๐ Key Takeaways
- Outlook 365 Business Premium adds the Encrypt button; lower tiers need a license upgrade.
- Gmail confidential mode is not real encryption; client-side S/MIME needs admin setup on both ends.
- Outlook 2010 through 2016 encrypt with S/MIME certs, which fail for ad hoc consumer recipients.
- Yahoo Mail has no message-level encryption; TLS in transit alone will not meet HIPAA.
- Portal encryption reaches any inbox; S/MIME fits PKI-equipped internal and government mail.
Sending encrypted email is straightforward once you know which method your client supports. Outlook 365, Outlook 2010 through 2016, Gmail, and Yahoo each handle encryption differently, and the right method depends on both your sender platform and your recipient.
This guide walks through each client step by step, then compares the methods. If you need a service that layers on top of any of these clients with a signed business associate agreement, see the overview of encrypted email options.
The audience assumed here is a business user or clinician who wants to send an encrypted message today, not a developer building an integration.
How to send encrypted email in Outlook 365
Outlook 365 on Business Premium, Enterprise E3, or Enterprise E5 includes the Encrypt button in the Options ribbon. This is the fastest path if your account is on a qualifying plan.
Compose a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only for a message the recipient can reply and forward. Choose Do Not Forward for a message where you want to restrict sharing.
Send the message. The recipient on your own tenant sees the message inline in Outlook with a lock icon. External recipients see a notification email with a Read the message button. Clicking the button opens the Office 365 message encryption portal in a browser.
Setup requires an admin to enable Azure Rights Management on the tenant. Full guidance is published by Microsoft in the Microsoft Purview Message Encryption reference. If Encrypt is missing from your ribbon, your tenant or license does not have Purview enabled.
How to send encrypted email in Outlook 2010, 2013, and 2016
These versions do not include the modern Encrypt button that appears in Outlook 365. Encryption uses S/MIME certificates and works well for organizations where both sender and recipient have certificates issued through corporate PKI or a public certificate authority.
Import your certificate through File, Options, Trust Center, Trust Center Settings, Email Security. Click Import Export and load your certificate file. Enter the password and complete the import. Outlook now has your certificate bound to your mailbox.
Compose a new message. In the message window, click Options in the ribbon, then click the small dialog launcher in the More Options group. In the Properties dialog, click Security Settings. Check Encrypt message contents and attachments. Click OK. Send.
The recipient needs a matching certificate to decrypt. This is where S/MIME breaks down for ad hoc external mail. For enterprise-to-enterprise and government correspondence, S/MIME works well. For consumer mail, use portal-based encryption instead. The how do I send an encrypted email in Outlook guide covers additional edge cases.

How to send encrypted email in Gmail
Gmail on Google Workspace offers two paths. Gmail on a personal account has no HIPAA-grade encryption option at all.
Confidential mode is available on every Gmail account. Click the padlock and clock icon in the compose window, set an expiration and a passcode option, and send. This restricts forwarding, printing, downloading, and copying. It does not encrypt content at rest inside Gmail systems.
Google Workspace client-side encryption applies true end-to-end encryption for qualifying tiers. An admin configures a client-side encryption identity for the account. Once configured, the sender can toggle client-side encryption on a message. Recipients must also be configured for client-side encryption to decrypt.
For the widest recipient reach and healthcare use, a dedicated secure email service that installs as a Gmail add-on gives you a Send Encrypted button that routes the message through the vendor. The recipient reads it in a portal. This is the simplest path for a solo practice or small clinic.
How to send encrypted email in Yahoo Mail
Yahoo Mail does not offer a built-in message encryption feature. There is no Send Encrypted button in Yahoo, and Yahoo does not sign a business associate agreement for HIPAA use.
Yahoo servers use TLS between mail servers, which protects messages in transit when the receiving server supports TLS. This is a baseline measure that any modern mail provider offers. TLS alone is not equivalent to end-to-end or message-level encryption.
To send encrypted email from a Yahoo address, you have two practical options. Use a third-party encryption service that can send on your behalf and reply through a portal. Or move the encrypted correspondence to a provider that supports encryption natively.
Yahoo is not a supported platform for HIPAA-covered mail. A therapist or medical office running client communications through a Yahoo address is not compliant regardless of what encryption is added on top of the sending experience. Change providers first.
Comparing the encryption methods across clients
The methods trade off between ease of use, recipient reach, and compliance strength. This table lays out the practical differences.
| Method | Sender platform | Recipient reach | Compliance-grade |
|---|---|---|---|
| Outlook 365 Encrypt button | Business Premium and up | Any recipient via portal | Yes with BAA on tenant |
| S/MIME certificate | Outlook 2010 to 2016 and 365 | Recipients with certificates | Yes when configured |
| Gmail confidential mode | Any Gmail account | Any recipient | No, not on its own |
| Gmail client-side encryption | Qualifying Workspace tiers | Workspace with CSE identity | Yes with BAA on tenant |
| Yahoo native | None available | Not applicable | No |
| Dedicated encrypted email service | Any client with plug-in or web | Any recipient via portal | Yes with vendor BAA |
Portal-based methods reach any recipient. Certificate-based methods only work between correspondents with matching PKI infrastructure. Choose based on who you actually send to.
For solo practices sending to patients on consumer email, portal-based encryption is the reliable default. The how to send encrypted email guide covers the sender workflow in more detail.

Choosing between Encrypt-Only and Do Not Forward in Outlook
Outlook’s Encrypt button gives two options that trip up new users. The right choice depends on how much control you need after the message leaves your outbox.
Encrypt-Only encrypts the message content and attachments. The recipient can reply and forward. Any forwarded copy remains encrypted. This is the right choice for a normal sensitive message where the recipient may legitimately need to share it with a colleague.
Do Not Forward encrypts the message and also blocks forwarding, reply-all, printing, copying, and attachment download. This is the right choice for a legal notice, an executive communication, or a message where you want tight distribution control.
Both options use Microsoft Purview Message Encryption underneath. The distinction is in the rights template applied to the message. Guidance on rights templates is in the Microsoft Azure Rights Management documentation.
Recipient experience across encryption methods
The sender picks the method. The recipient lives with it. Understanding the recipient experience for each method helps a sender choose the right one for the audience.
Portal-based encryption gives the recipient a notification email with a link. The recipient clicks, signs in with a one-time passcode or a linked account, and reads the message in a browser. First-time recipients often need a short explanation of the flow.
S/MIME opens the message inline in the recipient mail client once the recipient certificate is installed. There is no portal step. If the certificate is missing, the message body appears garbled or refuses to open.
Confidential mode from Gmail sends the recipient a link to a Google-hosted view where the message opens after optional passcode verification. Downloads and forwarding are blocked but the underlying storage is not encrypted at rest.
When each method is the right choice
Method choice comes down to who you send to and what compliance obligation applies. The following patterns match methods to typical use cases.
- Sending to patients on any consumer email: portal-based encryption from Outlook 365 or a dedicated encrypted email service
- Sending to another business on Microsoft 365: Outlook 365 Encrypt button, message opens inline for the recipient
- Sending to a corporate or government recipient with existing S/MIME: import certificates and use S/MIME
- Sending non-PHI internal-sensitive mail inside Google Workspace: Gmail confidential mode is acceptable for the sensitivity but not for HIPAA
- Sending high-volume transactional email programmatically: a HIPAA-eligible email API through a vendor with a BAA
Match the method to the strictest requirement in the message flow. A healthcare practice that sends both internal-sensitive and patient-covered mail needs the patient-covered method for both, not the internal-sensitive method for the mix.
Practices with a website that also collects sensitive information should align their web infrastructure with the email choice. Redefine Web covers relevant patterns in the overview of healthcare website security features.
Troubleshooting common send failures
Encryption send failures usually trace back to configuration rather than the message itself. The following symptoms map to specific fixes.
Missing Encrypt button in Outlook 365 means the account is not on a qualifying plan or the tenant has not enabled Azure Rights Management. The fix is either a license upgrade or an admin action on the tenant.
S/MIME send fails with a certificate error means the recipient certificate is not available. Outlook cannot encrypt to a recipient whose public certificate has not been previously received. Ask the recipient to send you a signed message first so their certificate is captured.
Recipient reports the portal login fails with a one-time passcode. Passcodes expire after fifteen minutes. Ask the recipient to request a fresh code and use it immediately. Some corporate spam filters delay the passcode delivery past the expiration window, in which case an alternate email address is needed. The National Institute of Standards and Technology publishes recommended email security guidance in NIST SP 800-177 Rev. 1.
Setting up encrypted email once so future sends are easier
Sending encrypted email should not be a per-message decision. Configure the account once so the workflow is consistent across all correspondence.
For Outlook 365, ask your admin to set default encryption on messages to certain external domains through a mail flow rule. This means messages to patient addresses or partner accounts are always encrypted without the sender toggling the button.
For dedicated encrypted email services, install the Gmail or Outlook plug-in on every workstation used by clinical or administrative staff. Enable the default-encrypt behavior in the service settings so no untrained sender accidentally sends plain text.
Document the workflow in a one-page internal reference. Include screenshots of the Encrypt button, the confidential mode toggle, or the plug-in send button as appropriate. New staff can then reach compliant sending on their first day rather than after weeks of trial and error.

