Encrypting an Email Explained From Setup to Recipient View

encrypting an email guide featured image

๐Ÿ”‘ Key Takeaways

  • Encryption turns the message body and attachments into ciphertext only the reader can decrypt.
  • Business Premium unlocks the Outlook Encrypt button; lower tiers need a bump or a HIPAA service.
  • Gmail client-side encryption requires Workspace Enterprise Plus and a customer-managed key service.
  • Attachments encrypt with the body across S/MIME, PGP, Purview, and Google client-side encryption.
  • Encryption alone fails HIPAA without a signed BAA, access logs, staff training, and response plan.

Encrypting an email converts the message body and attachments into ciphertext that only an authorized recipient can read. The sending client, the mail server, or both handle the encryption depending on the method used.

This guide covers the current methods for encrypting an email across Outlook, Gmail, and HIPAA-focused services. It explains the setup, the sender steps, the recipient experience, and when a dedicated encrypted email service is a simpler fit.

Encryption is one layer in a broader security posture. The right method depends on plan level, recipient environment, and compliance requirements. Read each section to match the method to the use case.

Encryption Standards Fall Into Three Main Categories

Email encryption uses three main models: transport-level encryption, message-level encryption, and portal-based encryption. Each model protects a different segment of the delivery path.

Transport-level encryption uses TLS between the sending and receiving mail servers. TLS is the baseline. It protects the message during network transmission but leaves the content in cleartext on the mail servers at each end.

Message-level encryption uses S/MIME or PGP to encrypt the message body and attachments before they leave the sending client. Only the recipient key can decrypt the message. The mail servers see ciphertext.

Portal-based encryption stores the encrypted message on a server and delivers a link to the recipient. Microsoft Purview Message Encryption and most HIPAA email services use this model. The recipient authenticates and reads the message in a browser session.

Microsoft Purview Message Encryption Covers Most Outlook Users

Microsoft Purview Message Encryption is the default encryption path for Outlook users on Microsoft 365 Business Premium and higher. The sender clicks Options, then Encrypt, in the ribbon of a new message. Purview handles the encryption and delivery on the server side.

Two options appear: Encrypt-Only and Do Not Forward. Encrypt-Only encrypts the content and lets the recipient reply, forward, and print. Do Not Forward encrypts the content and blocks forward, print, and download.

External recipients on Gmail, Yahoo, or another provider receive a notification email with a Read the message button. The button opens outlook.office365.com in a browser. The recipient signs in with a Microsoft or Google account or requests a one-time passcode.

Detailed sender steps are in the Microsoft support guide for encrypted messages in Outlook. The setup on the tenant side is minimal if Azure Rights Management is already active.

encrypting an email in article illustration one

Gmail Users Rely on Confidential Mode or Client-Side Encryption

Gmail offers two encryption features. Confidential mode is available on every Gmail account, including personal Gmail and every Workspace plan. Client-side encryption is available only on Workspace Enterprise Plus and Education Plus.

Confidential mode sets an expiration date and disables forward, copy, print, and download. It does not encrypt the message body in a way that meets HIPAA transmission requirements on its own. Google can still access the content on its servers.

Client-side encryption encrypts the message content in the browser before it reaches Google servers. The encryption keys are managed by the customer through an external key service. Google cannot decrypt the message.

Standard Workspace plans that need encryption for HIPAA use a gateway or a dedicated HIPAA email service. The Gmail interface stays the same. The encryption happens at the outbound gateway or at the service layer.

S/MIME Provides End-to-End Encryption With Certificates

S/MIME is a message-level encryption standard supported by Outlook, Apple Mail, and most enterprise mail clients. It uses X.509 certificates issued by a trusted certificate authority such as DigiCert, Sectigo, or IdenTrust.

The sender installs a personal certificate in the mail client. The recipient must also have an S/MIME certificate available. Outlook stores recipient certificates from signed messages the user has previously received.

Once certificates are in place, the sender clicks Encrypt on a new message. The mail client uses the recipient public key to encrypt the content. The recipient decrypts with the private key stored in the recipient client.

S/MIME provides true end-to-end encryption because no server between the sender and recipient can decrypt the message. The trade-off is certificate management. Practices with dozens of external recipients need a workflow for exchanging certificates before the first encrypted message can go out.

Example

A behavioral health group of eight clinicians switches from personal Gmail to Google Workspace Business Standard for HIPAA coverage. The admin accepts the BAA in the console, but discovers client-side encryption requires Enterprise Plus at roughly $30 per user. Instead of upgrading all eight seats at $240 per month, the group adds a HIPAA email service at $10 per clinician for $80 per month. The service handles PHI mail with encryption plus BAA, and Workspace Business Standard handles everything else.

PGP Handles Encryption Between Technical Users

PGP, sometimes called OpenPGP or GPG, is a second message-level encryption standard. It relies on a web of trust rather than a centralized certificate authority. Users generate a key pair and publish the public key to a key server or exchange it directly.

PGP is common in security research, legal work, and technical communities where both parties are comfortable managing keys. Mainstream Outlook and Gmail do not include PGP out of the box. Third-party plugins add support.

The strengths of PGP are strong cryptography and no dependence on a central authority. The weaknesses are key management overhead and a recipient experience that assumes technical familiarity. A patient receiving a PGP message will not know how to decrypt it.

Healthcare practices sending PHI to patients almost never use PGP because the recipient experience is unrealistic. PGP fits internal or business-to-business scenarios where both sides run the same tooling.

TLS Alone Does Not Meet HIPAA Transmission Requirements

TLS encrypts the connection between mail servers. It is the baseline for any modern mail transmission. TLS 1.2 and TLS 1.3 are the current versions in use, according to NIST SP 800-52 Rev. 2.

Opportunistic TLS is the common default. If the receiving server supports TLS, the connection uses TLS. If the receiving server does not support TLS, the connection falls back to cleartext. A sender using opportunistic TLS cannot guarantee the message stayed encrypted end to end.

Forced TLS requires the receiving server to support TLS or the message does not go out. Forced TLS is safer but harder to configure across a large recipient list. Most Outlook and Gmail tenants use opportunistic TLS by default.

HHS guidance treats TLS as acceptable for transmission but recommends message-level encryption for high-risk PHI. See the HHS Security Rule guidance for the current position. Practices should assume TLS alone is not sufficient.

encrypting an email in article illustration two

Sensitivity Labels Automate Encryption at Scale

Sensitivity Labels in Microsoft 365 apply encryption automatically based on content classification. Administrators define labels in the Microsoft Purview compliance portal and set rules that trigger a label when the message contains specific patterns.

Patterns can include medical record numbers, Social Security numbers, credit card numbers, or custom regular expressions for practice-specific fields. A matching pattern applies the label and the encryption policy in one step.

The sender does not have to remember to click Encrypt. The system enforces encryption based on content. This removes human error from the encryption decision on routine mail.

Deployment requires Microsoft 365 E3 or E5 licensing and configuration of Purview Information Protection. Sensitivity Labels fit large practices and health systems that already run Microsoft 365 at the enterprise tier.

Attachments Are Encrypted Along With the Message Body

Every current message encryption method encrypts attachments as part of the message. S/MIME, PGP, Microsoft Purview, and Google client-side encryption all treat attachments and the body as a single encrypted unit.

The recipient sees one verification step. After the sign-in or key decryption, both the body and the attachments become readable. Do Not Forward rights in Microsoft Purview show attachments in the portal preview and block download.

Attachment size limits apply before encryption is added. Outlook and Gmail cap standard attachments at 20 to 25 megabytes. Very large files exceed the limit and get rejected before encryption is even attempted.

Practices sending large imaging files, video, or full record sets should use a HIPAA-compliant file transfer service instead of email attachments. The email carries the link. The file transfer service handles the payload.

Encryption Alone Does Not Equal HIPAA Compliance

HIPAA compliance includes administrative, physical, and technical safeguards. Encryption is one of the technical safeguards. The covered entity is responsible for the full set.

The covered entity needs a signed business associate agreement with the email provider, access logging, workforce training, an incident response plan, and configuration that enforces encryption on PHI. Microsoft 365 and Google Workspace include a BAA as part of the standard business terms.

Practices that outsource the full mail security posture use a HIPAA email service that includes the BAA, encryption, access logs, and audit trails in a single plan. Mailhippo is one option for practices that want a HIPAA-compliant secure email service that works with an existing Gmail or Outlook account without switching providers.

The choice between running encryption inside Microsoft 365 or Google Workspace and using a dedicated service comes down to IT capacity, license cost across all seats, and the sensitivity of the mail volume.

๐Ÿ’กPro Tip: Test the recipient view before rolling out to staff

The sender view is not the recipient view. Send a test encrypted message to your own personal Gmail, Yahoo, and a corporate Outlook address. Walk through each opening path start to finish. If any path takes more than a minute or requires an account, patients will drop off. Front-desk staff who have not seen the recipient view cannot answer basic questions on the phone, and open rates on patient PHI mail crash within the first week.

Practical Setup Checklist for a First-Time Sender

A first-time sender can get an encrypted message out today by picking one path and running through the setup. The choice depends on the mail platform already in use.

  • Confirm the license level of the Microsoft 365 or Google Workspace tenant.
  • Verify that a business associate agreement is in place with the mail provider if PHI is involved.
  • Enable the Encrypt button in Outlook or client-side encryption in Gmail if the license supports it.
  • Test with an external recipient on a different mail platform to see the actual recipient view.
  • Document the sender steps for staff who will send encrypted mail on a routine basis.

The test send matters. The sender view is not the recipient view. A practice sending encrypted PHI to a patient should see the exact browser experience the patient will see before sending real mail.

Practices building the wider HIPAA posture around the encryption method also need to cover the website, intake forms, and patient portals. See the guide on healthcare website security features for the site-side controls that pair with encrypted email.

Common Errors When Encrypting an Email

Several errors show up in the first weeks of a new encrypted email workflow. Most trace back to license mismatch, recipient environment, or a missing configuration step on the tenant.

  • The Encrypt button does not appear in Outlook because the license is Business Basic or Business Standard.
  • The recipient does not receive the notification because a corporate spam filter blocks the outlook.office365.com sender.
  • The S/MIME send fails because the recipient certificate is not in the Outlook contact record.
  • The one-time passcode does not arrive because the recipient inbox filters bulk mail into a folder the recipient does not check.
  • Attachments exceed the 25 megabyte limit and get rejected before encryption is applied.

Each of these errors has a fix. Licensing is a purchase or a switch to a service that bundles encryption. Recipient filters can be addressed by asking the recipient to allow the sender domain. Certificates can be exchanged through a first signed message.

Related reading covers practical steps for common platforms: to encrypt an email, encrypting email in Outlook, email encrypting workflows, and what does encrypting an email do in outlook. Each guide breaks down the sender view for a specific tool.

When a Dedicated Encrypted Email Service Fits Better

A dedicated encrypted email service fits practices that need HIPAA compliance without adding license overhead or IT complexity. The service handles the encryption, the BAA, the access logs, and the recipient portal.

The sender writes mail in the same Gmail or Outlook interface. Outbound mail routes through the service gateway. The recipient gets a portal link or a native decrypt depending on the service configuration.

Mailhippo is a HIPAA-compliant secure email service that works with existing Gmail and Outlook accounts. The BAA is included in the base plan. Encryption applies to every outbound message. Recipients open messages with one click, without creating a Microsoft or Google account.

Practices building the wider healthcare digital presence often pair encrypted email with a compliant site, intake, and portal setup. A healthcare marketing agency can coordinate the site and communication layer around the encryption service already in place.

Frequently Asked Questions

What is encrypting an email? +

Encrypting an email is the process of converting the message body and attachments into ciphertext so that only an authorized recipient with the correct key can read the content. The encryption can happen at the sending client, at the sending mail server, or at both points. Modern methods include S/MIME, PGP, Microsoft Purview Message Encryption, Google Workspace client-side encryption, and gateway-based encryption used by HIPAA email services. Each method protects the same fundamental thing: the confidentiality of the message contents in transit and at rest.

Does encrypting an email make it secure? +

Encryption protects the message contents from interception and unauthorized reading. It does not protect against a compromised sender account, a compromised recipient account, or social engineering that tricks either party into sharing credentials. Encryption is one control in a layered security model. Practices sending PHI need encryption plus multi-factor authentication, access logging, phishing training, and endpoint protection. Encryption also does not protect a message that a legitimate recipient forwards to an unauthorized party, unless rights management is applied on top of the encryption.

Does encrypting an email encrypt attachments? +

Yes. S/MIME, PGP, Microsoft Purview Message Encryption, and Google Workspace client-side encryption all encrypt attachments along with the message body. The recipient sees a single verification step for both. Do Not Forward rights in Microsoft Purview block download of attachments and display them only in the portal preview. Attachment size limits still apply. Practices sending very large files containing PHI should use a HIPAA-compliant file transfer service instead of email attachments, because the mail server may reject files that exceed the platform limit before encryption is applied.

How do I encrypt an email in Outlook? +

Open a new message in Outlook. Click Options in the ribbon. Click Encrypt and pick Encrypt-Only or Do Not Forward. Encrypt-Only lets the recipient reply, forward, and print. Do Not Forward blocks forward, print, and download. Write the message, add recipients, and click Send. Microsoft Purview handles the delivery. Internal Microsoft 365 recipients see the message inline. External recipients receive a notification with a Read the message button that opens the encrypted content in a browser tab on outlook.office365.com.

How do I encrypt an email in Gmail? +

Gmail on Google Workspace Enterprise Plus and Education Plus supports client-side encryption. The admin enables it in the Google Admin console under Security, Access and data control, Client-side encryption. Users see a lock icon in the compose window that toggles encryption on. Standard Gmail and Workspace Business plans do not have this feature. Those accounts can use confidential mode, which sets an expiration and disables forwarding, or route encrypted mail through a HIPAA email service that works with the existing Gmail account.

What are the benefits of encrypting an email? +

Encryption blocks interception of message contents in transit, protects the content at rest on mail servers, and reduces the impact of a mail server breach because the stolen data is ciphertext. For regulated industries, encryption is a required control under HIPAA, HITECH, GLBA, and similar frameworks. For any business, encryption reduces the risk of an accidental data disclosure when a message is sent to the wrong address or forwarded outside the organization. Recipients also gain confidence that the sender has invested in secure communication.

Is TLS encryption enough for HIPAA compliance? +

TLS encrypts the connection between mail servers but does not encrypt the message at rest inside the recipient inbox. TLS also depends on both sending and receiving servers supporting the same version and cipher suite. Opportunistic TLS falls back to cleartext if the receiving server does not support TLS. The HHS guidance on encryption treats TLS as one acceptable safeguard for transmission but recommends message-level encryption for high-risk PHI. Practices should assume TLS alone is not sufficient and layer message-level encryption on top for regulated content.

How Can I Encrypt My Emails in Gmail, Outlook, and Office 365

how can i encrypt my emails guide featured image

๐Ÿ”‘ Key Takeaways

  • Email encryption stacks in three layers: TLS in transit, portal-based, and full end-to-end.
  • Personal Gmail has zero real encryption; Confidential Mode fails HIPAA, CMMC, and GDPR checks.
  • Outlook’s Encrypt button on Business Premium runs Purview and reaches any recipient via portal.
  • S/MIME suits business rollouts; PGP suits individuals; both stall on recipients without keys.
  • Compliance needs a BAA, retained logs, and a documented standard, not a per-message click.

The question “how can I encrypt my emails” has different answers depending on which mail provider is in front of you. Gmail, Outlook, and Microsoft 365 each expose different controls, and personal accounts on all three offer less than their business counterparts.

This guide walks through the encryption paths available in each platform, explains where S/MIME and PGP fit, and covers the compliance layer for practices that need audit trails. For practices sending patient information, dedicated encrypted email services are usually the shortest path.

Each section below covers the steps for a specific platform or method. Skip to the section that matches your setup.

Three layers of email encryption you need to understand first

Email encryption is not one thing. It operates at three layers, and each solves a different problem.

The first layer is TLS between mail servers. It protects the message on the wire from one server to the next. Gmail, Outlook.com, and Microsoft 365 all enforce TLS 1.2 or 1.3 by default when the receiving server supports it.

The second layer is message-level encryption. The mail provider encrypts the message body on its own servers and delivers it to external recipients through a portal or a signed session. Microsoft Purview Message Encryption and Google Workspace hosted S/MIME operate at this layer.

The third layer is end-to-end encryption. The message body is encrypted on the sender’s device and stays encrypted until the recipient decrypts it. S/MIME with client-held certificates and PGP both operate at this layer.

Most business scenarios stop at the second layer. The third layer adds friction that only pays off when the message content is unusually sensitive or the recipient’s mail server cannot be trusted with plain text.

How to encrypt emails in Gmail with a Workspace account

Gmail on Google Workspace Enterprise Plus supports hosted S/MIME. The admin enables it in the Google Admin console under Apps, Google Workspace, Gmail, User settings.

Once enabled, users upload their S/MIME certificate through Gmail settings. Compose messages then show a lock icon next to the recipient field, indicating that the message will send encrypted.

Encryption only applies when the recipient also holds a certificate. For recipients without one, Gmail falls back to standard TLS delivery. That fallback is the reason S/MIME alone is not sufficient for a healthcare workflow.

The Google Workspace S/MIME setup guide walks through the certificate upload and enforcement policies. Confidential Mode is not a substitute for S/MIME and does not satisfy HIPAA.

Practices on lower Workspace tiers do not have hosted S/MIME. Those accounts need a third-party gateway or a dedicated compliant email service.

how can i encrypt my emails in article illustration one

How to encrypt emails in Outlook with a Microsoft 365 plan

Outlook on Microsoft 365 Business Premium, E3, and E5 exposes an Encrypt button in the compose window. It sits in the Options ribbon on the desktop app and in the three-dot menu on Outlook web.

Clicking Encrypt triggers Purview Message Encryption. The user picks an encryption policy such as Encrypt Only or Do Not Forward. The message travels encrypted, and external recipients receive a portal link with sign-in options.

The Microsoft Purview Message Encryption documentation details the policy options and the recipient experience. Setup usually completes in the admin center within an hour if Azure Rights Management is already active on the tenant.

Business Basic and Business Standard do not include the Encrypt button. Practices on those plans either upgrade or add a dedicated encryption layer. Sibling coverage for the Outlook-specific path is in can I encrypt emails in Outlook.

For a broader walkthrough of Gmail-side encryption steps, see how can I encrypt an email.

Setting up S/MIME on a desktop Outlook client

Desktop Outlook supports S/MIME natively. The user needs a certificate issued to their email address, installed in the Windows certificate store or on a smart card.

  • Obtain an S/MIME certificate from a trusted certificate authority. Commercial certificates cost $20 to $60 per year.
  • Import the certificate into the Windows certificate store under Personal, Certificates.
  • In Outlook, open File, Options, Trust Center, Trust Center Settings, Email Security.
  • Under Encrypted email, click Settings and select the imported certificate.
  • Optionally enable Encrypt contents and attachments for outgoing messages to make encryption the default.

Once configured, the compose window shows a lock icon when the recipient’s certificate is available. If the recipient has never sent a signed message, Outlook cannot encrypt to them until their certificate is exchanged.

The exchange step is the operational tax of S/MIME. It works well inside a practice where every mailbox has a certificate. It falls apart with external partners and patients who do not.

Example

A five-provider family medicine clinic runs on Google Workspace Business Standard at $12 per user per month. Staff want to send referral summaries to a cardiologist on Outlook. Business Standard does not include hosted S/MIME. Upgrading five seats to Enterprise Plus at $30 each would cost $150 per month. Instead, the practice adds a gateway service at $10 per mailbox that layers on top of Workspace, keeps Gmail as the compose interface, and includes the BAA and audit trail for $50 per month total.

Using PGP with Thunderbird or Mailvelope

PGP encryption uses a public-private key pair that the user generates and controls. It works with any email account, including personal Gmail and Outlook.com, but requires a compatible client on both ends.

Thunderbird has built-in PGP support since version 78. The user generates a key pair in Account Settings, End-to-End Encryption. The public key is shared with correspondents through a keyserver, direct exchange, or embedded in outgoing signatures.

Mailvelope is a browser extension that adds PGP support to Gmail and other web-based clients. It handles key generation and message encryption directly in the browser without the mail provider seeing plain text.

PGP is the preferred method for individual users, journalists, and technical audiences who prioritize key control. It is rarely the right method for a healthcare practice because patients and referring providers will not install a PGP client.

For a client-facing walkthrough of PGP versus gateway encryption, the sibling article how do my clients encrypt email covers the tradeoffs.

Encrypting attachments without encrypting the message

Sometimes the message body is fine to send in plain text and only the attachment carries sensitive data. Password-protecting the attachment lets the email travel through any provider.

  • Compress the file using 7-Zip, WinRAR, or Windows built-in compression with AES-256 encryption enabled.
  • Set a strong password of 12 characters or more with mixed case, numbers, and symbols.
  • Attach the encrypted archive to the email as normal.
  • Share the password over a separate channel, such as a phone call, SMS, or in-person conversation.

This method is common for one-off file transfers between organizations that have no shared encryption infrastructure. It is not compliant on its own for HIPAA because it does not produce an audit trail and the password channel is often insecure.

Practices exchanging patient files frequently should route those exchanges through a compliant email service instead. The sibling piece on how to encrypt my sent emails covers the outbound side in more depth.

how can i encrypt my emails in article illustration two

Government and military email encryption requirements

Army and other DoD email accounts require encryption through the DoD Common Access Card or Personal Identity Verification card. The CAC holds the S/MIME certificate that Outlook and OWA use to encrypt outbound mail.

Signed drivers for the CAC reader and the ActivClient middleware need to be installed on the endpoint. Once installed, Outlook detects the certificate and enables Sign and Encrypt buttons in the compose ribbon.

Encrypting from a home computer to a .mil address requires the sender’s CAC and the recipient’s published certificate. The DoD Global Address List holds those certificates for internal-to-internal traffic.

Contractors handling Controlled Unclassified Information under CMMC use a similar S/MIME model or a compliant email gateway. The NIST SP 800-171 Rev. 2 guidance covers the required controls for those workloads.

Compliance-driven encryption for HIPAA, CMMC, and GDPR

User-driven encryption on a per-message basis rarely satisfies a compliance framework. The framework requires a documented standard, retained audit trails, and a signed agreement with the vendor handling the data.

HIPAA requires a Business Associate Agreement with the email vendor. CMMC requires FIPS 140-2 validated cryptographic modules for CUI. GDPR requires a Data Processing Agreement covering personal data of EU residents.

A gateway-based compliant service handles all three by applying encryption at the mail server, retaining logs, and providing the signed agreement in the base plan. That removes the burden of a user deciding whether a specific message qualifies.

Practices that also send bulk patient communications should coordinate with a healthcare marketing agency so that outreach and compliance sit on the same infrastructure.

The HIPAA Journal breakdown of compliant email is the authoritative external reference for the healthcare side.

๐Ÿ’กPro Tip: Pick the framework before you pick the technology

Framework first, technology second. HIPAA, CMMC, and GDPR each demand different documentation and cryptographic standards. Write down which framework applies, which data types you send, and how you will prove encryption during an audit. Only then compare S/MIME, Purview, or gateway services against those requirements. Buying the tool first almost always produces a mismatch that surfaces six months later.

Verifying that a message was actually encrypted

An encrypted send is only useful if the encryption held. Every major mail client provides a way to verify.

In Gmail, open the message, click the three-dot menu, and select Show Original. The header displays the TLS status of the delivering connection.

In Outlook desktop, right-click the message and choose Message Options. The header shows Received lines with TLS version details.

For end-to-end encryption, the client shows a lock icon or shield in the message header. S/MIME messages in Outlook show a blue ribbon. Encrypted messages in Gmail show a green lock.

If none of those indicators appear, the message either traveled without encryption or the encryption fell back to a lower tier than the sender expected. That is worth catching before the next send rather than after an audit.

When a dedicated compliant email service saves setup time

The setup steps above cover the manual paths available in Gmail, Outlook, and Microsoft 365. Each works for individual users comfortable managing certificates or keys per contact.

A dedicated compliant email service replaces the manual path with an automatic one. The practice connects its existing mailbox, adds a DNS record, and every outbound message is encrypted at the gateway. No per-contact certificate exchange is required.

Mailhippo is one example of that model. It works with existing Gmail and Microsoft 365 accounts, includes the Business Associate Agreement in the base plan, and delivers messages directly to recipient inboxes without a portal login for standard scenarios.

For the underlying encryption model comparison, the sibling article how to encrypt email covers the technical layer in more depth. For the recipient-side experience, how can you encrypt an email walks through what the reader sees.

Choosing the right method for your workflow

The right encryption method depends on volume, sensitivity, and recipient technical skill.

Individuals sending occasional sensitive messages to technical peers can use PGP through Thunderbird or Mailvelope. The setup pays off because the recipient list is small and every recipient has the tools.

Small businesses on Microsoft 365 Business Premium can use the Encrypt button. It handles the recipient experience through the portal and needs no per-user certificate.

Healthcare practices, law firms, and financial services with compliance obligations need a gateway-based service. It removes the user decision and produces the audit trail auditors ask for.

Practices reviewing the broader digital footprint alongside the email decision can also review their healthcare website security features so the same standards apply across email, forms, and portals.

Frequently Asked Questions

Can I encrypt an email in regular Gmail without upgrading my plan? +

Not with real encryption. Personal @gmail.com accounts do not offer S/MIME or Purview-style message encryption. Confidential Mode adds an expiration date and disables forwarding on some clients, but the message body is not encrypted in a way that satisfies HIPAA or CMMC. Options are to upgrade to Google Workspace Enterprise Plus for hosted S/MIME, install a browser extension that adds PGP support on both sides of the conversation, or route the mailbox through a dedicated encryption gateway that handles the encryption automatically.

What does the Encrypt button in Outlook actually do? +

On Microsoft 365 Business Premium and Enterprise plans, the Encrypt button triggers Purview Message Encryption. The message is encrypted at the Microsoft server and delivered to external recipients through a portal link. Internal recipients on the same tenant read the message directly in Outlook because the encryption keys travel inside the tenant. The button appears in the Options ribbon on desktop Outlook and in the three-dot menu on Outlook web. It does not appear on personal @outlook.com accounts.

Do I need to buy an S/MIME certificate for every employee? +

One per employee, yes, if you route encryption through S/MIME. Certificates are issued per email address by a trusted certificate authority and typically cost $20 to $60 per year at the business tier. Some Microsoft 365 Enterprise plans include managed certificates. The larger operational cost is the certificate exchange with external recipients, because both sides need each other’s public certificate before encryption works. That exchange is the reason many practices choose a gateway-based service instead of S/MIME.

Can I encrypt an attachment without encrypting the email itself? +

Yes, and it is a common workaround. Zip the file with a password using 7-Zip or the built-in Windows compression tool, then share the password over a separate channel like a phone call or SMS. The email carrying the encrypted zip stays unencrypted, so it can travel through any provider. The tradeoff is friction for the recipient, who has to install a compatible unzip tool and manage the password. Encrypting the message itself is simpler once the practice has a compliant service in place.

How does encryption work with a mobile Gmail or Outlook app? +

Gmail on mobile inherits the encryption settings of the underlying account. A Workspace mailbox with hosted S/MIME sends encrypted messages from the mobile app once the certificate is installed on the device. Outlook on iOS and Android supports the Encrypt button for Microsoft 365 Business Premium and Enterprise users. Personal accounts on both apps have no encryption controls. A gateway-based compliant email service handles encryption at the server, so the mobile experience is identical to a regular send.

Does encrypting an email hide the subject line? +

Usually not. Most encryption methods, including S/MIME, PGP, and Microsoft Purview Message Encryption, encrypt the message body and attachments but leave the subject line in plain text. That is because mail servers use the subject for routing, filtering, and threading. Sensitive information should therefore stay out of the subject line even when the message body is encrypted. Some end-to-end services encrypt the subject as well, but interoperability with standard clients drops sharply when they do.

How do I verify that a specific email was actually encrypted in transit? +

On Gmail, open the message and click the three-dot menu, then View Original. The header shows the TLS status of the connection that delivered the message. On Outlook, right-click the message and select Message Options or View Source. Look for the Received header lines and check for TLS 1.2 or 1.3 versions. For end-to-end encrypted messages, the client shows a lock or shield icon in the message header. If neither the header nor the icon confirms encryption, the message traveled unprotected.

How to Encrypt Emails in Gmail With Confidence Mode S/MIME and Add-ons

how to encrypt emails in gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Personal Gmail has no real encryption; Confidential Mode fails HIPAA since Google reads the body.
  • Hosted S/MIME needs Workspace Enterprise Plus at $30 per seat plus a per-user cert every year.
  • Confidential Mode blocks Gmail-to-Gmail forwarding but leaves the body fully readable to Google.
  • PGP add-ons like Mailvelope encrypt in the browser but fail on mobile and need keys on both sides.
  • Gateway services layer on any Gmail plan through DNS, include the BAA, and cost $5-$15 per mailbox.

Gmail exposes different encryption controls depending on the account plan. Personal @gmail.com accounts have almost nothing. Google Workspace tenants have Confidential Mode on every plan and hosted S/MIME on Enterprise Plus.

The right method depends on what the sender needs to protect and who the recipient is. This guide walks through each option in order of increasing security. For compliance workflows, dedicated encrypted email services that layer on top of Gmail are usually the shortest path.

Each section covers steps and limitations. Skip to the section that matches your Gmail plan and your compliance requirement.

What Gmail encryption options actually exist

Gmail supports four different encryption paths, and each targets a different scenario. Knowing the differences prevents wasted effort on a method that does not meet the actual requirement.

  • TLS between mail servers, enabled by default on every Gmail account.
  • Confidential Mode, available on every Gmail account but not real encryption.
  • Hosted S/MIME, available only on Google Workspace Enterprise Plus.
  • Third-party PGP add-ons like Mailvelope, available on any account.
  • Gateway-based encryption services, available on any account through DNS routing.

TLS is baseline. Confidential Mode is a restriction feature, not encryption. Hosted S/MIME is the strongest Google-native option. Add-ons and gateways are the third-party options that work on any plan.

The sibling article how to encrypt email covers the same paths in a provider-neutral way for comparison.

How to use Gmail Confidential Mode

Confidential Mode is the option most Gmail users find first. It is available on every plan and appears as a lock icon in the compose window.

Click the lock icon at the bottom of the compose window. A dialog opens with two settings. Set an expiration date from one day to five years, and choose whether the recipient needs an SMS code to open the message.

Send the message as normal. Gmail-to-Gmail recipients see the message with forward, copy, and download disabled. Non-Gmail recipients receive a link to view the message on Google’s servers.

Confidential Mode reduces accidental forwarding on well-behaved clients. It does not encrypt the message body, and Google can still read the content. HIPAA, CMMC, and GDPR auditors do not accept it as encryption.

Use Confidential Mode for casual privacy on messages that do not carry regulated data. Anything else needs a stronger option.

how to encrypt emails in gmail in article illustration one

Setting up hosted S/MIME on Google Workspace Enterprise Plus

Hosted S/MIME is the only Google-native option that meets healthcare compliance. It requires Enterprise Plus, admin configuration, and a per-user certificate from a trusted certificate authority.

  • Sign in to the Google Admin console with a super admin account.
  • Go to Apps, Google Workspace, Gmail, User settings.
  • Select the organizational unit and enable S/MIME encryption for outgoing email.
  • Each user uploads their personal S/MIME certificate in Gmail settings under Accounts and Import, then S/MIME settings.
  • Compose a test message to a colleague with an installed certificate to verify the lock icon appears.

Once configured, Gmail shows a green lock icon next to recipients whose certificates are known and encrypts automatically. Recipients without certificates fall back to standard TLS delivery, which is why S/MIME alone is rarely enough for a full compliance program.

The Google Workspace S/MIME setup documentation covers the certificate policies and enforcement options. For the Outlook side of the same standard, see how to encrypt a response email in Outlook.

Adding PGP encryption through Mailvelope

Mailvelope is a browser extension that adds PGP support to Gmail without requiring any Google plan upgrade. It works with personal Gmail accounts and any Workspace tier.

Install Mailvelope from the Chrome or Firefox extension store. On first run, the extension generates a PGP key pair in the browser and stores the private key locally.

Share the public key with correspondents through a keyserver, a direct exchange, or as an attachment on a signed message. Both sides need each other’s public keys before encryption works.

Composing in Gmail then shows a Mailvelope button. Clicking it opens a secure editor window inside the browser. The message is encrypted locally before being pasted into the Gmail compose window, so Google never sees plain text.

PGP fits technical audiences. It does not fit patients or referring providers who will not install a PGP client. For healthcare, gateway-based services are more practical.

Example

A four-person mental health practice on Google Workspace Business Starter at $6 per user per month wants HIPAA-compliant encrypted email for session summaries. Upgrading four seats to Enterprise Plus at $30 each would raise the monthly bill by $96 just for encryption. Instead, the practice signs up for a gateway service at $10 per mailbox, adds one DNS record, and keeps Gmail as the compose interface. Total added cost is $40 per month, BAA included, no certificate management, no plan upgrade.

How encryption methods on Gmail compare across scenarios

The right method depends on the plan, the recipient, and the compliance requirement. A side-by-side view helps narrow the choice.

Method Works on personal Gmail Meets HIPAA Recipient friction Setup effort
TLS baseline Yes No, alone None None
Confidential Mode Yes No Low None
Hosted S/MIME No, Workspace Enterprise Plus only Yes High, needs recipient certificate High, admin plus per user
PGP via Mailvelope Yes Sometimes, depends on documentation Very high, needs PGP client Medium
Gateway service Yes, through Workspace routing Yes Low, portal fallback Low, DNS record

Confidential Mode fits casual privacy. Hosted S/MIME fits large Workspace tenants that already pay for Enterprise Plus. Gateway services fit everyone else, especially small healthcare practices.

The sibling article how to encrypt an email in Outlook 365 covers the same comparison from the Microsoft side.

Encrypting Gmail attachments without changing the message

Sometimes only the attachment carries sensitive data and the message body is fine to send in plain text. Password-protecting the attachment is a common workaround.

  • Compress the file using 7-Zip, WinRAR, or Windows built-in compression with AES-256 encryption enabled.
  • Set a strong password of 12 characters or more with mixed case, numbers, and symbols.
  • Attach the encrypted archive to the Gmail message.
  • Share the password over a phone call, SMS, or in-person conversation.

Gmail does not scan the contents of an encrypted archive, so the file travels through Google’s servers as opaque data. The recipient extracts the archive with the shared password.

This method is not HIPAA compliant on its own. It produces no audit trail, and the password channel is often insecure. It fits one-off file transfers between organizations without a shared encryption service. Related coverage in how to encrypt a PDF in emails covers the same territory.

how to encrypt emails in gmail in article illustration two

Routing Gmail through a gateway service

Gateway services encrypt outbound Gmail messages by routing mail through their own servers before delivery. Setup takes minutes and does not require a Workspace upgrade.

The practice signs up with the vendor and receives an SPF record and often a DKIM key. The domain administrator adds both to the DNS zone.

Outbound mail from Gmail then routes through the vendor’s gateway, which applies encryption before releasing the message. Recipients read the message either in their normal inbox with TLS enforcement or through a portal fallback if their server does not support the encryption standard.

End users see no change in Gmail. Staff compose and send from the same interface, and the encryption happens invisibly at the server. Vendors like Mailhippo follow this pattern and include the Business Associate Agreement in the base plan.

Related coverage in encrypted emails in Outlook shows the same model applied to the Microsoft side.

Verifying that a Gmail message went out encrypted

An encrypted send is only useful if the encryption held. Gmail provides two ways to verify.

Open the sent message and click the three-dot menu at the top right. Select Show Original. The header at the top of the resulting page displays the TLS status of the delivering connection under Received lines.

For hosted S/MIME messages, Gmail shows a green lock icon in the message header. Clicking the icon opens a panel with the certificate details of the encryption.

If the TLS field shows nothing or the lock icon is missing, the message either traveled without encryption or fell back to a lower tier. That is worth catching before the next send. Sibling coverage in how to view encrypted emails walks through the recipient-side verification.

๐Ÿ’กPro Tip: Never treat Confidential Mode as HIPAA encryption

Confidential Mode looks like encryption because the lock icon appears in the compose window, but Google still stores the message body in plain readable form. Auditors reject it as a HIPAA safeguard, and Google's BAA does not extend coverage to Confidential Mode content the same way it covers standard Gmail. If you handle PHI on Gmail, use hosted S/MIME, a gateway service, or a compliant secure email product.

Encrypting the same account across desktop and mobile

Encryption behavior varies by device. A method that works in the desktop browser may not work in the mobile Gmail app, which changes the compose experience for anyone who sends on the go.

Confidential Mode works on both desktop and mobile Gmail. The lock icon appears in the mobile compose window the same way it does on desktop.

Hosted S/MIME works on the mobile Gmail app if the certificate is installed on the device. iOS and Android both support S/MIME certificates in the system keychain.

PGP browser extensions do not work on mobile. Messages composed on the mobile app travel through Gmail unencrypted unless a gateway service handles the encryption at the server.

Gateway services work identically on desktop and mobile because the encryption happens at the server regardless of the client. That consistency is the reason healthcare practices default to gateway services rather than client-side methods.

Compliance-driven encryption on a Gmail account

HIPAA, CMMC, and GDPR each require documented safeguards and audit trails that go beyond message-level encryption. A Gmail user meeting those frameworks needs more than a lock icon in the compose window.

HIPAA requires a signed Business Associate Agreement with the mail provider. Google offers a BAA on Workspace with specific settings enabled by the admin. Personal Gmail accounts have no BAA option.

CMMC requires FIPS 140-2 validated cryptographic modules for Controlled Unclassified Information. That standard rules out most consumer-grade browser extensions.

Gateway services designed for healthcare include the BAA, use FIPS-validated encryption, and produce the audit logs auditors ask for. The HHS sample BAA provisions are the reference for what the agreement should contain.

Practices coordinating email compliance with patient outreach can review their healthcare marketing agency engagement to keep both aligned.

Choosing the right method for your Gmail workflow

The right choice depends on the account plan, the recipient list, and the compliance requirement.

Personal users sending occasional sensitive messages can use Confidential Mode for basic access restriction or a PGP extension for real end-to-end encryption to technical peers.

Small businesses on Workspace Business Standard or below need either an upgrade to Enterprise Plus or a gateway service. The gateway is almost always cheaper and works with the existing plan.

Healthcare practices with HIPAA obligations need either Workspace Enterprise Plus with hosted S/MIME plus a signed BAA or a dedicated gateway service that includes the BAA in the base plan. Gateway services are the shorter path for most solo and small clinics.

Practices reviewing email decisions alongside their broader digital footprint can pair the choice with a look at their healthcare website security features to align intake forms and portal links with the same compliance standards as the mailbox.

Frequently Asked Questions

Can I encrypt a Gmail message without upgrading my account? +

Not with real encryption. Personal @gmail.com accounts do not include S/MIME, Purview-style message encryption, or any other message-level control that meets HIPAA. Confidential Mode is available but does not encrypt the message body. The three real options are upgrading to Google Workspace Enterprise Plus for hosted S/MIME, installing a PGP browser extension like Mailvelope that encrypts inside the browser before Google sees the message, or routing the account through a dedicated encryption gateway that adds encryption at the DNS layer.

How is Confidential Mode different from actual encryption? +

Confidential Mode restricts the actions a recipient can take on a message. It prevents forwarding, copying, and downloading on Gmail clients, and it can add an expiration date. It does not encrypt the message body. Google can still read the content, and non-Gmail recipients receive a link to view the message on Google’s servers rather than the message itself. HIPAA and CMMC do not accept Confidential Mode as an encryption control. Practices sending patient information need actual encryption, not access restriction.

What does hosted S/MIME cost on Google Workspace? +

Hosted S/MIME is included only on Google Workspace Enterprise Plus, which typically runs $30 per user per month. The certificates themselves are issued by a trusted certificate authority and cost $20 to $60 per user per year on top of the Workspace subscription. That per-user cost is why many practices considering S/MIME on Google end up choosing a dedicated encryption gateway service instead. The gateway typically costs $5 to $15 per mailbox and works with any Workspace or personal Gmail plan.

Do PGP browser extensions work with mobile Gmail apps? +

Not directly. Mailvelope and similar PGP extensions run inside the desktop browser and encrypt messages before they leave the Gmail web interface. The mobile Gmail app does not load the extension, so messages composed on mobile travel unencrypted. Users who need mobile PGP either use a dedicated mobile mail client with built-in PGP support or restrict encrypted composition to desktop. This limitation is another reason gateway-based services fit healthcare workflows better, since the encryption happens at the server regardless of device.

Can I encrypt Gmail attachments separately from the message body? +

Yes. Compress the file using 7-Zip, WinRAR, or Windows built-in compression with AES-256 encryption enabled. Set a strong password of 12 characters or more, attach the encrypted archive to the Gmail message, and share the password over a separate channel like a phone call. This method works around Gmail’s lack of native encryption for the attachment itself. It is not HIPAA compliant on its own because it produces no audit trail, but it is a common workaround for one-off file transfers between organizations.

Does hosted S/MIME work when sending from Gmail to Outlook? +

Yes, if the Outlook recipient also has an S/MIME certificate installed. S/MIME is an open standard, and Gmail with hosted S/MIME can encrypt to any recipient whose certificate it can retrieve. The Outlook side needs the certificate in its Windows certificate store to decrypt. If the Outlook recipient does not have a certificate, Gmail falls back to standard TLS delivery, and the message travels encrypted between servers but not end-to-end. This is why compliance workflows usually require a gateway-based service that does not depend on the recipient’s setup.

How do I verify a Gmail message actually went out encrypted? +

Open the sent message in Gmail, click the three-dot menu, and select Show Original. The header at the top displays the TLS status of the delivering connection under Received lines. For hosted S/MIME messages, Gmail shows a green lock icon in the sent view, and clicking the icon displays the encryption details including the certificate that signed the message. If the header shows no TLS or the icon is missing, the message either traveled unprotected or the encryption fell back to a lower tier than expected.

How to Open Encrypted Email in Gmail Step by Step

how to open encrypted email in gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail sees four wrappers: Purview, Proofpoint, Zix, and S/MIME, and each opens differently.
  • Portal messages need sign-in via Google, the sender platform, or a one-time inbox passcode.
  • S/MIME works only on Google Workspace with hosted S/MIME and a matching user certificate.
  • TLS-only mail lands as normal text; Show Original headers reveal whether TLS 1.3 was used.
  • Missing passcodes usually sit in spam; never paste a code into a mismatched portal domain.

Gmail users see encrypted mail in four common formats: Microsoft Purview, Proofpoint, Zix, and S/MIME. Each one opens a different way. Confusing them causes the recipient to give up on the message.

This guide walks the exact steps to open each type inside Gmail, plus the password and certificate issues that block delivery. For teams tired of portal friction on both sides, a dedicated encrypted email service handles the delivery in one click.

Start by identifying the wrapper. The Gmail message will say Read the message, View Encrypted Message, or Secure Message. That label tells the recipient which platform sent it.

Identify the Encryption Wrapper Before Clicking

The first step is knowing what arrived. Encrypted mail in Gmail is almost always a wrapper message with a button or link. The visible body does not contain the sensitive content.

Microsoft Purview Message Encryption arrives with a Read the message button and the phrase encrypted message from a Microsoft 365 sender. The wrapper is branded with the sender organization.

Proofpoint Encryption arrives with a Click here link that points to securereader.proofpoint.com or a custom subdomain like securemail.senderdomain.com. The subject often includes the marker Secure Message.

Zix Secure Email arrives with a similar Click here link that points to a domain under zixport.com or a custom subdomain. S/MIME arrives with an smime.p7m attachment and no visible readable body.

Open a Microsoft Purview Message in Gmail

Purview is the encryption most Outlook and Microsoft 365 senders use when they click the Encrypt button. Gmail recipients open it through a portal.

Open the wrapper email and click Read the message. A browser tab opens on the Microsoft encrypted message viewer. The viewer offers two options: Sign in with Google or Sign in with a one time passcode.

Sign in with Google is the fastest path. Click it, sign into the same Gmail account that received the mail, and the message renders inside the portal. The portal supports reply and forward when the sender allowed those actions.

If Sign in with Google fails, request a one time passcode. Microsoft sends the code to the same Gmail inbox. Paste the code into the viewer and the message opens. See Google Support on encrypted mail for Gmail side detail.

how to open encrypted email in gmail in article illustration one

Open a Proofpoint Encrypted Email in Gmail

Proofpoint Encryption uses a portal called Proofpoint Encryption Reader. First time recipients register a Proofpoint account tied to the Gmail address.

Click the Click here link in the wrapper message. The Proofpoint Encryption Reader loads in a browser tab. If this is the first time, a registration form asks for a password and security questions. Complete it and confirm the email.

Returning users sign in with the Gmail address and the Proofpoint password. The message renders inside the portal. Attachments download as separate files, and reply is available from the portal itself.

Store the Proofpoint password in a password manager. Proofpoint accounts do not federate with Google Sign In, so a lost password requires the Forgot Password link, which delivers a reset link back to the Gmail inbox.

Open a Zix Encrypted Email in Gmail

Zix Secure Email uses a similar portal model. The Gmail wrapper contains a Message from and a link to the Zix portal.

Click the link. The Zix portal loads and asks for the Gmail address and a password. First time recipients complete a short registration. The password is separate from any Google or Microsoft credentials.

Once signed in, the message renders inside the Zix portal. Reply, forward, and attachment download are supported when the sender allowed them. Some senders configure Zix to send the encrypted content as an encrypted PDF attachment instead of a portal link.

If Zix delivered an encrypted PDF, open the attachment in a PDF reader and enter the password the sender shared separately. The password is usually delivered by phone or a prior secure channel.

Example

A patient at a Gmail address receives a wrapper email from her cardiologist labeled Secure Message with a link to securereader.proofpoint.com. She clicks the link, sees a Proofpoint registration form because it is her first encrypted message from the practice, sets a password, and confirms through a link sent to the same Gmail inbox. The portal then renders her ECG summary and a follow-up recommendation. She saves the Proofpoint credentials in her password manager because the practice will send future results through the same portal, which does not federate with Google Sign In.

Open an S/MIME Encrypted Email in Gmail

S/MIME is a certificate based standard that requires matching keys on both sides. Gmail supports S/MIME only through Google Workspace with hosted S/MIME enabled by the administrator.

When an S/MIME message arrives at a properly configured Google Workspace account, Gmail decrypts the message inline. The body renders normally, and a padlock icon indicates the encryption status. No portal is involved.

Personal Gmail addresses at gmail.com do not support S/MIME. The message arrives with an smime.p7m attachment and no readable body. Ask the sender to resend using Purview Message Encryption or a dedicated secure email service.

Google Workspace administrators enable hosted S/MIME under Apps, Google Workspace, Gmail, User Settings, S/MIME. Upload user certificates for each mailbox that needs to decrypt inbound S/MIME.

Compare the Four Wrappers Side by Side

Recognizing the wrapper is half the work. The table below maps the visible signal in Gmail to the platform and the action the recipient takes.

Wrapper Visible signal in Gmail Action to open Password model
Microsoft Purview Read the message button Sign in with Google or passcode Google account or one time passcode
Proofpoint Encryption Click here link to Proofpoint domain Register or sign in on portal Proofpoint account password
Zix Secure Email Secure Message subject with portal link Register or sign in on portal Zix account password
S/MIME smime.p7m attachment, no body Decrypt inline with certificate Certificate on Google Workspace

Portal wrappers work with any Gmail address. S/MIME only works on Google Workspace with hosted S/MIME configured by the administrator.

how to open encrypted email in gmail in article illustration two

Handle the Common Password Failures

Password prompts are the most common friction point. A few predictable failures cover almost every case.

  • One time passcode never arrives. Check the Gmail spam folder. Microsoft and Proofpoint codes sometimes trip Gmail filters. Whitelist the sender portal domain.
  • Proofpoint or Zix password forgotten. Use the Forgot Password link on the portal. The reset email lands in the same Gmail inbox.
  • Portal says account not registered. First time recipients complete a short registration on Proofpoint and Zix. Fill in the required fields and confirm through the email link.
  • Sign in with Google fails on Microsoft portal. The recipient signed into a different Google account in the browser. Sign out of other accounts or use a private window.
  • Password field appears on an unfamiliar domain. Verify the domain matches microsoft.com, proofpoint.com, or zix.com before entering credentials. Phishing kits mimic these portals.

Understand What TLS Only Means

Some senders use only TLS. The Gmail message looks normal, with regular text and no wrapper. There is nothing to open.

To confirm the sender used TLS, click the three dot menu on the message and select Show original. The Received headers list the encryption cipher used on each hop. A line with TLSv1.3 or TLSv1.2 confirms the connection was encrypted.

TLS alone is not enough for regulated mail. It protects the connection between mail servers but leaves the message readable at rest in the Gmail inbox. Anyone with access to the mailbox reads it.

Healthcare and legal senders should use message level encryption on top of TLS. The National Institute of Standards and Technology publishes guidance on email security at NIST SP 800-177r1, which covers the standard controls.

๐Ÿ’กPro Tip: Verify the portal domain before entering credentials

Phishing kits mimic Microsoft, Proofpoint, and Zix portals convincingly. Before typing a password or pasting a one-time passcode, check the browser address bar for microsoft.com, proofpoint.com, or zixport.com plus the sender known subdomain. A password field on any other domain is likely a credential trap. If unsure, contact the sender through a separate channel and confirm the portal URL matches what they issued.

Open Encrypted Email in Gmail on Mobile

Mobile Gmail on iOS and Android opens portal based encrypted mail the same way. Tap the Read the message or portal link and the phone browser loads the portal.

Microsoft Purview portals render well on mobile browsers. Sign in with Google, or paste a one time passcode. The message shows inline in the browser.

Proofpoint and Zix portals also render on mobile. Password entry is the main friction. Store credentials in a mobile password manager to speed up return visits.

S/MIME on mobile Gmail requires a Google Workspace account with hosted S/MIME. Personal Gmail on mobile shows the smime.p7m attachment with no way to decrypt. The sibling piece on how to open encrypted email on iphone covers the mobile flow on iOS in more depth.

When Encrypted Mail Bounces or Never Arrives

Encrypted mail sometimes never lands in Gmail. Two patterns cover most cases.

The first pattern is aggressive spam filtering. Portal wrapper messages from Microsoft, Proofpoint, and Zix look similar to phishing to some filters. Search the Gmail spam folder for the sender name or the portal domain. Whitelist the portal domain in Gmail filters.

The second pattern is TLS enforcement failure. When a sender requires forced TLS and Gmail negotiation fails temporarily, the message bounces at the sender side. The sender receives a delivery failure notice. Ask the sender to retry or to send from a mail flow rule that allows opportunistic TLS.

Related sibling guides on troubleshooting sit at how to troubleshoot encrypted email and the send side coverage at how to send encrypted email. The Redefine Web guide on healthcare website security features covers the broader safeguard set for practices that rely on secure email.

Pick a Simpler Path for Regular Encrypted Sends

The four wrapper types work, but recipients on the Gmail side hit friction on every send. Password registration, portal sign in, and expired sessions cost time on both sides.

A dedicated secure email service like Mailhippo delivers encrypted mail to any inbox with a one click open. The recipient does not register an account. The sender uses the existing Gmail or Outlook mailbox, and a BAA is included in the base plan for healthcare workflows.

The tradeoff is platform coverage. Portal based services from Microsoft, Proofpoint, and Zix carry deep enterprise integration. A dedicated service is faster to deploy for small teams and lower friction on the recipient side.

Frequently Asked Questions

Why do I get a Read Message button instead of the email itself? +

The sender applied encryption that wraps the message inside a portal. Gmail cannot render the encrypted body inline because it is not the intended encryption endpoint. The Read Message button opens the portal maintained by Microsoft, Proofpoint, Zix, or another provider. Click the button, sign in with the Gmail address that received the mail, and the message renders inside the portal. The wrapper text stays in Gmail as a receipt that the encrypted send happened.

How do I open an encrypted Outlook email in Gmail? +

Outlook senders on Microsoft 365 typically use Microsoft Purview Message Encryption. Gmail recipients receive a wrapper message with a Read the message button. Click it, then choose Sign in with Google. Google authenticates with the Gmail address, redirects back to the Microsoft portal, and renders the message. If the sign in fails, the sender can request a one time passcode delivery through the Encrypt Only policy. The passcode arrives at the same Gmail inbox and unlocks the portal.

How do I open a Proofpoint encrypted email in Gmail? +

Proofpoint sends a notification with a Click here link. The link opens the Proofpoint Encryption portal at securereader.proofpoint.com or the custom subdomain the sender configured. First time users register a Proofpoint Encryption account with the Gmail address and a password. Returning users sign in with the same account. The message renders inside the portal. Save the portal password in a manager because Proofpoint accounts do not federate with Google Sign In.

How do I open a Zix encrypted email in Gmail? +

Zix messages arrive with a subject that starts Secure Message and a link that opens the Zix portal at securemail.zixport.com or the sender custom subdomain. Click the link and sign in with the Gmail address plus a Zix password. New recipients complete a short registration with a password and security questions. The Zix portal renders the message and any attachments. Zix supports password reset by email to the same Gmail inbox when the password is lost.

How do I open an encrypted email without a password? +

Ask the sender to switch to a passcode delivery option. Microsoft Purview supports a one time passcode that arrives in the same Gmail inbox and unlocks the portal without a stored account. If the sender used S/MIME to a personal Gmail address, the recipient cannot open the message without a matching certificate on a Google Workspace account. In that case, ask the sender to resend with Purview Message Encryption or a service that supports passcode based delivery.

What does smime.p7m mean in a Gmail attachment? +

The attachment is the S/MIME encrypted payload. Gmail could not decrypt it because the account does not have a matching certificate or hosted S/MIME is not enabled. Personal Gmail accounts do not support S/MIME directly. Google Workspace accounts need an administrator to enable hosted S/MIME and upload user certificates before decryption works. Ask the sender to resend using a portal based option like Microsoft Purview Message Encryption or a dedicated secure email service that does not require certificate exchange.

Is TLS encryption enough for HIPAA compliant email sent to Gmail? +

Opportunistic TLS between mail servers protects the connection but leaves the message at rest in the recipient inbox. Google supports TLS 1.2 and TLS 1.3 on inbound mail. Under HIPAA, TLS alone is treated as a supporting control rather than a complete safeguard for protected health information. Covered entities usually add message level encryption on top of TLS, either through Microsoft Purview, S/MIME, or a dedicated secure email service that includes a business associate agreement.

Virtru Email Encryption Reviewed with Pricing and Setup Details

virtru email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Virtru adds client-side encryption to Gmail and Outlook via extension in minutes, not weeks.
  • The proprietary TDF format supports revocation and expiration that S/MIME and PGP cannot match.
  • Pricing runs free personal, Pro at about $79 per user yearly, and custom Enterprise with DLP.
  • The Pro tier BAA covers Virtru servers but not the underlying Gmail or Outlook mailbox itself.
  • Reviews praise setup speed and post-send controls; recipient Secure Reader is the top friction.

Virtru email encryption is one of the most widely adopted client-side encryption products in the small and mid-market segment. The service plugs into Gmail and Outlook through a browser extension or add-in and encrypts messages on the sender’s device before they leave the mail client.

This guide covers how virtru email encryption works, what it costs, and where it fits. Sections address pricing tiers, HIPAA coverage, the proprietary Trusted Data Format, review sentiment, and honest deployment trade-offs.

The material is aimed at IT decision makers evaluating Virtru against alternatives. Every section reflects Virtru documentation, published pricing on the Virtru site, and aggregated review sentiment from Gartner Peer Insights, G2, and TrustRadius.

How Virtru Email Encryption Works

Virtru installs as a browser extension for Gmail and as an add-in for Outlook. Once installed, the compose window in either application displays a Virtru toggle above the message body.

Enabling the toggle before Send encrypts the outbound message using Virtru’s Trusted Data Format. The message body and attachments are wrapped in a TDF container that includes policy metadata and references to encryption keys held on Virtru servers.

The recipient receives an email with a Secure Reader link. Clicking the link opens the Virtru Secure Reader in a browser and displays the decrypted content. First-time recipients complete a short verification flow. Returning recipients read directly.

The sender can also enable post-send controls at the time of encryption: message expiration, disable forwarding, disable printing, watermarking, and read receipt visibility. Those controls are enforced by the Secure Reader when the recipient opens the message.

Virtru Email Encryption Pricing Tiers

Virtru publishes three pricing tiers on its site. The tiers scale from free personal use to enterprise deployments with custom pricing.

The free personal tier supports encrypted send and receive on personal Gmail accounts. Basic post-send controls are included. The tier does not include a BAA and is not suitable for HIPAA-covered content.

  • Free tier: personal Gmail encryption, basic controls, no BAA
  • Pro tier: approximately $79 per user annually, BAA included, full post-send controls
  • Enterprise tier: custom pricing, adds DLP, key management options, advanced integrations
  • Volume discounts: apply above ~100 seats on the Enterprise tier

The Pro tier at $79 per user per year sits above the Zixcorp base tier ($30 to $50) and roughly comparable to portal-based products such as Barracuda Email Gateway Defense at the small business scale. Enterprise negotiations often move on volume and add-on scope.

virtru email encryption in article illustration one

Downloading and Installing Virtru

Installation is one of the shorter paths in encrypted email deployment. The Virtru extension for Chrome installs from the Chrome Web Store in under a minute. Firefox and Edge extensions install through their respective add-on stores.

The Outlook add-in installs through Microsoft AppSource for Outlook 2016 and later, Outlook for Mac, and Outlook on the web. Enterprise administrators can deploy the add-in centrally through the Microsoft 365 admin center for all users at once.

After installation, the user signs in to Virtru with their existing Gmail or Microsoft 365 credentials through OAuth. That step links the mail account to the Virtru service. No new mailbox or address is created.

Total time from installation to sending the first encrypted message is typically under five minutes. That contrasts with the 30 to 90 day tuning cycle common for gateway policy products such as Zixcorp or Proofpoint.

The Trusted Data Format and Its Trade-Offs

Trusted Data Format (TDF) is Virtru’s proprietary encryption container. It wraps content in a package that includes both the ciphertext and policy metadata such as expiration dates, forwarding restrictions, and watermark instructions.

The design gives senders post-send controls that neither S/MIME nor PGP provide. A sender can revoke access to a message after delivery, change the expiration date, or add a watermark. Those features rely on the Secure Reader enforcing the policy at open time.

The trade-off is interoperability. TDF is not an open standard supported by native mail clients. Recipients read TDF messages through the Virtru Secure Reader, not through Outlook’s or Apple Mail’s S/MIME support. That dependency ties recipient access to Virtru infrastructure remaining operational.

Organizations that need standards-based encryption for interoperability with S/MIME or PGP users need a different tool. Our guide to S/MIME email encryption signature covers the standard-based approach.

Example

A boutique law firm with eight attorneys picks Virtru Pro at $79 per user annually for client communication involving privileged material. Setup finishes in under an hour on a Tuesday morning. Within two weeks, attorneys use post-send revocation four times to pull back messages sent to wrong recipients from autocomplete errors. Clients on Gmail open messages through the Secure Reader with a verification code on first read. The firm accepts the modest recipient friction because revocation and expiration controls justify the pricing above simpler portal options.

Virtru Email Encryption and HIPAA

Healthcare practices use Virtru on the Pro and Enterprise tiers to send HIPAA-covered PHI through Gmail or Outlook. The BAA covers Virtru’s services under HIPAA’s business associate rules.

The BAA scope includes Virtru servers, the Secure Reader portal, and the TDF encryption process. Practices should confirm the signed BAA is in force before routing PHI. HHS publishes sample provisions at the HHS BAA reference page.

The Virtru BAA does not extend to the underlying Gmail or Outlook mailbox. For full HIPAA coverage across the mail path, the practice needs Google Workspace on a BAA-eligible plan or Microsoft 365 on a business plan with a BAA. Free consumer Gmail does not qualify. Our companion piece on HIPAA compliant email Gmail covers the Workspace plan requirements.

Practices building broader HIPAA compliance often pair encrypted email with hardening on the web side. Our team at Redefine Web has published guidance on healthcare website security features.

virtru email encryption in article illustration two

Virtru Review Notes from Peer Sources

Aggregated reviews from Gartner Peer Insights, G2, and TrustRadius cluster around consistent themes. Positive scores focus on ease of setup, Gmail and Outlook integration quality, and the post-send controls.

The setup speed is a common highlight. Reviewers frequently note that a small practice can be sending encrypted email within an hour of purchasing. That contrasts with 30 to 90 day gateway deployments and drives adoption in the small business segment.

Negative scores focus on the proprietary TDF model, the recipient Secure Reader experience (which has improved but historically drew complaints), and pricing above budget-conscious small practices. Reviewers also occasionally cite the OAuth reauthentication cycle in Gmail as a friction point after Google credential rotation events.

Deliverability and the sender experience rarely draw complaints. The integration into the existing mail client keeps sender workflow essentially unchanged. That is a real strength compared to portal-based products where the sender must remember to route sensitive mail through a separate compose interface.

Post-Send Controls in Virtru

Post-send controls are one of the strongest Virtru differentiators. The sender can enforce policy on a message after it has already left the outbox by adjusting metadata stored on Virtru servers.

Message expiration lets the sender set a date after which the Secure Reader refuses to display the content. Useful for time-limited offers, contract negotiations, and clinical results with a documented review window.

Revocation lets the sender cut off access to a specific message even before expiration. Useful when a message was sent to the wrong recipient or when a situation changes after send.

Disable forwarding, disable printing, and watermarking add friction against internal or accidental redistribution. None of these controls are cryptographically enforceable in the strict sense, since a determined recipient can screenshot or transcribe. They act as policy signals and legal deterrents rather than technical guarantees.

๐Ÿ’กPro Tip: Verify post-send controls fit your actual workflow

Virtru's revocation, expiration, and disable-forwarding controls are its strongest differentiator. Before signing, list the last twenty sensitive messages the team sent and ask whether any of them would have benefited from those controls. A workflow of routine patient reminders rarely uses revocation. A workflow of contract negotiations, clinical results with review windows, or attorney-client documents uses them weekly. Match the tier to actual usage patterns, not to the theoretical value of features that sit unused.

The Recipient Experience with Virtru

Recipients of Virtru-encrypted messages receive a normal-looking email with a Secure Reader link. Clicking the link opens the Secure Reader in a browser tab and displays the decrypted content.

First-time recipients complete a short verification flow. Virtru typically sends a verification code to the recipient’s email address to confirm identity. That step reduces phishing risk but adds a small friction to the first read.

Returning recipients read directly through the Secure Reader with a shorter session flow. Recipients who receive frequent messages from the same sender often find the Secure Reader workflow acceptable. Recipients who receive occasional messages find the extra click and verification step noticeable.

For senders whose recipients want no portal or Secure Reader step at all, inbox-native services such as Mailhippo deliver decrypted content directly to the recipient’s regular inbox with a one-click experience.

Virtru Compared to Alternatives

Virtru competes with three categories of alternatives: gateway policy products (Zixcorp, Barracuda, Proofpoint), Microsoft-native encryption (Purview Message Encryption), and inbox-native services.

Against gateway policy products, Virtru wins on setup speed and loses on policy-based enforcement. A Virtru sender must remember to enable the toggle. A Zixcorp gateway scans every outbound message automatically. For high-volume regulated senders, that enforcement gap matters.

Against Microsoft Purview Message Encryption, Virtru offers more granular post-send controls and works with both Google Workspace and Microsoft 365. Purview is bundled with M365 E3 and E5 and works transparently between M365 tenants without additional cost for licensed users. Purview documentation lives at learn.microsoft.com purview ome.

Against inbox-native services, Virtru offers more post-send controls and a longer feature list. Inbox-native services offer a smoother recipient experience and often a lower price point. Our companion piece on email encryption service covers the category comparison.

When Virtru Fits and When It Does Not

Virtru fits small to mid-size teams that use Gmail or Outlook, need HIPAA-compliant email quickly, and value post-send controls such as revocation and expiration. Legal firms, healthcare practices, and financial advisors are common Virtru customers.

Virtru does not fit large enterprises with heavy regulated content flow that need policy-based automatic enforcement across thousands of users. The user-triggered toggle model depends on the sender remembering to encrypt, which introduces enforcement gaps at scale.

Virtru also fits less well for organizations that need cryptographic zero-knowledge encryption with recipient-held keys. TDF holds encryption keys on Virtru servers, so Virtru servers can decrypt if compelled by legal process. Organizations with true zero-knowledge requirements need S/MIME or PGP.

For a broader view, our companion articles on secure email encryption service and email encryption cover the category landscape and help match tool to workflow.

Frequently Asked Questions

What does Virtru email encryption cost? +

Virtru offers a free personal tier for individual users. The Pro tier for business users is priced around $79 per user annually and includes the BAA for HIPAA coverage. The Enterprise tier is custom-priced and adds data loss prevention, key management options, and integration features. Volume discounts apply at higher seat counts. Small practices under 10 seats pay approximately full list. Enterprises above 500 seats typically negotiate below list. Confirm current pricing on the Virtru site because published rates are updated periodically.

Is Virtru email encryption free for personal use? +

Yes. Virtru offers a free tier for personal Gmail users that supports encrypted send and receive with basic controls. The free tier does not include a BAA and is not suitable for HIPAA-covered PHI. It also lacks the DLP integrations and advanced management features of the Pro and Enterprise tiers. The free tier works well as an evaluation environment or for individual privacy-focused users who want client-side encryption on a personal Gmail account without paying for a business plan.

How does Virtru email encryption work in Gmail and Outlook? +

Virtru installs as a browser extension for Gmail (Chrome, Firefox, Edge) and as an Outlook add-in for Outlook desktop and Outlook web. Once installed, the compose window shows a Virtru toggle. Enabling the toggle encrypts the outbound message using Virtru’s Trusted Data Format. The recipient receives a normal-looking email with a Secure Reader link that opens the decrypted content in a browser. The sender can also enable post-send controls such as expiration, disable forwarding, and watermarking through the same interface.

What is the Virtru Trusted Data Format? +

Trusted Data Format (TDF) is Virtru’s proprietary encryption container. It wraps message content and attachments in a package that includes policy metadata and references to encryption keys held by Virtru servers. TDF supports features that S/MIME and PGP do not, such as post-send revocation, expiration, disable forwarding, and watermarking. The trade-off is that TDF is not an interoperable open standard. Recipients read TDF-wrapped content through Virtru’s Secure Reader rather than through their normal mail client’s native encryption support.

Does Virtru email encryption include a BAA for HIPAA? +

The Pro and Enterprise tiers include a Business Associate Agreement covering Virtru’s services under HIPAA. The free personal tier does not include a BAA and is not suitable for PHI. The BAA covers the Virtru servers, the Secure Reader portal, and the TDF encryption process. Healthcare organizations should confirm the signed BAA is in force before routing PHI. The BAA does not extend to the underlying Gmail or Outlook account, so the mail platform must also be on a BAA-eligible plan for full path coverage.

How does Virtru compare to Zixcorp email encryption? +

Virtru and Zixcorp target different segments. Virtru fits small to mid-size teams that want quick setup on existing Gmail or Outlook accounts. Zixcorp fits enterprises with heavy regulated content flow, mature IT teams, and a need for policy-based enforcement across large user populations. Pricing overlaps in the middle. Virtru at $79 per user is competitive with the Zix base tier at $30 to $50 per user, though Zix drops with volume. Our companion piece on Zixcorp email encryption covers Zix in detail.

Can Virtru email encryption prevent phishing? +

Virtru is an outbound encryption product. It does not scan inbound mail for phishing. Preventing phishing requires a separate inbound email security product such as those offered by Microsoft Defender for Office 365, Google Workspace advanced security, Barracuda Email Gateway Defense, or a dedicated anti-phishing service. Virtru complements those products by protecting outbound content but does not replace them. Practices should treat encryption and phishing defense as separate categories of protection and evaluate each independently.

How Do You Encrypt an Email in Outlook, Gmail, and Office 365

how do you encrypt an email guide featured image

๐Ÿ”‘ Key Takeaways

  • Modern Outlook uses Purview from the Encrypt ribbon. Outlook 2013 and older still route via S/MIME.
  • Personal Gmail has only Confidential Mode. Workspace Enterprise adds hosted S/MIME for true E2E.
  • Attachments inherit message encryption, or lock the file first with Acrobat, Word, or 7-Zip AES-256.
  • Office 365 Encrypt needs Business Standard or higher plus Azure Rights Management on the tenant.
  • A gateway skips per-user certs, works from Gmail or Outlook, and ships a BAA in the base plan.

Encrypting an email is a different set of steps in every mail client. Outlook has a button. Gmail has two paths that look similar but work differently. Outlook 2013 uses an older S/MIME workflow. Attachment encryption is its own separate topic.

This guide covers each of them in order. It also flags the HIPAA implications for practices sending PHI. For a cross-client path that works uniformly, a gateway service delivers encrypted email to any recipient without version dependencies.

Every section stands on its own with the menu paths named directly. Skip to the client and version that matches your setup.

Encrypt an Email in Modern Outlook on Microsoft 365

Modern Outlook on Business Standard and above adds an Encrypt button to the compose window. The service is Microsoft Purview Message Encryption.

Open Outlook. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Business Basic tier and free personal Outlook.com do not have the Encrypt button. Related linked topic: how do you encrypt emails for a broader coverage of alternatives.

Encrypt an Email in Outlook 2013 With S/MIME

Outlook 2013 supports S/MIME natively but has no Purview Encrypt button. The workflow uses the Trust Center and a client-installed certificate.

Install an S/MIME certificate in the Windows personal certificate store. Open Outlook. Go to File, Options, Trust Center, Trust Center Settings, Email Security.

Under Encrypted email, click Settings. Pick your signing certificate and your encryption certificate. Choose whether to sign or encrypt by default. Click OK.

To encrypt a single message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key. This workflow also applies to Outlook 2016, 2019, and Outlook LTSC 2021 when S/MIME is the chosen path.

how do you encrypt an email in article illustration one

Encrypt an Email in Gmail With Confidential Mode

Gmail confidential mode is available on all Google Workspace tiers and personal Gmail. Click the lock and clock icon at the bottom of the compose window.

Set an expiration date from the dropdown. Choose whether to require a passcode. Passcode by SMS is the higher-security option. Click Save.

Write the message and click Send. The recipient receives a link. They open it in a browser, enter the passcode if required, and read the message in a hosted view.

Confidential mode is not end-to-end encryption. Google holds the keys. The mode prevents forwarding, copying, and printing. It does not seal the content against the provider. For HIPAA-scoped mail, confidential mode alone is not sufficient.

Encrypt an Email in Gmail With Hosted S/MIME

Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.

The admin uploads root and intermediate CA certificates in the Google Admin console under Apps, Google Workspace, Gmail, User Settings, then S/MIME. Enable S/MIME for the organizational unit.

Each user uploads their personal certificate through Gmail settings under Accounts. Once configured, a lock icon appears next to the recipient field. Green means encryption is possible.

Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME messages. The encrypted content arrives as an unopenable attachment. See Google Workspace admin help for the current tier list.

Example

A physical therapy clinic on Microsoft 365 Business Premium builds an automatic DLP rule in the Purview compliance portal. The rule matches the US HIPAA template and triggers when outbound messages contain MRN patterns or SSN patterns. Action: apply Do Not Forward automatically. A new hire forgets to click Encrypt when replying to an insurance verifier and pastes a partial MRN into the body. The DLP rule fires server-side, encrypts the message, and creates an audit log entry the compliance officer reviews weekly.

Encrypt an Email Attachment for Extra Protection

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. This is sufficient for most cases.

For extra protection, encrypt the file itself before attaching. This adds a second layer that survives even if the message encryption fails or the recipient forwards the message to an unencrypted inbox.

Common attachment encryption tools:

  • Adobe Acrobat for PDF password protection with AES-256
  • Microsoft Word, Excel, PowerPoint via File, Info, Protect Document, Encrypt with Password
  • 7-Zip for archive password protection with AES-256
  • Apple Preview for basic PDF password protection on macOS

Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password. Related linked topic: encrypt an email.

how do you encrypt an email in article illustration two

Encrypt an Email in Office 365 With Automatic DLP Rules

Office 365 supports automatic encryption through Data Loss Prevention rules on Business Premium and Enterprise tiers. This removes the human step of clicking Encrypt.

The admin opens the Microsoft Purview compliance portal. Under Data Loss Prevention, create a new policy. Choose a template for U.S. Health Insurance Act (HIPAA) or a custom policy with SSN, MRN, or ICD patterns.

Configure the action. Apply Do Not Forward, Encrypt-Only, or a custom rights template when a match is found. The policy can also block the send or require justification.

Automatic DLP encryption reduces the risk of staff forgetting to click Encrypt on a sensitive message. It also creates audit trail evidence that the covered entity applied technical safeguards under the HHS Security Rule.

Encrypt an Email With PGP Using FlowCrypt

FlowCrypt is a browser extension that adds PGP support to Gmail. It works on personal Gmail and any Google Workspace tier.

Install the extension from the Chrome or Firefox web store. Create a keypair when prompted. Back up the private key to a hardware token or an encrypted vault.

Send a secure message from the FlowCrypt compose window inside Gmail. The extension encrypts the body with the recipient public key if it is in the FlowCrypt cache. If not, the extension prompts for the recipient key or sends through the FlowCrypt password-protected fallback.

PGP is not native to any major business mail workflow. FlowCrypt fills that gap for teams that want end-to-end encryption without moving to Google Workspace Enterprise. It is not commonly used in regulated healthcare settings.

๐Ÿ’กPro Tip: Automate PHI encryption through DLP rules, never rely on manual clicks

Staff forget to click Encrypt on sensitive messages, especially during busy scheduling windows or shift handoffs. A single missed click is a HIPAA breach. Configure DLP rules in the Microsoft Purview compliance portal or Google Workspace Data Loss Prevention to match SSN, MRN, ICD-10, and custom keyword patterns. Apply Encrypt or Do Not Forward automatically when a match is found. This removes the human factor from compliance and creates audit trail evidence during OCR investigations.

Encrypted Email Options Compared

The table below compares the main paths a business considers.

Method Client Support Recipient Setup End-to-End HIPAA Fit
Outlook Encrypt (Purview) M365 Business Standard+ Passcode or SSO No, portal Yes with BAA
Outlook S/MIME Outlook 2013+ Certificate install Yes Peer traffic
Gmail confidential mode All Workspace Passcode No Not sufficient alone
Gmail hosted S/MIME Workspace Enterprise+ Certificate install Yes Yes
FlowCrypt PGP Gmail via extension PGP key exchange Yes Rare in healthcare
Gateway (Mailhippo) Any provider Passcode Portal-based Yes with base plan BAA

HIPAA Notes on Encrypting Email in Practice

Encryption is one technical safeguard among many. HIPAA requires access controls, audit logging, session timeouts, workforce training, and a signed BAA with each business associate.

Automatic DLP triggers reduce the risk of missed manual encryption. Portal delivery removes the recipient-side certificate requirement. Both are practical for a real HIPAA workflow.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Document policies and train staff. See related healthcare security features context.

Retention matters. Encrypted mail counts as PHI storage. Retention policies must match state medical board rules and the six-year HIPAA administrative retention requirement.

When a Gateway Is the Better Fit

Managing S/MIME certificates across a small team is meaningful operational work. Certificate expiration, mobile provisioning, and cross-platform trust chains all take time.

A gateway service removes the certificate step. The sender writes in the normal client. A trigger word or plugin button triggers encryption. The recipient reads in a browser.

Mailhippo works this way on top of Gmail or Outlook. It includes a BAA in the base plan. It works uniformly on desktop and mobile without version dependencies. See related how to encrypt an email for the broader walkthrough. Practices building a compliant public-facing site can pair this with HIPAA-conscious website design so intake, contact, and email flows stay inside the same compliance boundary.

Frequently Asked Questions

How do you encrypt an email in Outlook? +

On Microsoft 365 Business Standard and above, open a new message and click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The recipient receives a link and authenticates with Microsoft, Google, or a one-time passcode. On older Outlook versions with S/MIME, install a certificate through the Trust Center under Email Security, then click the encrypt icon in the compose window before sending. The two paths produce different recipient experiences.

How do you encrypt an email in Gmail? +

Click the lock and clock icon at the bottom of the compose window for confidential mode. Set expiration and passcode. Write and Send. This is not end-to-end encryption. For true end-to-end on Google Workspace Enterprise, the admin configures hosted S/MIME and each user uploads a personal certificate. A lock icon then appears next to the recipient field. Green means encryption is possible. For personal Gmail, install a plugin like FlowCrypt to add PGP support. Confidential mode alone is not HIPAA-appropriate.

How do you encrypt an email attachment? +

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. For separate protection, encrypt the file before attaching. Open the PDF in Adobe Acrobat, choose Protect, set a password. Open the docx in Word, choose File, Info, Protect Document, Encrypt with Password. For archives, use 7-Zip with AES-256. Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password.

How do you encrypt an email in Office 365? +

Open Outlook on desktop, mobile, or the web. Start a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The Encrypt button is available on Business Standard, Business Premium, Enterprise E3, Enterprise E5, and Government plans. Admins configure encryption templates in the Microsoft Purview compliance portal. Automatic encryption through DLP rules is available on Business Premium and Enterprise plans, which triggers Encrypt when messages match sensitive data patterns like SSN or MRN.

How do you encrypt an email in Outlook 2013? +

Outlook 2013 supports S/MIME but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings, pick your certificate, and choose to sign or encrypt by default. To encrypt a specific message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key.

How do you use encrypted email in daily workflow? +

Set a policy. Encrypt any message containing PHI, PII, or financial data. Use S/MIME for peer recipients who hold certificates. Use portal encryption or Outlook Encrypt for external recipients on any provider. Verify recipient email address before sending. Confirm identity by phone before releasing any attachment password. Log the send in the practice communication system if required by policy. Train staff on the trigger words that identify sensitive content and the correct encryption path for each recipient type.

Can you encrypt an email to a recipient without setup on their side? +

Yes, with portal-based encryption. Outlook Encrypt, Gmail confidential mode, and third-party gateways all use a portal model where the recipient receives a link, authenticates with a passcode or SSO, and reads the message in a browser. The recipient needs only a modern browser and the passcode. S/MIME and PGP require setup on both sides because the recipient client must decrypt with a private key it holds. Portal delivery is the model to use when the recipient set is variable or non-technical.

How Do I Send an Encrypted Email in Outlook, Gmail, and Yahoo

how do i send an encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook on Microsoft 365 Business Standard uses the Encrypt button in Options ribbon via Purview.
  • Gmail has Confidential Mode (weak) and hosted S/MIME on Enterprise. Personal Gmail has no real E2E.
  • Yahoo has no native encryption and no BAA. Regulated senders must migrate off or wrap in a gateway.
  • Apple Mail on macOS and iOS reads S/MIME from the keychain and shows a lock icon in the compose bar.
  • Gateways sit on top of any provider, add a trigger word or button, and ship a BAA in the base plan.

Sending an encrypted email looks different in every mail client. The button is in a different place in Outlook, Gmail, Yahoo, and Apple Mail. Some clients offer true end-to-end encryption while others offer a portal-based feature that looks similar but works differently.

This guide walks through the exact steps for each major provider. It also flags the HIPAA implications for practices sending PHI. For a gateway option that works across all of them, Mailhippo offers encrypted email as a portal service with a BAA in the base plan.

Start with the client you already use. Every section stands on its own with the buttons and menu paths named directly.

Sending Encrypted Email in Outlook 365

Outlook on Microsoft 365 Business Standard and above has an Encrypt button in the compose window. It uses Microsoft Purview Message Encryption underneath.

Open a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown menu that appears.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Business Basic and free personal Outlook.com do not have the Encrypt button. Upgrading to Business Standard or higher unlocks it. Related linked topic: how do you encrypt an email in outlook for the setup on older versions.

Sending Encrypted Email in Gmail With Confidential Mode

Gmail confidential mode is available on personal Gmail and every paid Google Workspace tier. Open a new message. Click the lock and clock icon at the bottom of the compose window.

Set an expiration date. Choose whether to require a passcode. Click Save. Write the message and click Send. The recipient receives a link and reads the message in a hosted view.

Confidential mode is not end-to-end encryption. Google holds the keys. The mode adds an extra step for the recipient and prevents forwarding, but the content is not sealed against the provider.

For a HIPAA workflow, confidential mode alone is not sufficient even with a BAA. Practices sending PHI need either hosted S/MIME on the Enterprise tier or a third-party gateway. See Google confidential mode documentation for the current feature list.

how do i send an encrypted email in article illustration one

Sending Encrypted Email in Gmail With Hosted S/MIME

Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.

The admin uploads root and intermediate CA certificates in the Google Admin console. They enable S/MIME for the organizational unit. Each user then uploads their personal certificate through Gmail settings under Accounts.

Once configured, a lock icon appears next to the recipient field in the compose window. Green means encryption is possible because the recipient certificate is cached. Gray means the recipient certificate is missing.

Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME encrypted messages. The encrypted content arrives as an unopenable attachment. This is the main operational limit of S/MIME in a mixed environment.

Sending Encrypted Email in Yahoo Mail

Yahoo Mail has no native encrypted email feature. There is no Encrypt button, no confidential mode, and no hosted S/MIME. Yahoo Mail Plus adds ad-free browsing and more storage but no encryption.

To send encrypted email from a Yahoo address, the practical options are limited. Connect the Yahoo account to Thunderbird by IMAP. Install an S/MIME certificate in Thunderbird. Send encrypted mail from Thunderbird using the Yahoo address as the From address.

The other option is a gateway service that authenticates against the Yahoo account and sends portal-delivered encrypted mail on its behalf. This is a workaround, not a supported feature.

Yahoo does not offer a Business Associate Agreement. Yahoo is not appropriate for HIPAA use. Practices on Yahoo should migrate to Google Workspace, Microsoft 365, or a dedicated healthcare mail provider before starting a real encryption program.

Example

A solo dermatologist on personal Yahoo Mail wants to send lab results to a referring internist. Yahoo has no Encrypt button, no confidential mode, no BAA. The dermatologist tries the workaround of connecting Yahoo to Thunderbird by IMAP and installing an Actalis S/MIME certificate, but the internist does not have S/MIME either. The practical resolution is migrating off Yahoo to Google Workspace Business Standard and adding a gateway service. The dermatologist then sends lab results with one click from a normal Gmail compose window.

Sending Encrypted Email in Apple Mail

Apple Mail on macOS and iOS supports S/MIME natively. The user installs an S/MIME certificate in the system keychain. Mail detects the certificate automatically.

On macOS, install the certificate through Keychain Access by opening the PKCS 12 file. On iOS, install through a configuration profile or by tapping the .p12 file in Files or Mail. Trust the certificate in Settings.

Once installed, a lock icon appears in the compose window when the recipient certificate is available. Click the lock to encrypt. A signed message from a recipient adds their public key to the local keychain automatically.

Apple Mail also opens Outlook Encrypt messages and portal-delivered messages from third-party gateways. Cross-platform S/MIME between Apple Mail and Outlook works reliably when both sides use the same certificate authority.

how do i send an encrypted email in article illustration two

Sending Encrypted Email With a Gateway Service

A gateway service sits between the sender mail client and the recipient. The sender writes the message in the normal client. A trigger word in the subject or a plugin button triggers encryption.

The service uploads the message to a hosted portal. The recipient receives a notification with a link. They authenticate with a passcode or SSO and read the message in a browser.

Gateway services work with any mail provider. They add a BAA when the underlying mail provider does not offer one. Setup takes minutes for a single user and hours for a full team.

Related linked topics: how to send an encrypted email for a broader walkthrough and how do I send encrypted email for cross-provider notes.

HIPAA Requirements for Encrypted Email Sending

Sending PHI over email requires a signed Business Associate Agreement with the mail provider and technical safeguards under the Security Rule. Encryption alone does not equal compliance.

Microsoft 365 Business Standard and above and Google Workspace Business Standard and above both offer BAAs. Personal Outlook.com, personal Gmail, personal Yahoo, and personal iCloud do not.

The HHS Security Rule requires access controls, audit logging, session timeouts, and workforce training in addition to encryption. Documentation of policies is required for a defensible program.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Related: security features for healthcare websites for how email fits inside the wider stack.

๐Ÿ’กPro Tip: Verify the recipient email address before every PHI send

Encryption protects content but does not correct a wrong address. Sending PHI to the wrong recipient is a HIPAA breach even when the message is perfectly encrypted. Confirm the recipient email through a separate channel before sending, especially for new contacts. Use address book contacts rather than typing addresses each time. Practices sending PHI attachments should also verify recipient identity by phone before releasing any password shared out of band with the encrypted file.

Encrypted Email Feature Comparison Across Providers

The table below summarizes what each major mail provider offers natively.

Provider Native Encryption Feature End-to-End BAA Available Free Tier Encrypted Send
Outlook 365 Business Standard+ Encrypt button, Purview No, portal-based Yes No
Gmail Workspace Business Confidential mode No Yes on Business Standard+ Confidential mode only
Gmail Workspace Enterprise Hosted S/MIME Yes Yes Not on personal
Yahoo Mail None native No No No
Apple Mail on iCloud+ Manual S/MIME Yes with certificate No Manual setup only
ProtonMail Business Password-protected portal Yes to Proton, portal to others Yes on Business Free tier has portal send

Common Sending Problems and Their Fixes

The Encrypt button is missing in Outlook. This happens on Business Basic or free personal Outlook.com. Upgrade to Business Standard or above, or use a gateway service.

The S/MIME lock icon is gray in Gmail. This means the recipient certificate is not cached. Ask the recipient to send you a signed message first. The certificate cache populates automatically from signed inbound mail.

The recipient cannot open the encrypted message. Common causes:

  • Recipient client does not support S/MIME (personal Gmail, Business Standard Workspace)
  • Notification email landed in spam
  • Recipient failed the passcode step
  • Certificate address mismatch on the sender side
  • Corporate firewall blocks the portal domain

Related linked topic: how do I open an encrypted email in outlook for recipient-side fixes.

Picking the Right Sending Path for Your Practice

Practices already on Microsoft 365 Business Standard or above should use the native Encrypt button for external mail. Setup is minutes. The BAA is already in place.

Practices on Google Workspace Business Standard should use confidential mode for casual privacy and add a gateway service for HIPAA-scoped mail. Upgrading to Enterprise for hosted S/MIME is often costlier than the gateway approach.

Practices on Yahoo, iCloud, or free personal accounts need to migrate to a business mail provider before starting a real encrypted email program. No workaround makes those tiers HIPAA-appropriate.

Mailhippo works as the gateway option across all of these providers. It sits alongside Gmail or Outlook, includes a BAA in the base plan, and requires no per-user certificate management. Practices building a compliant public site alongside their email program can pair this with HIPAA-conscious website design so the whole intake chain stays inside the same compliance boundary.

Frequently Asked Questions

How do I send an encrypted email in Outlook 365? +

Open a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown. Write the message and click Send. The external recipient receives a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser. The Encrypt button appears on Microsoft 365 Business Standard, Business Premium, E3, E5, and Government plans. Free personal Outlook.com and Business Basic tiers do not have this feature.

How do I send an encrypted email in Gmail? +

Two options exist. For confidential mode, open a new message, click the lock icon at the bottom, set expiration and passcode, then send. Confidential mode is not end-to-end encryption. For true S/MIME encryption, the account must be on Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus. The admin uploads CA certificates and enables S/MIME, then each user uploads their personal certificate. A lock icon then appears next to the recipient field when encryption is possible.

How do I send an encrypted email with Yahoo? +

Yahoo has no native encrypted email feature. To send encrypted mail from a Yahoo address, connect the Yahoo account to Thunderbird via IMAP and install an S/MIME certificate in Thunderbird. Or connect the Yahoo account to a gateway service that handles portal delivery. Yahoo does not offer a Business Associate Agreement and is not a HIPAA-appropriate mail provider even with a workaround in place. Yahoo Mail Plus does not add encryption features. Business users should move to a provider that offers a BAA.

How do I send an encrypted email in Outlook 2013? +

Outlook 2013 supports S/MIME natively but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File then Options then Trust Center then Trust Center Settings then Email Security. Under Encrypted email, click Settings and pick your certificate. Choose to sign or encrypt outgoing messages by default. To encrypt a specific message, click the Encrypt Message Contents and Attachments button in the compose ribbon before sending.

Can I send encrypted email without buying a service? +

Yes, with limits. Free options include manual S/MIME with a free personal certificate from Actalis in Outlook or Apple Mail, PGP with a plugin like FlowCrypt in Gmail, and a personal ProtonMail account for external portal delivery. All three require setup effort and none qualifies for HIPAA on the free tier. For regulated work, a paid service with a BAA is the only defensible path. For casual privacy, the free options work well after the initial setup.

Is Outlook confidential mode the same as encryption? +

Outlook does not use the term confidential mode. Gmail uses that term. In Outlook, the equivalent feature is Encrypt or Do Not Forward inside Microsoft Purview Message Encryption. Encrypt-Only prevents unauthorized reading. Do Not Forward adds restrictions against forwarding, copying, and printing. Both use portal-based delivery for external recipients. Neither is the same as S/MIME end-to-end encryption. Outlook also supports S/MIME separately for peer-to-peer certificate-based encryption between users who both hold certificates.

How do I send an encrypted email attachment? +

The attachment inherits the encryption of the message. Attach the file to a message you encrypt through Outlook Encrypt, Gmail S/MIME, Apple Mail S/MIME, or a portal gateway. The service encrypts the message body and attachment together. For separate protection, encrypt the file itself with a password using Adobe Acrobat for PDFs or 7-Zip for other files, then share the password out of band. Practices sending PHI attachments should verify recipient identity before releasing any password.

How to Send Encrypted Email from Gmail

send encrypted email from gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Free Gmail only has TLS in transit; Google still reads the stored copy in every mailbox.
  • Hosted S/MIME ships on Enterprise Plus and Education tiers; Business Starter and Standard skip it.
  • Confidential Mode blocks forwarding and prints but the body sits readable inside Google storage.
  • Cross-provider encryption needs shared keys or a portal service that both sides can open.
  • Google BAA covers storage and transport; a gateway BAA closes the recipient mailbox gap.

Gmail handles more than 1.8 billion active accounts, and a large share of small healthcare practices, therapists, and specialty clinics run their day-to-day communication through it. The default protection is TLS in transit, which is not the same as end-to-end message encryption.

To send encrypted email from Gmail in a way that satisfies HIPAA or protects sensitive content from mailbox breaches, you need to add a layer on top of the default setup. Google offers two native options, S/MIME on select Workspace tiers and Confidential Mode on all tiers, and a third-party route sits above both.

This guide walks through each option with the exact console clicks, the tier requirements, and the cases where each method fits. It also covers the cross-provider gap that catches most senders on the first try.

Gmail Uses TLS in Transit, Not Content Encryption

Standard Gmail encrypts the connection between Google and the receiving mail server using opportunistic TLS. If the receiving server accepts TLS, the message is protected on the wire. If the receiving server does not support TLS, the message drops to plaintext for that hop.

Once the message arrives at the destination mailbox, the TLS protection ends. The message body is stored in the recipient mailbox in a form the mail provider can read. The same applies to the copy in your Sent folder.

TLS in transit does not meet the HIPAA requirement for end-to-end protection of PHI. It also does not protect against a mailbox breach on either side. A stolen password or a compromised admin session exposes every message in the account.

For content-level encryption you have three native or near-native paths from Gmail. S/MIME through Workspace, Confidential Mode, or a third-party plugin or gateway. Each has a different security ceiling and a different setup cost.

S/MIME Requires a Supported Google Workspace Tier

Hosted S/MIME in Gmail is available on Google Workspace Enterprise Plus, Education Standard, and Education Plus. Business Starter, Business Standard, and Business Plus do not include it. Personal Gmail accounts do not include it either.

To enable it, an admin signs in to the Google Admin console, opens Apps, selects Google Workspace, then Gmail, then User settings. The S/MIME section allows the admin to enable the feature for specific organizational units.

Each user then needs a valid S/MIME certificate issued by a public certificate authority or a private CA integrated with the tenant. The certificate is uploaded to the user profile, either manually or through an API integration with the CA.

Once the certificate is in place, the Gmail composer shows a lock icon in the address field. The icon turns green when the recipient public certificate is known to Google. If the recipient has never sent an S/MIME message to your organization, the lock stays gray.

send encrypted email from gmail in article illustration one

Confidential Mode Is Access Control, Not Encryption

Confidential Mode sits in the Gmail composer next to the send button. Click the lock and clock icon, set an expiration date, and optionally require an SMS passcode. The recipient sees the message with forwarding, printing, and copy disabled.

The message content itself is not encrypted. It sits in Google storage in a form Google can read, and the recipient views it through a Google-hosted preview page. The expiration date deletes the preview link, but the underlying copy in Sent Mail remains in your account.

Confidential Mode is useful for reducing casual forwarding and setting a self-destruct on a routine message. It is not a substitute for encryption when PHI or regulated data is involved.

The Department of Health and Human Services has been consistent that HIPAA requires content-level protection of PHI at rest and in transit. Confidential Mode does not meet that bar on its own. Reference the HHS Security Rule guidance if you need the underlying text.

Google Signs a BAA for Paid Workspace Tiers Only

Google will sign a Business Associate Agreement for Business Starter, Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. The BAA is opt-in through the Admin console under Account, then Legal and Compliance.

The BAA does not extend to personal Gmail accounts. Sending PHI from a free Gmail address is a HIPAA violation regardless of what encryption method you layer on top. The mail provider itself has to be under a BAA.

The Google BAA covers Google storage and transport. It does not cover the recipient mailbox, the recipient mail server, or any downstream forwarding by the recipient. Once the message leaves Google, the Google BAA no longer applies.

That is why message-level encryption matters. TLS protects the wire between Google and the next hop. Message-level encryption protects the content itself all the way through to the intended reader.

Example A five-therapist behavioral health group runs Google Workspace Business Standard at $14 per user per month. Upgrading every seat to Enterprise Plus for S/MIME would add roughly $150 per user per month, or $9,000 per year on top of the base plan. Instead the practice layers a portal-based gateway at $9 per user per month, keeps the existing Workspace BAA, and adds a second BAA with the gateway vendor. Patients read encrypted messages through a browser link with a passcode. Total encryption spend lands near $540 per year.

PGP Requires Key Exchange with the Recipient

PGP is a public-key encryption system that predates S/MIME by several years. It works well between two technical users who have exchanged public keys, and it works poorly at scale across a healthcare organization.

On Gmail, PGP is delivered through browser extensions like FlowCrypt or through a desktop client that syncs with Gmail over IMAP. The sender private key stays on the local device. The recipient needs the same tooling and needs to import your public key before decrypting.

Key management is the friction point. Every new recipient needs a public key exchange. Every device change needs the private key transferred securely. Lost private keys mean lost access to every previously encrypted message.

PGP is not a good fit for a clinical staff workflow where messages go to dozens of external patients, insurance carriers, and referral partners per week. It fits a small circle of technical users. It does not fit a front-desk workflow.

Cross-Provider Encryption Breaks Without a Shared Method

The hard case is sending an encrypted message from Gmail to a Yahoo, Outlook.com, or AOL account. None of those recipients typically has an S/MIME certificate on file. None of them typically has PGP tooling installed. A Confidential Mode message drops to a preview link the recipient may not trust.

The workable pattern for cross-provider encryption is a portal-based encrypted email service. The service intercepts the outbound message, encrypts the payload with a key held on its servers, and sends the recipient a link to a hosted decryption page.

The recipient clicks the link, authenticates with a passcode or email verification, and reads the message in a browser session. The message never lands in the recipient mailbox in decrypted form. Only the link and the metadata do.

This is the same pattern Microsoft uses with Purview Message Encryption for Outlook. It is provider-agnostic on the recipient side, which is why it works for cross-provider sending.

send encrypted email from gmail in article illustration two

Third-Party Services Work with Existing Gmail Accounts

A HIPAA-compliant encrypted email service usually plugs into Gmail one of two ways. The first is a Chrome extension that adds an encrypt button to the composer. The second is a routing configuration in Google Admin that sends outbound mail through the service gateway.

The extension approach fits solo practitioners and small teams. The user installs the extension, signs in to the service account, and gets a new send button next to the standard Gmail send button. The clinical staff experience stays inside Gmail.

The gateway approach fits larger practices with a Workspace admin. Outbound mail from designated accounts is routed through the service SMTP relay, which applies encryption based on the recipient domain or a keyword in the subject line.

Mailhippo uses this pattern. Users keep their existing Gmail account, the recipient gets a portal link, and Mailhippo signs a BAA that covers the encrypted mail path. No S/MIME certificates and no key exchange with the recipient.

Client-Side Encryption Keeps Keys Outside Google

Google Workspace Enterprise Plus offers client-side encryption, or CSE, for Gmail. Keys are held by an external key service that the customer controls, and Google never sees the plaintext of the message or the encryption key.

CSE is designed for regulated customers who need to prove that the mail provider cannot decrypt their messages even under legal request. Government agencies, defense contractors, and some large healthcare systems fit the profile.

The setup cost is significant. The admin has to stand up or contract with a Key Access Control List Service that speaks the Google CSE API, then configure each user account to use it. External recipients need matching CSE tooling, which limits interoperability.

CSE is the right choice for a small subset of Enterprise Plus customers with an existing key management infrastructure. It is not a first-move option for a typical outpatient clinic on Business Standard.

๐Ÿ’กPro Tip: Block outbound send when the S/MIME lock stays grayThe Gmail composer shows a gray lock when the recipient certificate is not on file, and the message goes out over TLS only. Staff assume the lock means safe and send PHI unencrypted. Set a tenant DLP rule in the Admin console that blocks outbound send from PHI-handling accounts when the S/MIME lock is not green. Route those messages to a portal-based gateway as a fallback. This removes the single most common failure mode in a Workspace S/MIME deployment.

Mobile Gmail Sends Encrypted Messages Through the Same Paths

The Gmail mobile app on iOS and Android supports Confidential Mode natively. Tap the three-dot menu in the composer and select Confidential Mode. The expiration and passcode options are the same as on desktop.

S/MIME on mobile requires a Workspace tier that supports it plus a certificate provisioned to the mobile device. iOS handles certificate installation through a configuration profile pushed by MDM. Android handles it through the enterprise container.

Third-party encryption services that offer a Chrome extension do not run on the Gmail mobile app. Their mobile support is usually a standalone iOS or Android app that composes an encrypted message and sends it through the service directly.

For a clinical staff workflow where phones and tablets are common, verify the mobile path before rolling out the desktop-first setup. A method that works on the browser but not on a phone will not survive contact with actual daily use.

Practical Setup Order for a Small Healthcare Practice

Start with the BAA. Confirm the Google Workspace tier and enable the BAA in the Admin console. A personal Gmail account is not a starting point for PHI. Move to Workspace first.

Second, decide on the encryption method based on tier. If the practice is on Enterprise Plus and has an existing PKI, S/MIME is a clean fit. If the practice is on Business Standard or Business Plus, a third-party service is the shorter path than upgrading every seat to Enterprise Plus.

Third, train the front desk on the send workflow. The most common failure mode is a staff member forgetting the encrypt button and sending PHI in cleartext. A gateway that encrypts based on recipient domain or subject keyword removes that human step.

For related work on other clients, see the send a encrypted email from outlook guide and the how to send encrypted email from yahoo account reference. For a mobile-first walkthrough, see how to send an encrypted email from phone. Practices building out the broader digital stack for patient trust often pair encrypted email with a locked-down healthcare website security posture and a HIPAA-aware healthcare website design.

Common Failure Modes and How to Avoid Them

The most common failure is treating Confidential Mode as encryption. Front-desk staff assume the lock icon means the message is safe. It reduces forwarding but leaves the body readable to Google. Document the difference in the staff handbook.

The second is sending PHI from a personal Gmail account. There is no BAA, so any PHI in the message is a breach the moment it is sent. Migrate every clinical account to Workspace and disable personal Gmail forwarding.

The third is assuming S/MIME works when the recipient public certificate is not on file. The lock icon stays gray and the message goes out with TLS only. Set the tenant policy to block outbound send on the gray-lock state for accounts that handle PHI.

See the NIST SP 800-177 Rev 1 guidance on trustworthy email for the underlying reasoning on why TLS alone is not sufficient. The HIPAA Journal encryption requirements page summarizes the practical bar for covered entities.

  • Confirm your Workspace tier before assuming S/MIME is available.
  • Sign the Google BAA in the Admin console under Account, Legal and Compliance.
  • Never send PHI from a personal Gmail account.
  • Use Confidential Mode as a policy control, not as encryption.
  • Verify the mobile path before rolling out the desktop workflow.
  • Test S/MIME by exchanging a signed message with the recipient first, then encrypt.
  • Set a tenant policy that blocks unencrypted send for accounts that handle PHI.
  • Route outbound PHI mail through a gateway with a recipient-domain rule.
  • Keep the encrypt button visible in the composer to reduce human error.
  • Audit sent-folder contents monthly for accidental unencrypted PHI.

Can I Encrypt an Email in Gmail (and Every Other Client)

can i encrypt an email in gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail offers three paths: Confidential Mode, native S/MIME, or a third-party portal extension.
  • Confidential Mode is not real encryption; Google reads the body and it fails HIPAA audits.
  • Native S/MIME needs Enterprise Plus and the recipient public cert, which patients rarely have.
  • Outlook 365 Business Premium unlocks the Encrypt button; Outlook Desktop S/MIME works on any plan.
  • GoDaddy Professional Email offers no BAA; healthcare needs Microsoft 365 Business Premium or higher.

Encrypting an email should be a one-click operation. In practice it depends on which client, which plan, and which recipient the sender is dealing with.

The core question, can I encrypt an email in Gmail, has three answers. So does the same question for Outlook and GoDaddy. This guide walks through each path, when to use it, and when a hosted encrypted email service is the simpler choice.

The setup order matters. Check the client, check the plan, then choose the encryption method that matches the recipient. A method that works for a colleague on the same tenant may not work for a patient on a free consumer account.

Gmail Confidential Mode is not encryption

Confidential Mode appears in the Gmail compose window as a lock icon at the bottom of the toolbar. Clicking it opens a dialog for expiration and passcode settings.

The message body is not encrypted. Google servers store the message in the same format as any other Gmail message. The controls are behavioral, meaning they restrict what the recipient can do in the Gmail interface.

The recipient can still screenshot the message, retype it, or print the screen. The expiration setting removes access from the Gmail viewer, but any content already read is out of the sender’s control.

For casual privacy, Confidential Mode is useful. For HIPAA or any regulated data, it is not sufficient. The Security Rule requires actual encryption of the transmitted content.

Native S/MIME in Gmail requires Enterprise Plus

Google Workspace supports hosted S/MIME on Enterprise Plus, Education Standard, and Education Plus. Business Starter, Standard, Plus, and Enterprise Standard do not include native S/MIME.

To enable S/MIME, an administrator uploads each user’s S/MIME certificate through the Admin console and configures the S/MIME setting under Apps, Google Workspace, Gmail, User settings.

Sending an encrypted message to an external recipient requires the recipient’s public certificate. If Gmail does not have the certificate on file, the compose window shows the message as signed but not encrypted.

The certificate exchange problem is the reason most practices skip S/MIME even when the plan supports it. Patients and external contacts rarely have S/MIME certificates.

can i encrypt an email in gmail in article illustration one

Third-party extensions add encryption to any Gmail plan

Browser extensions like Mailhippo, Virtru, and FlowCrypt add an encryption toggle to the Gmail compose window. When the toggle is on, the extension encrypts the message before it leaves the browser.

External recipients receive a link and open the message in a portal. They authenticate with a Google, Microsoft, or email-verified passcode, depending on the extension.

The advantage over S/MIME is that recipients need no configuration. The advantage over Confidential Mode is that the encryption is real. The trade-off is a per-user monthly fee.

For healthcare senders, the extension has to come with a signed BAA. Mailhippo, Virtru, and Paubox all offer BAAs. FlowCrypt does not, which rules it out for HIPAA use. Practices weighing which extension to install often compare notes across how can i encrypt my emails and similar decision guides.

Outlook 365 has an Encrypt button that triggers Purview

Can I encrypt an email in Outlook? Yes. On Microsoft 365 Business Premium or higher, the Encrypt button appears on the Options ribbon in Outlook Desktop and in the Actions menu in Outlook on the web.

Clicking Encrypt applies Microsoft Purview Message Encryption. The message body and attachments are encrypted, and external recipients receive a portal link that they open after authenticating with Microsoft, Google, or a one-time passcode.

The Encrypt button only appears if Azure Rights Management is active on the tenant. If a super administrator has never enabled it, the button is invisible even on the correct license.

On Business Basic or Business Standard, the Encrypt button is not available. Practices on those plans need to upgrade to Business Premium or use a third-party gateway.

Example

A family law attorney on GoDaddy Professional Email started sending confidential settlement drafts to opposing counsel and clients. She assumed the padlock icon in her webmail meant messages were encrypted end-to-end. Her paralegal researched the plan and discovered GoDaddy Professional Email uses TLS in transit only, with no message-level encryption and no BAA. The firm migrated the 4 mailboxes to Microsoft 365 Business Premium through GoDaddy at $88 per month total, activated the Encrypt button, and set a mail flow rule requiring encryption on all outbound client mail.

Outlook Desktop supports S/MIME on any plan

Outlook Desktop has supported S/MIME for over 20 years. The setup runs through File, Options, Trust Center, Trust Center Settings, Email Security.

A user imports an S/MIME certificate from a certificate authority into the Windows certificate store, then binds it to their Outlook profile. Digital signing and encryption become available on the compose window.

To send an encrypted message to an external recipient, the sender needs the recipient’s public certificate. Outlook stores public certificates from previously received signed messages, which is how the exchange usually happens.

Outlook on the web has more limited S/MIME support and requires the S/MIME control installed through the browser. Outlook Mobile does not support S/MIME send at all on most versions.

can i encrypt an email in gmail in article illustration two

Consumer Outlook.com has free encryption between Microsoft accounts

Outlook.com consumer accounts include free encryption for messages between Microsoft accounts. The shield icon in the compose window toggles encryption on.

The recipient experience depends on what account they use. Other Outlook.com or Microsoft 365 users see the decrypted message natively. External recipients on Gmail, Yahoo, or similar receive a portal link.

The free encryption tier does not include a BAA. Microsoft signs BAAs on Microsoft 365 business plans, not on consumer Outlook.com. Healthcare users on Outlook.com are not compliant.

For a personal user who wants to send an encrypted message once in a while, Outlook.com’s built-in encryption is a fine free option. For a practice, it is not.

GoDaddy email splits into two products with different encryption options

GoDaddy sells two email products under two brand names. Professional Email is GoDaddy’s own product, and Microsoft 365 from GoDaddy is a rebranded Microsoft 365 tenant.

On Professional Email, transit encryption uses TLS whenever the receiving server supports it. There is no built-in body encryption. Users who need it install a third-party extension or upgrade.

On Microsoft 365 from GoDaddy, encryption works exactly like any Microsoft 365 tenant. Business Premium and higher get the Encrypt button. Lower tiers do not.

GoDaddy does not sign a BAA for its consumer-tier products. Healthcare senders on GoDaddy need to be on the Microsoft 365 Business Premium tier, activate the BAA through the Microsoft admin center, and use Purview or a third-party service for encryption.

๐Ÿ’กPro Tip: Confirm the BAA is signed before trusting any padlock icon

Every email vendor displays some security indicator, and users routinely interpret padlock icons as evidence of HIPAA compliance. The icon usually indicates only TLS-in-transit, not message-level encryption or business associate coverage. Before sending PHI through any account, verify the BAA is signed and covers the specific service in use. Google Workspace Admin console records the acceptance under Legal and compliance. Microsoft 365 records it in the Service Trust Portal. GoDaddy Professional Email offers no BAA at all.

Comparison of encryption methods across common clients

The three main methods, TLS, S/MIME, and portal-based, each have trade-offs. TLS is automatic and covers most modern receivers, but the sender has no visibility into whether a specific message actually used TLS on delivery.

S/MIME is strong when both sides have certificates, but the certificate exchange kills the workflow for most external recipients. Portal-based services solve the certificate problem but add a step for the recipient.

Method Recipient effort HIPAA-ready Included in
TLS only None Only with signed BAA plus verified TLS enforcement Every provider
Gmail Confidential Mode Passcode entry No Every Gmail plan
S/MIME Certificate install Yes, if BAA in place Enterprise Plus, Outlook Desktop, Microsoft 365
Purview Message Encryption Portal login Yes, if BAA in place Microsoft 365 Business Premium+
Third-party portal service Portal login Yes, with signed BAA Mailhippo, Virtru, Paubox

The right column matters more than the others for a healthcare practice. If the encryption method is not paired with a signed BAA, it does not meet the Security Rule requirement regardless of how strong the cryptography is.

What to choose based on the sender’s situation

A solo practitioner on Gmail should install a hosted encryption service and skip the plan-tier gymnastics. The monthly fee is smaller than the friction of managing S/MIME certificates for every recipient.

A small group practice on Microsoft 365 Business Standard should upgrade to Business Premium, activate the Encrypt button, and train staff on when to use it. That is the shortest path to compliance for a Microsoft-first shop.

A larger clinic with mixed email systems benefits from a gateway service that sits in front of every outbound path. The gateway enforces encryption regardless of which client the user sends from.

Practices that want the marketing site and patient intake to match the email compliance posture should work with an agency familiar with HIPAA-compliant website design so the intake forms, the appointment reminders, and the outbound clinical mail all share the same encryption story.

Quick setup steps for the three most common configurations

For Google Workspace Business Standard with a hosted encryption service: sign up with the vendor, connect the Gmail account through OAuth, install the browser extension, and send a test message to a personal address on a non-compliant server. Confirm the recipient sees a portal link.

For Microsoft 365 Business Premium: activate Azure Rights Management under Settings, Org settings, Services, Microsoft Azure Information Protection. Confirm the Encrypt button appears in the Outlook ribbon. Send a test message.

For Outlook Desktop with S/MIME: purchase a certificate from a certificate authority, install it in the Windows certificate store, bind it under Trust Center, Email Security, and exchange a signed message with the intended recipient to swap public certificates.

The Google Confidential Mode help page and the Microsoft Purview documentation both walk through the client-side steps for reference.

  • Check the plan tier before choosing an encryption method.
  • Skip Confidential Mode for any regulated data.
  • Use a third-party hosted service if S/MIME certificate exchange is not practical.
  • Confirm a signed BAA is in place before sending PHI over any channel.
  • Test with a real external recipient before rolling out to staff.

Answering can i encrypt an email in gmail is the easy part. The harder question is which method fits the sender’s plan, the recipient’s setup, and the compliance requirements attached to the content. The right combination changes the moment any of those three factors change.

Frequently Asked Questions

Can I encrypt an email in Gmail without upgrading my plan? +

Yes. Confidential Mode is available on every Gmail plan, though it is not real encryption. For actual body encryption on a Business Starter, Standard, or Plus plan, install a third-party extension like Mailhippo, Virtru, or FlowCrypt. The extension encrypts the message before it leaves the browser and delivers external recipients a portal link. Native S/MIME requires Enterprise Plus. The extension route is the simplest way to add real encryption to a Gmail account without changing the plan tier.

How can I encrypt an email for free? +

Free options exist but each has a limit. ProtonMail encrypts messages to other ProtonMail users automatically and delivers messages to outside recipients through a password-protected portal. FlowCrypt adds free PGP encryption to Gmail through a browser extension. Outlook.com sends free encrypted messages between consumer Microsoft accounts. None of the free options include a business associate agreement, so they are unsuitable for healthcare use. Compliance-grade sending requires a paid service with a signed BAA.

Can I encrypt an email in Outlook? +

Yes. On Microsoft 365 Business Premium or higher, click the Encrypt button on the message ribbon to trigger Purview Message Encryption. On any plan with S/MIME certificates installed, click the security icon and choose Encrypt Message Contents. On Outlook.com consumer, click the shield icon in the compose window to send a message with Microsoft encryption. Each option produces a slightly different recipient experience, but all three encrypt the message body and support external delivery.

How can I easily encrypt an email from any client? +

The easiest path across every client is a third-party encryption service that connects to the existing account. Mailhippo works this way with Gmail, Outlook, and any IMAP or SMTP account. Send from the normal compose window, and the service encrypts the message automatically before it reaches the recipient. No certificates, no toggle, no compose window changes. The recipient gets a portal link or an encrypted TLS-delivered message depending on their provider’s support.

How does GoDaddy encrypt email on its Professional Email plan? +

GoDaddy Professional Email uses TLS for transit encryption whenever the receiving server supports it. There is no built-in body encryption on the standalone Professional Email product. Users who need message-level encryption on GoDaddy Professional Email have to install a third-party extension or upgrade to the Microsoft 365 tier sold through GoDaddy. GoDaddy does not sign a BAA for its consumer or small-business tiers, so healthcare senders need to be on a Microsoft 365 plan that qualifies for the Microsoft BAA.

Does encrypting an email guarantee the recipient can read it? +

No. If the recipient does not have S/MIME certificates configured and the encryption path used S/MIME, they cannot decrypt the message. Portal-based services solve this by delivering a link the recipient opens in a browser, which works on any email client. Before sending an encrypted message to a first-time recipient, most encryption services show a preview of what the recipient will see. That preview is useful for confirming the recipient will actually be able to open the message.

What is the difference between encryption and Confidential Mode in Gmail? +

Confidential Mode adds three controls to a message. The recipient cannot forward, copy, print, or download the message from the Gmail interface. The message expires on a schedule the sender sets. The recipient must enter a passcode sent by SMS to open it. None of those controls encrypt the message content. Google can still read the body, and a determined recipient can screenshot the content. Real encryption protects the body from anyone without the decryption key.

How to Send Encrypted Email Without Extra Software

send encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail offers confidential mode for basics and S/MIME on paid Workspace plans for real encryption.
  • Outlook's Encrypt button works on 365 Business Premium and higher, backed by Purview and Azure RMS.
  • iPhone Mail supports S/MIME via config profile, but only if both sides already exchanged certs.
  • Developers can wire S/MIME in C# via System.Security.Cryptography.Pkcs or ship faster with an API.
  • Mailhippo layers on existing Gmail or 365 mailboxes, ships the BAA, and skips all cert management.

Sending an encrypted email used to require certificates, keys, and a shared setup between sender and recipient. Native email clients now include options that skip most of that friction, and dedicated services handle it entirely on the server side.

The right method depends on the account you send from, the recipient software, and whether the message contains regulated data like protected health information. Practices and developers who need a HIPAA-safe path can look at a secure email service that sits behind Gmail or Microsoft 365 without extra client software.

This guide walks through the native encryption steps for Gmail, Outlook, iPhone Mail, and code, and shows where each option fits. It also covers the recipient experience, which is the part that most often decides whether an encryption workflow gets used or ignored.

Gmail confidential mode is a starting point, not full encryption

Gmail confidential mode is available on every account, including free personal Gmail. Composing a message and clicking the padlock-and-clock icon at the bottom of the window opens the confidential mode panel.

Confidential mode sets an expiration date, blocks recipients from forwarding, copying, printing, or downloading the message, and can require an SMS passcode. Google stores the message on its own servers and delivers the recipient a link rather than the full body.

The message body itself is not encrypted end-to-end. Google can read it, and confidential mode alone does not satisfy HIPAA requirements because Google does not sign a business associate agreement for free consumer Gmail.

For paid Google Workspace tenants, S/MIME is available on the Enterprise Plus, Education Standard, and Education Plus plans. The admin enables hosted S/MIME in the Google Admin console, uploads a certificate for each user, and the compose window then shows a lock icon that toggles between signed, encrypted, and both.

External S/MIME requires the recipient to hold a matching certificate, which limits the practical scope to organizations that have already exchanged certificates. For patient communication, most practices use a portal-based service instead.

Outlook uses the Encrypt button on Business Premium and higher

Microsoft 365 Business Premium, Apps for Enterprise, and the E3 and E5 tiers include Microsoft Purview Message Encryption. In new Outlook and Outlook on the web, the Encrypt button appears in the Options ribbon and offers two presets.

The first preset is Encrypt, which locks the message so only recipients with valid credentials can open it. The second is Do Not Forward, which encrypts the message and additionally blocks forwarding, printing, and copying by the original recipients.

External recipients receive a link and open the message in a browser portal after signing in with Microsoft, Google, Yahoo, or a one-time passcode. The workflow is documented in the Microsoft Purview Message Encryption reference.

For a tenant on Business Basic or Business Standard, the Encrypt button does not appear. Options are to upgrade the affected mailboxes, add Azure Information Protection as a per-user license, or layer a third-party encrypted email service on top of the existing account.

Purview also requires the tenant to have signed a business associate agreement with Microsoft before it can be considered HIPAA-covered. That agreement is available at no extra cost on eligible plans but must be requested through the Service Trust Portal.

send encrypted email in article illustration one

iPhone Mail supports S/MIME with a configuration profile

Apple Mail on iOS 17 and later supports S/MIME on iCloud, Exchange, and IMAP accounts. Enabling it requires a personal certificate installed through a configuration profile, either from the organization mobile device management console or a signed .mobileconfig file.

Once the certificate is trusted, the account Advanced settings screen exposes a Sign and an Encrypt toggle under S/MIME. Enabling Encrypt tells Mail to attempt encryption on every outbound message from that account.

The compose screen shows a lock icon next to the recipient. A closed lock means Mail has the recipient public certificate and will encrypt the message. An open lock means the certificate is missing and the message will go out unencrypted.

For clinical staff sending patient information from a phone, S/MIME on iOS works but depends on prior certificate exchange with every recipient. That is often unrealistic for patient-facing mail.

A hosted encrypted email service accessed through the mobile browser or a light native app removes the certificate management step. The same account works from desktop, web, and phone.

C# applications can encrypt mail with System.Security.Cryptography.Pkcs

The .NET standard library ships with S/MIME primitives in the System.Security.Cryptography.Pkcs namespace. The developer loads the recipient X.509 certificate, wraps the message body in an EnvelopedCms container, and encrypts it using the certificate public key.

The resulting binary is packaged into a MIME message with the application/pkcs7-mime content type, then sent through SMTP with SmtpClient or MailKit. Recipients open it in an S/MIME-aware mail client, which decrypts it with the matching private key.

The MimeKit library adds a higher-level Multipart/Signed and Multipart/Encrypted wrapper that handles most of the MIME assembly automatically. MimeKit also supports PGP through the BouncyCastle backend for teams that prefer that path.

For applications that send protected health information, calling a secure email API that encrypts every outbound message server-side is usually faster than building and maintaining certificate code. The BAA is signed at the vendor level and covers every message the application sends.

SSIS packages that need to send encrypted mail from a scheduled data flow can call a script task that runs the same .NET code, or shell out to a PowerShell step that uses the Send-MailMessage cmdlet against a hardened SMTP relay.

Example A solo family physician on Microsoft 365 Business Basic tried to send a lab result to a specialist and found no Encrypt button in Outlook. Upgrading her single seat to Business Premium cost $22 per month against $6 for Business Basic. She instead layered Mailhippo at $4.95 per month on top of her existing Business Basic account. The BAA was bundled, setup took 18 minutes, and her first encrypted send to the specialist opened on his iPhone with a single tap. Total added cost was under $60 per year.

PGP is powerful but rarely the right fit for everyday practice mail

PGP encrypts the message body with the recipient public key and signs it with the sender private key. It has been the standard for security-conscious technical users since the 1990s.

The friction is real. Both sides must generate keys, publish public keys somewhere the other side can find them, and use a mail client with PGP support such as Thunderbird with the built-in OpenPGP module or GPG Suite on macOS.

Web-based Gmail and Outlook require browser extensions like Mailvelope to handle PGP, which adds another moving part and a browser-side keyring the user must protect and back up.

For patient-facing communication, PGP is impractical because most patients do not have keys and will not create them. Portal-based systems bypass the key exchange problem entirely and are easier to explain to non-technical recipients.

For sending encrypted messages between two developers or two security teams, PGP remains an efficient choice, and the OpenPGP working group standard is documented at the IETF.

HIPAA-safe encrypted email needs a signed business associate agreement

HIPAA requires covered entities and their business associates to sign a business associate agreement before sharing protected health information. That agreement must be in place before any email service can be considered HIPAA-safe for patient data.

Google Workspace and Microsoft 365 both offer a BAA on eligible paid plans, but the practice must request and sign it. Free consumer accounts are never covered, regardless of how the mail is encrypted.

The HHS HIPAA guidance explains which providers count as covered entities and when a BAA is required. Any vendor that touches, stores, or transmits PHI on the covered entity behalf falls under the rule.

A dedicated encrypted email service such as Mailhippo includes the BAA in the base plan, so every message sent through the account is covered without a separate request or license upgrade. That removes one of the more common compliance gaps found in small-practice audits.

For practices that want the convenience without changing their existing mail platform, see how to send encrypted emails from any account without adding client software.

send encrypted email in article illustration two

The recipient experience decides whether the workflow gets used

The most secure encryption method fails if the recipient cannot open the message. Every method above has a different recipient experience, and matching that experience to the audience matters as much as the underlying cryptography.

S/MIME and PGP require the recipient to have keys or certificates already set up. Purview and Workspace portal messages require the recipient to sign in or use a one-time passcode.

Portal-based encrypted email services typically deliver a link that opens in a browser, with a passcode sent to the recipient inbox or phone. Patients open it, read the message, and reply through the same secure channel without any account setup.

Front-desk staff, billing, and referring providers each have different tolerance for portal login steps. Testing the full round-trip with a real recipient before rolling the workflow out avoids the most common cause of failed encryption programs, which is that nobody actually opens the encrypted messages.

Practices building a full patient communication stack should also think about the surrounding website. Guidance on security features for healthcare websites covers form handling, SSL, and portal integration alongside encrypted email.

Attachments carry the same encryption rules as the message body

Attachments are the most common source of PHI exposure because staff often paste a scanned document or a lab report into a message without thinking about the transport. The same encryption rules apply to attachments as to the body.

Purview and Google Workspace S/MIME encrypt attachments along with the body when the encryption toggle is on. Confidential mode in free Gmail applies expiration and forwarding limits but does not encrypt the attachment end-to-end.

File size limits are a separate consideration. Gmail caps attachments at 25 MB, Outlook at 20 MB on most tiers, and many portal-based encrypted services support larger files by hosting the attachment on their own storage and delivering a link.

For large medical imaging files, a dedicated secure file transfer service alongside encrypted email is often the right pattern. A single encrypted message can then reference the file link and include the passcode.

Verifying that attachments actually arrive encrypted is worth doing during initial rollout. Sending a test message to a personal address on a different provider surfaces any downgrade to plain text.

๐Ÿ’กPro Tip: Test the round-trip before rolling outThe most secure encryption fails if the recipient cannot open the message or reply. Before announcing a new encryption workflow to staff, send a test message from your production account to a personal Gmail, a personal iCloud address, and an Outlook.com address. Confirm each opens on both mobile and desktop. Confirm the reply arrives back encrypted. A five-minute round-trip test catches mobile browser bugs, spam-filter blocks, and portal registration friction before a real patient hits them.

Automation and shared inboxes need a different setup

Scheduled reports, appointment reminders, and billing notifications sent from an application or a shared inbox cannot rely on a human clicking Encrypt in the ribbon. They need a policy or an API that encrypts every outbound message automatically.

Microsoft Purview supports mail flow rules that apply encryption based on the sender, recipient, subject, or content. A rule can encrypt every message going to a specific insurance carrier or every message from a specific mailbox.

Google Workspace has similar content compliance rules under Apps, Google Workspace, Gmail, Compliance in the Admin console. Rules can trigger S/MIME encryption or route the message through a third-party gateway.

For custom applications, a secure email API removes the rule complexity by encrypting every message at the transport layer. The application calls a single endpoint and the vendor handles the compliance mechanics.

Common patterns worth automating include appointment reminders with clinic name and date only in the plain-text body and the full detail behind a secure link, and billing statements delivered through a portal link rather than a raw PDF attachment.

Auditing what you actually send matters more than the theory

Every encrypted email program should include a periodic audit of the sent folder against the encryption logs. The point is to confirm that messages containing PHI actually went out encrypted, not that the option was available.

Microsoft Purview reports show which messages triggered the Encrypt policy and which recipients opened them. Google Workspace audit logs show S/MIME activity and portal opens.

A monthly review that samples a handful of outbound messages catches the common failure modes early. Common findings include messages sent from a mobile client that skipped the encryption step, messages CC-ed to personal addresses, and forwarded threads that dropped the encryption header.

The NIST SP 800-177 Rev. 1 Trustworthy Email guidance covers the technical controls that support this kind of audit, including DKIM, DMARC, and TLS reporting.

Practices that want a shorter path can use encrypted email as a single-vendor service that logs every message, portal open, and reply against the account, which shortens the audit to a single report.

Picking a method comes down to the recipients and the volume

For internal mail between employees on the same tenant, S/MIME or Purview Do Not Forward is the low-friction path because everyone already has the required setup.

For mail to patients, referring providers, and insurance carriers, portal-based encryption avoids the certificate exchange problem. Recipients get a link and read the message without installing anything.

For high volume automated mail from an application, a secure email API is the right layer because it applies encryption once at the transport rather than in every application code path.

Sole practitioners and small practices sending occasional patient mail from a mixed set of devices, including iPhones, get the least friction from a dedicated encrypted email service that includes the BAA and works with any existing Gmail or Microsoft 365 account.

Whichever method fits, the first test is always the same. Send a message to a real recipient outside your organization, confirm they can open it, and confirm they can reply through the same encrypted channel. If any step fails, patient mail will fall back to plain text within days.