Encrypt an Email in Gmail Outlook and Beyond With Real Compliance

encrypt an email guide featured image

๐Ÿ”‘ Key Takeaways

  • Every mail platform encrypts differently; personal Gmail and Outlook.com have no native option.
  • Microsoft 365 Business Premium exposes an Encrypt button that triggers Purview at the server.
  • Gmail Confidential Mode restricts forwarding but auditors reject it as real body encryption.
  • S/MIME and PGP require the recipient to hold a matching key, which caps their real reach.
  • Compliance needs a signed BAA, retained logs, and policy encryption, not per-message clicks.

To encrypt an email means scrambling the message body and attachments so only the intended recipient can read them. The steps vary by mail platform and by how strong the encryption needs to be.

This guide walks through the practical methods in order of increasing security, covers the cost of each, and explains where each fits. For practices sending patient information, dedicated encrypted email services are usually the shortest path.

Skip to the section that matches your mail platform if you already know which one you use. Otherwise, read from the top to compare.

The five ways to encrypt an email you might encounter

Encryption for email comes in five practical forms. Each targets a different scenario, and knowing the differences prevents wasted setup effort.

  • TLS between mail servers, on by default across Gmail, Outlook.com, and Microsoft 365.
  • Confidential Mode in Gmail, which restricts actions but does not encrypt the body.
  • Microsoft Purview Message Encryption in Outlook, triggered by the Encrypt button.
  • S/MIME and PGP end-to-end encryption, using certificates or key pairs.
  • Gateway-based encryption services that route mail through a compliant server.

TLS is baseline. Confidential Mode is not real encryption. Purview and S/MIME are the Microsoft- and Google-native strong options. Gateways are the third-party option that works on any account.

Related coverage on the same territory is in to encrypt an email and can I encrypt an email.

How to encrypt an email in Outlook using the Encrypt button

Microsoft 365 Business Premium and Enterprise plans include Purview Message Encryption. The user experience is a single button in the compose window.

  • Open Outlook and start a new message.
  • On the desktop app, click Options in the ribbon, then Encrypt.
  • On Outlook web, click the three-dot menu in the compose window, then Encrypt.
  • Choose an encryption policy from the dropdown, such as Encrypt Only or Do Not Forward.
  • Compose and send the message as normal.

Internal recipients on the same tenant read the message directly in Outlook. External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode.

The Microsoft Purview Message Encryption documentation covers the policy options and setup steps in more depth. Sibling coverage in how do you encrypt an email outlook covers the same flow from a different angle.

encrypt an email in article illustration one

How to encrypt an email in Gmail with hosted S/MIME

Gmail on Google Workspace Enterprise Plus supports hosted S/MIME, which encrypts messages end-to-end using certificates. It is the only Google-native option that meets healthcare compliance.

The admin enables S/MIME encryption for outgoing email in the Google Admin console. Each user uploads a personal certificate through their Gmail settings.

Once configured, composing a message shows a lock icon next to the recipient field. If the recipient’s certificate is available, the icon shows green and the message will encrypt automatically.

Recipients without a certificate fall back to standard TLS delivery. That fallback is why S/MIME alone is not sufficient for a full compliance program.

The Google Workspace S/MIME setup guide covers the certificate policies. For the Outlook variant of the same standard, see encrypting an email outlook.

How the main platforms compare on cost and compliance

The right platform depends on the existing subscription, the compliance requirement, and the recipient’s technical skill. A side-by-side view helps narrow the choice.

Method Monthly cost per user Meets HIPAA Recipient friction Setup effort
Outlook Encrypt button (M365 Business Premium) Around $22 Yes, with BAA Low, portal fallback Low
Google Workspace Enterprise Plus S/MIME Around $30 plus certificate cost Yes, with BAA High, needs recipient certificate High
PGP via Mailvelope on any plan Free, plus mail plan cost Case by case documentation Very high, needs PGP client Medium
Gateway service on any plan $5 to $15 Yes, BAA in base plan Low, portal fallback Low, DNS record

For a solo practice, the gateway path costs the least and meets compliance out of the box. For a Microsoft 365 tenant already at Business Premium, the Encrypt button is already paid for and adds nothing more. Google Workspace Enterprise Plus is the most expensive path per user.

Example

A solo dermatologist on Google Workspace Business Standard needs to send a pre-op consultation summary to a patient using yahoo.com. Confidential Mode is available but Yahoo does not honor the SMS gate, and Confidential Mode fails the HIPAA encryption test regardless. Upgrading to Workspace Enterprise Plus for hosted S/MIME would cost about $30 per user plus certificate management. The dermatologist adds a $10-per-mailbox gateway service through a DNS change instead, signs the BAA, and continues composing in Gmail while every outbound message routes through automatic encryption.

Encrypting an email containing PHI

Protected health information carries specific HIPAA obligations. Encrypting an email that contains PHI is one part of a larger compliance stack.

The mail vendor needs to sign a Business Associate Agreement. The encryption needs to meet TLS 1.2 or higher for transmission and AES-256 or similar for at-rest storage.

Every send and open needs to appear in a retained audit log. Workforce training under the Security Rule needs to cover which channels are approved for PHI.

A single Encrypt button click on Outlook or a lock icon in Gmail satisfies the encryption piece. It does not satisfy the BAA, the audit log, or the training piece by itself.

Gateway services designed for healthcare cover all three technical pieces automatically. Sibling coverage in encrypt an email containing PHI covers the PHI-specific angle.

Encrypting an email through a gateway service

Gateway services encrypt outbound mail at the server, which removes the user decision. The setup is a DNS change rather than a client configuration.

  • Sign up with the vendor and receive an SPF record and DKIM key.
  • Add both records to the DNS zone for the practice domain.
  • Wait for DNS propagation, usually within a few hours.
  • Send a test message and verify it routes through the vendor’s server.
  • Sign the Business Associate Agreement or Data Processing Agreement provided by the vendor.

Once configured, every outbound message from the mailbox routes through the vendor’s gateway. The gateway applies the encryption policy before releasing the message.

End users see no change. Staff continue composing in Gmail or Outlook, and the encryption happens invisibly. Mailhippo is one example of that model.

The HIPAA Journal breakdown of compliant email covers the vendor-selection criteria in more depth.

encrypt an email in article illustration two

Encrypting an email with a PGP browser extension

PGP through a browser extension works on any mail account, including personal Gmail and Outlook.com. It is the strongest end-to-end option and the most flexible for individuals.

Install Mailvelope from the Chrome or Firefox extension store. The extension generates a PGP key pair on first run and stores the private key locally in the browser.

Share the public key with correspondents through a keyserver or a signed message. Both sides need each other’s public keys before encryption works.

Composing in Gmail then shows a Mailvelope button. Clicking it opens a secure editor inside the browser. The message is encrypted locally before being pasted into the Gmail compose window.

The tradeoff is friction. Every recipient needs a PGP client, which excludes patients and most business correspondents. PGP fits technical audiences and individual privacy scenarios rather than mainstream healthcare.

Encrypting attachments separately from the message body

Sometimes only the attachment carries sensitive data. Password-protecting the attachment lets the email travel through any provider.

  • Compress the file with 7-Zip, WinRAR, or Windows built-in compression, and enable AES-256 encryption.
  • Set a strong password of 12 characters or more.
  • Attach the encrypted archive to the email.
  • Share the password over a phone call, SMS, or in-person conversation.

The mail server does not see the file contents, so the file travels through Gmail or Outlook as opaque data. The recipient extracts the archive with the shared password.

This method is not HIPAA compliant on its own because it produces no audit trail and the password channel is often insecure. It fits one-off file transfers between organizations without a shared encryption service.

๐Ÿ’กPro Tip: Default-encrypt at the gateway, not per message

Relying on staff to click Encrypt on the right messages fails predictably during busy hours. A single missed click on a message containing PHI counts as a HIPAA violation. Route every outbound message through a gateway that encrypts by policy at the server. The user experience does not change, the audit log captures every send, and the failure mode where someone forgets the button disappears entirely.

Verifying an outbound message actually went out encrypted

An encrypted send is only useful if the encryption held. Both Gmail and Outlook provide ways to verify.

In Gmail, open the sent message and click the three-dot menu, then Show Original. The header displays the TLS status of the delivering connection.

In Outlook desktop, right-click the message and choose Message Options. The header lines show Received records with TLS version details.

For Purview or S/MIME messages, the sent view shows a lock or shield icon in the header. Clicking the icon shows the encryption policy applied.

If none of those indicators appear, the message either traveled without encryption or fell back to a lower tier than expected. Sibling coverage in what happens when you encrypt an email outlook covers the outbound side.

When to encrypt every message versus specific messages

User-driven encryption depends on the user deciding correctly each time. Compliance frameworks treat that decision as a weakness because a single missed message counts as a violation.

The alternative is policy-based encryption at the gateway. Every outbound message routes through the encryption layer, regardless of whether the user clicked a button.

Policy-based encryption uses rules to decide what to protect. Rules can trigger on keywords, recipient domain, sender department, or data classification labels. The user does not need to know the rule was applied.

For healthcare practices, policy-based encryption on every outbound message is the safer default. It removes the failure mode where a staff member forgets to click Encrypt on a specific message.

The right method for your workflow

Choosing the right method comes down to the mail platform, the compliance requirement, and the recipient list.

Microsoft 365 Business Premium tenants can use the Encrypt button in Outlook. The BAA is in place if the tenant is configured correctly, and the recipient side is handled through the portal.

Google Workspace tenants on Enterprise Plus can use hosted S/MIME. Lower tiers need a gateway service or a browser extension.

Practices on any mail plan needing compliance in a solo or small clinic setting default to a gateway service. The cost is the lowest, the setup is the shortest, and the audit trail is built in.

Practices reviewing email decisions alongside the broader patient outreach can pair the choice with a look at healthcare digital marketing services to align intake, messaging, and encryption under a single vendor stack. For the mailbox itself, Mailhippo secure email service covers the loop end to end.

Frequently Asked Questions

What is the simplest way to encrypt an email? +

On Microsoft 365 Business Premium or higher, click the Encrypt button in the Outlook Options ribbon. That is the shortest path. On Google Workspace Enterprise Plus, hosted S/MIME encrypts automatically once your certificate is installed. On any other plan, install a browser extension like Mailvelope for PGP or sign up for a gateway service that adds encryption through a DNS change. The gateway approach is the simplest across the board because it works regardless of the platform and does not require the recipient to have any special setup.

Do I need to encrypt every email I send? +

No. TLS encryption between mail servers is on by default for Gmail, Outlook.com, and Microsoft 365, which handles routine messages. You only need message-level encryption for content that includes protected health information, financial account data, personal identifiers of EU residents, or Controlled Unclassified Information. If the message would cause a compliance obligation on exposure, encrypt it. If it would not, TLS is enough. That said, gateway services often encrypt everything by default because deciding message by message is where most breaches happen.

Does encrypting an email hide it from my mail provider? +

Only if you use end-to-end encryption. TLS encryption protects the message on the wire between mail servers, but the provider stores the message decrypted on its own servers and can read it. Microsoft Purview and gateway services encrypt at the server, which prevents casual access but still gives the provider decryption capability. S/MIME and PGP encrypt at the sender’s device with the recipient’s public key, so the provider never holds the decryption key. That is the only model that hides the message from the provider.

Can I encrypt an email to someone who does not use encryption? +

Yes, if you use a gateway service or Microsoft Purview Message Encryption. Both handle recipient-side decryption automatically through a portal link and a one-time passcode. The recipient needs no certificates, keys, or account. If you use S/MIME or PGP without a portal fallback, the recipient must already have a matching certificate or key. That is why S/MIME and PGP are practical inside organizations and impractical for reaching patients or one-off external contacts.

What happens when I encrypt an email in Outlook? +

The message body and attachments are encrypted on the Microsoft server before delivery. Internal recipients on the same tenant read the message directly in Outlook because the encryption keys travel inside the tenant. External recipients receive a notification email with a Read the message button. Clicking the button opens outlook.office.com, where the recipient signs in with Microsoft, Google, or a one-time passcode. Once signed in, the message body appears in the browser. The Reply button in the portal sends secure replies back through the same channel.

Is it possible to encrypt an email with a specific subject line included? +

Usually not. Most encryption methods, including S/MIME, PGP, and Microsoft Purview Message Encryption, encrypt only the message body and attachments. The subject line stays in plain text because mail servers use it for routing, filtering, and threading. Sensitive information should therefore stay out of the subject line even when the message body is encrypted. Some experimental protocols encrypt the subject as well, but interoperability with mainstream mail clients drops sharply when they do, so mainstream services do not implement it.

How do I encrypt an email containing PHI on a small practice budget? +

The cost-effective path is a gateway-based compliant email service, which typically runs $5 to $15 per mailbox per month and includes the Business Associate Agreement in the base plan. A solo practitioner or small clinic can operate compliantly at that price point. The alternatives cost more. Google Workspace Enterprise Plus runs around $30 per user for hosted S/MIME. Microsoft 365 Business Premium runs about $22 per user. Both require certificate management or admin configuration on top. The gateway approach avoids both.

How Do You Encrypt an Email in Outlook, Gmail, and Office 365

how do you encrypt an email guide featured image

๐Ÿ”‘ Key Takeaways

  • Modern Outlook uses Purview from the Encrypt ribbon. Outlook 2013 and older still route via S/MIME.
  • Personal Gmail has only Confidential Mode. Workspace Enterprise adds hosted S/MIME for true E2E.
  • Attachments inherit message encryption, or lock the file first with Acrobat, Word, or 7-Zip AES-256.
  • Office 365 Encrypt needs Business Standard or higher plus Azure Rights Management on the tenant.
  • A gateway skips per-user certs, works from Gmail or Outlook, and ships a BAA in the base plan.

Encrypting an email is a different set of steps in every mail client. Outlook has a button. Gmail has two paths that look similar but work differently. Outlook 2013 uses an older S/MIME workflow. Attachment encryption is its own separate topic.

This guide covers each of them in order. It also flags the HIPAA implications for practices sending PHI. For a cross-client path that works uniformly, a gateway service delivers encrypted email to any recipient without version dependencies.

Every section stands on its own with the menu paths named directly. Skip to the client and version that matches your setup.

Encrypt an Email in Modern Outlook on Microsoft 365

Modern Outlook on Business Standard and above adds an Encrypt button to the compose window. The service is Microsoft Purview Message Encryption.

Open Outlook. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Business Basic tier and free personal Outlook.com do not have the Encrypt button. Related linked topic: how do you encrypt emails for a broader coverage of alternatives.

Encrypt an Email in Outlook 2013 With S/MIME

Outlook 2013 supports S/MIME natively but has no Purview Encrypt button. The workflow uses the Trust Center and a client-installed certificate.

Install an S/MIME certificate in the Windows personal certificate store. Open Outlook. Go to File, Options, Trust Center, Trust Center Settings, Email Security.

Under Encrypted email, click Settings. Pick your signing certificate and your encryption certificate. Choose whether to sign or encrypt by default. Click OK.

To encrypt a single message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key. This workflow also applies to Outlook 2016, 2019, and Outlook LTSC 2021 when S/MIME is the chosen path.

how do you encrypt an email in article illustration one

Encrypt an Email in Gmail With Confidential Mode

Gmail confidential mode is available on all Google Workspace tiers and personal Gmail. Click the lock and clock icon at the bottom of the compose window.

Set an expiration date from the dropdown. Choose whether to require a passcode. Passcode by SMS is the higher-security option. Click Save.

Write the message and click Send. The recipient receives a link. They open it in a browser, enter the passcode if required, and read the message in a hosted view.

Confidential mode is not end-to-end encryption. Google holds the keys. The mode prevents forwarding, copying, and printing. It does not seal the content against the provider. For HIPAA-scoped mail, confidential mode alone is not sufficient.

Encrypt an Email in Gmail With Hosted S/MIME

Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.

The admin uploads root and intermediate CA certificates in the Google Admin console under Apps, Google Workspace, Gmail, User Settings, then S/MIME. Enable S/MIME for the organizational unit.

Each user uploads their personal certificate through Gmail settings under Accounts. Once configured, a lock icon appears next to the recipient field. Green means encryption is possible.

Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME messages. The encrypted content arrives as an unopenable attachment. See Google Workspace admin help for the current tier list.

Example

A physical therapy clinic on Microsoft 365 Business Premium builds an automatic DLP rule in the Purview compliance portal. The rule matches the US HIPAA template and triggers when outbound messages contain MRN patterns or SSN patterns. Action: apply Do Not Forward automatically. A new hire forgets to click Encrypt when replying to an insurance verifier and pastes a partial MRN into the body. The DLP rule fires server-side, encrypts the message, and creates an audit log entry the compliance officer reviews weekly.

Encrypt an Email Attachment for Extra Protection

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. This is sufficient for most cases.

For extra protection, encrypt the file itself before attaching. This adds a second layer that survives even if the message encryption fails or the recipient forwards the message to an unencrypted inbox.

Common attachment encryption tools:

  • Adobe Acrobat for PDF password protection with AES-256
  • Microsoft Word, Excel, PowerPoint via File, Info, Protect Document, Encrypt with Password
  • 7-Zip for archive password protection with AES-256
  • Apple Preview for basic PDF password protection on macOS

Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password. Related linked topic: encrypt an email.

how do you encrypt an email in article illustration two

Encrypt an Email in Office 365 With Automatic DLP Rules

Office 365 supports automatic encryption through Data Loss Prevention rules on Business Premium and Enterprise tiers. This removes the human step of clicking Encrypt.

The admin opens the Microsoft Purview compliance portal. Under Data Loss Prevention, create a new policy. Choose a template for U.S. Health Insurance Act (HIPAA) or a custom policy with SSN, MRN, or ICD patterns.

Configure the action. Apply Do Not Forward, Encrypt-Only, or a custom rights template when a match is found. The policy can also block the send or require justification.

Automatic DLP encryption reduces the risk of staff forgetting to click Encrypt on a sensitive message. It also creates audit trail evidence that the covered entity applied technical safeguards under the HHS Security Rule.

Encrypt an Email With PGP Using FlowCrypt

FlowCrypt is a browser extension that adds PGP support to Gmail. It works on personal Gmail and any Google Workspace tier.

Install the extension from the Chrome or Firefox web store. Create a keypair when prompted. Back up the private key to a hardware token or an encrypted vault.

Send a secure message from the FlowCrypt compose window inside Gmail. The extension encrypts the body with the recipient public key if it is in the FlowCrypt cache. If not, the extension prompts for the recipient key or sends through the FlowCrypt password-protected fallback.

PGP is not native to any major business mail workflow. FlowCrypt fills that gap for teams that want end-to-end encryption without moving to Google Workspace Enterprise. It is not commonly used in regulated healthcare settings.

๐Ÿ’กPro Tip: Automate PHI encryption through DLP rules, never rely on manual clicks

Staff forget to click Encrypt on sensitive messages, especially during busy scheduling windows or shift handoffs. A single missed click is a HIPAA breach. Configure DLP rules in the Microsoft Purview compliance portal or Google Workspace Data Loss Prevention to match SSN, MRN, ICD-10, and custom keyword patterns. Apply Encrypt or Do Not Forward automatically when a match is found. This removes the human factor from compliance and creates audit trail evidence during OCR investigations.

Encrypted Email Options Compared

The table below compares the main paths a business considers.

Method Client Support Recipient Setup End-to-End HIPAA Fit
Outlook Encrypt (Purview) M365 Business Standard+ Passcode or SSO No, portal Yes with BAA
Outlook S/MIME Outlook 2013+ Certificate install Yes Peer traffic
Gmail confidential mode All Workspace Passcode No Not sufficient alone
Gmail hosted S/MIME Workspace Enterprise+ Certificate install Yes Yes
FlowCrypt PGP Gmail via extension PGP key exchange Yes Rare in healthcare
Gateway (Mailhippo) Any provider Passcode Portal-based Yes with base plan BAA

HIPAA Notes on Encrypting Email in Practice

Encryption is one technical safeguard among many. HIPAA requires access controls, audit logging, session timeouts, workforce training, and a signed BAA with each business associate.

Automatic DLP triggers reduce the risk of missed manual encryption. Portal delivery removes the recipient-side certificate requirement. Both are practical for a real HIPAA workflow.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Document policies and train staff. See related healthcare security features context.

Retention matters. Encrypted mail counts as PHI storage. Retention policies must match state medical board rules and the six-year HIPAA administrative retention requirement.

When a Gateway Is the Better Fit

Managing S/MIME certificates across a small team is meaningful operational work. Certificate expiration, mobile provisioning, and cross-platform trust chains all take time.

A gateway service removes the certificate step. The sender writes in the normal client. A trigger word or plugin button triggers encryption. The recipient reads in a browser.

Mailhippo works this way on top of Gmail or Outlook. It includes a BAA in the base plan. It works uniformly on desktop and mobile without version dependencies. See related how to encrypt an email for the broader walkthrough. Practices building a compliant public-facing site can pair this with HIPAA-conscious website design so intake, contact, and email flows stay inside the same compliance boundary.

Frequently Asked Questions

How do you encrypt an email in Outlook? +

On Microsoft 365 Business Standard and above, open a new message and click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The recipient receives a link and authenticates with Microsoft, Google, or a one-time passcode. On older Outlook versions with S/MIME, install a certificate through the Trust Center under Email Security, then click the encrypt icon in the compose window before sending. The two paths produce different recipient experiences.

How do you encrypt an email in Gmail? +

Click the lock and clock icon at the bottom of the compose window for confidential mode. Set expiration and passcode. Write and Send. This is not end-to-end encryption. For true end-to-end on Google Workspace Enterprise, the admin configures hosted S/MIME and each user uploads a personal certificate. A lock icon then appears next to the recipient field. Green means encryption is possible. For personal Gmail, install a plugin like FlowCrypt to add PGP support. Confidential mode alone is not HIPAA-appropriate.

How do you encrypt an email attachment? +

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. For separate protection, encrypt the file before attaching. Open the PDF in Adobe Acrobat, choose Protect, set a password. Open the docx in Word, choose File, Info, Protect Document, Encrypt with Password. For archives, use 7-Zip with AES-256. Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password.

How do you encrypt an email in Office 365? +

Open Outlook on desktop, mobile, or the web. Start a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The Encrypt button is available on Business Standard, Business Premium, Enterprise E3, Enterprise E5, and Government plans. Admins configure encryption templates in the Microsoft Purview compliance portal. Automatic encryption through DLP rules is available on Business Premium and Enterprise plans, which triggers Encrypt when messages match sensitive data patterns like SSN or MRN.

How do you encrypt an email in Outlook 2013? +

Outlook 2013 supports S/MIME but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings, pick your certificate, and choose to sign or encrypt by default. To encrypt a specific message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key.

How do you use encrypted email in daily workflow? +

Set a policy. Encrypt any message containing PHI, PII, or financial data. Use S/MIME for peer recipients who hold certificates. Use portal encryption or Outlook Encrypt for external recipients on any provider. Verify recipient email address before sending. Confirm identity by phone before releasing any attachment password. Log the send in the practice communication system if required by policy. Train staff on the trigger words that identify sensitive content and the correct encryption path for each recipient type.

Can you encrypt an email to a recipient without setup on their side? +

Yes, with portal-based encryption. Outlook Encrypt, Gmail confidential mode, and third-party gateways all use a portal model where the recipient receives a link, authenticates with a passcode or SSO, and reads the message in a browser. The recipient needs only a modern browser and the passcode. S/MIME and PGP require setup on both sides because the recipient client must decrypt with a private key it holds. Portal delivery is the model to use when the recipient set is variable or non-technical.

How to Encrypt Email Across Common Clients and Compliance Cases

encrypt email guide featured image

๐Ÿ”‘ Key Takeaways

  • Encrypt email splits four ways: TLS transport, S/MIME, PGP keys, or portal-based delivery.
  • TLS drops to plaintext if the receiving server fails to negotiate, so it fails as a standalone.
  • S/MIME and PGP encrypt the message content but need certificates or keys installed on both sides.
  • Portal services skip recipient setup and fit patient mail because zero install runs on their end.
  • HIPAA needs a signed BAA plus encryption in transit and at rest, not just any single method.

Encrypt email covers four different technical methods that each solve a different problem. Transport Layer Security handles the connection layer. S/MIME and PGP handle the message content. Portal-based services handle the recipient experience for external contacts.

This guide covers how to encrypt email across the major clients and use cases. Each method has a specific fit. Match the tool to the sensitivity of the content and the recipient environment.

The right choice depends on plan level, staff count, and how often external recipients change. Read each section for the fit and decide based on the actual send flow.

TLS Is the Baseline Encryption Every Modern Mail Server Uses

Transport Layer Security protects the connection between two mail servers. When one server sends to another, both negotiate a TLS handshake and encrypt the traffic in flight. Any observer on the network path sees only ciphertext.

TLS is on by default in Gmail, Outlook, Apple Mail, Yahoo, and every other major provider. Users do not turn it on. Administrators do not configure it per message. It happens automatically when both servers support it.

The catch is opportunistic fallback. If the receiving server does not support TLS, the sending server delivers the message in plaintext by default. No warning, no error. The sender sees a padlock in the client and assumes encryption, but the message reached the recipient over an unencrypted link.

For regulated content, the fallback rules out TLS as a standalone protection. The NIST SP 800-45 guide on email security recommends verified end-to-end encryption for sensitive email, not opportunistic TLS.

S/MIME Encrypts Message Content in Outlook and Apple Mail

S/MIME uses X.509 certificates to encrypt the message content itself. Once encrypted, only the recipient with the matching private key can read the message. The mail provider stores ciphertext and cannot decrypt.

Outlook supports S/MIME on all plans that include the desktop apps. Apple Mail supports S/MIME natively on macOS and iOS. Gmail supports S/MIME on Workspace Enterprise Plus, Education Standard, and Education Plus.

Setup requires a certificate for the sender and a certificate for the recipient. Certificates come from a trusted authority like DigiCert, Sectigo, or IdenTrust. Public keys attach to signed messages, so correspondents build up a keyring by receiving signed mail from each other.

S/MIME works well between internal users and formal partner organizations with matching PKI. It does not work well for one-off external contacts because most personal accounts do not have S/MIME set up.

encrypt email in article illustration one

PGP Uses an Open-Source Key Model

PGP is the open-source alternative to S/MIME. It does the same job with a different key management model. Users generate a public and private key pair, share the public key with correspondents, and encrypt messages with the recipient public key.

Thunderbird has built-in PGP support. Mailvelope provides a browser plugin for Gmail. GPG Suite covers Apple Mail on macOS. Outlook needs a third-party add-in like Gpg4win.

PGP has stronger cryptographic flexibility than S/MIME but a steeper learning curve. Key generation, keyserver management, and web-of-trust verification all fall to the user. Recipients unfamiliar with the process will not decrypt a PGP message without help.

PGP fits technical users and organizations where security-conscious sender and recipient both know the tooling. It does not fit patient-facing healthcare communication because most patients cannot manage PGP keys.

Portal Services Handle the External Recipient Case

Portal-based encrypted email services solve the friction problem that S/MIME and PGP create for external recipients. The sender writes the message in the normal client. The service encrypts the message and delivers a notification email with a click-to-open link.

The recipient clicks the link, verifies with a one-time passcode or a portal password, and reads the message in a browser. No key management, no certificate exchange, no software install for the recipient.

This is the model most healthcare practices adopt for patient-facing PHI. It works for patients, external providers, and vendors on any mail platform. The recipient does not need to configure anything on their end.

The tradeoff is that the message content lives on the vendor server. Vendor selection matters because that server becomes part of the compliance boundary. Portal services with a signed BAA and audit logging fit HIPAA. Consumer messaging apps generally do not.

Example

A three-provider chiropractic office wants encrypted email for referrals. The office manager tests opportunistic TLS to a regional insurer, but the insurer server drops TLS on receipt and delivers cleartext. The manager then tests S/MIME, but the insurer contact has no certificate. Finally the manager routes the message through a portal-based HIPAA service. The insurer clicks the notification, enters a one-time passcode, and reads the referral in 45 seconds. The office standardizes on the portal path for external referrals.

Encrypting Attachments Follows the Whole-Message Method

Attachments encrypt through the same method as the message body when using Purview, S/MIME, PGP, or a portal service. The sender does not need to encrypt attachments separately. The whole message envelope carries the encryption to the recipient.

Practices that need a separate attachment method have three options:

  • Save the file as a password-protected PDF and share the password through a different channel
  • Place the file in an encrypted ZIP archive using 7-Zip or WinZip with AES-256
  • Use a HIPAA-compliant file transfer service for very large files that exceed mail size limits

The whole-message method is easier for recipients and less error-prone than juggling separate passwords. Password-protected PDFs and ZIP files also fail when the sender emails the password in the same conversation, which happens frequently.

Once a recipient decrypts and downloads an attachment, the local copy is no longer covered by the sender-side encryption. HIPAA rules on the local file remain in force. That is a downstream concern for the recipient environment.

encrypt email in article illustration two

HIPAA Requires More Than the Encrypt Button

HIPAA compliance for email transmission requires four things: a signed business associate agreement with the mail platform, verified encryption in transit and at rest, access logs for six years, and workforce training on when to send PHI over email.

The Encrypt button alone does not cover all four. It covers the transmission layer. The BAA, the logging, and the training all fall to the covered entity to configure and maintain.

Microsoft 365 and Google Workspace both include HIPAA-eligible configurations with signed BAAs. Administrators accept the BAA in the admin center. The BAA applies to the tenant from that point forward. The covered entity handles the rest.

Dedicated HIPAA email services like Mailhippo include the BAA in the base plan without requiring plan upgrades on the underlying mail platform. This matches practices that need HIPAA-safe email but do not want to reconfigure the whole tenant.

Mobile Clients Support the Same Methods

Encrypt email on mobile works through the same methods as desktop. Outlook mobile supports Microsoft Purview Encrypt-Only and Do Not Forward through the same Encrypt option in the compose menu. Recipients open messages in the browser tab or in the Outlook mobile app.

Apple Mail on iOS supports S/MIME natively. Certificates install through a Configuration Profile pushed by mobile device management. The Encrypt icon appears in the compose window once the certificate is available.

Gmail mobile supports Confidential Mode through the standard compose interface. Portal-based encrypted email services provide mobile apps or work through the mobile browser. Mailhippo, Proofpoint, and other vendors all support mobile recipient flows.

The mobile recipient experience matters for patient-facing mail. Many patients read email on a phone. The service should present a clean mobile view of the decrypted message with tap-friendly buttons.

๐Ÿ’กPro Tip: Match the encryption method to the recipient population

Portal services fit patients and one-off external contacts because zero setup is required on the recipient end. S/MIME fits internal staff or partner organizations with managed PKI where certificates already exist. PGP fits technical users only. TLS fits general business mail with no regulated content. Picking the wrong method for the recipient population is the fastest way to tank open rates and force staff back to unencrypted workarounds.

Cost Varies From Free to Enterprise Tier

Encrypted email cost ranges widely. TLS is free and included in every mail platform. Gmail Confidential Mode is free with any Gmail account. S/MIME certificates cost fifty to several hundred dollars per user per year depending on the authority and support level.

Microsoft Purview Message Encryption requires Business Premium at around twenty-two dollars per user per month, up from Business Basic at six dollars. That is a plan-wide upgrade, not a per-message cost. Dedicated HIPAA services typically run five to twenty dollars per user per month depending on plan tier.

Practices on Business Basic or Business Standard often find a dedicated HIPAA service costs less than upgrading every seat to Business Premium. The math depends on how many seats need to encrypt versus how many just handle general mail.

Compare total cost of ownership, not just per-seat rate. Setup time, training, and ongoing configuration also count. A simpler service with a higher per-seat rate can cost less overall.

The Recipient Experience Determines Adoption

The single largest factor in encrypted email adoption is the recipient experience. Every step the recipient has to take lowers the open rate on regulated messages. Every extra sign-in or password reset lowers it further.

The rough order from easiest to hardest recipient experience is:

  • TLS message that arrives inline with no extra step
  • Portal service with a one-click link and one-time passcode
  • Portal service with account registration and password
  • S/MIME message that requires certificate pre-install
  • PGP message that requires key pair generation

Practices should match the method to the recipient population. Patient-facing mail needs the simplest recipient path. Internal mail between staff can use a more complex path because the setup is done once during onboarding.

Measure the open rate on encrypted messages. If the rate drops significantly compared to regular mail, the recipient path is too long. Switch to a shorter path.

Mailhippo Handles the HIPAA Case With One-Click Recipient

Mailhippo secure email service works with existing Gmail or Outlook accounts and includes a signed BAA in the base plan. There are no PGP keys, no S/MIME certificates, and no license upgrades on the underlying mail platform.

The sender writes the message in a browser interface or through an add-in. Mailhippo encrypts the content and delivers a notification email to the recipient. The recipient clicks the link, enters a one-time passcode delivered to the same email address, and reads the message.

This is the shortest recipient path among common HIPAA options. Patients on any mail platform can open the message on desktop or mobile. Attachments open inline. Replies encrypt automatically back to the sender.

The broader compliance stack includes healthcare website security features, patient portal configuration, and internal access controls. Encrypted email is one layer. The full stack covers the practice end to end.

Frequently Asked Questions

How do I encrypt an email in Outlook? +

Open a new message in Outlook. Click Options in the ribbon, click Encrypt, and pick Encrypt-Only or Do Not Forward. Write the message and click Send. Microsoft Purview handles the encryption and delivery. External recipients receive a notification email with a Read the message button that opens the content in a browser tab. They sign in with a Microsoft or Google account or request a one-time passcode. The Encrypt button requires Microsoft 365 Business Premium or higher.

How do I encrypt an email in Gmail? +

Gmail Confidential Mode is the built-in encryption option. Click the padlock and clock icon in the compose window, set an expiration date, and optionally require SMS verification. Confidential Mode blocks forward, copy, download, and print. It is not end-to-end encrypted and does not meet HIPAA requirements on its own. For HIPAA, use Google Workspace with a signed BAA plus Google Workspace client-side encryption, or route messages through a dedicated HIPAA email service that includes the BAA in the base plan.

How do I encrypt an email attachment? +

The simplest method is to encrypt the whole message using Microsoft Purview, S/MIME, PGP, or a portal-based service. All four methods encrypt the message body and attachments together. To encrypt an attachment separately, save it as a password-protected PDF, or place it in an encrypted ZIP file using 7-Zip or WinZip with AES-256. Share the password through a separate channel. The whole-message method is easier for recipients and less error-prone than the separate password method.

What is the difference between S/MIME and PGP? +

S/MIME uses X.509 certificates issued by trusted certificate authorities. The user pays for a certificate, installs it in the mail client, and encrypts using recipient certificates. PGP uses an open-source key pair generated by the user. Public keys share on keyservers or through direct exchange. Both methods encrypt at the message level. S/MIME integrates with Outlook, Apple Mail, and Gmail Enterprise. PGP integrates with Thunderbird, Mailvelope, and GPG Suite. S/MIME is more common in corporate settings. PGP is more common among technical users.

Is TLS enough to encrypt email for HIPAA? +

No, TLS alone does not satisfy the HIPAA transmission security standard reliably. TLS is opportunistic. If the receiving mail server does not support TLS, the sending server delivers in plaintext without any warning. The sender assumes encryption but the message reaches the recipient over an unencrypted connection. HIPAA requires verified encryption for PHI transmission. Use a message-level method like Microsoft Purview, S/MIME, or a portal-based service that enforces encryption on every send with no plaintext fallback.

Can I encrypt email to any recipient? +

Yes, if you use the right method. TLS reaches any recipient but drops to plaintext if the receiving server does not support TLS. S/MIME and PGP only work if the recipient has a matching certificate or key. Portal-based services work for any recipient because the message decrypts in a browser after a one-time verification. Practices sending to patients and external contacts on mixed platforms usually choose a portal-based method for the widest compatibility.

Do encrypted emails stay encrypted after the recipient opens them? +

It depends on the method. S/MIME and PGP messages stay as encrypted ciphertext in the mail client and decrypt on demand each time the recipient views them. Portal-based services keep the message encrypted on the server and decrypt in the browser for viewing. Microsoft Purview messages stay encrypted at rest. Once a recipient downloads an attachment or copies content out of the encrypted view, the local copy is no longer covered by the sender-side encryption.