How to Send an Encrypted Email on Any Device

how to send an encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Office 365 uses the Encrypt ribbon. Mac Mail and iPhone use S/MIME once a cert sits in the keychain.
  • Recipient friction differs: Outlook Encrypt sends a link, S/MIME opens native, portal opens in web.
  • Mac Mail has the deepest native S/MIME support and auto-caches public keys from any signed inbound.
  • iPhone S/MIME needs an MDM profile or a manual .p12 install plus trust under Settings, Device Mgmt.
  • A gateway skips per-device certs and runs from any Mail app on any device with a BAA in base plan.

Sending an encrypted email is a different set of steps on every device and every mail app. Office 365 has a button. Gmail has two paths that look similar but work differently. Mac Mail and iPhone Mail share the S/MIME model. Yahoo has no native option at all.

This guide walks through the exact steps for each. It also covers the access side so the recipient knows what to do when the message arrives. For a cross-provider path with one workflow, a gateway service handles the recipient side uniformly and delivers encrypted email to any inbox.

Skip to the section that matches your device. Every section stands on its own with the menu paths named directly.

Send an Encrypted Email in Office 365 With the Encrypt Button

Office 365 on Business Standard and above adds an Encrypt button to the compose ribbon. It uses Microsoft Purview Message Encryption underneath.

Open Outlook. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Setup on the tenant side runs through the Microsoft Purview compliance portal. Admins should follow Microsoft Purview encryption documentation for the exact policy configuration.

how to send an encrypted email in article illustration one

Send an Encrypted Email on Mac With S/MIME

Mac Mail has native S/MIME support. Setup starts with installing an S/MIME certificate in Keychain Access.

Double-click the PKCS 12 file. Enter the password. Choose the login keychain. Keychain Access imports the private key and the certificate together.

Open Mail. Start a new message. If the recipient certificate is available, a lock icon appears next to the recipient field. Click the lock to encrypt. Write the message and click Send.

Signed mail from a recipient adds their public key to the local keychain automatically. This populates the encrypt cache without manual action. Related linked topic: how to send encrypted email for the parallel workflow on Windows.

Send an Encrypted Email From iPhone With S/MIME

iPhone Mail supports S/MIME natively. The certificate installs through a configuration profile pushed by MDM or a manual .p12 file.

Send the .p12 file to yourself, then tap it in Mail. Enter the password. Go to Settings, General, VPN and Device Management, and tap the profile. Tap Install and enter the device passcode.

Open Mail. Start a new message. If the recipient certificate is cached, a blue lock icon appears next to the recipient field. Tap the lock to encrypt. Tap Send.

Enterprise deployments push these profiles automatically through Jamf, Intune, or another MDM. Manual install is fine for a solo user but slow to scale beyond a few devices.

Example

A traveling wound care nurse works from an iPhone, an iPad, and a MacBook across three clinic sites. Provisioning S/MIME certificates on all three devices requires an MDM profile push, manual trust in Settings, and Keychain Access sync verification. When one device replaces a battery and loses the private key, months of encrypted mail become unreadable. The clinic swaps to a gateway service. The nurse writes in the normal Mail app on any device, adds a trigger word to the subject, and the service encrypts server-side without device-level certificates.

Send an Encrypted Email in Google Workspace

Google Workspace offers two encryption paths. Confidential mode is available on all tiers. Hosted S/MIME is available on Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus.

For confidential mode, click the lock and clock icon at the bottom of the compose window. Set expiration and passcode. Click Save. Write and Send.

For hosted S/MIME, the admin uploads CA certificates in the Google Admin console under Apps, Google Workspace, Gmail, User Settings. Each user then uploads their personal certificate through Gmail settings under Accounts.

Once configured, a lock icon appears next to the recipient field in the compose window. Green means encryption is possible. Related: how do I send an encrypted email for a full walkthrough of the confidential mode versus hosted S/MIME choice.

how to send an encrypted email in article illustration two

Send an Encrypted Email in Yahoo Mail

Yahoo Mail has no native encrypted email feature. There is no Encrypt button, no confidential mode, and no hosted S/MIME.

The practical workaround is to connect the Yahoo account to Thunderbird by IMAP. Install an S/MIME certificate in Thunderbird. Send encrypted mail from Thunderbird using the Yahoo address as the From address.

The alternative is a gateway service that authenticates against the Yahoo account and sends portal-delivered encrypted mail on its behalf. This is a workaround, not a supported feature.

Yahoo does not offer a Business Associate Agreement. Yahoo is not appropriate for HIPAA use. Practices sending PHI should migrate off Yahoo to a business mail provider that offers a BAA before starting a real encryption program.

Access an Encrypted Email You Received

Access on the recipient side is the mirror of the send side. The path depends on how the sender encrypted the message.

An Outlook Encrypt message arrives with a link. Click it. Authenticate with Microsoft, Google, or a one-time passcode. Read the message in a browser.

An S/MIME encrypted message opens normally inside a client that supports S/MIME and holds the recipient private key. An unsupported client shows an unopenable attachment. Recipients on personal Gmail cannot open S/MIME encrypted mail.

A portal-delivered message from a gateway service arrives with a notification link. Click the link. Enter the passcode. Read the message in the hosted view. Related linked topic: how to open an encrypted email.

๐Ÿ’กPro Tip: Push S/MIME profiles through MDM instead of manual install

Manual .p12 installation on iPhone requires downloading a file, entering a password, opening Settings, and trusting the profile in Device Management. This process fails at scale beyond a few devices and creates support tickets when users hit the trust step. Deploy Jamf, Intune, or another MDM to push configuration profiles automatically. The certificate installs silently, trust is preauthorized by the organization, and revocation happens centrally when a device is lost or a user leaves.

HIPAA Notes for Sending Encrypted Email

Sending PHI over email requires a signed Business Associate Agreement with the mail provider. Encryption alone does not equal HIPAA compliance.

Microsoft 365 Business Standard and above and Google Workspace Business Standard and above both offer BAAs. Apple iCloud, Yahoo Mail, and free personal Gmail and Outlook.com do not.

The HHS Security Rule requires access controls, audit logging, session timeouts, and workforce training in addition to encryption. Policy documentation is required for a defensible program.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. See related healthcare security context for how email fits inside the wider stack.

Common Sending Problems and How to Fix Them

The Encrypt button is missing in Outlook. Cause. Business Basic tier or free Outlook.com. Fix. Upgrade to Business Standard or higher, or use a gateway service.

The lock icon is grayed out in Mac Mail. Cause. Recipient certificate is not in the local keychain. Fix. Ask the recipient to send a signed message first. The public key caches automatically.

Common sending problems and fixes:

  • Missing certificate on iPhone. Install through Settings and trust the profile
  • Recipient reports unopenable attachment. Recipient client does not support S/MIME
  • Portal notification landed in spam. Add sender portal domain to safe senders
  • Sender From address does not match certificate. Fix in Outlook Trust Center
  • Certificate expired. Renew with the CA and reinstall on all devices

Related: how to troubleshoot encrypted email for a deeper diagnostic walkthrough.

Cross-Device Encrypted Email With a Gateway Service

Managing S/MIME certificates across desktop and mobile at scale is real operational work. Gateway services remove the certificate step by handling encryption at the server.

The sender writes the message in the normal mail app on any device. A trigger word in the subject or a plugin button triggers encryption. The service uploads the message to a hosted portal.

The recipient receives a notification. They click, authenticate with a passcode, and read in a browser. This works on any device with any modern browser.

Mailhippo works this way. It sits on top of Gmail or Outlook, includes a BAA in the base plan, and works uniformly across desktop, iPhone, iPad, and Android. Practices sending PHI to a mix of clinical peers and patients can pair this with healthcare marketing services to keep the intake, contact, and email chain inside the same compliance boundary.

Frequently Asked Questions

How to send an encrypted email on Office 365? +

Open Outlook on desktop or on the web. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown. Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser. The Encrypt button appears on Microsoft 365 Business Standard, Business Premium, Enterprise E3, Enterprise E5, and Government plans.

How to send an encrypted email on Mac? +

Install an S/MIME certificate. Open the PKCS 12 file, enter the password, and let Keychain Access import it. Open Mail. Start a new message. If the recipient certificate is available, a lock icon appears next to the recipient field. Click the lock to encrypt. Write the message and click Send. The recipient must have a compatible client with S/MIME support. If encryption is not possible, the lock icon is grayed out and the message sends unencrypted with a warning.

How to send an encrypted email from iPhone? +

Install an S/MIME certificate through a configuration profile or by tapping a .p12 file in Mail or Files. Enter the password. Go to Settings, General, VPN and Device Management, and trust the profile. Open Mail. Start a new message. If the recipient certificate is cached, a blue lock icon appears next to the recipient. Tap the lock to encrypt. Write the message and tap Send. Mobile device management deployments push these profiles automatically for enterprise users.

How to send an encrypted email in Google Workspace? +

Two paths. Confidential mode is available on all Workspace tiers. Click the lock and clock icon in the compose window, set expiration and passcode, then send. This is not end-to-end encryption. Hosted S/MIME is available on Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. Admin uploads CA certificates and enables S/MIME for the org unit. Each user uploads their personal certificate through Gmail settings. Once configured, a lock icon appears next to the recipient field when encryption is possible.

How to send an encrypted email in Yahoo? +

Yahoo Mail has no native encrypted email feature. The practical option is to connect the Yahoo account to Thunderbird by IMAP and install an S/MIME certificate in Thunderbird. Send encrypted mail from Thunderbird using the Yahoo address as the From address. Yahoo does not offer a Business Associate Agreement and is not appropriate for HIPAA use even with a workaround. Practices on Yahoo should migrate to Google Workspace, Microsoft 365, or a HIPAA-focused mail provider before starting a real encryption program.

How to access an encrypted email you received? +

The access path depends on the sender method. An Outlook Encrypt message arrives with a link. Click it and authenticate with Microsoft, Google, or a one-time passcode. An S/MIME message opens normally inside a client that supports S/MIME and holds the recipient private key. A portal-delivered message from a gateway service arrives with a notification link. Click the link, enter the passcode, and read the message in the hosted view. Confidential mode messages also arrive with a link and a passcode step.

How to send an encrypted email attachment? +

The attachment inherits the encryption of the message. Attach the file to a message encrypted through Outlook Encrypt, Gmail S/MIME, Mac Mail S/MIME, or a portal gateway. The service encrypts the message body and the attachment together. For extra protection, encrypt the file itself with a password using Adobe Acrobat for PDFs, Word for docx, or 7-Zip for archives. Share the password out of band by phone or text. Practices sending PHI attachments should verify recipient identity before releasing any password.

How Do You Encrypt an Email in Outlook, Gmail, and Office 365

how do you encrypt an email guide featured image

๐Ÿ”‘ Key Takeaways

  • Modern Outlook uses Purview from the Encrypt ribbon. Outlook 2013 and older still route via S/MIME.
  • Personal Gmail has only Confidential Mode. Workspace Enterprise adds hosted S/MIME for true E2E.
  • Attachments inherit message encryption, or lock the file first with Acrobat, Word, or 7-Zip AES-256.
  • Office 365 Encrypt needs Business Standard or higher plus Azure Rights Management on the tenant.
  • A gateway skips per-user certs, works from Gmail or Outlook, and ships a BAA in the base plan.

Encrypting an email is a different set of steps in every mail client. Outlook has a button. Gmail has two paths that look similar but work differently. Outlook 2013 uses an older S/MIME workflow. Attachment encryption is its own separate topic.

This guide covers each of them in order. It also flags the HIPAA implications for practices sending PHI. For a cross-client path that works uniformly, a gateway service delivers encrypted email to any recipient without version dependencies.

Every section stands on its own with the menu paths named directly. Skip to the client and version that matches your setup.

Encrypt an Email in Modern Outlook on Microsoft 365

Modern Outlook on Business Standard and above adds an Encrypt button to the compose window. The service is Microsoft Purview Message Encryption.

Open Outlook. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Business Basic tier and free personal Outlook.com do not have the Encrypt button. Related linked topic: how do you encrypt emails for a broader coverage of alternatives.

Encrypt an Email in Outlook 2013 With S/MIME

Outlook 2013 supports S/MIME natively but has no Purview Encrypt button. The workflow uses the Trust Center and a client-installed certificate.

Install an S/MIME certificate in the Windows personal certificate store. Open Outlook. Go to File, Options, Trust Center, Trust Center Settings, Email Security.

Under Encrypted email, click Settings. Pick your signing certificate and your encryption certificate. Choose whether to sign or encrypt by default. Click OK.

To encrypt a single message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key. This workflow also applies to Outlook 2016, 2019, and Outlook LTSC 2021 when S/MIME is the chosen path.

how do you encrypt an email in article illustration one

Encrypt an Email in Gmail With Confidential Mode

Gmail confidential mode is available on all Google Workspace tiers and personal Gmail. Click the lock and clock icon at the bottom of the compose window.

Set an expiration date from the dropdown. Choose whether to require a passcode. Passcode by SMS is the higher-security option. Click Save.

Write the message and click Send. The recipient receives a link. They open it in a browser, enter the passcode if required, and read the message in a hosted view.

Confidential mode is not end-to-end encryption. Google holds the keys. The mode prevents forwarding, copying, and printing. It does not seal the content against the provider. For HIPAA-scoped mail, confidential mode alone is not sufficient.

Encrypt an Email in Gmail With Hosted S/MIME

Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.

The admin uploads root and intermediate CA certificates in the Google Admin console under Apps, Google Workspace, Gmail, User Settings, then S/MIME. Enable S/MIME for the organizational unit.

Each user uploads their personal certificate through Gmail settings under Accounts. Once configured, a lock icon appears next to the recipient field. Green means encryption is possible.

Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME messages. The encrypted content arrives as an unopenable attachment. See Google Workspace admin help for the current tier list.

Example

A physical therapy clinic on Microsoft 365 Business Premium builds an automatic DLP rule in the Purview compliance portal. The rule matches the US HIPAA template and triggers when outbound messages contain MRN patterns or SSN patterns. Action: apply Do Not Forward automatically. A new hire forgets to click Encrypt when replying to an insurance verifier and pastes a partial MRN into the body. The DLP rule fires server-side, encrypts the message, and creates an audit log entry the compliance officer reviews weekly.

Encrypt an Email Attachment for Extra Protection

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. This is sufficient for most cases.

For extra protection, encrypt the file itself before attaching. This adds a second layer that survives even if the message encryption fails or the recipient forwards the message to an unencrypted inbox.

Common attachment encryption tools:

  • Adobe Acrobat for PDF password protection with AES-256
  • Microsoft Word, Excel, PowerPoint via File, Info, Protect Document, Encrypt with Password
  • 7-Zip for archive password protection with AES-256
  • Apple Preview for basic PDF password protection on macOS

Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password. Related linked topic: encrypt an email.

how do you encrypt an email in article illustration two

Encrypt an Email in Office 365 With Automatic DLP Rules

Office 365 supports automatic encryption through Data Loss Prevention rules on Business Premium and Enterprise tiers. This removes the human step of clicking Encrypt.

The admin opens the Microsoft Purview compliance portal. Under Data Loss Prevention, create a new policy. Choose a template for U.S. Health Insurance Act (HIPAA) or a custom policy with SSN, MRN, or ICD patterns.

Configure the action. Apply Do Not Forward, Encrypt-Only, or a custom rights template when a match is found. The policy can also block the send or require justification.

Automatic DLP encryption reduces the risk of staff forgetting to click Encrypt on a sensitive message. It also creates audit trail evidence that the covered entity applied technical safeguards under the HHS Security Rule.

Encrypt an Email With PGP Using FlowCrypt

FlowCrypt is a browser extension that adds PGP support to Gmail. It works on personal Gmail and any Google Workspace tier.

Install the extension from the Chrome or Firefox web store. Create a keypair when prompted. Back up the private key to a hardware token or an encrypted vault.

Send a secure message from the FlowCrypt compose window inside Gmail. The extension encrypts the body with the recipient public key if it is in the FlowCrypt cache. If not, the extension prompts for the recipient key or sends through the FlowCrypt password-protected fallback.

PGP is not native to any major business mail workflow. FlowCrypt fills that gap for teams that want end-to-end encryption without moving to Google Workspace Enterprise. It is not commonly used in regulated healthcare settings.

๐Ÿ’กPro Tip: Automate PHI encryption through DLP rules, never rely on manual clicks

Staff forget to click Encrypt on sensitive messages, especially during busy scheduling windows or shift handoffs. A single missed click is a HIPAA breach. Configure DLP rules in the Microsoft Purview compliance portal or Google Workspace Data Loss Prevention to match SSN, MRN, ICD-10, and custom keyword patterns. Apply Encrypt or Do Not Forward automatically when a match is found. This removes the human factor from compliance and creates audit trail evidence during OCR investigations.

Encrypted Email Options Compared

The table below compares the main paths a business considers.

Method Client Support Recipient Setup End-to-End HIPAA Fit
Outlook Encrypt (Purview) M365 Business Standard+ Passcode or SSO No, portal Yes with BAA
Outlook S/MIME Outlook 2013+ Certificate install Yes Peer traffic
Gmail confidential mode All Workspace Passcode No Not sufficient alone
Gmail hosted S/MIME Workspace Enterprise+ Certificate install Yes Yes
FlowCrypt PGP Gmail via extension PGP key exchange Yes Rare in healthcare
Gateway (Mailhippo) Any provider Passcode Portal-based Yes with base plan BAA

HIPAA Notes on Encrypting Email in Practice

Encryption is one technical safeguard among many. HIPAA requires access controls, audit logging, session timeouts, workforce training, and a signed BAA with each business associate.

Automatic DLP triggers reduce the risk of missed manual encryption. Portal delivery removes the recipient-side certificate requirement. Both are practical for a real HIPAA workflow.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Document policies and train staff. See related healthcare security features context.

Retention matters. Encrypted mail counts as PHI storage. Retention policies must match state medical board rules and the six-year HIPAA administrative retention requirement.

When a Gateway Is the Better Fit

Managing S/MIME certificates across a small team is meaningful operational work. Certificate expiration, mobile provisioning, and cross-platform trust chains all take time.

A gateway service removes the certificate step. The sender writes in the normal client. A trigger word or plugin button triggers encryption. The recipient reads in a browser.

Mailhippo works this way on top of Gmail or Outlook. It includes a BAA in the base plan. It works uniformly on desktop and mobile without version dependencies. See related how to encrypt an email for the broader walkthrough. Practices building a compliant public-facing site can pair this with HIPAA-conscious website design so intake, contact, and email flows stay inside the same compliance boundary.

Frequently Asked Questions

How do you encrypt an email in Outlook? +

On Microsoft 365 Business Standard and above, open a new message and click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The recipient receives a link and authenticates with Microsoft, Google, or a one-time passcode. On older Outlook versions with S/MIME, install a certificate through the Trust Center under Email Security, then click the encrypt icon in the compose window before sending. The two paths produce different recipient experiences.

How do you encrypt an email in Gmail? +

Click the lock and clock icon at the bottom of the compose window for confidential mode. Set expiration and passcode. Write and Send. This is not end-to-end encryption. For true end-to-end on Google Workspace Enterprise, the admin configures hosted S/MIME and each user uploads a personal certificate. A lock icon then appears next to the recipient field. Green means encryption is possible. For personal Gmail, install a plugin like FlowCrypt to add PGP support. Confidential mode alone is not HIPAA-appropriate.

How do you encrypt an email attachment? +

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. For separate protection, encrypt the file before attaching. Open the PDF in Adobe Acrobat, choose Protect, set a password. Open the docx in Word, choose File, Info, Protect Document, Encrypt with Password. For archives, use 7-Zip with AES-256. Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password.

How do you encrypt an email in Office 365? +

Open Outlook on desktop, mobile, or the web. Start a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The Encrypt button is available on Business Standard, Business Premium, Enterprise E3, Enterprise E5, and Government plans. Admins configure encryption templates in the Microsoft Purview compliance portal. Automatic encryption through DLP rules is available on Business Premium and Enterprise plans, which triggers Encrypt when messages match sensitive data patterns like SSN or MRN.

How do you encrypt an email in Outlook 2013? +

Outlook 2013 supports S/MIME but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings, pick your certificate, and choose to sign or encrypt by default. To encrypt a specific message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key.

How do you use encrypted email in daily workflow? +

Set a policy. Encrypt any message containing PHI, PII, or financial data. Use S/MIME for peer recipients who hold certificates. Use portal encryption or Outlook Encrypt for external recipients on any provider. Verify recipient email address before sending. Confirm identity by phone before releasing any attachment password. Log the send in the practice communication system if required by policy. Train staff on the trigger words that identify sensitive content and the correct encryption path for each recipient type.

Can you encrypt an email to a recipient without setup on their side? +

Yes, with portal-based encryption. Outlook Encrypt, Gmail confidential mode, and third-party gateways all use a portal model where the recipient receives a link, authenticates with a passcode or SSO, and reads the message in a browser. The recipient needs only a modern browser and the passcode. S/MIME and PGP require setup on both sides because the recipient client must decrypt with a private key it holds. Portal delivery is the model to use when the recipient set is variable or non-technical.

How Do I Send an Encrypted Email in Outlook, Gmail, and Yahoo

how do i send an encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook on Microsoft 365 Business Standard uses the Encrypt button in Options ribbon via Purview.
  • Gmail has Confidential Mode (weak) and hosted S/MIME on Enterprise. Personal Gmail has no real E2E.
  • Yahoo has no native encryption and no BAA. Regulated senders must migrate off or wrap in a gateway.
  • Apple Mail on macOS and iOS reads S/MIME from the keychain and shows a lock icon in the compose bar.
  • Gateways sit on top of any provider, add a trigger word or button, and ship a BAA in the base plan.

Sending an encrypted email looks different in every mail client. The button is in a different place in Outlook, Gmail, Yahoo, and Apple Mail. Some clients offer true end-to-end encryption while others offer a portal-based feature that looks similar but works differently.

This guide walks through the exact steps for each major provider. It also flags the HIPAA implications for practices sending PHI. For a gateway option that works across all of them, Mailhippo offers encrypted email as a portal service with a BAA in the base plan.

Start with the client you already use. Every section stands on its own with the buttons and menu paths named directly.

Sending Encrypted Email in Outlook 365

Outlook on Microsoft 365 Business Standard and above has an Encrypt button in the compose window. It uses Microsoft Purview Message Encryption underneath.

Open a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown menu that appears.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Business Basic and free personal Outlook.com do not have the Encrypt button. Upgrading to Business Standard or higher unlocks it. Related linked topic: how do you encrypt an email in outlook for the setup on older versions.

Sending Encrypted Email in Gmail With Confidential Mode

Gmail confidential mode is available on personal Gmail and every paid Google Workspace tier. Open a new message. Click the lock and clock icon at the bottom of the compose window.

Set an expiration date. Choose whether to require a passcode. Click Save. Write the message and click Send. The recipient receives a link and reads the message in a hosted view.

Confidential mode is not end-to-end encryption. Google holds the keys. The mode adds an extra step for the recipient and prevents forwarding, but the content is not sealed against the provider.

For a HIPAA workflow, confidential mode alone is not sufficient even with a BAA. Practices sending PHI need either hosted S/MIME on the Enterprise tier or a third-party gateway. See Google confidential mode documentation for the current feature list.

how do i send an encrypted email in article illustration one

Sending Encrypted Email in Gmail With Hosted S/MIME

Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.

The admin uploads root and intermediate CA certificates in the Google Admin console. They enable S/MIME for the organizational unit. Each user then uploads their personal certificate through Gmail settings under Accounts.

Once configured, a lock icon appears next to the recipient field in the compose window. Green means encryption is possible because the recipient certificate is cached. Gray means the recipient certificate is missing.

Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME encrypted messages. The encrypted content arrives as an unopenable attachment. This is the main operational limit of S/MIME in a mixed environment.

Sending Encrypted Email in Yahoo Mail

Yahoo Mail has no native encrypted email feature. There is no Encrypt button, no confidential mode, and no hosted S/MIME. Yahoo Mail Plus adds ad-free browsing and more storage but no encryption.

To send encrypted email from a Yahoo address, the practical options are limited. Connect the Yahoo account to Thunderbird by IMAP. Install an S/MIME certificate in Thunderbird. Send encrypted mail from Thunderbird using the Yahoo address as the From address.

The other option is a gateway service that authenticates against the Yahoo account and sends portal-delivered encrypted mail on its behalf. This is a workaround, not a supported feature.

Yahoo does not offer a Business Associate Agreement. Yahoo is not appropriate for HIPAA use. Practices on Yahoo should migrate to Google Workspace, Microsoft 365, or a dedicated healthcare mail provider before starting a real encryption program.

Example

A solo dermatologist on personal Yahoo Mail wants to send lab results to a referring internist. Yahoo has no Encrypt button, no confidential mode, no BAA. The dermatologist tries the workaround of connecting Yahoo to Thunderbird by IMAP and installing an Actalis S/MIME certificate, but the internist does not have S/MIME either. The practical resolution is migrating off Yahoo to Google Workspace Business Standard and adding a gateway service. The dermatologist then sends lab results with one click from a normal Gmail compose window.

Sending Encrypted Email in Apple Mail

Apple Mail on macOS and iOS supports S/MIME natively. The user installs an S/MIME certificate in the system keychain. Mail detects the certificate automatically.

On macOS, install the certificate through Keychain Access by opening the PKCS 12 file. On iOS, install through a configuration profile or by tapping the .p12 file in Files or Mail. Trust the certificate in Settings.

Once installed, a lock icon appears in the compose window when the recipient certificate is available. Click the lock to encrypt. A signed message from a recipient adds their public key to the local keychain automatically.

Apple Mail also opens Outlook Encrypt messages and portal-delivered messages from third-party gateways. Cross-platform S/MIME between Apple Mail and Outlook works reliably when both sides use the same certificate authority.

how do i send an encrypted email in article illustration two

Sending Encrypted Email With a Gateway Service

A gateway service sits between the sender mail client and the recipient. The sender writes the message in the normal client. A trigger word in the subject or a plugin button triggers encryption.

The service uploads the message to a hosted portal. The recipient receives a notification with a link. They authenticate with a passcode or SSO and read the message in a browser.

Gateway services work with any mail provider. They add a BAA when the underlying mail provider does not offer one. Setup takes minutes for a single user and hours for a full team.

Related linked topics: how to send an encrypted email for a broader walkthrough and how do I send encrypted email for cross-provider notes.

HIPAA Requirements for Encrypted Email Sending

Sending PHI over email requires a signed Business Associate Agreement with the mail provider and technical safeguards under the Security Rule. Encryption alone does not equal compliance.

Microsoft 365 Business Standard and above and Google Workspace Business Standard and above both offer BAAs. Personal Outlook.com, personal Gmail, personal Yahoo, and personal iCloud do not.

The HHS Security Rule requires access controls, audit logging, session timeouts, and workforce training in addition to encryption. Documentation of policies is required for a defensible program.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Related: security features for healthcare websites for how email fits inside the wider stack.

๐Ÿ’กPro Tip: Verify the recipient email address before every PHI send

Encryption protects content but does not correct a wrong address. Sending PHI to the wrong recipient is a HIPAA breach even when the message is perfectly encrypted. Confirm the recipient email through a separate channel before sending, especially for new contacts. Use address book contacts rather than typing addresses each time. Practices sending PHI attachments should also verify recipient identity by phone before releasing any password shared out of band with the encrypted file.

Encrypted Email Feature Comparison Across Providers

The table below summarizes what each major mail provider offers natively.

Provider Native Encryption Feature End-to-End BAA Available Free Tier Encrypted Send
Outlook 365 Business Standard+ Encrypt button, Purview No, portal-based Yes No
Gmail Workspace Business Confidential mode No Yes on Business Standard+ Confidential mode only
Gmail Workspace Enterprise Hosted S/MIME Yes Yes Not on personal
Yahoo Mail None native No No No
Apple Mail on iCloud+ Manual S/MIME Yes with certificate No Manual setup only
ProtonMail Business Password-protected portal Yes to Proton, portal to others Yes on Business Free tier has portal send

Common Sending Problems and Their Fixes

The Encrypt button is missing in Outlook. This happens on Business Basic or free personal Outlook.com. Upgrade to Business Standard or above, or use a gateway service.

The S/MIME lock icon is gray in Gmail. This means the recipient certificate is not cached. Ask the recipient to send you a signed message first. The certificate cache populates automatically from signed inbound mail.

The recipient cannot open the encrypted message. Common causes:

  • Recipient client does not support S/MIME (personal Gmail, Business Standard Workspace)
  • Notification email landed in spam
  • Recipient failed the passcode step
  • Certificate address mismatch on the sender side
  • Corporate firewall blocks the portal domain

Related linked topic: how do I open an encrypted email in outlook for recipient-side fixes.

Picking the Right Sending Path for Your Practice

Practices already on Microsoft 365 Business Standard or above should use the native Encrypt button for external mail. Setup is minutes. The BAA is already in place.

Practices on Google Workspace Business Standard should use confidential mode for casual privacy and add a gateway service for HIPAA-scoped mail. Upgrading to Enterprise for hosted S/MIME is often costlier than the gateway approach.

Practices on Yahoo, iCloud, or free personal accounts need to migrate to a business mail provider before starting a real encrypted email program. No workaround makes those tiers HIPAA-appropriate.

Mailhippo works as the gateway option across all of these providers. It sits alongside Gmail or Outlook, includes a BAA in the base plan, and requires no per-user certificate management. Practices building a compliant public site alongside their email program can pair this with HIPAA-conscious website design so the whole intake chain stays inside the same compliance boundary.

Frequently Asked Questions

How do I send an encrypted email in Outlook 365? +

Open a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown. Write the message and click Send. The external recipient receives a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser. The Encrypt button appears on Microsoft 365 Business Standard, Business Premium, E3, E5, and Government plans. Free personal Outlook.com and Business Basic tiers do not have this feature.

How do I send an encrypted email in Gmail? +

Two options exist. For confidential mode, open a new message, click the lock icon at the bottom, set expiration and passcode, then send. Confidential mode is not end-to-end encryption. For true S/MIME encryption, the account must be on Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus. The admin uploads CA certificates and enables S/MIME, then each user uploads their personal certificate. A lock icon then appears next to the recipient field when encryption is possible.

How do I send an encrypted email with Yahoo? +

Yahoo has no native encrypted email feature. To send encrypted mail from a Yahoo address, connect the Yahoo account to Thunderbird via IMAP and install an S/MIME certificate in Thunderbird. Or connect the Yahoo account to a gateway service that handles portal delivery. Yahoo does not offer a Business Associate Agreement and is not a HIPAA-appropriate mail provider even with a workaround in place. Yahoo Mail Plus does not add encryption features. Business users should move to a provider that offers a BAA.

How do I send an encrypted email in Outlook 2013? +

Outlook 2013 supports S/MIME natively but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File then Options then Trust Center then Trust Center Settings then Email Security. Under Encrypted email, click Settings and pick your certificate. Choose to sign or encrypt outgoing messages by default. To encrypt a specific message, click the Encrypt Message Contents and Attachments button in the compose ribbon before sending.

Can I send encrypted email without buying a service? +

Yes, with limits. Free options include manual S/MIME with a free personal certificate from Actalis in Outlook or Apple Mail, PGP with a plugin like FlowCrypt in Gmail, and a personal ProtonMail account for external portal delivery. All three require setup effort and none qualifies for HIPAA on the free tier. For regulated work, a paid service with a BAA is the only defensible path. For casual privacy, the free options work well after the initial setup.

Is Outlook confidential mode the same as encryption? +

Outlook does not use the term confidential mode. Gmail uses that term. In Outlook, the equivalent feature is Encrypt or Do Not Forward inside Microsoft Purview Message Encryption. Encrypt-Only prevents unauthorized reading. Do Not Forward adds restrictions against forwarding, copying, and printing. Both use portal-based delivery for external recipients. Neither is the same as S/MIME end-to-end encryption. Outlook also supports S/MIME separately for peer-to-peer certificate-based encryption between users who both hold certificates.

How do I send an encrypted email attachment? +

The attachment inherits the encryption of the message. Attach the file to a message you encrypt through Outlook Encrypt, Gmail S/MIME, Apple Mail S/MIME, or a portal gateway. The service encrypts the message body and attachment together. For separate protection, encrypt the file itself with a password using Adobe Acrobat for PDFs or 7-Zip for other files, then share the password out of band. Practices sending PHI attachments should verify recipient identity before releasing any password.