Enterprise services stack more features. Data loss prevention scans outbound content for regulated data. Archiving retains messages for compliance audits. Phishing filters catch inbound threats. Administrative controls let IT enforce encryption on messages that match specific policies.

The core deliverable stays the same across every vendor. Content confidentiality, sender identity verification, and delivery proof. Everything else is packaging.

Office 365 email encryption service options

Microsoft ships Office 365 Message Encryption with Business Premium, E3, and E5 plans. The service runs on Microsoft Purview and adds the Encrypt button to the Outlook Options ribbon on desktop, web, and mobile.

Senders click Encrypt, pick a permission preset, and send. External recipients get a portal link and sign in with Microsoft, Google, or a one-time passcode. Internal recipients see the encrypted message in Outlook without extra steps.

Business Basic and Business Standard plans do not include the Encrypt button. Practices on those SKUs need to upgrade to Business Premium at $22 per user per month or add a dedicated encryption gateway.

Microsoft signs a business associate agreement with covered entities on qualifying plans. Admins need to accept the BAA in the Microsoft 365 admin center under Contracts before sending PHI. Documentation lives at Microsoft Learn Purview Message Encryption.

secure email encryption service in article illustration one

Gmail email encryption service options

Gmail encrypts every message in transit using TLS. Google Workspace paid plans add S/MIME support on Enterprise Plus, which requires certificate management for both senders and recipients.

Confidential mode adds link expiry and SMS passcode options on every Workspace tier. Confidential mode does not encrypt content end to end. The message content sits in Google servers in a readable form for the sender organization.

Google signs a business associate agreement with covered entities on paid Workspace plans configured for HIPAA. Admins accept the BAA in the Workspace admin console. The BAA covers Gmail, Drive, Calendar, Meet, and other core services.

Practices sending real PHI usually stack a dedicated encryption gateway on top of Workspace. The gateway triggers on subject line keywords, data patterns, or recipient domain rules, then routes the message through an encrypted delivery path. See Google Workspace encryption documentation for the current feature matrix.

GoDaddy email encryption service pricing

GoDaddy resells Proofpoint-powered email encryption as an add-on to its Microsoft 365 packages. The add-on runs about $7 per user per month on top of the base 365 license, so a five-seat practice pays roughly $85 per month total.

Senders trigger encryption by adding [encrypt] to the subject line or clicking a button. Recipients register a Proofpoint portal account or verify a one-time code to open messages.

GoDaddy signs a business associate agreement on qualifying plans. The BAA covers the encryption service and the underlying Microsoft 365 tenant. Practices with existing Proofpoint contracts should compare direct Proofpoint pricing at higher seat counts, which often beats the GoDaddy reseller rate.

Support quality varies. GoDaddy phone support handles billing and provisioning. Encryption configuration issues route back to Proofpoint, which adds a delay when a message fails to send. Test the escalation path before you deploy across all seats.

Example

A 20-provider urgent care group ran a 30-day pilot comparing Proofpoint via GoDaddy at $7 per user against Mailhippo at $4.95 per user. They sent 50 identical PHI messages through each service to a mix of iOS, Android, and desktop recipients. Proofpoint required 60 percent of recipients to register a portal account, generating 14 support calls in three weeks. Mailhippo delivered a one-click link that opened for 46 of 50 recipients without an account. The group signed with Mailhippo, saving $492 per month across 20 seats.

Free secure email encryption service trade offs

Free encryption services exist for personal use. ProtonMail, Tutanota, and Skiff offer end to end encrypted email between accounts on the same platform.

Messages to external recipients require the recipient to accept a link, verify a passcode, or install a certificate. Solo practitioners often use free plans for the first quarter of operation, then upgrade once patient email volume rises past 200 messages per month.

Free services rarely sign a business associate agreement. ProtonMail offers a paid Business plan that includes a BAA at $12.99 per user per month. Tutanota and Skiff do not currently offer a BAA at any tier.

Free plans also lack retention controls, audit logs, and admin tools. Compliance risk usually outweighs the license savings once real PHI enters the mailbox. Read the HHS guidance on business associate agreements before picking any free tier for regulated content.

US Bank secure email encryption service model

US Bank uses a portal-based encryption service to send account statements, wire transfer confirmations, and loan documents to customers. Recipients get a notification email with a link to the portal.

The recipient registers an account on the first message, sets a password, and opens the message inside the browser. Follow-up messages from US Bank arrive at the same portal. The model works well for high volume, low urgency correspondence.

Portal-based encryption pushes friction onto the recipient. A customer who cannot find the login page will call the bank. A customer with an expired portal password will call the bank twice.

Financial institutions accept the friction because regulatory pressure outweighs support cost. Healthcare practices with lower call center capacity often pick a zero-step model instead, which delivers the encrypted message directly to the recipient normal inbox.

secure email encryption service in article illustration two

Nonprofit 365 pricing for email encryption service

Microsoft runs a nonprofit program that discounts 365 plans by 30 to 75 percent. Business Basic drops to $0 per user per month for the first 10 seats. Business Standard runs about $3 per user per month.

Business Premium, the plan that includes Purview Message Encryption, drops to about $5.50 per user per month for verified nonprofits. A community clinic with 20 seats pays $110 per month for encrypted email plus Office desktop apps, Intune, and Defender.

Nonprofits still sign the standard business associate agreement in the admin center. The BAA does not change with nonprofit pricing. Documentation lives at the Microsoft Nonprofits portal.

Barracuda, Cisco, and Proofpoint also offer nonprofit discounts of 20 to 50 percent. The discount usually applies to the base plan and not to compliance add-ons, so a small clinic saving money on seats still pays list price for the archiving module.

Mobile and desktop email encryption service parity

The best encryption service works identically on mobile and desktop. Services that require an S/MIME certificate on each device create setup pain for both senders and recipients.

Portal-based services often break the reply flow on mobile browsers. A recipient on an iPhone taps the portal link, logs in, reads the message, then hits reply and gets bounced to a login page again.

Zero-step encryption models handle the mobile case best. The sender uses the normal Gmail or Outlook app on any device. The recipient opens the message inside a standard inbox view on any device.

Test the reply flow on iOS Safari, Android Chrome, and desktop Chrome before committing to a multi-year contract. Vendors will send a test message on request. A five-minute test saves months of user complaints later.

๐Ÿ’กPro Tip: Ask for second-year pricing in writing

Enterprise email security vendors routinely quote a discounted first-year rate that jumps 30 to 50 percent on renewal. Ask for the second-year and third-year rate in writing before signing anything longer than a monthly agreement. Confirm the renewal cap is contractual, not verbal. If the vendor refuses to commit to future pricing, price in an assumed 40 percent renewal jump when comparing total cost of ownership against services with flat published rates.

Provider comparison for secure email encryption service buyers

Buyers picking between vendors weigh four factors above everything else. BAA inclusion, delivery model, price predictability, and admin controls.

Native Microsoft and Google options work well for organizations that already pay for the higher tier plans. Dedicated services like email encryption service providers and encryption email service platforms fit organizations that need a signed BAA in the base plan without a Business Premium upgrade.

Enterprise gateways from Barracuda email encryption service and secure email encryption service cisco add DLP, phishing protection, and archiving in one bundle. The bundles fit organizations with dedicated security teams.

Key evaluation questions:

  • Does the vendor sign a BAA in the base plan or as an add-on
  • Does encryption trigger automatically on regulated content patterns
  • Does the recipient need a portal account, a certificate, or a passcode
  • Does the price stay flat on renewal or jump after year one
  • Does the admin console log every encrypted message for audit

Healthcare practices and secure email encryption service selection

Healthcare covered entities and business associates carry the highest regulatory load. HIPAA, state privacy laws, and payer contracts all require encrypted transmission of PHI.

The right service for a five-person dental practice looks nothing like the right service for a hospital system with 4000 clinicians. Practices with under 50 seats usually pick a zero-step service with a bundled BAA. Larger organizations layer an enterprise gateway on top of Microsoft 365 or Google Workspace.

Practice websites also need to match the same security posture. Patient intake forms, appointment booking, and portal login pages all handle PHI. A HIPAA compliant website design partner handles the web side while the email service handles the mail side.

Practices running healthcare website security features already have most of the operational habits needed to run an encryption service. Password rotation, MFA on admin accounts, and audit log review carry over directly.

Choosing a secure email encryption service without regret

Most buying regret traces back to two mistakes. Picking a vendor without testing the recipient experience, and signing a long contract to lock in a first-year discount that resets on renewal.

Run a 30-day pilot with a single department. Send 50 real messages. Track how many recipients open the message on the first try, how many call for help, and how many ignore the message entirely.

Mailhippo works as an alternative when HIPAA compliance and per-recipient friction both matter. The service adds a BAA in the base plan, works with existing Gmail or Outlook accounts, and delivers messages without asking the recipient to install a certificate or register a portal account. The setup takes minutes.

Whatever vendor you pick, read the renewal clause before signing. Ask for the second-year rate in writing. Confirm the BAA transfers with account transfers. A secure email service that hides its renewal pricing is a service that plans to raise the price on renewal. Reference materials from HIPAA Journal on compliant email and NIST SP 800-177 Trustworthy Email help buyers write a defensible selection memo.

Frequently Asked Questions

What is a secure email encryption service? +

A secure email encryption service scrambles the contents of an email so only the intended recipient can read it. The service uses TLS to protect the connection between mail servers, then adds a second layer with S/MIME certificates, PGP keys, or portal-based delivery. Enterprise services also add data loss prevention, phishing filters, and archiving. Healthcare, finance, legal, and government users pick these services to meet HIPAA, GLBA, or CJIS requirements. The core deliverable is content confidentiality, sender identity verification, and delivery proof.

Does Office 365 include encryption? +

Yes, Office 365 Business Premium, E3, and E5 include Microsoft Purview Message Encryption at no extra cost. Users click the Encrypt button in the Options ribbon before sending, and external recipients open the message through a secure portal after signing in with Microsoft, Google, or a one-time passcode. Basic and Standard plans do not include the Encrypt button. Practices on those plans need to upgrade or add a dedicated encrypted email service to send protected health information under a signed business associate agreement.

Is Gmail encrypted email HIPAA compliant? +

Gmail encrypts email in transit using TLS on every Workspace tier, but transit encryption alone does not meet HIPAA. A covered entity needs a signed business associate agreement with Google, which comes only with Workspace paid plans configured for HIPAA. Confidential mode adds link expiry and passcode options but does not encrypt content end to end. Practices sending real PHI usually add a dedicated encryption gateway on top of Workspace, or route sensitive messages through a third party service like Mailhippo.

How does GoDaddy Email Encryption work? +

GoDaddy sells Proofpoint-powered email encryption as an add-on to its Microsoft 365 packages. Senders trigger encryption by adding a keyword to the subject line or by clicking a button. Recipients open messages through a Proofpoint portal after registering an account or verifying a one-time code. GoDaddy signs a business associate agreement on qualifying plans, and pricing runs about $7 per user per month on top of the base 365 license. Larger practices usually negotiate direct Proofpoint pricing at higher seat counts.

What is the best encryption service for mobile and desktop use? +

The best service works identically on mobile and desktop without extra apps. Services that require an S/MIME certificate on each device create setup pain, and portal-based services often break the reply flow on mobile browsers. Zero-step encryption models handle the mobile case best because the sender uses the normal Gmail or Outlook app and the recipient opens the message in a standard inbox view. Test the reply flow on iOS Safari and Android Chrome before committing to a multi-year contract with any vendor.

Can nonprofits get discounted encrypted email? +

Yes, most major vendors run nonprofit programs. Microsoft, Google, Barracuda, and Cisco publish nonprofit pricing at 30 to 50 percent off list. Microsoft 365 Business Premium runs about $5.50 per user per month for verified nonprofits, which includes Purview Message Encryption. Discounts usually cover the base plan and not the compliance add-ons, so a small clinic saving money on seats still pays list price for the archiving module. Submit IRS 501(c)(3) documentation and a signed nonprofit attestation to activate the pricing.

What features matter most when comparing providers? +

BAA in the base plan, zero-step delivery, mobile-friendly recipient experience, archiving, admin controls, and pricing predictability. Practices sending regulated content should not settle for a vendor that treats the BAA as an upsell. Zero-step delivery keeps staff from forgetting to encrypt. Archiving and audit logs matter when a HIPAA auditor asks for six years of message history. Predictable pricing avoids the trap of a low first-year deal that jumps 40 percent on renewal, which happens often in the enterprise email security market.

HIPAA Email Rules Encryption and Enforcement for Healthcare Teams

hipaa email guide featured image

๐Ÿ”‘ Key Takeaways

  • HIPAA email needs encryption plus a signed BAA, workforce training, audits, and incident response.
  • OCR email settlements range from $25,000 for small practices to millions for larger organizations.
  • Monitoring requires six-year log retention with monthly review and alerts on off-hours access.
  • Wrong-recipient sends stay breaches; MFA, external tags, and delayed-send catch human errors.
  • Newsletters without PHI skip encryption; appointment details and clinical notes always need it.

HIPAA email is one of the most common compliance failure points in healthcare. Practices that pass every other Security Rule check often lose points on email because the workflow is distributed across every staff member.

This guide covers the encryption requirement, retention rules, monitoring practices, fine history, and workflow controls that separate a compliant practice from a settlement candidate. Practices building the stack from scratch benefit from a HIPAA-compliant secure email service that bundles encryption, BAA, and audit logging.

Read the sections in order. Each one narrows the compliance gap.

HIPAA Email Rules Start With the Security Rule

The HIPAA Security Rule at 45 CFR Part 164 Subpart C covers electronic PHI, including email. Practices navigate the rule through administrative, physical, and technical safeguards.

Technical safeguards cover encryption, access control, integrity controls, and audit logging. Administrative safeguards cover workforce training, policies, and risk assessments. Physical safeguards cover device security and workstation access.

Encryption sits inside the technical category as an addressable specification. Addressable means the covered entity implements the control or documents a reasonable equivalent that achieves the same protection.

The HHS Security Rule reference covers the full text and interpretive guidance. Practices should read the guidance section rather than only the rule text.

OCR investigations treat unencrypted PHI email as a violation unless the practice documents a compensating control. Documentation alone rarely holds up. Practices should encrypt.

The Business Associate Agreement Is Non-Negotiable

Every third party that handles PHI on behalf of a covered entity must sign a business associate agreement. Email providers, encryption services, and hosted email platforms all fit this definition.

The BAA covers the vendor obligations for PHI handling, breach notification, and audit response. It sits alongside the practice compliance program and provides contractual assurance that the vendor meets its share of the Security Rule.

Microsoft and Google both offer BAAs on eligible plans. Microsoft 365 Business Basic and higher qualify. Google Workspace Business Standard and higher qualify. Free tiers do not.

Dedicated encryption services like Mailhippo, LuxSci, and Virtru include the BAA in the base plan without requiring a broader license upgrade. Practices avoid the Business Premium tier cost that would otherwise be required for encryption features.

Practices should ask for the BAA before signing. Any vendor unable to produce one immediately does not belong on the shortlist.

hipaa email in article illustration one

HIPAA Email Fines Have a Consistent Pattern

OCR settlements involving email have followed a consistent pattern over the past decade. Reviewing recent cases sharpens the compliance priority.

Small practices that sent unencrypted PHI in response to a records request have settled for twenty-five thousand to one hundred fifty thousand dollars with two-year corrective action plans.

Mid-sized organizations that lacked BAAs with email vendors have settled for hundreds of thousands to low millions. The Advocate Aurora and University of Rochester cases both included email failures alongside broader breaches.

Large organizations with system-wide encryption gaps have settled for tens of millions. Anthem paid sixteen million dollars in 2018 following a breach that exposed nearly seventy-nine million records, with email failures among the contributing factors.

The HHS enforcement highlights page tracks recent settlements. Practices should review the list quarterly to understand the current enforcement priorities.

Monitoring and Audit Logging Requirements

HIPAA requires audit controls that record and examine activity in systems that contain or use PHI. Email systems fall inside this scope.

Baseline audit fields include sender identity, recipient identity, timestamp, encryption method, delivery status, and recipient access events. Missing any field creates a gap that fails HITRUST, SOC 2, or an OCR investigation.

Retention runs six years to meet the accounting of disclosures requirement. Some states impose longer retention. California, Texas, and New York all have state-specific rules that may extend the federal minimum.

Best practice exports logs from the vendor console to a separate storage system. The separation prevents a compromised vendor account from erasing evidence.

Monthly log review catches configuration drift early. Practices that only look at logs during audit season find gaps that developed over months and cannot easily reconstruct the record.

Example

A three-physician cardiology practice responds to a records request from an attorney by sending 47 pages of PHI through unencrypted Gmail. A patient later complains to OCR about the disclosure path. Investigators find no BAA on file for the Gmail account, no audit log for the send, and no documented risk assessment justifying the unencrypted transmission. The practice settles for $85,000 with a two-year corrective action plan requiring workforce training, encrypted email deployment, and quarterly log review. Total remediation cost exceeds $180,000 over 24 months.

Comparison of Common HIPAA Email Approaches

The table below compares four common approaches to HIPAA email across the fields that matter most in practice.

Approach Encryption BAA Cost Per User Setup Time
Microsoft 365 Business Premium Purview Message Encryption Yes on eligible plan $22 2 to 6 hours
Google Workspace Enterprise Plus Client-side encryption Yes on eligible plan $30 4 to 8 hours
Mailhippo AES-256 with portal fallback Yes on base plan $5 to $12 1 to 4 hours
Barracuda Email Gateway Defense Gateway policy encryption Yes $18 to $30 1 to 3 days

Prices reflect 2026 published rates on annual billing. Actual quotes vary by seat count and add-on selection.

HIPAA Email Newsletters and Marketing Content

Newsletters, appointment reminders, and marketing content sit in a gray area that many practices misclassify. The classification decides whether encryption applies.

General practice information sent to patients who have opted in usually does not carry PHI. Wellness tips, staff announcements, and holiday hours fall into this category and do not require encryption.

Content that references specific patient conditions, treatment plans, appointment details, or billing balances carries PHI. Encryption applies. Bulk marketing platforms without a BAA cannot carry this content.

Appointment reminders that include only date, time, and provider name typically qualify as PHI under the HIPAA identifier list. Best practice routes these through the encrypted pipeline or a HIPAA-covered reminder platform.

Practices with mixed content types benefit from separating the newsletter platform from the clinical email platform. Marketing tools like Mailchimp, Constant Contact, and Infusionsoft need HIPAA-specific configurations or a BAA to carry PHI.

hipaa email in article illustration two

Sender Precautions Reduce the Human Error Rate

Most HIPAA email breaches trace back to human error, not technical failure. Sender precautions reduce the error rate.

  • Verify recipient address before sending sensitive content. Address autocomplete errors are common.
  • Encrypt any message carrying PHI regardless of urgency. Time pressure does not create an exception.
  • Do not forward PHI to personal email accounts even for temporary access.
  • Use multi-factor authentication on the work mail account.
  • Follow the practice signature template with the secure fax number for PHI.
  • Report suspected phishing or misdirected messages to the compliance officer within twenty-four hours.

External recipient warnings that trigger on messages to non-domain addresses add another pause before staff send. Microsoft 365 and Google Workspace both support external tags.

Delayed-send windows give staff ninety seconds to recall a wrong-recipient message. Both Microsoft and Google support delayed delivery natively.

Retention Policies Extend Beyond Six Years for Some States

HIPAA sets a six-year federal minimum for retention of records related to compliance activities. Email records related to PHI disclosure fall inside this scope.

Some states impose longer retention. California requires seven years for adult medical records and until age twenty-five for minor records. Texas requires seven years. New York requires six years for adults and six years past age eighteen for minors.

Practices operating across state lines use the longest applicable retention period across all their locations. The alternative is per-state retention configuration that complicates audit response.

Archive systems separate from the active email platform provide the tamper-evident retention that regulators expect. The active mailbox is not a compliant archive.

Related coverage in HIPAA email retention requirements and HIPAA email archiving covers the specifics of building a compliant archive alongside the encrypted email workflow.

๐Ÿ’กPro Tip: Route every patient email through the encryption pipeline

Practices that try to classify each patient message before deciding whether to encrypt build a decision point that fails under time pressure. Staff misclassify, urgent messages skip the pipeline, and audit samples find unencrypted PHI. Set a blanket policy routing every patient-directed email through the encrypted service regardless of content. General newsletters without PHI go through the encrypted channel too. The single-path rule removes the classification burden and eliminates the biggest source of OCR settlement findings.

Breach Notification Timelines and Response

The HIPAA Breach Notification Rule at 45 CFR 164.400-414 covers what practices do after a suspected email breach.

Practices notify affected individuals within sixty days of discovery. Individual notification includes what happened, what information was exposed, what the practice is doing about it, and what the individual should do.

Breaches affecting more than five hundred individuals in a single state trigger media notification and immediate reporting to HHS. Smaller breaches are logged and reported annually.

The incident response plan should cover roles, communication templates, forensic evidence preservation, and legal counsel engagement. Practices without a plan lose the first critical hours reconstructing what happened.

Tabletop exercises quarterly keep the plan current. Practices that draft a plan once and file it typically find gaps when a real incident occurs.

Related HIPAA Email Reading

HIPAA email covers multiple adjacent topics. Practices building the full compliance program benefit from the companion guides below.

The foundational HIPAA compliant email guide covers the encryption, BAA, and workforce training requirements. It is the starting point for practices new to the topic.

Practices building disclaimers and signature templates should review HIPAA email disclaimer guidance. The disclaimer serves as legal notice but does not create compliance.

The HIPAA email rules deep dive covers the specific 45 CFR sections that OCR investigators reference in enforcement actions.

Practices with records retention concerns should review HIPAA email requirements and the retention-specific guides. Records posture affects audit outcome as much as encryption posture.

Where Redefine Web Fits the Practice Compliance Stack

HIPAA email covers the email pipeline. Website contact forms, patient portals, and marketing platforms carry PHI that must reach the same compliance controls.

A contact form on the practice website that emails PHI to a generic Gmail address bypasses every encryption control the practice buys. The submission arrives unencrypted and the audit trail does not exist.

Redefine Web builds HIPAA-aware healthcare websites and integrates the forms with encrypted delivery paths. Details on healthcare website security features cover the surface area that sits alongside encrypted email.

A closed-loop review across website, forms, email, and portal reduces the risk that a PHI leak lands in an unencrypted channel by mistake.

Mailhippo fits practices that want HIPAA-ready encrypted email with the BAA, audit logging, and policy-based encryption controls in one product. The service integrates with existing Gmail or Outlook accounts and covers the practical HIPAA requirements without requiring an enterprise license tier. A structured implementation reinforces the surrounding administrative and physical safeguards rather than substituting for them.

Frequently Asked Questions

Does HIPAA require email encryption? +

HIPAA does not name encryption as a strict requirement. The Security Rule designates encryption as an addressable specification, which means the covered entity implements it or documents a reasonable alternative that achieves equivalent protection. OCR guidance and breach settlements consistently treat unencrypted PHI transmission as a compliance failure. In practice, healthcare organizations encrypt PHI email or restrict PHI to encrypted channels like patient portals. Practices that send unencrypted PHI without documented compensating controls have paid substantial settlements when the practice was investigated.

What are the typical HIPAA email fines? +

HIPAA fines follow a tiered structure. The lowest tier covers unknowing violations with fines from one hundred dollars to fifty thousand dollars per violation. The highest tier covers willful neglect with fines up to sixty-eight thousand dollars per violation, capped at just under two million dollars per calendar year per identical violation. Recent settlements involving email failures range from twenty-five thousand dollars for small practices to several million for larger organizations. Corrective action plans typically accompany the fine and extend for two to three years.

What is required for HIPAA email monitoring? +

HIPAA email monitoring covers access logging, retention, review cadence, and incident response. Baseline logs include sender identity, recipient identity, timestamp, encryption method, delivery status, and recipient access events. Retention runs six years to meet the accounting of disclosures requirement. Best practice reviews logs monthly against expected sending patterns and correlates access events with staff role changes. Automated alerts on unusual volume or off-hours access add early detection. The vendor console is a starting point, not a complete monitoring program.

Are HIPAA email newsletters allowed? +

Practice newsletters that contain general health information, practice announcements, or wellness content to patients who have opted in are generally allowed without encryption because they do not carry PHI. Newsletters that reference specific patient conditions, treatment plans, or personalized recommendations carry PHI and require encryption. Practices should document the classification decision for each newsletter type. Many practices route all patient email through the encrypted pipeline to eliminate the classification burden. Opt-in and unsubscribe controls remain required regardless of encryption.

What HIPAA email precautions should staff follow? +

Staff should follow six precautions. Verify recipient address before sending sensitive content. Encrypt any message carrying PHI, regardless of urgency. Do not forward PHI to personal email accounts. Use multi-factor authentication on the work mail account. Follow the practice signature template with the secure fax number for PHI. Report any suspected phishing or misdirected message to the compliance officer within twenty-four hours. These precautions reinforce the technical encryption controls and reduce the human error rate that drives most breaches.

What is 3 phase HIPAA email conformance? +

The three-phase model breaks HIPAA email conformance into technical, administrative, and physical safeguards. Technical safeguards cover encryption, access control, and audit logging. Administrative safeguards cover workforce training, policies, procedures, and risk assessments. Physical safeguards cover device security, workstation access, and facility controls that prevent unauthorized viewing of email. Practices that address only the technical phase leave the administrative and physical phases exposed. OCR investigations regularly find gaps in the administrative phase because practices assume encryption alone is sufficient.

Is 8x8 HIPAA compliant for email? +

8×8 offers business communication and cloud contact center services with HIPAA-compliant configurations available on eligible plans. Email specifically requires a signed business associate agreement from 8×8, along with proper configuration of retention, access controls, and audit logging. Practices should verify the current BAA availability and covered services with 8×8 sales before deploying for PHI. The same verification applies to any vendor. Marketing claims of HIPAA compliance do not substitute for a signed BAA and documented technical configuration that meets the Security Rule.

Virtru Email Encryption Reviewed with Pricing and Setup Details

virtru email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Virtru adds client-side encryption to Gmail and Outlook via extension in minutes, not weeks.
  • The proprietary TDF format supports revocation and expiration that S/MIME and PGP cannot match.
  • Pricing runs free personal, Pro at about $79 per user yearly, and custom Enterprise with DLP.
  • The Pro tier BAA covers Virtru servers but not the underlying Gmail or Outlook mailbox itself.
  • Reviews praise setup speed and post-send controls; recipient Secure Reader is the top friction.

Virtru email encryption is one of the most widely adopted client-side encryption products in the small and mid-market segment. The service plugs into Gmail and Outlook through a browser extension or add-in and encrypts messages on the sender’s device before they leave the mail client.

This guide covers how virtru email encryption works, what it costs, and where it fits. Sections address pricing tiers, HIPAA coverage, the proprietary Trusted Data Format, review sentiment, and honest deployment trade-offs.

The material is aimed at IT decision makers evaluating Virtru against alternatives. Every section reflects Virtru documentation, published pricing on the Virtru site, and aggregated review sentiment from Gartner Peer Insights, G2, and TrustRadius.

How Virtru Email Encryption Works

Virtru installs as a browser extension for Gmail and as an add-in for Outlook. Once installed, the compose window in either application displays a Virtru toggle above the message body.

Enabling the toggle before Send encrypts the outbound message using Virtru’s Trusted Data Format. The message body and attachments are wrapped in a TDF container that includes policy metadata and references to encryption keys held on Virtru servers.

The recipient receives an email with a Secure Reader link. Clicking the link opens the Virtru Secure Reader in a browser and displays the decrypted content. First-time recipients complete a short verification flow. Returning recipients read directly.

The sender can also enable post-send controls at the time of encryption: message expiration, disable forwarding, disable printing, watermarking, and read receipt visibility. Those controls are enforced by the Secure Reader when the recipient opens the message.

Virtru Email Encryption Pricing Tiers

Virtru publishes three pricing tiers on its site. The tiers scale from free personal use to enterprise deployments with custom pricing.

The free personal tier supports encrypted send and receive on personal Gmail accounts. Basic post-send controls are included. The tier does not include a BAA and is not suitable for HIPAA-covered content.

  • Free tier: personal Gmail encryption, basic controls, no BAA
  • Pro tier: approximately $79 per user annually, BAA included, full post-send controls
  • Enterprise tier: custom pricing, adds DLP, key management options, advanced integrations
  • Volume discounts: apply above ~100 seats on the Enterprise tier

The Pro tier at $79 per user per year sits above the Zixcorp base tier ($30 to $50) and roughly comparable to portal-based products such as Barracuda Email Gateway Defense at the small business scale. Enterprise negotiations often move on volume and add-on scope.

virtru email encryption in article illustration one

Downloading and Installing Virtru

Installation is one of the shorter paths in encrypted email deployment. The Virtru extension for Chrome installs from the Chrome Web Store in under a minute. Firefox and Edge extensions install through their respective add-on stores.

The Outlook add-in installs through Microsoft AppSource for Outlook 2016 and later, Outlook for Mac, and Outlook on the web. Enterprise administrators can deploy the add-in centrally through the Microsoft 365 admin center for all users at once.

After installation, the user signs in to Virtru with their existing Gmail or Microsoft 365 credentials through OAuth. That step links the mail account to the Virtru service. No new mailbox or address is created.

Total time from installation to sending the first encrypted message is typically under five minutes. That contrasts with the 30 to 90 day tuning cycle common for gateway policy products such as Zixcorp or Proofpoint.

The Trusted Data Format and Its Trade-Offs

Trusted Data Format (TDF) is Virtru’s proprietary encryption container. It wraps content in a package that includes both the ciphertext and policy metadata such as expiration dates, forwarding restrictions, and watermark instructions.

The design gives senders post-send controls that neither S/MIME nor PGP provide. A sender can revoke access to a message after delivery, change the expiration date, or add a watermark. Those features rely on the Secure Reader enforcing the policy at open time.

The trade-off is interoperability. TDF is not an open standard supported by native mail clients. Recipients read TDF messages through the Virtru Secure Reader, not through Outlook’s or Apple Mail’s S/MIME support. That dependency ties recipient access to Virtru infrastructure remaining operational.

Organizations that need standards-based encryption for interoperability with S/MIME or PGP users need a different tool. Our guide to S/MIME email encryption signature covers the standard-based approach.

Example

A boutique law firm with eight attorneys picks Virtru Pro at $79 per user annually for client communication involving privileged material. Setup finishes in under an hour on a Tuesday morning. Within two weeks, attorneys use post-send revocation four times to pull back messages sent to wrong recipients from autocomplete errors. Clients on Gmail open messages through the Secure Reader with a verification code on first read. The firm accepts the modest recipient friction because revocation and expiration controls justify the pricing above simpler portal options.

Virtru Email Encryption and HIPAA

Healthcare practices use Virtru on the Pro and Enterprise tiers to send HIPAA-covered PHI through Gmail or Outlook. The BAA covers Virtru’s services under HIPAA’s business associate rules.

The BAA scope includes Virtru servers, the Secure Reader portal, and the TDF encryption process. Practices should confirm the signed BAA is in force before routing PHI. HHS publishes sample provisions at the HHS BAA reference page.

The Virtru BAA does not extend to the underlying Gmail or Outlook mailbox. For full HIPAA coverage across the mail path, the practice needs Google Workspace on a BAA-eligible plan or Microsoft 365 on a business plan with a BAA. Free consumer Gmail does not qualify. Our companion piece on HIPAA compliant email Gmail covers the Workspace plan requirements.

Practices building broader HIPAA compliance often pair encrypted email with hardening on the web side. Our team at Redefine Web has published guidance on healthcare website security features.

virtru email encryption in article illustration two

Virtru Review Notes from Peer Sources

Aggregated reviews from Gartner Peer Insights, G2, and TrustRadius cluster around consistent themes. Positive scores focus on ease of setup, Gmail and Outlook integration quality, and the post-send controls.

The setup speed is a common highlight. Reviewers frequently note that a small practice can be sending encrypted email within an hour of purchasing. That contrasts with 30 to 90 day gateway deployments and drives adoption in the small business segment.

Negative scores focus on the proprietary TDF model, the recipient Secure Reader experience (which has improved but historically drew complaints), and pricing above budget-conscious small practices. Reviewers also occasionally cite the OAuth reauthentication cycle in Gmail as a friction point after Google credential rotation events.

Deliverability and the sender experience rarely draw complaints. The integration into the existing mail client keeps sender workflow essentially unchanged. That is a real strength compared to portal-based products where the sender must remember to route sensitive mail through a separate compose interface.

Post-Send Controls in Virtru

Post-send controls are one of the strongest Virtru differentiators. The sender can enforce policy on a message after it has already left the outbox by adjusting metadata stored on Virtru servers.

Message expiration lets the sender set a date after which the Secure Reader refuses to display the content. Useful for time-limited offers, contract negotiations, and clinical results with a documented review window.

Revocation lets the sender cut off access to a specific message even before expiration. Useful when a message was sent to the wrong recipient or when a situation changes after send.

Disable forwarding, disable printing, and watermarking add friction against internal or accidental redistribution. None of these controls are cryptographically enforceable in the strict sense, since a determined recipient can screenshot or transcribe. They act as policy signals and legal deterrents rather than technical guarantees.

๐Ÿ’กPro Tip: Verify post-send controls fit your actual workflow

Virtru's revocation, expiration, and disable-forwarding controls are its strongest differentiator. Before signing, list the last twenty sensitive messages the team sent and ask whether any of them would have benefited from those controls. A workflow of routine patient reminders rarely uses revocation. A workflow of contract negotiations, clinical results with review windows, or attorney-client documents uses them weekly. Match the tier to actual usage patterns, not to the theoretical value of features that sit unused.

The Recipient Experience with Virtru

Recipients of Virtru-encrypted messages receive a normal-looking email with a Secure Reader link. Clicking the link opens the Secure Reader in a browser tab and displays the decrypted content.

First-time recipients complete a short verification flow. Virtru typically sends a verification code to the recipient’s email address to confirm identity. That step reduces phishing risk but adds a small friction to the first read.

Returning recipients read directly through the Secure Reader with a shorter session flow. Recipients who receive frequent messages from the same sender often find the Secure Reader workflow acceptable. Recipients who receive occasional messages find the extra click and verification step noticeable.

For senders whose recipients want no portal or Secure Reader step at all, inbox-native services such as Mailhippo deliver decrypted content directly to the recipient’s regular inbox with a one-click experience.

Virtru Compared to Alternatives

Virtru competes with three categories of alternatives: gateway policy products (Zixcorp, Barracuda, Proofpoint), Microsoft-native encryption (Purview Message Encryption), and inbox-native services.

Against gateway policy products, Virtru wins on setup speed and loses on policy-based enforcement. A Virtru sender must remember to enable the toggle. A Zixcorp gateway scans every outbound message automatically. For high-volume regulated senders, that enforcement gap matters.

Against Microsoft Purview Message Encryption, Virtru offers more granular post-send controls and works with both Google Workspace and Microsoft 365. Purview is bundled with M365 E3 and E5 and works transparently between M365 tenants without additional cost for licensed users. Purview documentation lives at learn.microsoft.com purview ome.

Against inbox-native services, Virtru offers more post-send controls and a longer feature list. Inbox-native services offer a smoother recipient experience and often a lower price point. Our companion piece on email encryption service covers the category comparison.

When Virtru Fits and When It Does Not

Virtru fits small to mid-size teams that use Gmail or Outlook, need HIPAA-compliant email quickly, and value post-send controls such as revocation and expiration. Legal firms, healthcare practices, and financial advisors are common Virtru customers.

Virtru does not fit large enterprises with heavy regulated content flow that need policy-based automatic enforcement across thousands of users. The user-triggered toggle model depends on the sender remembering to encrypt, which introduces enforcement gaps at scale.

Virtru also fits less well for organizations that need cryptographic zero-knowledge encryption with recipient-held keys. TDF holds encryption keys on Virtru servers, so Virtru servers can decrypt if compelled by legal process. Organizations with true zero-knowledge requirements need S/MIME or PGP.

For a broader view, our companion articles on secure email encryption service and email encryption cover the category landscape and help match tool to workflow.

Frequently Asked Questions

What does Virtru email encryption cost? +

Virtru offers a free personal tier for individual users. The Pro tier for business users is priced around $79 per user annually and includes the BAA for HIPAA coverage. The Enterprise tier is custom-priced and adds data loss prevention, key management options, and integration features. Volume discounts apply at higher seat counts. Small practices under 10 seats pay approximately full list. Enterprises above 500 seats typically negotiate below list. Confirm current pricing on the Virtru site because published rates are updated periodically.

Is Virtru email encryption free for personal use? +

Yes. Virtru offers a free tier for personal Gmail users that supports encrypted send and receive with basic controls. The free tier does not include a BAA and is not suitable for HIPAA-covered PHI. It also lacks the DLP integrations and advanced management features of the Pro and Enterprise tiers. The free tier works well as an evaluation environment or for individual privacy-focused users who want client-side encryption on a personal Gmail account without paying for a business plan.

How does Virtru email encryption work in Gmail and Outlook? +

Virtru installs as a browser extension for Gmail (Chrome, Firefox, Edge) and as an Outlook add-in for Outlook desktop and Outlook web. Once installed, the compose window shows a Virtru toggle. Enabling the toggle encrypts the outbound message using Virtru’s Trusted Data Format. The recipient receives a normal-looking email with a Secure Reader link that opens the decrypted content in a browser. The sender can also enable post-send controls such as expiration, disable forwarding, and watermarking through the same interface.

What is the Virtru Trusted Data Format? +

Trusted Data Format (TDF) is Virtru’s proprietary encryption container. It wraps message content and attachments in a package that includes policy metadata and references to encryption keys held by Virtru servers. TDF supports features that S/MIME and PGP do not, such as post-send revocation, expiration, disable forwarding, and watermarking. The trade-off is that TDF is not an interoperable open standard. Recipients read TDF-wrapped content through Virtru’s Secure Reader rather than through their normal mail client’s native encryption support.

Does Virtru email encryption include a BAA for HIPAA? +

The Pro and Enterprise tiers include a Business Associate Agreement covering Virtru’s services under HIPAA. The free personal tier does not include a BAA and is not suitable for PHI. The BAA covers the Virtru servers, the Secure Reader portal, and the TDF encryption process. Healthcare organizations should confirm the signed BAA is in force before routing PHI. The BAA does not extend to the underlying Gmail or Outlook account, so the mail platform must also be on a BAA-eligible plan for full path coverage.

How does Virtru compare to Zixcorp email encryption? +

Virtru and Zixcorp target different segments. Virtru fits small to mid-size teams that want quick setup on existing Gmail or Outlook accounts. Zixcorp fits enterprises with heavy regulated content flow, mature IT teams, and a need for policy-based enforcement across large user populations. Pricing overlaps in the middle. Virtru at $79 per user is competitive with the Zix base tier at $30 to $50 per user, though Zix drops with volume. Our companion piece on Zixcorp email encryption covers Zix in detail.

Can Virtru email encryption prevent phishing? +

Virtru is an outbound encryption product. It does not scan inbound mail for phishing. Preventing phishing requires a separate inbound email security product such as those offered by Microsoft Defender for Office 365, Google Workspace advanced security, Barracuda Email Gateway Defense, or a dedicated anti-phishing service. Virtru complements those products by protecting outbound content but does not replace them. Practices should treat encryption and phishing defense as separate categories of protection and evaluate each independently.

Are Emails Encrypted by Default in 2026

are emails encrypted guide featured image

๐Ÿ”‘ Key Takeaways

  • About 95% of Gmail traffic runs on TLS, but any relay refusing the handshake drops to plain SMTP.
  • Encryption at rest guards disks, not access; a court order or hijacked account still reads inboxes.
  • Internal 365 mail stays inside Microsoft’s network and never touches the public internet.
  • True end-to-end mail needs S/MIME, PGP, or a portal service like Purview or Mailhippo.
  • HIPAA won’t accept TLS alone for PHI; regulators expect message-level encryption on external sends.

Most email today rides on some form of encryption. The question is which kind, at what stage, and whether it survives long enough to matter.

Ask are emails encrypted and the honest answer is a qualified yes. Transport encryption covers the connection between mail servers when both sides support it. Message-level encryption, the kind used for encrypted email delivery, protects the content from the sender’s device to the recipient’s inbox.

The gap between those two matters for anyone sending regulated data. This guide walks through where each layer applies, which providers use which methods, and what changes when HIPAA or a business associate agreement enters the picture.

TLS in transit is the default, not end-to-end protection

TLS, or Transport Layer Security, is the standard method for encrypting the link between two mail servers. When a sending server hands a message to a receiving server, both sides negotiate a TLS session and the traffic across that hop is encrypted.

Google reports that around 95 percent of Gmail traffic uses TLS on outbound and inbound. Microsoft 365 numbers are similar. The 5 percent gap is real, and it usually reflects small receiving servers that do not support modern TLS versions.

TLS does not encrypt the message body itself. It encrypts the connection. Once the receiving server accepts the message, it stores the content in whatever form its policies dictate.

Opportunistic TLS also falls back to plain SMTP if the handshake fails. MTA-STS and DANE are the two standards that force a receiving server to require TLS, and they close that downgrade path. Most large providers publish MTA-STS records now, but many smaller domains do not.

Gmail encrypts in transit and at rest, but not end to end

Are all Gmail emails encrypted? In transit, almost all of them are, when the receiving provider supports TLS. Google publishes real-time transparency numbers on this at their Safer Email Transparency Report.

At rest, Gmail stores every message with server-side encryption using keys Google manages. That protects the mailbox from disk theft or unauthorized physical access to Google data centers.

End-to-end encryption is a different layer. Gmail supports S/MIME on Google Workspace Enterprise Plus and Education Plus, which encrypts the message body before it leaves the sender’s device. Personal Gmail accounts do not include native S/MIME.

For consumer-grade Gmail users who need to send an encrypted message once in a while, the practical options are Confidential Mode, which sets an expiration and a passcode but does not encrypt the body, or a browser extension that layers PGP over the compose window.

are emails encrypted in article illustration one

Microsoft 365 encryption depends on the license tier

Are Microsoft emails encrypted? Internal messages between two users on the same Microsoft 365 tenant stay on Microsoft’s network and are encrypted the entire way. External messages use opportunistic TLS.

Purview Message Encryption, which was previously called Office 365 Message Encryption, is Microsoft’s message-level product. It encrypts the body and attachments and delivers external recipients a portal link. Recipients sign in with a Microsoft or Google account, or with a one-time passcode.

Purview requires Business Premium, Microsoft 365 E3, or higher. Business Basic and Business Standard do not include it. Practices on lower tiers either need to upgrade the entire tenant or send outbound clinical mail through a dedicated encrypted service.

Azure Rights Management sits behind Purview and handles the actual key management. If a tenant has never activated Azure Rights Management, the Encrypt button in the Outlook ribbon does not appear even on the correct license.

Internal Office 365 traffic never leaves Microsoft infrastructure

Are internal Office 365 emails encrypted? Yes, at every layer. Internal email between two users on the same tenant traverses Microsoft’s private network and never touches the public internet.

The traffic between Exchange Online servers is TLS-protected. The mailboxes themselves are encrypted at rest with BitLocker at the storage level and additional service-level encryption in the message database.

Cross-tenant email is a different case. A message from one Microsoft 365 tenant to another still uses Microsoft infrastructure end to end, but it is treated as external and subject to standard transport encryption rules.

Administrators can enforce Modern Authentication, disable legacy protocols like POP and IMAP, and turn on Customer Key to hold their own encryption keys. Those steps harden the tenant but do not change the underlying encryption layers already in place.

Example

A cardiology group assumed their Google Workspace Business Starter setup encrypted patient lab results because Gmail showed the padlock icon on outbound messages. During a HIPAA risk assessment, the security consultant tested by sending a message to a legacy mail server at a rural referring clinic that did not support TLS. The delivery downgraded to plain SMTP silently. The group enforced MTA-STS on their domain, added Mailhippo for external PHI sends at $4.95 per user per month, and closed the finding within one week.

DocuSign notifications are not encrypted documents

Are DocuSign emails encrypted? The notification email itself is an ordinary message sent over TLS. It contains a link, a sender name, and a subject line, and none of that content is encrypted end to end.

The signed document lives inside the DocuSign platform, not in the email. When the signer clicks the link, they authenticate to DocuSign and view the document over HTTPS. The document itself is protected by DocuSign’s platform encryption and access controls.

The gap this creates is that anyone with mailbox access to the recipient can click the link and, if additional authentication is not enforced, sign the document. DocuSign offers signer authentication options like SMS codes, knowledge-based questions, and ID verification. Those are separate from the email.

Providers like Adobe Sign, Dropbox Sign, and PandaDoc all follow the same pattern. The document is protected in the platform, and the notification is a routine email.

Are emails automatically encrypted or does the sender configure it

Are emails automatically encrypted? Transport encryption is automatic when both servers support it. Message-level encryption is not automatic on any consumer email service.

The sender has to take an action. On Outlook 365, that action is clicking the Encrypt button on the message ribbon. On Gmail Enterprise, S/MIME messages are marked automatically if certificates are installed on both sides.

Some services automate the encryption trigger based on content. Data loss prevention rules can inspect outbound mail for patterns like credit card numbers, Social Security numbers, or clinical terms, then apply encryption when a rule matches.

For healthcare senders who need every message with protected health information to be encrypted without depending on user behavior, the practical approach is a gateway service that encrypts by default. Mailhippo works this way, applying encryption to every outbound message from the connected account rather than relying on a user to remember the correct button.

are emails encrypted in article illustration two

End-to-end encryption requires S/MIME, PGP, or a portal service

Three technologies deliver true end-to-end email encryption today: S/MIME, PGP, and portal-based services. Each protects the message body from the sender’s device to the recipient’s inbox or portal.

S/MIME uses X.509 certificates issued by a certificate authority. Each user has a personal certificate, and the sender needs the recipient’s public key to encrypt a message to them. Certificate management is the hardest part of running S/MIME at scale.

PGP uses a similar public-private key pair model but operates through a web of trust rather than a central authority. It is common in developer and privacy-focused circles but rare in mainstream business email.

Portal services like Purview Message Encryption and Mailhippo skip the certificate problem by delivering messages through a browser-based portal. The recipient does not need to manage keys, and the sender only needs an account.

HIPAA requires encryption when it is reasonable and appropriate

The HIPAA Security Rule lists encryption as an addressable specification for transmitting electronic protected health information. Addressable means the covered entity must implement it if it is reasonable and appropriate, or document why it is not.

In practice, HHS treats email encryption as the default expectation for any transmission of PHI outside a covered entity’s internal network. The 2013 Omnibus Rule reinforced that position by tying breach notification safe harbor to encryption of the data involved.

The HHS guidance on the Security Rule and NIST Special Publication 800-52 Rev. 2 both point to TLS 1.2 or higher for transport and AES-128 or AES-256 for content encryption. Meeting those baselines matters more than the specific product chosen.

Practices that route external clinical email through a service with a signed business associate agreement satisfy the encryption requirement and the vendor accountability requirement at the same time. Emails that carry hipaa phishing emails patterns still need employee training on top of encryption.

๐Ÿ’กPro Tip: Enforce MTA-STS to block silent TLS downgrades

Opportunistic TLS falls back to plain SMTP whenever the receiving server refuses the handshake, and the sender never sees a warning. Publish an MTA-STS policy on your domain so receiving servers know to require TLS on inbound. Configure enforced TLS on outbound to any recipient domain that regularly gets PHI. If TLS negotiation fails, the message queues instead of shipping in plaintext. This one change removes the most common HIPAA transport gap.

Free and consumer options do not include a BAA

ProtonMail sends encrypted messages to other ProtonMail users automatically. Messages to outside recipients go through a password-protected portal that the recipient opens in a browser.

Outlook.com supports Microsoft’s free encryption for consumer accounts through the same Purview infrastructure used by business tenants. The recipient experience is identical to the paid version.

Free S/MIME certificates are available from providers like Actalis for personal use. Setting them up requires installing the certificate in the operating system’s certificate store and pairing it with each mail client.

None of the free options include a business associate agreement. For a healthcare practice, that rules them out for anything involving protected health information. If a topic covers are there free tools for encrypting emails, the compliance angle is where free services fall short. Compliance requires a paid service that will sign a BAA and accept vendor liability.

Steps to confirm your email is being encrypted correctly

Gmail shows a small padlock next to the sender address on received mail. A closed padlock means TLS was used on the last hop, an open one means it was available but not enforced, and no padlock means the message arrived over plain SMTP.

Outlook shows a shield icon on S/MIME-signed or encrypted messages. A green check inside the shield means the signature validated. A red X or a missing shield means the message was not S/MIME protected.

Portal messages arrive as a link rather than an inline body. Recipients who see a Read the message button and a sender-branded landing page are receiving a message-level encrypted message.

For senders who want to confirm their outbound TLS posture, tools like the NIST SP 800-52 Rev. 2 guidelines outline the correct cipher and version baseline, and free tests like CheckTLS or the Google Postmaster Tools show the negotiated TLS status per destination domain.

What to configure for a healthcare or compliance-heavy practice

Start with a written policy that defines what qualifies as protected health information and which outbound messages need encryption. Staff cannot apply a rule they do not know exists.

Configure MTA-STS and DANE on the practice domain to prevent TLS downgrade attacks on outbound mail. Publish DMARC at reject or quarantine to stop spoofed messages from reaching patients.

Choose one encryption path and stick with it. Options include Microsoft 365 Business Premium plus Purview, Google Workspace Enterprise plus S/MIME, or a gateway service like Mailhippo that layers encryption over the existing Gmail or Outlook account without a license upgrade.

Practices that want a broader marketing and website foundation to match the security posture often work with a specialist agency. Firms that focus on healthcare marketing services understand how encryption, patient acquisition, and HIPAA-safe intake forms fit together, and how a compliant healthcare website security setup supports the practice’s digital communications.

  • Verify TLS 1.2 or higher on outbound and inbound mail flow.
  • Enable MTA-STS and DANE on the practice domain.
  • Enforce Modern Authentication and disable legacy IMAP and POP.
  • Route external PHI-bearing mail through an encrypted service with a signed BAA.
  • Train clinical and administrative staff on when encryption is required.

Answering the core question, are emails encrypted, comes down to which layer and which sender. Transport encryption is close to universal between major providers. Message-level protection is the sender’s responsibility, and it is what compliance rules actually require.

Frequently Asked Questions

Are Gmail emails encrypted end to end? +

No. Gmail encrypts messages in transit using TLS whenever the receiving server supports it, and it encrypts stored messages at rest on Google’s servers. Neither method prevents Google from reading the content, and neither protects the message once it lands in a mailbox on a provider that does not enforce TLS. For true end-to-end encryption inside Gmail, the sender needs S/MIME through Google Workspace Enterprise or an external tool that encrypts the body before the message reaches Google.

Are Microsoft 365 emails encrypted? +

Internal messages between users on the same Microsoft 365 tenant stay on Microsoft servers and are encrypted the entire way. External messages use TLS when the receiving server supports it. Microsoft 365 also offers Purview Message Encryption on Business Premium and higher, which applies message-level encryption and delivers external recipients a portal link. Encryption at rest is enabled by default on all Microsoft 365 mailboxes, but that only protects stored data on disk.

Are internal Office 365 emails encrypted? +

Yes. Internal email between two users on the same Microsoft 365 tenant never leaves Microsoft’s infrastructure, and the traffic is encrypted across every internal link. The mailbox contents are also encrypted at rest with Microsoft-managed keys. That protects the message from external interception, but it does not stop a compromised account or an administrator with the correct role from reading the content. Internal encryption is not the same as end-to-end encryption.

Are DocuSign emails encrypted? +

The notification emails DocuSign sends are ordinary messages over TLS, and they contain a link rather than the document itself. The signed document lives on DocuSign’s servers, protected by DocuSign’s platform encryption and access controls. When a signer clicks the link, they authenticate to the DocuSign platform and view the document over HTTPS. The email notification is not encrypted end to end, and anyone with mailbox access can click the link.

How can I tell if an email I received was encrypted? +

Gmail shows a small padlock icon next to the sender address that indicates the transport encryption status between servers. A green padlock means TLS was used, a gray one means TLS was available but not enforced, and a red one means no encryption at all. Outlook displays a similar shield icon for S/MIME-signed or encrypted messages. Portal-based services deliver a link rather than an inline message, which itself is a sign the sender used message-level encryption.

Is there a free way to send an encrypted email? +

Free options exist but each carries a trade-off. ProtonMail sends encrypted messages to other ProtonMail users automatically, and to outside recipients through a password-protected portal. Outlook.com supports Microsoft’s free encryption for consumer accounts. Some sender-side tools also offer free S/MIME certificates from providers like Actalis. Free tiers do not include a business associate agreement, which rules them out for healthcare use. Compliance-grade sending requires a paid service with a signed BAA.

Does encryption protect an email from being read once it arrives? +

No. Once the recipient decrypts and opens the message, the content sits in their mailbox as readable text. Anyone with access to that mailbox, including a shared inbox user, an assistant with delegated access, or a malicious actor with stolen credentials, can read the content. Encryption protects the message during transmission and, in some cases, during storage. It does not protect against account takeover, screen capture, or forwarding by the recipient after decryption.

Email Encryption Explained (Methods, Standards, and Costs)

email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • TLS transport runs server to server. Content encryption via S/MIME, PGP, or portal locks the body.
  • S/MIME wins in enterprise Outlook and Apple Mail but small practices abandon key exchange in months.
  • Hosted encryption from Purview, Confidential Mode, or vendor gateways skips certs but adds friction.
  • HIPAA needs a signed BAA, audit logs, workforce training, and policy above any working algorithm.
  • A ten-seat practice pays about $1,200 a year on a gateway vs $3,600 on Workspace Enterprise Plus.

Email encryption sounds like one feature. It is actually a stack of choices about transport, content, keys, licensing, and recipient experience. Getting the stack wrong leaves gaps that compliance auditors find.

This guide covers email encryption methods, the standards that back them, the platforms that implement each one, and the price ranges buyers see. For HIPAA senders who want to skip the license tier upgrade, a dedicated secure email service often removes the portal step and includes a BAA in the base plan.

Read the sections in order. Each layer builds on the one before it.

Transport and Content Encryption Are Different Layers

Two encryption layers cover email. Buyers often confuse them, which leads to gaps.

Transport encryption uses TLS between mail servers. When Gmail sends to Outlook, both servers negotiate TLS 1.2 or 1.3 and the message travels encrypted. Neither user takes any action.

Content encryption protects the message body and attachments themselves. S/MIME, PGP, and hosted portal encryption all fit here. The message remains encrypted at rest in the recipient mailbox until decrypted with a key or portal credential.

TLS alone leaves messages readable at the recipient provider, in server logs, and in backup snapshots. HIPAA and PCI treat that exposure as non-compliant for regulated content. Content encryption fixes it.

Every serious encryption deployment uses both layers together.

email encryption in article illustration one

S/MIME Is the Enterprise Standard for Content Encryption

S/MIME encrypts message bodies using X.509 certificates issued by a certificate authority. It is the default choice for organizations with dedicated IT.

Outlook, Apple Mail, and Google Workspace Enterprise Plus all support S/MIME natively. No plugin required. The mail client handles encryption and decryption behind the compose window.

Setup requires purchasing a personal certificate from a public CA like DigiCert, Sectigo, or GlobalSign, installing it in the local certificate store, and exchanging signed messages with each recipient to share public keys.

Certificates typically expire after twelve months. Renewal happens through the CA portal. Expired certificates block new encrypted sends until reissued.

Related guide: S/MIME email encryption covers the certificate model in detail.

OpenPGP Serves Technical and Journalism Communities

OpenPGP is the alternative content encryption standard. It uses locally generated key pairs instead of CA-issued certificates.

Users install GPG Suite on macOS, Gpg4win on Windows, or Mailvelope in the browser. The tool generates a key pair with a passphrase. The user shares the public key with recipients through a keyserver or direct email.

Trust builds through key signing rather than a central authority. Security researchers, journalists, and open source maintainers use PGP heavily because it does not depend on any CA infrastructure.

Business adoption of PGP stays limited. Recipients cannot install extensions on locked-down corporate systems. Healthcare and financial senders skip PGP for that reason.

The technical strength of PGP is not the barrier. The recipient-side friction is.

Example

A ten-person orthopedic practice compares annual encryption costs. Microsoft 365 Business Premium at $22 per seat totals $2,640 per year and includes Purview Message Encryption plus a BAA. Google Workspace Enterprise Plus at $30 per seat totals $3,600 and adds hosted S/MIME. A dedicated gateway service at $10 per seat totals $1,200 with the BAA included in the base plan, sitting on top of the existing Business Standard Google plan. The practice picks the gateway to avoid the tier upgrade cost.

Hosted Encryption Services Handle the Recipient Portal

Hosted encryption trades certificate management for a portal step at the recipient end. Microsoft Purview Message Encryption, Google Workspace Confidential Mode, and many third-party vendors follow this pattern.

The sender clicks Encrypt in the mail client. The service routes the message body to its own storage and sends the recipient a notification email with a link. The recipient signs in with an existing account or enters a one-time passcode to read the message.

Vendor gateways from Fortinet, Cisco, Trustifi, Datamotion, and others all follow the same portal pattern with different admin interfaces and reporting.

The recipient friction depends on the vendor. Some services allow one-click reading through a signed URL. Others require full account creation. Test each with a real recipient before committing.

Related guide: email encryption service compares vendor options in depth.

email encryption in article illustration two

Encryption Techniques and Algorithms in Use Today

The math behind email encryption uses proven algorithms defined in published standards.

  • AES-256 handles symmetric encryption of the message body itself. It appears in every current standard.
  • RSA-2048 or elliptic curve algorithms handle the key exchange that carries the symmetric key to the recipient.
  • SHA-256 or SHA-384 handles integrity hashing so recipients can detect tampering.
  • TLS 1.2 with strong cipher suites, or TLS 1.3 without weak fallback, handles transport between servers.
  • Message authentication codes bind sender identity to the message so recipients can verify origin.

Buyers rarely choose algorithms directly. Every modern platform defaults to combinations aligned with NIST guidance. See the NIST cryptographic guidance publications for the current recommended parameters.

Platform-by-Platform Encryption Options

Each mail platform ships different encryption features at different price tiers.

Microsoft 365 Business Premium and higher include Purview Message Encryption behind the Encrypt button. Business Basic and Business Standard do not.

Google Workspace Enterprise Plus and Education Plus include hosted S/MIME. Business Standard and Business Plus include Confidential Mode but not hosted S/MIME.

Apple Mail supports S/MIME natively on macOS and iOS provided the user installs a certificate through Keychain or MDM configuration profile.

Yahoo, AOL, and older ISP webmail platforms do not offer S/MIME or hosted encryption. Users on those platforms rely on TLS transport plus optional PGP through browser extensions.

Match the plan tier to the required feature before rolling out an encryption program.

๐Ÿ’กPro Tip: Layer content encryption on top of TLS, never in place of it

TLS transport is the required baseline that most modern providers negotiate automatically between mail servers. Buyers who focus only on TLS leave content readable at the recipient mail provider, in server logs, and in backup snapshots. HIPAA and PCI treat that exposure as non-compliant for regulated content. Deploy S/MIME or a hosted portal service on top of TLS so the body stays encrypted end to end. NIST cryptographic guidance treats layered encryption as the required baseline for regulated data.

HIPAA Compliance Requires More Than Encryption

Encryption satisfies one HIPAA Security Rule addressable specification. Full compliance requires several additional safeguards.

The covered entity signs a business associate agreement with the email provider. Microsoft and Google both offer BAAs on eligible plans. The HHS Security Rule guidance lists every safeguard.

Administrative safeguards include workforce training on PHI handling, sanction policies for violations, and periodic risk assessments. Physical safeguards include facility access controls on the workstations that send email.

Technical safeguards beyond encryption include unique user identification, automatic logoff on idle sessions, and audit controls that record message access.

Practices that clip on encryption software without addressing the surrounding safeguards are not compliant. Encryption is one piece of a larger program.

Cost Comparison Across Encryption Approaches

Price often decides the buying question more than features. A ten-person practice compares real annual numbers.

Approach Per user per month Annual cost (10 users)
Microsoft 365 Business Premium (Purview) 22 USD 2,640 USD
Google Workspace Enterprise Plus (hosted S/MIME) 30 USD 3,600 USD
Public CA S/MIME certificates (annual) 2 to 5 USD (amortized) 240 to 600 USD plus mail plan
Dedicated encrypted email service with BAA 5 to 15 USD 600 to 1,800 USD

Numbers exclude staff training, audit review time, and the recipient-side support calls that portal-based encryption generates. Practices measuring hidden costs often find dedicated services cheaper end to end.

How to Choose the Right Encryption Approach

The decision comes down to three questions about the sending organization.

First, does the organization already run Microsoft 365 Business Premium or Google Workspace Enterprise Plus? If yes, native S/MIME or Purview cover the encryption need with no additional software.

Second, does the recipient list change frequently, as with a healthcare practice adding new patients weekly? If yes, hosted encryption or a dedicated service avoids the S/MIME public-key exchange step.

Third, is the recipient experience business-critical? If patients or referring physicians will abandon messages that require a portal sign-in, a dedicated service like Mailhippo delivers encrypted email that opens in one click without a portal.

Practices running healthcare marketing sites pair encrypted email with a compliant patient-facing web presence. See healthcare website security features for the site-side controls.

Related guides: email encryption software, secure email encryption service, and encryption for email techniques.

Frequently Asked Questions

What does email encryption actually do? +

Email encryption transforms the message body and attachments into unreadable ciphertext during transit and, depending on the method, at rest inside the recipient mailbox. Only the intended recipient with the matching key or credentials can convert the ciphertext back to readable content. Encryption protects against interception on public networks, unauthorized access at intermediate mail servers, and exposure inside a compromised recipient inbox. It does not protect against phishing, malware on endpoint devices, or attacks against the sender or recipient authentication.

What are the main email encryption standards? +

The two dominant end-to-end standards are S/MIME and OpenPGP. S/MIME uses X.509 certificates issued by trusted certificate authorities and works natively in Outlook, Apple Mail, and Google Workspace Enterprise Plus. OpenPGP uses key pairs generated locally without a central authority and works through client extensions like GPG Suite, Gpg4win, and Mailvelope. TLS 1.2 or 1.3 handles transport encryption between mail servers under RFC 8446. Most business encryption stacks combine TLS with S/MIME or a hosted portal service.

Is email encryption required by HIPAA? +

HIPAA does not name encryption as a strict requirement. The Security Rule designates encryption as an addressable specification, which means the covered entity must implement it or document a reasonable alternative that achieves equivalent protection. OCR guidance and breach settlements consistently treat unencrypted PHI transmission as a compliance failure. In practice, healthcare organizations encrypt PHI email or restrict PHI to encrypted channels like patient portals. Unencrypted email carrying PHI is one of the most common findings in OCR breach investigations.

What is the difference between email encryption software and a service? +

Encryption software installs on the mail client or gateway and handles the cryptographic operations locally. Examples include Gpg4win, GPG Suite, and enterprise gateway appliances from Fortinet or Cisco. An encryption service runs in the cloud and integrates with existing Gmail or Outlook accounts through connectors, SMTP relay, or add-ons. Services handle key management, portal delivery, and BAA administration on behalf of the customer. Small and mid-sized organizations favor services for the reduced operational load.

Can email encryption be bypassed? +

Yes, under specific conditions. If an attacker compromises the sender or recipient device, they can capture plaintext before encryption or after decryption. Phishing attacks that steal mail credentials bypass encryption by giving the attacker legitimate access to the inbox. Weak recipient portal passcodes can be guessed or intercepted through SIM-swap attacks. Encryption defends against interception in transit and provider-side access, but a full security posture also requires multi-factor authentication, endpoint protection, phishing training, and incident response procedures.

How do I know if my email was actually encrypted? +

In Outlook, an encrypted sent message shows a padlock icon in the message header inside the Sent Items folder, and the message properties confirm Rights Management protection. In Gmail with S/MIME, the compose window displays a green padlock next to the recipient before sending. In Confidential Mode, the sent message header shows the expiration date and access restrictions. Recipient-side confirmation appears as either a padlock icon in the received message or a portal link that requires sign-in.

Does email encryption slow down message delivery? +

End-to-end encryption adds negligible time to message delivery. S/MIME processing takes milliseconds on modern devices. TLS handshakes add a few hundred milliseconds during the server-to-server connection setup. Portal-based encryption slows recipient access, since the recipient must click a link and sign in before reading. That step adds seconds to minutes depending on network speed and authentication method. Sender workflow speed is essentially unaffected on any modern platform.

S/MIME Email Encryption Explained for Business and Healthcare

s mime email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • S/MIME uses X.509 certs from a trusted CA. Both sides must exchange public keys before a first send.
  • Signing proves sender identity. Encryption scrambles the body. Two separate steps in the client.
  • Lost private keys make every prior encrypted message unreadable. Back the PKCS 12 file to a vault.
  • S/MIME meets HIPAA transit rules only when both sides hold certs. Pair with a portal for patients.
  • Microsoft 365 and Google Workspace Enterprise run S/MIME natively. Apple Mail reads the keychain.

S/MIME email encryption is one of the two dominant standards for message-level email security. It uses X.509 certificates issued by a trusted certificate authority to sign and encrypt mail directly in Outlook, Apple Mail, and Google Workspace Gmail.

This guide covers how S/MIME works, where it fits in a business or healthcare workflow, and where it fails in practice. It also shows when a portal-based encrypted email service is the better operational choice.

S/MIME is documented in IETF RFC 8551. It has been in wide use since the late 1990s. The standard is stable, but real-world adoption depends on how each mail client handles certificates.

S/MIME Uses X.509 Certificates for Sign and Encrypt

Every S/MIME user holds a keypair. The public key sits inside an X.509 certificate issued by a certificate authority. The private key stays on the user device.

Signing works like this. The sender client computes a hash of the message and encrypts that hash with the sender private key. The recipient client decrypts the signature with the sender public key and verifies the hash matches the received message.

Encryption works the reverse way. The sender client encrypts the message body with the recipient public key. Only the recipient private key can decrypt the body.

Signing proves identity. Encryption protects content. A message can be signed only, encrypted only, or both. Most business setups sign every outbound message and encrypt only when the content warrants the extra step.

How S/MIME Email Encryption Works End to End

The sender writes a message and clicks encrypt. The mail client looks up the recipient certificate in its address book. If the certificate is not present, encryption fails and the client prompts for a public key.

Once the recipient certificate is available, the client generates a random symmetric session key. It encrypts the message body with that session key. It then encrypts the session key with the recipient public key.

Both the encrypted session key and the encrypted body are packaged into a MIME container and sent. The mail servers see only an encrypted blob. They cannot inspect content, run keyword rules, or scan for malware inside the encrypted portion.

The recipient client decrypts the session key with the recipient private key. It then decrypts the body with the session key. This hybrid approach uses public key cryptography only for the small session key, which is much faster than encrypting the whole body asymmetrically.

s mime email encryption in article illustration one

Certificate Acquisition and Installation Are the First Hurdle

A user needs a valid S/MIME certificate before they can send or receive encrypted mail. Certificates come from public CAs, corporate PKI systems, or free personal issuers.

Public CA options include Sectigo, DigiCert, GlobalSign, and Actalis. Prices range from free personal certificates to $200 per user per year for higher assurance levels. The email address in the certificate must match the address the user sends from.

Corporate deployments use Active Directory Certificate Services on Windows Server or a hosted PKI service. Certificates issue automatically to domain-joined machines through group policy. This is the workflow at hospitals and large insurance carriers.

Installation involves importing the PKCS 12 file into the mail client certificate store. The private key must be marked non-exportable in enterprise deployments to prevent theft. Backup happens through key escrow held by IT.

Outlook Supports S/MIME on Microsoft 365 Business Standard and Above

Outlook on Windows, Mac, and Outlook on the web all support S/MIME. The user installs a certificate, opens Options, and selects Trust Center, then Email Security.

Under Encrypted email, the user picks a certificate for signing and a certificate for encryption. These are often the same certificate. The user chooses whether to sign or encrypt outgoing messages by default.

Once configured, a new lock icon and signature icon appear in the compose window. The user toggles them per message. Address book entries for recipients cache public certificates as they arrive on signed messages.

Microsoft published detailed S/MIME configuration guidance for Exchange Online and Outlook. Admins deploying S/MIME across a tenant should follow that guidance rather than a per-user manual install path.

Example

A cardiology group and a partner imaging center exchange 40 patient referrals a week. Both run Microsoft 365 Business Standard with Outlook. Each provider buys a Sectigo personal S/MIME certificate for $60 a year, installs it through Trust Center under Email Security, and sends a signed introductory message to the counterparts. Public keys populate the address book automatically. From that point, every referral goes out encrypted with one click of the encrypt icon in the compose ribbon. Patient records reach the imaging center encrypted at rest inside each recipient mailbox.

Gmail Supports Hosted S/MIME on Enterprise and Education Tiers

Google Workspace supports S/MIME on Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. Personal Gmail and Business Starter, Standard, and Plus do not support S/MIME.

The admin uploads root and intermediate CA certificates in the Google Admin console. They then enable S/MIME for the organizational unit. Individual users upload their personal certificate through Gmail settings under Accounts.

Once uploaded, a lock icon appears next to the recipient field in the Gmail compose window. Green means an encrypted message is possible because the recipient certificate is on file. Gray means encryption is not available for that recipient.

Google documents the setup at the Google Workspace admin help center. Practices considering the Enterprise upgrade for S/MIME should weigh the per-user cost difference against a gateway alternative that works on Business Standard and Plus.

s mime email encryption in article illustration two

S/MIME and HIPAA Compliance Have Real Alignment

HIPAA requires the covered entity to implement technical safeguards for PHI in transit and at rest. S/MIME provides encryption at the message level, which covers both transit and storage on the recipient side.

A signed BAA with the mail provider handles the business associate relationship. Microsoft 365 and Google Workspace on Business Standard and above both offer a BAA. The CA that issues S/MIME certificates is usually not a business associate because it never handles PHI content.

Where S/MIME clears HIPAA is peer-to-peer clinical email between certificate-holding parties. Where it fails is patient-facing mail, because patients do not hold certificates. Practices sending PHI to patients need a portal service or a secure messaging platform. See the general framing on healthcare website security features for context on how email fits inside the wider stack.

Documentation matters. HIPAA auditors want to see certificate lifecycle records, key backup procedures, and workforce training on encryption use. A policy document that describes when to sign and when to encrypt is required for a defensible S/MIME program.

Common S/MIME Failure Modes and Their Fixes

Certificate expiration is the top cause of S/MIME failures. Certificates typically renew every one to three years. A missed renewal breaks all signing and encryption on the day of expiry.

Address mismatch is the second most common problem. If the certificate email address does not exactly match the sender From address, the recipient client shows a security warning and sometimes blocks the message. Aliases and shared mailboxes trigger this often.

Common S/MIME failure modes include:

  • Expired sender or recipient certificate
  • Missing intermediate CA in the recipient trust store
  • Sender From address does not match certificate email
  • Recipient never exchanged a signed message, so no public key is cached
  • Private key lost during mailbox migration or device replacement
  • Mobile client without certificate provisioning receives content as an unopenable attachment

Related linked topic: email encryption software for a broader look at tools that address these failure modes automatically.

๐Ÿ’กPro Tip: Back up the S/MIME private key before you use it

The single most common S/MIME failure is a lost private key during a device replacement or mailbox migration. Every message previously encrypted to that key becomes unreadable with no recovery path. Export the private key from the certificate store to a PKCS 12 file, store it in an encrypted vault or hardware token, and record the location in a policy document. Corporate deployments use key escrow through an internal PKI so IT can restore access when a user leaves.

S/MIME Versus PGP for Business Use

S/MIME and PGP solve the same problem with different trust models. S/MIME uses centralized certificate authorities. PGP uses a web of trust where users sign each other public keys.

For business use, S/MIME wins on native client support. Outlook, Apple Mail, and enterprise Gmail all handle S/MIME without plugins. PGP requires a plugin like GPG Suite for Apple Mail or Mailvelope for Gmail.

PGP wins on cost and independence. There is no CA to pay, and no gatekeeper to trust. That makes PGP popular with journalists and open source projects but rare in regulated business workflows where auditability is required.

Related context: email encryption as a broader category, and email encryption service for hosted options that hide the S/MIME versus PGP choice behind a portal.

S/MIME Comparison With Other Encryption Methods

The table below sets S/MIME against the other common methods a business considers.

Method Trust Model Native Client Support Recipient Setup Required Fit for HIPAA
S/MIME X.509 CA Outlook, Apple Mail, Gmail Enterprise Certificate install Peer to peer only
PGP Web of trust Plugins in most clients Keyring install Rare in healthcare
TLS only Server certificate All modern clients None In transit only
Portal gateway Vendor account Any browser Password or one-time code Patient and peer both work

Most healthcare practices end up with a mix. S/MIME for peer clinics that hold certificates and a portal for patients and one-off external contacts. See related coverage in secure email encryption service and encryption for email.

When to Use S/MIME and When to Use a Gateway

Use S/MIME when the organization already runs on Microsoft 365 Business Standard or higher, or Google Workspace Enterprise, and the recipient set is stable and technical. Peer clinics, insurance carriers, and referring specialists fit this pattern.

Use a gateway when recipients are variable, include patients, or refuse to install certificates. Portal-based services handle any recipient with any browser. The tradeoff is the extra click on the recipient side.

Mailhippo is a portal gateway that sits on top of Gmail or Outlook, includes a BAA in the base plan, and requires no per-user certificate management. It complements an S/MIME deployment rather than replacing it. Peer traffic can still run over S/MIME. Patient traffic runs through the gateway.

Practices building a compliant public-facing site alongside their email strategy often pair encryption planning with HIPAA-conscious website design so intake, contact, and email flows all stay inside the same compliance boundary.

Frequently Asked Questions

What does S/MIME stand for? +

S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It is an IETF standard defined in RFC 8551 that specifies how X.509 public key certificates sign and encrypt MIME email content. The standard has been in wide use since the late 1990s and is supported by every major mail client on desktop and mobile. S/MIME is separate from PGP, which uses a web of trust model rather than certificate authorities. The two standards are not interoperable at the protocol level.

How does S/MIME email encryption differ from TLS? +

TLS encrypts the network connection between two mail servers. Once the message reaches the recipient mail server, TLS ends and the plaintext sits on that server. S/MIME encrypts the message body itself. The encrypted content survives across every server hop and stays encrypted at rest in the recipient mailbox until decrypted with the recipient private key. TLS is server to server. S/MIME is user to user. Both can run at the same time in a defense-in-depth setup.

Is S/MIME email encryption free? +

The S/MIME standard is free. Certificates are sometimes free from a personal CA like Actalis or a corporate CA a company operates itself. Commercial S/MIME certificates from public CAs cost between $20 and $200 per user per year. Enterprise plans on Microsoft 365 include the option to issue internal S/MIME certificates through Active Directory Certificate Services. Google Workspace on Enterprise tiers supports upload of externally issued S/MIME certificates. Cost adds up quickly for a growing team of external contacts.

Can I use S/MIME email encryption in Gmail? +

Yes on Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. The admin uploads root and intermediate certificates and enables S/MIME in the Google Admin console. Individual users then upload their personal certificate through Gmail settings. Free personal Gmail accounts do not support S/MIME. Recipients on unsupported tiers see the encrypted MIME content as an attachment they cannot open. Setup instructions are documented on Google Workspace support pages under hosted S/MIME.

What happens if I lose my S/MIME private key? +

Every message previously encrypted to that key becomes unreadable. There is no recovery path unless the private key was backed up before it was lost. Corporate S/MIME deployments use a key escrow model where an internal PKI holds a copy of each private key so IT can restore access when a user leaves or a device is wiped. Personal S/MIME users must back up the private key to a hardware token or an encrypted vault. Losing the key is the single most common S/MIME failure mode.

Does S/MIME work on iPhone and Android? +

iPhone Mail supports S/MIME natively when a certificate is installed in the iOS keychain through a configuration profile or a manual PKCS 12 file. Android Gmail supports S/MIME when the account is a Google Workspace account with hosted S/MIME enabled, and the certificate is provisioned through the admin console. Third-party mail apps on Android like BlueMail and Nine also support S/MIME with per-app certificate import. Certificate installation on mobile is less user-friendly than on desktop, which slows adoption.

When should I use S/MIME versus a HIPAA email service? +

Use S/MIME when both sender and recipient are on managed mail platforms, hold certificates, and communicate repeatedly. A referring physician network or an insurance carrier are good fits. Use a HIPAA email service like Mailhippo when recipients vary, include patients, and cannot reasonably install certificates. Portal-based services deliver an encrypted link that any recipient can open in a browser. Many organizations run both. S/MIME for peer-to-peer and a gateway for one-off external recipients handles the full range of contact types.

Encryption and Email Security in a Layered Stack

encryption and email guide featured image

๐Ÿ”‘ Key Takeaways

  • The stack is filtering, DLP, outbound encryption, archiving, and identity. One layer alone has gaps.
  • Encryption failures leak content in transit. Filtering failures let phishing walk in the front door.
  • A VPN protects the sender network segment. Email encryption protects the body across mail servers.
  • HIPAA, SOX, FINRA, and GDPR require retention. Some archivers bundle encryption, others do not.
  • Every vendor touching PHI needs its own BAA. Consolidated platforms put filtering plus archive as 1.

Encryption is a checkbox item on most email security procurement forms. It sits next to inbound filtering, DLP, archiving, and identity controls. Buyers who focus on one checkbox at a time miss how the layers depend on each other.

This guide covers how encryption and email security fit together in a working stack. Where a healthcare team needs the outbound layer without integrating four vendors, a dedicated secure email service with a BAA in the base plan often solves the immediate compliance gap.

Read the sections in order. Each layer covers a different threat and a different auditor concern.

The Email Security Stack Has Five Layers

A complete email security posture combines five functional layers. Each addresses a different risk.

  • Inbound filtering removes phishing, malware, and business email compromise before delivery.
  • Identity controls including MFA and conditional access stop credential theft at the mailbox.
  • DLP scans outbound messages for sensitive content and enforces policy actions.
  • Outbound encryption protects message content in transit and at rest for regulated data.
  • Archiving preserves all inbound and outbound mail in tamper-evident storage for compliance.

Skipping any layer creates a gap. Filtering without encryption leaves outbound leakage. Encryption without filtering leaves the inbox exposed to the phishing that steals the credentials that bypass the encryption.

Buyers evaluating a single feature should confirm what covers the other four.

encryption and email in article illustration one

Encryption Handles Outbound Confidentiality

Email encryption operates on outbound messages. It transforms the body and attachments into ciphertext readable only by the intended recipient.

TLS handles server-to-server transport encryption. S/MIME or hosted portal services handle content encryption end to end. Both layers combine to protect messages from interception and unauthorized access.

Related guide: email encryption covers the methods and standards in depth. See also encryption for email and files.

Encryption does not protect against outbound errors. A workforce member emailing PHI to the wrong recipient still commits a HIPAA breach even when the message is encrypted correctly to that wrong address.

The DLP layer catches that case. Encryption alone does not.

Inbound Filtering Blocks Threats Before Delivery

Inbound filtering scans every incoming message against spam signatures, malware analysis, URL reputation, and behavioral indicators of business email compromise.

Microsoft Defender for Office 365 and Google Workspace Security Sandbox both bundle inbound filtering with their mail platforms. Third-party vendors like Proofpoint, Mimecast, and Barracuda offer specialized inbound protection.

Filtering catches most commodity threats. Sophisticated targeted attacks still get through occasionally. That is why the layer above it, identity controls, matters.

The CISA guidance on phishing and ransomware covers the current threat landscape that inbound filtering has to handle.

Healthcare senders face specific targeting because PHI has direct resale value. Filtering configuration for healthcare typically runs stricter than for general business.

Example

A twelve-provider multispecialty group builds a layered stack. Microsoft Defender for Office 365 handles inbound filtering under the Microsoft 365 E3 tier. Purview DLP rules match PHI patterns and auto-apply Encrypt-Only on outbound. A dedicated gateway service delivers encrypted mail to patients without a portal step. Mimecast archives every inbound and outbound message for the six-year HIPAA retention requirement. Entra ID enforces MFA plus conditional access on every mailbox. Four vendor BAAs live in the compliance folder, one per business associate.

DLP Enforces Policy on Sensitive Content

Data loss prevention scans outbound content for defined patterns and enforces automatic policy actions.

Common patterns include Social Security numbers, credit card numbers, medical record numbers, ICD-10 codes, and custom keyword lists specific to the organization.

Policy actions include block and notify the sender, quarantine for admin review, redirect to a manager, or apply encryption automatically. That last option closes the gap between manual encryption decisions and consistent compliance.

Microsoft Purview DLP and Google Workspace Data Loss Prevention both include predefined content types. Custom rules cover organization-specific patterns.

Test DLP rules against a monitored test mailbox before pushing to production. False positives on internal messages create friction that pushes users toward personal accounts.

encryption and email in article illustration two

VPNs Add a Network Layer That Overlaps Partially

A VPN encrypts the network path between a client device and the VPN provider. It matters when workforce members send email from public Wi-Fi or shared networks.

The VPN protects the traffic from the coffee shop to the VPN endpoint. From there, the traffic exits to the mail server as normal internet traffic protected by the mail platform TLS.

Once the message leaves the sender mail server and travels to the recipient mail server, the VPN provides no protection. The message needs TLS between the mail servers and content encryption for the body itself.

A VPN is not a substitute for email encryption. It protects the first mile only. HIPAA-regulated content still requires end-to-end encryption on the message itself.

Practices deploying VPNs should still deploy email encryption. The layers cover different segments of the message journey.

Archiving Preserves Compliance Evidence

Archiving captures every inbound and outbound message at the gateway and stores it in tamper-evident form for defined retention periods.

HIPAA calls for six-year retention of documentation supporting security policies, which includes evidence of PHI communications. SOX requires seven years of financial records. FINRA requires three years of broker communications with clients.

The archive protects against message tampering after delivery, which matters during litigation and audit. Users cannot delete archived copies from their mailbox to hide activity.

Some vendors bundle archiving with encryption in one product. Others sell them separately. Buyers should confirm which vendor covers each function to avoid gaps or duplicate contracts.

The archive itself must also be encrypted at rest. Vendors typically use AES-256 with keys managed by the customer or the vendor per contract.

๐Ÿ’กPro Tip: Deploy identity controls before adding more expensive encryption products

Compromised mailbox credentials bypass encryption and filtering entirely because the attacker holds legitimate access. Multi-factor authentication and conditional access are the cheapest layer with the highest breach-cost prevention. Enforce MFA on every workforce member with mailbox access through Microsoft Entra ID or Google Workspace identity. Add conditional access rules that restrict logins to known devices or geographies. This stops most business email compromise attacks before any encryption or filtering product has to work.

Identity Controls Guard the Mailbox Access Point

Encryption and filtering both fail when an attacker holds the legitimate mailbox credentials. Identity controls prevent that scenario.

Multi-factor authentication blocks most credential theft attacks. Conditional access rules restrict logins to known devices, networks, or geographies. Session timeout controls limit exposure when devices are left unattended.

Microsoft Entra ID and Google Workspace identity both include MFA and conditional access as core features. Enforce MFA for every workforce member with mailbox access.

Compromised mailbox credentials are the entry point for most business email compromise attacks. See the Microsoft business email compromise guidance for attack patterns and defenses.

Identity controls are cheap compared to the breach cost they prevent. Deploy them before adding more expensive encryption or filtering products.

HIPAA Requires the Full Stack for Covered Entities

HIPAA covered entities need every layer of the stack for the Security Rule and Privacy Rule requirements.

Encryption meets the transmission security safeguard. Inbound filtering supports the malicious software safeguard. DLP supports the administrative safeguard against workforce error. Archiving supports the six-year documentation retention requirement.

Each vendor that touches PHI signs a business associate agreement. Consolidated platforms simplify BAA management by putting encryption, filtering, and archiving under one contract. Specialized services require separate BAAs.

The HHS Security Rule guidance lists every safeguard the covered entity must implement.

Practices running patient-facing websites face parallel obligations. See healthcare website security features for the site-side controls that pair with the email stack.

Choosing Between Consolidated and Best-of-Breed Vendors

Buyers face a decision between one platform that covers every layer and multiple specialized vendors that each cover one layer well.

Consolidated platforms from Microsoft, Google, or major security vendors deliver encryption, filtering, DLP, and archiving through one console. Reporting is unified. One contract covers everything. Small practices favor this model for administrative simplicity.

Specialized vendors focus on one layer and often deliver a better recipient experience or specific compliance feature. Larger organizations mix a consolidated inbound filter with a specialized outbound encryption service like Mailhippo that delivers encrypted email without portal friction.

Related guides: email encryption solutions comparison, email encryption solutions for Outlook and Gmail, and HIPAA compliant texting and email.

Match the vendor mix to the operational team size. A one-person IT department cannot maintain four separate consoles. A dedicated security team can extract value from specialized products that a consolidated platform cannot match.

Neither approach is wrong. The wrong choice is buying encryption in isolation and ignoring the other four layers.

Frequently Asked Questions

How do encryption and email security work together? +

Encryption protects the content of individual messages during transit and at rest. Email security is the broader program that also filters inbound threats, prevents outbound data loss, archives messages for compliance, and controls mailbox access through authentication. Encryption alone cannot stop a phishing message from entering the inbox or catch a workforce member emailing PHI to the wrong recipient. Email security alone cannot prevent an outsider from reading intercepted messages if the content is unencrypted. Both layers are required for a complete posture.

Does a VPN encrypt email? +

A VPN encrypts the network connection between the client device and the VPN provider. If the mail client uses TLS to reach the mail server, the VPN adds an outer encryption layer during that first leg. Once the message leaves the VPN endpoint and travels to the recipient mail server, the VPN provides no protection. The message itself still needs TLS transport encryption and, for regulated content, S/MIME or hosted portal encryption to protect the body between mail servers and at rest.

What is the difference between email encryption and email filtering? +

Encryption transforms outgoing message content into ciphertext so only the recipient can read it. Filtering analyzes incoming messages for spam, phishing, malware, and business email compromise indicators before delivery. They operate on opposite directions of the mail flow and address different threats. Encryption defends confidentiality on the outbound side. Filtering defends the inbox on the inbound side. HIPAA and PCI compliance require both, plus additional controls like DLP, archiving, and access management.

Do I need archiving if I already have email encryption? +

Yes, if regulations require retained records of communications. HIPAA calls for six-year retention of documentation supporting security policies. SOX and FINRA require multi-year retention of email evidence. GDPR requires the ability to produce specific messages on request. Encryption protects the content but does not preserve it after the mailbox owner deletes the message. Archiving captures every message at the gateway and stores it in tamper-evident form. Some vendors bundle encryption and archiving in one product, and others sell them separately.

How do encryption and DLP interact? +

Data loss prevention scans outbound messages for sensitive content patterns like Social Security numbers, credit card numbers, medical record numbers, and custom keywords. When DLP detects a match, it can block the message, quarantine it for review, or apply automatic encryption. That last option is the most common integration. A workforce member who forgets to click Encrypt on a message containing PHI triggers the DLP rule, which encrypts the message server-side before delivery. This removes the compliance risk of relying on manual encryption decisions.

What compliance frameworks require email encryption? +

HIPAA treats encryption of PHI in transit as an addressable specification and treats unencrypted PHI transmission as a compliance failure in practice. PCI DSS requires encryption of cardholder data when transmitted over public networks. GLBA requires financial institutions to protect customer information in transit. GDPR requires appropriate technical measures for personal data, and encryption is treated as evidence of due diligence. State laws like California CCPA and New York SHIELD Act also incentivize encryption through breach notification safe harbors that exclude encrypted data.

Should encryption and email security come from the same vendor? +

The tradeoff is between integration and specialization. Consolidated platforms from Microsoft, Google, or major security vendors handle encryption, filtering, and archiving under one console with unified reporting and one contract. Specialized vendors focus on one layer and often deliver a better recipient experience or specific compliance feature. Small practices favor consolidated platforms for administrative simplicity. Larger organizations often mix a consolidated inbound filter with a specialized outbound encryption service that pairs better with their workforce workflow.

Encrypted Email Guide for Business and HIPAA Workflows

encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Encrypted email spans three layers: TLS in transit, S/MIME or PGP end to end, and portal delivery.
  • TLS 1.2 or 1.3 protects the wire between servers, but plaintext still sits readable at rest on both.
  • S/MIME and PGP need pre-exchanged keys, which breaks a first send to any patient on personal Gmail.
  • Portal encryption reaches any browser recipient, but replies stall outside the sender inbox thread.
  • HIPAA needs a signed BAA plus training and Security Rule safeguards, not just working encryption.

Encrypted email protects message content from anyone who is not the intended recipient. The term covers three separate technical layers, and they solve different problems. Getting the layer right is what separates a defensible deployment from a false sense of security.

This guide walks through each layer, the tools that implement it, and where each one fits a business or healthcare workflow. It closes with a practical view on when to combine layers and when a portal-based encrypted email service is the right choice.

The reader should come out with enough context to decide which encryption model matches the recipients they email most often and what the budget implications are.

Encrypted Email Covers Three Distinct Layers

The first layer is TLS in transit. It encrypts the network connection between two mail servers. The message body travels through a tunnel that a passive network snoop cannot read.

The second layer is end-to-end encryption at the message level. S/MIME and PGP encrypt the body with the recipient public key. The mail server sees only ciphertext.

The third layer is portal-based delivery. The sender uploads the message to a hosted portal. The recipient authenticates and reads it in a browser. The mail itself never leaves the portal.

Each layer defends against a different threat. TLS covers passive interception. End-to-end covers a compromised or subpoenaed provider. Portal covers recipients who cannot install client-side keys.

TLS Is the Baseline for All Modern Mail Providers

Gmail, Outlook, iCloud, and most business mail providers negotiate TLS 1.2 or 1.3 by default. The two servers exchange certificates, agree on a cipher, and encrypt the connection.

TLS ends when the message arrives at the recipient server. The mail sits at rest on that server in a form the provider can decrypt. A subpoena, a rogue admin, or a provider compromise exposes plaintext.

TLS also fails when the receiving server does not support it. Older on-premise Exchange systems still exist in the wild. Google publishes a delivery status for each domain the user emails, which can reveal these gaps.

MTA-STS and DANE are add-ons that force TLS on the sending side. NIST covers the technical baseline in Special Publication 800-177 Trustworthy Email. Every modern deployment should have MTA-STS enabled at a minimum.

encrypted email in article illustration one

End-to-End Encryption Uses Keys the Provider Cannot See

S/MIME and PGP are the two dominant end-to-end standards. Both work by encrypting the message body with the recipient public key on the sender client before the message leaves the device.

S/MIME uses X.509 certificates from a certificate authority. It is native in Outlook, Apple Mail, and Google Workspace Enterprise. Setup requires a certificate for each user.

PGP uses a web of trust model where users sign each other public keys. It runs on plugins in most mail clients. Setup requires a keypair and public key exchange with every contact.

Both models fail when the recipient has no client-side setup. A referring physician on personal Gmail without S/MIME cannot receive an S/MIME encrypted message. Related linked topic: should I consider encrypted email using ProtonMail as one example.

Portal-Based Encrypted Email Works With Any Recipient

Portal delivery is the practical choice when recipients are variable, include patients, or refuse to install certificates. The sender writes the message in a normal mail client or a web portal.

The service uploads the message to a hosted portal. The recipient receives a notification with a link. They click the link, authenticate with a passcode or SSO, and read the message in a browser.

Microsoft Purview Message Encryption uses this model. Google Workspace confidential mode uses a similar model. Third-party services like Mailhippo use the same model with a HIPAA-focused BAA in the base plan.

Portal delivery works with any recipient on any device. The tradeoff is friction. Replies happen in the portal, not the recipient normal inbox. Threading breaks for downstream record keeping.

Example

A mid-size clinic with a stable set of peer providers layers all three encryption models. TLS runs by default between Microsoft 365 mail servers and their peer clinic servers. S/MIME certificates issued from an internal PKI cover peer clinical mail between six known referring physicians. A portal gateway handles patient billing statements and one-off external contacts who cannot install certificates. DLP rules in Exchange Online auto-encrypt any message containing an MRN pattern. Audit logs retain for the six-year HIPAA administrative requirement.

HIPAA Requires More Than Encryption Alone

HIPAA compliance for email requires three things. A signed Business Associate Agreement with the mail provider. Technical safeguards under the Security Rule. Workforce training on encryption use.

Encryption is one technical safeguard. Access controls, audit logging, session timeouts, and secure key management are others. The HHS Security Rule spells out the full list.

A signed BAA is what makes the mail provider a business associate under 45 CFR 164.502(e). Without it, sending PHI through any encrypted service is still a HIPAA violation regardless of encryption strength.

Gmail on Google Workspace Business Standard and above and Outlook on Microsoft 365 Business Standard and above both offer BAAs. Free personal accounts do not. See related healthcare security context for how email fits inside the broader stack.

encrypted email in article illustration two

Common Encrypted Email Deployment Patterns

Small practices with a single mail provider usually run TLS plus a portal gateway. This covers passive interception and external recipient delivery in one setup.

Mid-size clinics with a stable set of peer providers add S/MIME on top for the peer traffic. TLS is baseline, S/MIME handles peer clinical mail, portal handles patients and one-off external contacts.

Larger hospitals with internal PKI use S/MIME across the entire clinical workforce. They still add a portal for patient communication. The two models coexist and are chosen per recipient by the mail client or by a policy rule.

Common encrypted email deployment components include:

  • TLS baseline with MTA-STS enforced on outbound
  • SPF, DKIM, and DMARC configured on the sending domain
  • S/MIME certificates issued to clinical users for peer traffic
  • Portal service for patient and external recipient traffic
  • DLP rules that auto-encrypt messages containing SSN, MRN, or PHI patterns
  • Audit logs retained per HIPAA six-year requirement

Free Encrypted Email Options and Their Limits

Free encrypted email exists but comes with real limits. Personal ProtonMail and Tutanota accounts offer zero-access encryption at rest and portal-based delivery for external recipients.

The catch is no BAA. Free tiers do not qualify for HIPAA use regardless of encryption strength. Storage caps and daily message limits also fail business use quickly.

Free personal S/MIME certificates from Actalis and similar issuers give real end-to-end encryption but require manual install and renewal. Time cost is often higher than a paid service.

For a solo user with occasional secure needs, free options are workable. For a practice with regulatory obligations, paid tiers with BAAs are the only defensible path. Related: free encrypted email for a fuller comparison.

๐Ÿ’กPro Tip: Enable MTA-STS before deploying any content encryption

TLS is the required baseline but fails silently when the receiving server does not support it or downgrades the connection. MTA-STS forces TLS on outbound mail and blocks delivery when the receiving side cannot negotiate a secure session. NIST Special Publication 800-177 covers the technical baseline. Deploy MTA-STS at the DNS layer before adding S/MIME or portal encryption, otherwise the transit layer stays exposed to downgrade attacks that content encryption cannot fix.

Encrypted Email Feature Comparison

The table below compares the main encrypted email models on the dimensions that matter most for a business buyer.

Model Encryption Level Recipient Setup HIPAA Fit Best For
TLS only Transit None Baseline only General business mail
S/MIME End-to-end Certificate install Peer traffic Clinic-to-clinic
PGP End-to-end Keyring install Rare in healthcare Technical users
Portal gateway End-to-end at rest Passcode or SSO All recipients Patient and external mail
Zero-access mailbox End-to-end at rest Account creation With BAA on paid tier Privacy-focused solo users

Encrypted Email Troubleshooting Basics

Delivery failures are the most common encrypted email problem. TLS failures show up as messages sitting in the outbound queue or arriving in plain form when the receiving server does not support TLS.

S/MIME failures usually trace to certificate expiration, address mismatch, or a missing intermediate CA. The recipient client shows a specific error that names the failing check.

Portal delivery failures often trace to the recipient marking the notification as spam. Adding the sender portal domain to a safe-sender list at the recipient side fixes this. See related linked topic: how to troubleshoot encrypted email.

Deliverability upstream matters too. A domain without SPF, DKIM, and DMARC lands portal notifications in spam even when the portal itself works. The Gmail sender guidelines apply to portal notification email the same way they apply to normal outbound mail.

Choosing an Encrypted Email Setup for Your Practice

The right choice depends on three questions. Who are you emailing most often. Are they technical enough to hold a certificate. Do you already run on Microsoft 365 or Google Workspace.

For a practice that emails patients daily and peer clinics occasionally, a portal gateway is the higher-value setup. Patients never install anything. Peer clinics can still receive the portal notification and open it in a browser.

For a practice that emails peer clinics daily and rarely emails patients, S/MIME across the peer network with a portal fallback for patients is the higher-value setup. Peer traffic runs at inbox speed with no extra clicks.

Mailhippo operates as a portal gateway on top of Gmail or Outlook, includes a BAA in the base plan, and requires no per-user certificate management. It fits practices that need patient-safe encryption without moving off their existing mail provider. Practices building a compliant public site alongside their email strategy can pair this with healthcare marketing support so intake, contact, and email flows stay inside the same compliance boundary.

Frequently Asked Questions

What is encrypted email? +

Encrypted email is any email where the message content is scrambled so only intended parties can read it. The term covers three separate layers. TLS encrypts the network connection between mail servers. S/MIME and PGP encrypt the message body at the client level. Portal services encrypt the stored content behind a login. Each layer defends against a different threat. Most business deployments use TLS as a baseline and add either message-level or portal-based encryption depending on how technical the recipients are.

Is Gmail encrypted email? +

Gmail uses TLS between mail servers when the other side supports it, and it encrypts stored mail at rest on Google servers with keys Google controls. Gmail is not end-to-end encrypted by default. Google can read stored mail because Google holds the keys. Google Workspace Enterprise and Education tiers add hosted S/MIME support, which adds true end-to-end encryption when both sides hold certificates. Confidential mode adds a passcode and expiration but does not add end-to-end encryption. See related coverage in how is email encrypted.

Is encrypted email HIPAA compliant? +

Encrypted email can meet HIPAA if the covered entity signs a Business Associate Agreement with the mail provider, configures technical safeguards under the Security Rule, and trains staff on encryption use. Encryption alone does not equal compliance. The BAA covers the legal relationship. The configuration covers the technical safeguards. Training covers workforce use. A free personal Gmail or Outlook account cannot meet HIPAA even with strong encryption because no BAA is available on those tiers.

What is the difference between encrypted email and secure email? +

Secure email is a broader term that covers encryption plus anti-phishing, anti-malware, DLP, and archiving. Encrypted email refers specifically to the encryption layer. A secure email service usually bundles multiple protections including encryption. A HIPAA-compliant secure email service adds a BAA and audit logging on top. For most business buyers, secure email is the product category and encrypted email is one required feature inside it.

Can I send encrypted email to any recipient? +

Not without setup on both sides for message-level encryption. S/MIME and PGP require both sender and recipient to hold keys or certificates. Portal-based encryption works with any recipient because the encryption stays on the sender-hosted portal and the recipient only needs a browser and a passcode. For practices that send PHI to patients, portal delivery is the only workable model. For peer clinical mail between known providers, S/MIME is often more efficient after the initial setup.

What is TLS encrypted email? +

TLS encrypted email uses Transport Layer Security to protect the network connection between two mail servers. When Gmail sends a message to Outlook, both servers negotiate a TLS session and the message body travels through an encrypted tunnel. TLS ends when the message arrives at the recipient server. The message sits at rest on that server in a form the provider can decrypt. TLS is the baseline for modern mail delivery but does not qualify as end-to-end encryption for regulated data.

Does encrypted email cost extra? +

TLS is free and built into every modern mail provider. S/MIME certificates cost $0 to $200 per user per year depending on issuer and assurance level. PGP is free but requires plugins. Portal-based services like Mailhippo charge a per-user monthly fee, usually less than $10 per user. Microsoft Purview Message Encryption is included in Microsoft 365 Business Premium and above. Total encrypted email cost depends more on which model the practice needs than on any single tool.

How to Choose an Email Encryption Solution That Fits Your Business

email encryption solution guide featured image

๐Ÿ”‘ Key Takeaways

  • An encryption solution has three jobs: protect the body, verify the sender, and log every event.
  • Small teams on Gmail or M365 win with a hosted service at $5 to $15 per user per month.
  • MSPs need a multi-tenant console; wholesale pricing plus co-branded portals drive the margin.
  • Advisors juggle GLBA, SEC 17a-4, and FINRA; the archive must ingest encrypted mail cleanly.
  • Enterprise buyers weigh native Purview or S/MIME against a gateway for cross-platform coverage.

Every organization that sends email containing sensitive data eventually needs an encryption solution. The question is not whether to encrypt, but which solution fits the actual mailflow, the regulatory framework, and the recipient audience.

Small practices sending patient mail have different needs than a 5000-user enterprise sending contracts. Financial advisors have different rules than defense contractors. A HIPAA-covered service such as encrypted email covers small healthcare practices well. A CMMC-covered gateway covers a defense contractor.

This guide walks through the buyer decision by audience. Small business, MSPs, financial advisors, defense contractors, and enterprise buyers each get a section with the specific rules they need to meet and the solution shapes that fit.

The three jobs an email encryption solution actually does

The first job is protecting the message and any attachments in transit and at rest. TLS covers the connection between mail servers. End-to-end encryption or portal-based delivery covers the message content itself.

The second job is verifying the sender identity so the recipient can trust the message. S/MIME and DKIM both do this at different layers. Signing prevents impersonation attacks and provides non-repudiation for legal purposes.

The third job is producing audit logs the organization can use to prove compliance. Send events, delivery events, open events, and download events all need to be logged for the retention period the applicable regulation requires.

Most buyers focus on the first job and underestimate the second and third. A solution that encrypts strongly but does not log opens will fail a real audit because the auditor cannot confirm that the recipient actually received the message.

The mechanics of each job are covered in the technical guide on encryption for email, which walks through the algorithms and the protocols in detail.

Small business buyers optimize for setup speed and staff friction

Small businesses under 25 users typically already run Gmail or Microsoft 365 on a lower tier. The encryption question is whether to upgrade the license, add a native encryption add-on, or layer a third-party service on top.

The license upgrade path adds cost across every mailbox even if only a subset actually needs encryption. Microsoft 365 Business Premium runs about triple the cost of Business Standard.

The add-on path, such as Azure Information Protection Premium P1, gives per-user encryption without the full Business Premium bundle. It also requires the IT team to configure the tenant, which is often outside the skill set of a five-person practice.

The third-party service path layers on top of the existing mailbox. Common pricing runs $5 to $15 per user per month with a signed BAA included. Setup takes an afternoon with no tenant configuration required.

For a healthcare practice specifically, the buyer decision also touches the surrounding website. Guidance on security features for healthcare websites covers the portal, form handling, and file upload side of the workflow that complements the encrypted email side.

email encryption solution in article illustration one

MSPs optimize for multi-tenant control and margin

Managed service providers selling encryption to multiple clients need a control plane that manages multiple tenants from a single admin console. Provisioning a new client, adjusting policy, and producing a quarterly report all need to be single-console operations.

Wholesale pricing with per-user billing lets the MSP set retail pricing that covers support and margin. Vendors that publish MSP-specific pricing typically also offer a partner portal for user provisioning and client-level reporting.

Compliance mix matters for the vendor choice. An MSP with mostly healthcare clients wants HIPAA-first support. An MSP with mostly financial clients wants GLBA and SEC 17a-4 support. An MSP with defense contractor clients needs FIPS 140-3 validated crypto.

Co-branded portal delivery is a nice-to-have that many MSPs value because the recipient experience carries the MSP client brand rather than the encryption vendor brand. Not every vendor supports co-branding, so this needs to be confirmed upfront.

The MSP also needs the vendor to sign a business associate agreement or its equivalent as a subcontractor, so the compliance chain flows correctly from the covered entity through the MSP to the encryption vendor.

Financial advisors face SEC, FINRA, GLBA, and state privacy law

Financial advisors sending statements, account changes, and estate planning documents need an encryption solution that satisfies four different rule sets at once.

SEC Rule 17a-4 requires broker-dealers to retain electronic communication for six years in a non-erasable, non-rewritable format. The encryption solution must integrate with the retention archive so encrypted messages appear alongside plain-text messages.

FINRA Regulatory Notice 22-10 clarified that firms must supervise electronic communication regardless of the encryption method. The supervision includes an archive, keyword monitoring, and periodic sampling.

GLBA and the state privacy laws that layered on top, including California CCPA and the New York SHIELD Act, require reasonable security practices for consumer financial data. Encryption of transmitted account information satisfies the transmission side of the rule.

The vendor selection needs to confirm compatibility with the compliance archive the firm already uses. Common archives include Global Relay, Smarsh, and Mimecast Compliance. Encrypted messages need to feed into the archive in a searchable format.

Example

An MSP with 40 client tenants averaging 15 seats each shortlists three encryption vendors. The wholesale rate lands at $4 per seat per month, and the MSP prices retail at $9. Across 600 seats the recurring wholesale cost is $2,400 per month, retail revenue reaches $5,400, and the margin covers a half-time technician handling recipient portal support tickets. The MSP picks the vendor with the strongest multi-tenant admin console because provisioning a new client takes 20 minutes instead of two hours across three separate portals.

Defense contractors need FIPS-validated crypto for CMMC

Defense contractors handling controlled unclassified information under DFARS 252.204-7012 must meet CMMC 2.0 requirements. Level 2 assessments apply to any contractor handling CUI.

The relevant CMMC control, SC.L2-3.13.11, requires FIPS-validated cryptography when used to protect the confidentiality of CUI. The validation must be documented on the NIST CMVP list at the time of use.

Microsoft Purview Message Encryption on the GCC High tenant meets the requirement. Preveil and specific gateway products also qualify. Standard commercial encryption vendors need a specific FIPS validation certificate to be considered.

The NIST CMVP lists the validated modules. Buyers should confirm the specific module and version number the vendor uses matches an active certificate on the list.

Level 3 assessments apply to contractors handling higher-value CUI and add controls including advanced persistent threat detection. Level 3 typically requires a dedicated CMMC-focused solution rather than a general-purpose encryption gateway.

email encryption solution in article illustration two

Enterprise buyers choose between native and gateway architectures

Enterprise buyers with more than 500 mailboxes usually already run Microsoft 365 E3 or E5, Google Workspace Enterprise Plus, or a mixed environment. The encryption question is whether to use the native platform features or add a third-party gateway.

Microsoft Purview Message Encryption is included in E3 and E5 and integrates with the tenant compliance dashboard, mail flow rules, and Azure Rights Management. It handles the common Outlook and Outlook on the web cases well.

Google Workspace hosted S/MIME on Enterprise Plus covers Google-native encryption for Gmail. Client-side encryption with a customer-managed key is available on the same tier for organizations that want the key material outside Google infrastructure.

Third-party gateways add cross-platform coverage, more flexible policy control, and enforcement without user interaction. Common enterprise gateway vendors include Proofpoint, Mimecast Encryption, and Cisco Secure Email.

The mixed-platform case usually goes to a gateway because the same policy needs to apply to mail leaving Microsoft 365, Google Workspace, and any legacy on-premises mail server. Native features solve only their own platform.

Recipient experience decides adoption more than encryption strength

The most secure encryption solution fails if the recipient cannot open the message. Every buyer should run a round-trip test with a real external recipient before signing a contract.

Portal-based delivery works well for one-off recipients and patient mail because the recipient does not need any prior setup. A link opens in the browser, a passcode arrives at the recipient inbox, and the message is readable.

S/MIME delivery works well between organizations that have exchanged certificates in advance. It fails when the recipient does not have a certificate or when the certificate has expired.

PGP delivery works well between technical users who both run PGP-aware mail clients. It rarely works with patients, retail clients, or non-technical recipients because setup is too high.

The best-fit recipient experience depends on the audience. A healthcare practice usually picks portal delivery. A defense contractor usually picks S/MIME between contract parties. A financial advisor usually picks portal delivery for retail clients and S/MIME for wholesale counterparts.

๐Ÿ’กPro Tip: Pilot with real external recipients before signing

Vendor demos never expose the recipient friction that matters most. Run a two-week pilot before signing a contract. Send test messages to Gmail, Outlook.com, Yahoo Mail, and a corporate Outlook. Confirm the portal login works on iOS Safari and Android Chrome. Open a real support ticket during and outside business hours to test response time. Verify the audit log shows every field the applicable regulation requires. Real workflow tests reveal issues that documentation and sales-team responsiveness hide.

Total cost of ownership includes licenses, admin time, and support

The sticker price on the encryption service is only part of the total cost of ownership. License upgrades, admin time to configure policy, and support calls when recipients cannot open messages all add up.

For a small practice, the third-party layer typically wins on TCO because it avoids the Microsoft 365 Business Premium upgrade across every mailbox. The service price of $10 per user per month is less than the $10 per month license delta on 20 mailboxes.

For an enterprise already on E3 or E5, native Purview is free at the license level but adds admin time to configure mail flow rules, monitor delivery, and handle the recipient support tickets that follow policy changes.

Support cost scales with recipient volume. A portal-based service that handles the recipient authentication step centrally usually reduces the practice help desk load compared to an S/MIME deployment that pushes certificate management to the recipient side.

For a five-year total cost estimate, count license fees, one-time deployment work, ongoing admin, and support tickets. Most vendors publish enough detail to build the estimate.

Common vendor shortlists by buyer profile

Small healthcare practice on Gmail or Microsoft 365: Mailhippo, LuxSci, and NeoCertified all offer HIPAA-covered service with a BAA in the base plan.

MSP with mixed client base: Sherweb, Trustifi, and Mailhippo Partner offer multi-tenant control planes with wholesale pricing.

Financial advisor with SEC 17a-4 requirement: Smarsh, Global Relay, and Mimecast Compliance all bundle encryption with the required archive. Standalone encryption vendors need to be paired with a separate archive.

Defense contractor at CMMC Level 2: Microsoft GCC High tenant with Purview, Preveil, and specific FIPS-validated gateway products qualify. General commercial vendors do not automatically qualify.

Enterprise mixed platform: Proofpoint, Mimecast Encryption, and Cisco Secure Email all handle cross-platform enforcement. Native Purview or Workspace S/MIME can also work if the mailflow is single-platform.

How to run a short evaluation before signing

Every vendor evaluation should include a two-week pilot with a subset of users. The pilot answers the questions that vendor demos cannot answer.

Test with real external recipients on Gmail, Outlook.com, Yahoo Mail, and a corporate Outlook. Recipient experience is the most common failure mode and is not visible in a demo.

Test the audit log by sending a batch of messages, opening some as the recipient, and running the report. Confirm the log shows the fields that the applicable regulation requires.

Test the policy enforcement by sending a message that should trigger a rule and confirming the rule fired. Do the same with a message that should not trigger the rule.

Test the support responsiveness by opening a real ticket during business hours and again outside business hours. Response time and resolution quality on real tickets predicts the long-run experience better than sales-team responsiveness.

Frequently Asked Questions

What features should I look for in an email encryption solution? +

Six features cover most buyer needs. Encryption in transit and at rest, a signed business associate agreement or a compliance certification appropriate for the regulatory framework, a recipient experience that does not require the recipient to install software, audit logs of message send and open events, integration with the existing mail platform, and policy control so encryption can be enforced by rule rather than user click. For regulated industries, retention and archival features also matter.

What is the best email encryption solution for small businesses? +

For a small business under 25 users on Gmail or Microsoft 365, a hosted encryption service that includes a BAA in the base plan is usually the fastest fit. The service layers on top of the existing mailbox, encrypts every outbound message, and delivers a portal link to external recipients. Pricing typically runs $5 to $15 per user per month. Native Microsoft Purview requires a Business Premium license on every mailbox, and Google Workspace hosted S/MIME requires the top-tier Enterprise Plus license, both of which cost more.

What is the best email encryption solution for MSPs? +

MSPs need a multi-tenant control plane that manages multiple client tenants from a single admin console. Look for wholesale pricing with per-user billing, a partner portal for user provisioning and reporting, and support for client-specific policy templates. Common MSP-focused encryption vendors include Sherweb, Trustifi, and Mailhippo Partner. The right pick depends on which mail platforms the MSP clients use most, how many clients need HIPAA versus GLBA versus CMMC coverage, and whether the MSP wants co-branded portal delivery.

How does Microsoft email encryption work? +

Microsoft 365 Business Premium, Apps for Enterprise, and the E3 and E5 tiers include Microsoft Purview Message Encryption. Users click the Encrypt button in the Options ribbon in new Outlook or Outlook on the web. External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode. Purview supports mail flow rules that trigger encryption based on the sender, recipient, or content pattern. The BAA is available through the Service Trust Portal for tenants that need HIPAA coverage.

What is a CMMC email encryption solution? +

CMMC, the Cybersecurity Maturity Model Certification, applies to defense contractors handling controlled unclassified information. CMMC 2.0 Level 2 requires FIPS 140-2 or 140-3 validated cryptography for CUI in transit and at rest. Solutions that qualify use FIPS-validated crypto modules and support the specific labeling and handling controls that CMMC requires. Microsoft Purview with the GCC High tenant, Preveil, and specific gateway products meet the requirement. Standard commercial encryption solutions do not automatically satisfy CMMC and need a specific FIPS validation review.

How does Google email encryption work? +

Google Workspace offers three encryption features. Confidential mode is available on every account and applies expiration and forwarding controls but not cryptographic encryption. Hosted S/MIME is available on Enterprise Plus, Education Standard, and Education Plus and encrypts the message body with an S/MIME certificate managed in the Google Admin console. Client-side encryption is available on Enterprise Plus with a customer-managed key from an external key service. The BAA is available on eligible paid Workspace plans through the Google Admin console.