What Are Encrypted Emails and How They Actually Work

what are encrypted emails guide featured image

๐Ÿ”‘ Key Takeaways

  • Encrypted email means ciphertext in transit and at rest, decoded only by the recipient's key.
  • Gmail auto-encrypts transport via TLS, but true content encryption needs S/MIME on Enterprise Plus.
  • S/MIME forwards re-encrypt per recipient; portal messages usually can't be forwarded at all.
  • You get encrypted mail when a provider, lawyer, or insurer applies encryption to protect the thread.
  • Encryption stops interception, not phishing or malware. Layer MFA and endpoint protection on top.

Encrypted emails are messages you cannot read without the right key or credential. The concept is simple. The specific methods, recipient experiences, and edge cases behind it are where confusion starts.

This guide covers what encrypted emails actually are, how Gmail and Outlook handle them, whether they can be forwarded, and how to tell a legitimate encrypted message from a phishing attempt. For senders evaluating an encrypted email service, the recipient experience is often more important than the technical specs.

Read the sections in order. Each one covers a specific question users typically ask.

Encrypted Emails Turn Message Content Into Unreadable Ciphertext

An encrypted email is a message where the content has been transformed into ciphertext that only the intended recipient can decode. Encryption applies at one or more layers of the email delivery path.

Transport encryption using TLS protects the message between mail servers. The message body is readable at the servers themselves but not on the network between them.

Content encryption using S/MIME or PGP protects the message body itself. The message stays encrypted at the recipient mail provider until decrypted by the recipient with a matching key.

Portal-based encryption stores the message on a vendor server and delivers a sign-in link. The recipient authenticates to the vendor portal and reads the message in a browser.

Each method covers different threats. Best practice layers TLS with content or portal encryption rather than relying on transport alone.

Gmail and Encrypted Email Behavior

Gmail encrypts messages automatically for transport but not for content by default. Understanding the difference clears up common questions about Gmail encryption.

Google Workspace uses TLS 1.2 or 1.3 when connecting to receiving servers that support it. Standard consumer Gmail does the same. This transport encryption prevents interception on the network path.

Content encryption in Gmail requires Google Workspace Enterprise Plus for S/MIME. The administrator provisions certificates for users and enables encrypted sending inside the workspace policy.

Add-ons like FlowCrypt and Mailvelope bring PGP-based encryption to any Gmail account. The user installs the browser extension, generates a key pair, and encrypts messages one at a time.

Google Confidential Mode is not content encryption. It adds expiration and access controls but Google retains access to the underlying content. Practices should not treat Confidential Mode as HIPAA-compliant encryption.

what are encrypted emails in article illustration one

Outlook and Encrypted Email Behavior

Outlook supports S/MIME natively across Microsoft 365 Business Premium and higher tiers. The certificate installs into the local certificate store and enables signed and encrypted sending.

Microsoft Purview Message Encryption adds a policy-based layer that triggers on rules configured by the administrator. External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode.

Third-party add-ins from Virtru, Mailhippo, and other vendors add another encryption path that works across Microsoft 365 tiers without requiring Business Premium.

Outlook shows encrypted messages with a padlock icon in the header. The message properties confirm the encryption method and certificate details.

Users can verify a sent message was encrypted by checking the Sent Items folder for the same padlock indicator. Related coverage in encrypted emails Outlook covers the specific configuration steps.

Forwarding Encrypted Emails Changes the Encryption Context

Encrypted emails can sometimes be forwarded but the encryption context often changes depending on the method and sender policy.

S/MIME messages forwarded from Outlook typically get decrypted with the original recipient key and re-encrypted for the forward recipient if forwarding is permitted. The forward recipient must have a matching certificate or the message will not decrypt on their end.

Portal-based encrypted messages usually cannot be forwarded because the recipient holds a portal access link, not the underlying content. Some vendors allow the recipient to share the portal link with another user, subject to sender policy.

Sender-set rights management controls decide what forwarding is allowed. Microsoft Purview Message Encryption supports Do Not Forward as a rights template that blocks forwarding entirely.

Practices sending regulated content should default to Do Not Forward and enable forwarding only when the sender explicitly permits it. Blanket forwarding permissions undermine the sender control that encryption otherwise provides.

Example A patient received a Purview-encrypted email from her cardiologist with lab results. She forwarded the message to her adult son for a second opinion, expecting the encryption to travel with the message. The sender had applied the Do Not Forward template, so her Outlook client blocked the forward attempt with a rights management warning. She instead saved the PDF attachment locally, opened a separate encrypted email through Mailhippo to her son, and attached the PDF. The chain preserved sender control while still reaching the trusted second reader.

Encrypted Email Comparison Across Common Methods

The table below compares four common encryption methods across the fields that decide recipient experience and security posture.

MethodRecipient StepsContent Encrypted at RestForwarding BehaviorTypical Use
TLS Transport OnlyNoneNoFreely forwardableStandard business email
S/MIMECertificate installedYesRe-encrypted per recipientEnterprise between certificate holders
PGPKey installedYesRe-encrypted per recipientTechnical users, journalists
Portal EncryptionClick link, sign inYes on vendor serverUsually blockedHealthcare, finance to external recipients

Real-world deployments often layer TLS with either content or portal encryption. The layered approach covers more threats than any single method alone.

Why You Might Be Getting Encrypted Emails

Recipients often receive encrypted emails without expecting them. The reasons are usually straightforward.

A healthcare provider sending PHI encrypts to protect patient information under HIPAA. Test results, appointment details, and billing statements often arrive encrypted.

A financial services firm sending account details encrypts to protect against fraud and to meet GLBA requirements. Statements, tax documents, and account changes often arrive encrypted.

A legal counterparty sending privileged material encrypts to protect attorney-client privilege. Settlement documents, court filings, and case correspondence often arrive encrypted.

An employer sending HR content encrypts to protect employee records. Offer letters, tax forms, and performance reviews often arrive encrypted.

Legitimate encrypted messages come from known senders and route through recognizable vendors like Microsoft, Google, Mailhippo, Virtru, or Barracuda. Suspicious encrypted messages from unknown senders should be treated as potential phishing.

what are encrypted emails in article illustration two

Phishing Increasingly Mimics Encrypted Email Delivery

Phishing campaigns increasingly use fake encryption portals to harvest credentials. Recognizing the pattern reduces the risk of falling for one.

Fake encrypted email notifications typically arrive from unfamiliar senders and reference a document you did not expect. The link goes to a domain that looks similar to a real vendor but does not match.

The fake portal asks for the email password or a Microsoft account sign-in. Legitimate portals ask for a one-time passcode sent to your address or a sign-in with an existing account you recognize.

The CISA phishing guidance covers common patterns and what to do if you suspect a phishing attempt.

Best practice verifies the sender through a separate channel before clicking any encrypted email link from an unfamiliar source. A phone call to a known number is worth thirty seconds of caution.

Are Encrypted Emails Actually Safe

Encrypted emails are safer than unencrypted emails against interception and provider-side access. They do not defend against every threat.

Phishing attacks that steal mail credentials bypass encryption by giving the attacker legitimate access to the inbox. The attacker sees the plaintext through the same interface as the real user.

Malware on the sender or recipient device captures plaintext before encryption or after decryption. Keyloggers, screen scrapers, and clipboard monitors all bypass the encryption layer.

Weak recipient portal passwords make encryption meaningless. A message encrypted with AES-256 protected by a password of qwerty is not protected in any meaningful sense.

Real security posture layers encryption with multi-factor authentication, endpoint protection, phishing training, and incident response. Each layer covers threats the others miss.

๐Ÿ’กPro Tip: Default to Do Not Forward for regulated contentEncrypt-Only lets recipients forward, print, and copy freely once decrypted, which defeats sender control for regulated PHI, legal documents, and privileged material. Set Do Not Forward as the default template on any mail flow rule that fires for clinical, legal, or HR content. Recipients who genuinely need to share the content can request a fresh encrypted send to the additional party, which keeps the audit trail intact and preserves rights management on the second thread.

Shared Mailboxes and Encrypted Messages

Shared mailboxes complicate encrypted email handling. The complications matter more for regulated content than for general business email.

S/MIME-encrypted messages in a shared mailbox require the mailbox owner or delegated user to have a matching certificate. If the certificate is tied to an individual account, other delegates cannot decrypt.

Portal-encrypted messages in a shared mailbox arrive as notification emails. Anyone with credentials to the portal can sign in and read the content. This model preserves recipient anonymity at the cost of audit clarity.

Best practice restricts encrypted PHI or sensitive content to named individual mailboxes rather than shared ones. The audit trail stays clean, and inadvertent access by delegated users does not happen.

Practices with shared inboxes for reception or billing should route PHI through a named clinical inbox and reserve the shared inbox for non-PHI communication.

Related Encrypted Email Reading

Encrypted emails cover multiple adjacent topics. The companion guides below add depth on specific questions.

Users trying to open a specific encrypted message can review how to open encrypted emails in Outlook and how to view encrypted emails. Both guides cover the recipient-side workflow across common vendors.

Senders configuring encrypted sending in Outlook benefit from encrypting emails in Outlook. The guide covers S/MIME setup and the ribbon controls.

Users comparing encryption providers can review ProtonMail encrypted email for a specific vendor deep-dive. ProtonMail illustrates a pure E2EE approach.

Broader coverage of whether standard email is encrypted at all lives in are emails encrypted. The guide covers the transport-only default across major providers.

Where Redefine Web Fits the Healthcare Email Stack

Encrypted email covers the message pipeline. Website contact forms, patient portals, and marketing platforms carry PHI that must reach the same encryption controls.

A contact form on the practice website that emails PHI to a generic Gmail address bypasses every encryption control the practice buys. The submission arrives unencrypted, and the audit trail does not exist.

Redefine Web builds HIPAA-aware healthcare websites and integrates the forms with encrypted delivery paths. Details on the healthcare marketing agency practice cover the surface area that sits alongside encrypted email.

A closed-loop review across website, forms, email, and portal reduces the risk that a PHI leak lands in an unencrypted channel by mistake.

Mailhippo fits senders that want encrypted email delivery with the BAA, audit logging, and simple recipient experience in one product. The service integrates with existing Gmail or Outlook accounts and keeps the recipient path to a single click for most messages, whether the recipient is on Gmail, Outlook, or another provider. Understanding what encrypted emails are makes the vendor conversation shorter and the buying decision more defensible.

Email Encryption for Small Business Practical Buying Guide

email encryption for small business guide featured image

๐Ÿ”‘ Key Takeaways

  • Small business email encryption hinges on three questions, not a fifty-row enterprise checklist.
  • Dedicated services run $5 to $15 per user monthly with the BAA baked into the base plan.
  • Setup fits an afternoon at ten seats; multi-day quotes signal the wrong buyer profile.
  • HIPAA needs a signed BAA, workforce training, audit review, and an incident response plan.
  • Recipient friction over thirty seconds kills adoption and pushes staff back to plain email.

Email encryption for small business owners is a shorter conversation than most vendor demos suggest. The buying decision hinges on three questions rather than a fifty-row feature comparison.

This guide covers those three questions, the pricing tiers that fit small business budgets, the setup steps that fit an afternoon, and the recipient experience that actually determines whether staff keep using the tool. For HIPAA-adjacent small businesses, a secure email service that includes the BAA in the base plan removes most of the friction.

Read the sections in order. Each one filters the shortlist.

Small Business Encryption Needs Are Different From Enterprise

Small businesses buy encryption to solve one problem, not to consolidate a security operations program. The one-problem framing changes the product shortlist.

A five-person medical practice sends PHI to patients and referring providers. A ten-person law firm sends privileged documents to clients and opposing counsel. A twenty-person accounting firm sends tax filings to clients and payroll data to state agencies.

Each case has a well-defined sender group, a well-defined recipient audience, and a specific compliance requirement. None of the three needs data loss prevention with two hundred rules, advanced threat protection with sandboxing, or archiving for legal hold.

Enterprise gateway products bundle those features and price accordingly. Small businesses that buy enterprise gateways pay two to four times what a dedicated service would cost and use a fraction of the features.

The right product for a small business handles encryption, BAA coverage, and audit logging without the enterprise bundle. Extra features add cost without matching operational benefit.

Three Questions Filter the Shortlist

Three questions eliminate most vendors from the small business shortlist within an hour of research. Answer them before scheduling a demo.

  • Does the vendor include a business associate agreement in the base plan?
  • Does the service work with existing Gmail or Outlook accounts without a mailbox migration?
  • Does the recipient experience stay under thirty seconds for a typical patient or client?

Vendors that require a plan upgrade for the BAA drive up the effective cost for a healthcare practice. Microsoft and Google both fit this pattern. A dedicated service that includes the BAA in the base plan avoids the upgrade.

Vendors that require a mailbox migration disrupt every business process that depends on the current email addresses. A connector-based integration avoids the migration.

Vendors with heavy recipient portals reduce response rates. Test the recipient path during the trial with real target recipients, not internal test accounts.

email encryption for small business in article illustration one

Pricing Under Fifteen Dollars Per User Fits Most Small Businesses

Pricing at the small business tier lands between five and fifteen dollars per user per month for dedicated encryption services with BAA coverage.

Mailhippo publishes rates from about five dollars per user per month with unlimited encrypted sending and BAA coverage. LuxSci Standard runs about ten to fifteen dollars per user per month with S/MIME and portal options. Virtru sits in a similar range with plugin-based delivery.

Microsoft 365 Business Premium runs about twenty-two dollars per user per month and includes Purview Message Encryption plus a broader security bundle. Google Workspace Business Standard does not include client-side encryption. Enterprise Plus at about thirty dollars per user per month does.

A five-person practice pays roughly six hundred dollars per year for a dedicated encryption service against thirteen hundred for Business Premium. The gap widens at larger seat counts.

Practices that already use Business Premium for the other security features can extend that license rather than adding a separate product. Practices on Business Basic or Business Standard almost always save money on a dedicated service.

Setup Should Fit Inside One Afternoon

Small business encryption setup should take one to four hours for a dedicated service. Multi-day setup indicates a product built for larger buyers.

The standard steps involve creating the vendor account, adding DNS records for the sending domain, connecting the vendor to the existing Microsoft 365 or Google Workspace account through the admin console, and installing a plugin or Chrome extension for users.

DNS updates typically require SPF, DKIM, and DMARC alignment with the vendor sending infrastructure. Most vendors provide the exact record values in a setup wizard.

User training runs fifteen to thirty minutes per staff member. The training covers when to encrypt, how to trigger encryption, what the recipient sees, and how to check the audit log.

Practices without a dedicated IT team can handle the setup with a general familiarity with Microsoft 365 or Google Workspace admin panels. A local IT consultant can complete the deployment in a half-day site visit.

Example A five-clinician dental practice on Microsoft 365 Business Basic sends about 120 patient messages weekly with lab results, appointment details, and referral notes. The office manager evaluates two options. Upgrading fifteen seats to Business Premium costs roughly $3,960 per year. Adding Mailhippo at $8 per user monthly costs $1,440 per year and ships the BAA in the base plan. Setup runs three hours on a Friday afternoon. Within two weeks, patient open rates hold above 85 percent because recipients read messages inline without portal registration.

HIPAA Compliant Email for Small Business Requires More Than Encryption

HIPAA compliance for a small medical, dental, or therapy practice requires several components beyond the encryption tool itself.

The practice signs a business associate agreement with the encryption vendor. The BAA covers the vendor obligations for PHI handling, breach notification, and audit response.

The practice documents workforce training on PHI handling in email. Training covers what constitutes PHI, when encryption is required, how to recognize phishing that targets clinical staff, and how to report a suspected incident.

The practice audits access to encrypted messages periodically. The HHS Security Rule requires audit review as part of the administrative safeguards.

The practice maintains an incident response procedure covering suspected breach, notification to affected individuals, and reporting to OCR under the breach notification rule.

Encryption alone without these administrative controls does not create compliance. OCR investigations find the administrative gap in small practice settlements as often as they find technical gaps.

Comparison Across Small Business Options

The table below compares common encryption options for small business across the fields that matter most in the buying decision.

OptionPrice Per UserBAA IncludedSetup TimeWorks With Existing Gmail/Outlook
Mailhippo$5 to $12Yes1 to 4 hoursYes
Virtru Business$8 to $15Yes on paid tier1 to 4 hoursYes
LuxSci Standard$10 to $20Yes2 to 6 hoursYes
Microsoft 365 Business Premium$22Yes on eligible plan2 to 6 hoursYes, native
Google Workspace Enterprise Plus$30Yes on eligible plan4 to 8 hoursYes, native
Barracuda Email Gateway Defense$18 to $30Yes1 to 3 daysYes with MX cutover

Prices reflect 2026 published rates on annual billing. Actual quotes vary by seat count and add-on selection.

email encryption for small business in article illustration two

Working With Existing Gmail and Outlook Accounts

Small businesses rarely want to migrate mailboxes for an encryption feature. Every modern service integrates with the existing mail platform.

Google Workspace integrations use a routing connector inside the admin console. Outbound mail flows through the encryption service, and the user sees no change in Gmail.

Microsoft 365 integrations use a similar connector inside Exchange Online. Outbound mail routes through the vendor for encryption, and users continue sending from Outlook or Outlook on the Web.

Chrome extensions and Outlook add-ins provide the visible interface for users. An Encrypt button appears next to Send. Some services also allow subject line keywords like [encrypt] to trigger encryption.

The user keeps their existing email address. No mailbox migration. No lost email history. The change is invisible to internal workflow beyond the new Encrypt button.

Recipient Experience Predicts Adoption

Recipient experience is the strongest predictor of whether staff keep using the encryption tool six months later. Practices should test the recipient path before signing.

Direct delivery to Gmail or Outlook recipients with compatible domain settings looks like a normal message with a padlock indicator. No extra steps. This model works when both sides support the vendor delivery method.

Portal delivery with one-time passcode adds one step. The recipient clicks the notification link, enters a code sent to their email, and reads the message in a browser tab.

Portal delivery with account registration adds three or four steps. The recipient creates a portal account, verifies their email, sets a password, and then reads the message. This model reduces response rates significantly.

Test each vendor by sending three messages to real target recipients during the trial. Ask them how many steps they took and how long the process felt.

๐Ÿ’กPro Tip: Test the recipient path with real patients firstVendor demos always show the smoothest recipient experience. Real patients on old Android phones or basic Yahoo accounts often hit walls the demo hides. Send three test messages to actual target recipients during any trial. Ask them how many taps they took and whether they gave up. The vendor scoring highest on that single question will produce the fewest support tickets and the highest six-month adoption rate at the practice.

Common Small Business Vertical Fit

Different small business verticals have slightly different encryption needs. Understanding the vertical fit narrows the shortlist.

Medical and dental practices need HIPAA-covered encryption with BAA and audit logging. Recipient audience includes patients on various free mail providers. Direct delivery with portal fallback fits best.

Law firms need attorney-client privilege protection with retention controls. Recipient audience includes clients, opposing counsel, and courts. Portal delivery with strict access controls fits privileged material.

Accounting firms need financial data protection during tax season and payroll cycles. Recipient audience includes clients and government agencies. TLS transport plus content encryption on sensitive attachments covers most cases.

Real estate offices need transaction document protection during closing. Recipient audience includes buyers, sellers, lenders, and title companies. Portal delivery with expiration windows fits the transaction lifecycle.

Each vertical fits the same three-question filter with slightly different weight on each answer.

Where a Healthcare Website Ties Into the Encryption Stack

Small healthcare practices often overlook the website side of the PHI perimeter. Contact forms, appointment requests, and patient intake pages carry PHI that must reach the encrypted email pipeline or a HIPAA-covered database.

An unencrypted contact form that emails PHI to a generic Gmail address bypasses every encryption tool the practice buys. The submission arrives unencrypted, and the audit trail does not exist.

Redefine Web builds HIPAA-aware websites and integrates the forms with encrypted delivery paths. Details on HIPAA-compliant healthcare website design cover the surface area that sits alongside encrypted email.

A closed-loop review across website, forms, email, and portal reduces the risk that a PHI leak lands in an unencrypted channel by mistake.

Related Small Business Encryption Reading

The email encryption for small business decision touches several related topics. Practices narrowing a shortlist can review these companion guides.

Broader coverage of business email encryption pricing and vendor positioning applies to businesses above the small tier but often overlaps in the ten-to-fifty seat range.

Practices already on Microsoft 365 can compare with Microsoft 365 Business Premium email encryption to decide whether the license upgrade beats a dedicated service.

Practices new to the topic often benefit from encryption for email foundational reading before evaluating specific vendors. The technical background sharpens vendor questions.

Cost-focused searches often surface free HIPAA compliant email options. That guide covers where free tools stop and paid tools become necessary.

Mailhippo fits the profile of a small business that needs HIPAA-ready encrypted email at the lower end of the pricing tier. The service integrates with existing Gmail or Outlook accounts, includes the BAA in the base plan, and keeps the recipient path to a single click for most messages. A structured trial answers the three questions and produces a defensible buying decision.

How to Encrypt Email in Every Major Client

how encrypt email guide featured image

๐Ÿ”‘ Key Takeaways

  • Email encryption works at two layers: TLS on the wire and end-to-end on the message body itself.
  • Outlook 365 Business Premium unlocks the Encrypt button; lower tiers get no message protection.
  • Gmail Confidential Mode is portal access control, not encryption, and fails every HIPAA audit.
  • Yahoo and AOL rely on opportunistic TLS alone with no S/MIME, no BAA, no fit for PHI workflows.
  • GoDaddy Professional Email runs on Microsoft 365 and inherits Encrypt on Business Premium plans.

Every major email client handles encryption differently, and the differences matter the moment a message carries patient data, financial records, or contract terms. The Encrypt button in Outlook does one thing. The Confidential Mode toggle in Gmail does something else entirely. AOL and Yahoo do a third thing, which is essentially nothing at the body level.

This guide walks through how to encrypt email in Outlook, Outlook on the Web, Gmail, Yahoo Mail, AOL Mail, and GoDaddy Professional Email. Each section covers the real steps, the license requirements, and what happens on the recipient side. For teams that need HIPAA-covered encryption without per-recipient certificate management, a dedicated encrypted email service handles the workflow with a signed business associate agreement in the base plan.

The article closes with a comparison table, a short section on encrypted HTML messages, and answers to the questions readers most often ask about specific providers.

Email Encryption Has Two Layers That Behave Differently

The word encryption covers two separate protections in email. Transport Layer Security wraps the connection between mail servers so intercepted traffic looks like noise. End-to-end encryption protects the message body itself so the recipient inbox holds ciphertext until they authenticate.

Every major provider now uses TLS by default when the other side supports it. Google, Microsoft, Yahoo, and AOL all handshake to TLS 1.2 or 1.3 automatically. That covers the wire, which is one leg of the trip.

The body is a separate problem. TLS does nothing for a message once it lands on the recipient server. If an attacker gets into that inbox through credential theft or a backdoor, TLS did not encrypt what they can read. That is the gap end-to-end encryption closes.

The NIST cybersecurity framework treats these as two distinct controls. Regulated industries in the United States including healthcare, finance, and legal services are expected to apply both layers when sensitive data is in the message.

Outlook Desktop Uses the Encrypt Button Under Options

Outlook 365 on Windows and Mac exposes an Encrypt control on the Options ribbon when the underlying Microsoft 365 plan supports Purview Message Encryption. Open a new message, click the Options tab, then click Encrypt. Pick either Encrypt or Do Not Forward.

Encrypt allows the recipient to reply. Do Not Forward removes reply and forward permissions. Both options run through Microsoft cloud key management and require Azure Rights Management to be active on the tenant.

External recipients on any email platform get a link to a Microsoft portal. They sign in with their Microsoft, Google, or Yahoo account, or they request a one-time passcode delivered to that address. The portal shows the message body inside the browser without exposing the ciphertext.

Tenants below Business Premium do not see the Encrypt button. The Microsoft documentation on Message Encryption lists the exact eligible plans. Practices on lower tiers add the license across seats or move sensitive workflows to a dedicated service.

how encrypt email in article illustration one

Outlook on the Web Mirrors the Desktop Encrypt Menu

Outlook on the Web, sometimes called OWA, provides the same encryption control through a slightly different menu. Compose a new message. Click the three-dot menu next to the send button. Select Encrypt, then pick the policy.

The behavior on the recipient side is identical to desktop Outlook. External addresses get a portal link. Microsoft 365 and Google Workspace recipients often experience a direct inline decryption if their tenant is configured for it.

When the Encrypt menu does not appear in OWA, the tenant lacks the required license. Administrators can verify this in the Microsoft 365 admin center under Licenses. The affected users need a plan that includes Azure Information Protection or Microsoft 365 Business Premium and above.

Users authenticated through single sign-on with hardware keys retain the security posture on both platforms. The encryption policy travels with the message regardless of where the sender composed it.

Gmail Handles Encryption Three Different Ways

Gmail encrypts email in three modes that many users conflate. The first is TLS in transit, which every Gmail message uses when the receiving server supports it. Gmail shows a small padlock icon in the message header to indicate TLS status.

The second is Confidential Mode, which any Gmail user can activate by clicking the padlock-clock icon in the compose window. Confidential Mode adds expiration dates, passcodes over SMS, and revocation, but the body itself is stored on Google servers without additional cryptographic wrapping.

The third is client-side encryption on Workspace Enterprise Plus, Education Plus, and Education Standard. Admins enable it through the admin console, and users see a shield icon in the compose bar. Keys stay under the customer control through an external key service.

S/MIME support is also available on Workspace and can be enforced per-domain. The Google Workspace admin guide on hosted S/MIME covers configuration. Confidential Mode alone does not qualify as HIPAA-covered encryption because it lacks cryptographic body protection.

Example A solo massage therapist bills insurance and uses an AOL Mail account she has held for 15 years. Her billing service asks for signed authorization forms by email. AOL has TLS to and from the billing service but no end-to-end body encryption, no S/MIME support, and no BAA. She keeps the AOL address for personal mail and routes clinical correspondence through a dedicated encrypted email service tied to a new business address, which includes the BAA and delivers a one-click portal to the billing office.

Yahoo Mail and AOL Mail Rely on Transport Encryption Only

Yahoo Mail and AOL Mail both use TLS for server-to-server delivery and HTTPS for the browser session. Neither service offers a native encryption button in the compose window. Neither supports S/MIME certificate installation in the web interface.

A Yahoo user sending to a Gmail user gets TLS on the wire. The message body lands in Google storage in a form Google can read, and it stays that way until the recipient opens it. That is standard consumer webmail behavior.

Neither Yahoo nor AOL offers a business associate agreement for HIPAA-regulated senders. A dental practice, therapy clinic, or medical billing office using an AOL address for clinical correspondence has no compliant encryption path inside that account.

The remediation is straightforward. Move the mailbox to a Workspace or Microsoft 365 plan that supports encryption, or route sensitive messages through a dedicated encrypted email service that layers on top of the existing address.

GoDaddy Professional Email Inherits Microsoft 365 Encryption

GoDaddy Professional Email product runs on Microsoft 365 infrastructure under the hood. Users on the Business Premium tier and above get the same Encrypt button and Purview Message Encryption behavior as customers who buy directly from Microsoft.

The Encrypt control lives in the same place in Outlook desktop and Outlook on the Web. Portal delivery for external recipients works identically. GoDaddy also sells a Microsoft 365 Advanced Email Security add-on that adds threat protection on top of the base encryption feature.

GoDaddy Webmail Classic, the older non-Microsoft product, does not offer a native encryption interface. Accounts still using Webmail Classic should upgrade to the Microsoft-backed Professional Email product or route sensitive messages through a separate encrypted platform.

Practices in healthcare using GoDaddy for domain email should verify the specific product tier attached to the mailbox. The tier determines whether encryption is one click away or requires an entirely different tool.

how encrypt email in article illustration two

S/MIME and PGP Are the Certificate-Based Options

S/MIME and PGP are the two long-standing certificate-based encryption standards. Both require the sender and recipient to exchange public keys before the first encrypted message can travel. Both work across email clients that support the standard.

S/MIME is the dominant standard in enterprise environments. Outlook, Apple Mail, and Workspace on eligible plans support S/MIME natively. Certificates come from commercial certificate authorities like DigiCert, Sectigo, and Entrust, or from an internal PKI.

PGP, and its open source implementation GnuPG, is dominant in developer, journalist, and activist communities. Thunderbird ships with OpenPGP support built in. Outlook and Gmail require add-ons to work with PGP.

The friction with both standards is key management at scale. A clinic emailing 300 patients cannot ask each patient to install a certificate. That is where portal-based delivery from Microsoft Purview, dedicated encrypted email services, or client-side encryption on Workspace replaces per-recipient certificate exchange.

Encrypting an HTML Email Uses the Same Native Controls

HTML formatting and encryption are independent. The Encrypt button in Outlook, the client-side encryption shield in Workspace, and the S/MIME toggle all encrypt the entire message body including HTML markup, inline images, and attachments.

Do not attempt to encrypt HTML inside the source using scripts or base64 obfuscation. That approach breaks rendering across most clients and does not provide real cryptographic protection. Spam filters also flag obfuscated HTML.

Compose the message normally with rich formatting. Apply the native encryption control before pressing send. The recipient sees decrypted HTML with all formatting intact after authenticating through the portal or with their certificate.

Newsletter platforms and transactional email services handle HTML separately and often add DKIM and DMARC signatures without body encryption. Those signatures verify sender identity but do not encrypt content. Encryption is a separate step, applied by the sender.

๐Ÿ’กPro Tip: Verify the license tier before rolling out encryption trainingThe Encrypt button appears only on Business Premium and above in Microsoft 365, and Confidential Mode is not real encryption in Gmail. Before training staff on an encryption workflow, pull the license report from the admin console and confirm every mailbox that needs to send secure mail sits on a qualifying tier. Mismatched licenses produce a silent gap: staff click Encrypt, nothing happens, and PHI leaves unprotected.

Comparison of Native Encryption Options Across Providers

The table below summarizes native encryption support in the major email platforms. Availability shifts with license tier, so verify the specific plan attached to a mailbox before assuming a feature is present.

PlatformTLS in transitEnd-to-end bodyBAA availableLicense needed
Outlook 365YesYes, via PurviewYesBusiness Premium and above
Outlook on the WebYesYes, via PurviewYesBusiness Premium and above
Gmail freeYesNo, Confidential Mode is portal onlyNoFree
Workspace Enterprise PlusYesYes, client-side encryptionYesEnterprise Plus, Education Plus
Yahoo MailYesNoNoNone
AOL MailYesNoNoNone
GoDaddy Professional EmailYesYes, via PurviewYesBusiness Premium and above

Practices that need encryption without navigating license tiers often pair their existing Gmail or Outlook mailbox with a secure email service that applies encryption and a signed business associate agreement to every outgoing message without changing the sending address.

Common Mistakes When Setting Up Email Encryption

The most common mistake is assuming that a padlock icon in Gmail or the presence of HTTPS in the browser means the message body is encrypted end-to-end. Neither indicator means that.

The second most common mistake is turning on Confidential Mode and treating the result as HIPAA compliant. Confidential Mode is portal access control. It does not carry the cryptographic and BAA coverage HIPAA requires.

A third mistake is deploying S/MIME to internal staff and skipping the certificate distribution to external counterparties. Encryption then works only within the domain, which is not what the policy usually intends.

Before rolling out encryption to a practice, verify three items:

  • The license tier on every mailbox actually includes the encryption feature.
  • External recipients on major providers can decrypt without extra setup on their side.
  • A signed business associate agreement covers the specific product feature used, not just the base mailbox.

When a Dedicated Encrypted Email Service Makes Sense

Native encryption in Outlook and Workspace works well for organizations already on the required license tiers with IT staff to manage certificates, portal experiences, and admin console configuration. It fits enterprises with mature identity systems.

Smaller practices, solo providers, and multi-location dental groups often carry a different profile. They run on lower Microsoft 365 or Workspace tiers, they lack dedicated IT staff, and they need HIPAA coverage without buying enterprise seats across every user.

Mailhippo is a secure email service built for this profile. It works with existing Gmail and Outlook accounts, applies TLS and client-side encryption automatically, includes a business associate agreement in the base plan, and delivers messages through a one-click recipient experience without PGP keys or S/MIME certificate management. One brief mention here, in case the license math on native tools does not work out for the practice.

Healthcare practices weighing the tradeoffs between native and dedicated encryption often benefit from a broader look at their site and communication stack. A healthcare marketing agency can help align patient-facing channels with the encryption layer sitting behind them.

For a deeper look at the security controls that pair with encrypted communication in medical environments, review the guidance on security features on healthcare websites. Encryption is one control in a broader posture that includes authentication, backups, and monitoring.