๐ Key Takeaways
- Office 365 uses the Encrypt ribbon. Mac Mail and iPhone use S/MIME once a cert sits in the keychain.
- Recipient friction differs: Outlook Encrypt sends a link, S/MIME opens native, portal opens in web.
- Mac Mail has the deepest native S/MIME support and auto-caches public keys from any signed inbound.
- iPhone S/MIME needs an MDM profile or a manual .p12 install plus trust under Settings, Device Mgmt.
- A gateway skips per-device certs and runs from any Mail app on any device with a BAA in base plan.
Sending an encrypted email is a different set of steps on every device and every mail app. Office 365 has a button. Gmail has two paths that look similar but work differently. Mac Mail and iPhone Mail share the S/MIME model. Yahoo has no native option at all.
This guide walks through the exact steps for each. It also covers the access side so the recipient knows what to do when the message arrives. For a cross-provider path with one workflow, a gateway service handles the recipient side uniformly and delivers encrypted email to any inbox.
Skip to the section that matches your device. Every section stands on its own with the menu paths named directly.
Send an Encrypted Email in Office 365 With the Encrypt Button
Office 365 on Business Standard and above adds an Encrypt button to the compose ribbon. It uses Microsoft Purview Message Encryption underneath.
Open Outlook. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward.
Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.
Setup on the tenant side runs through the Microsoft Purview compliance portal. Admins should follow Microsoft Purview encryption documentation for the exact policy configuration.

Send an Encrypted Email on Mac With S/MIME
Mac Mail has native S/MIME support. Setup starts with installing an S/MIME certificate in Keychain Access.
Double-click the PKCS 12 file. Enter the password. Choose the login keychain. Keychain Access imports the private key and the certificate together.
Open Mail. Start a new message. If the recipient certificate is available, a lock icon appears next to the recipient field. Click the lock to encrypt. Write the message and click Send.
Signed mail from a recipient adds their public key to the local keychain automatically. This populates the encrypt cache without manual action. Related linked topic: how to send encrypted email for the parallel workflow on Windows.
Send an Encrypted Email From iPhone With S/MIME
iPhone Mail supports S/MIME natively. The certificate installs through a configuration profile pushed by MDM or a manual .p12 file.
Send the .p12 file to yourself, then tap it in Mail. Enter the password. Go to Settings, General, VPN and Device Management, and tap the profile. Tap Install and enter the device passcode.
Open Mail. Start a new message. If the recipient certificate is cached, a blue lock icon appears next to the recipient field. Tap the lock to encrypt. Tap Send.
Enterprise deployments push these profiles automatically through Jamf, Intune, or another MDM. Manual install is fine for a solo user but slow to scale beyond a few devices.
A traveling wound care nurse works from an iPhone, an iPad, and a MacBook across three clinic sites. Provisioning S/MIME certificates on all three devices requires an MDM profile push, manual trust in Settings, and Keychain Access sync verification. When one device replaces a battery and loses the private key, months of encrypted mail become unreadable. The clinic swaps to a gateway service. The nurse writes in the normal Mail app on any device, adds a trigger word to the subject, and the service encrypts server-side without device-level certificates.
Send an Encrypted Email in Google Workspace
Google Workspace offers two encryption paths. Confidential mode is available on all tiers. Hosted S/MIME is available on Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus.
For confidential mode, click the lock and clock icon at the bottom of the compose window. Set expiration and passcode. Click Save. Write and Send.
For hosted S/MIME, the admin uploads CA certificates in the Google Admin console under Apps, Google Workspace, Gmail, User Settings. Each user then uploads their personal certificate through Gmail settings under Accounts.
Once configured, a lock icon appears next to the recipient field in the compose window. Green means encryption is possible. Related: how do I send an encrypted email for a full walkthrough of the confidential mode versus hosted S/MIME choice.

Send an Encrypted Email in Yahoo Mail
Yahoo Mail has no native encrypted email feature. There is no Encrypt button, no confidential mode, and no hosted S/MIME.
The practical workaround is to connect the Yahoo account to Thunderbird by IMAP. Install an S/MIME certificate in Thunderbird. Send encrypted mail from Thunderbird using the Yahoo address as the From address.
The alternative is a gateway service that authenticates against the Yahoo account and sends portal-delivered encrypted mail on its behalf. This is a workaround, not a supported feature.
Yahoo does not offer a Business Associate Agreement. Yahoo is not appropriate for HIPAA use. Practices sending PHI should migrate off Yahoo to a business mail provider that offers a BAA before starting a real encryption program.
Access an Encrypted Email You Received
Access on the recipient side is the mirror of the send side. The path depends on how the sender encrypted the message.
An Outlook Encrypt message arrives with a link. Click it. Authenticate with Microsoft, Google, or a one-time passcode. Read the message in a browser.
An S/MIME encrypted message opens normally inside a client that supports S/MIME and holds the recipient private key. An unsupported client shows an unopenable attachment. Recipients on personal Gmail cannot open S/MIME encrypted mail.
A portal-delivered message from a gateway service arrives with a notification link. Click the link. Enter the passcode. Read the message in the hosted view. Related linked topic: how to open an encrypted email.
Manual .p12 installation on iPhone requires downloading a file, entering a password, opening Settings, and trusting the profile in Device Management. This process fails at scale beyond a few devices and creates support tickets when users hit the trust step. Deploy Jamf, Intune, or another MDM to push configuration profiles automatically. The certificate installs silently, trust is preauthorized by the organization, and revocation happens centrally when a device is lost or a user leaves.
HIPAA Notes for Sending Encrypted Email
Sending PHI over email requires a signed Business Associate Agreement with the mail provider. Encryption alone does not equal HIPAA compliance.
Microsoft 365 Business Standard and above and Google Workspace Business Standard and above both offer BAAs. Apple iCloud, Yahoo Mail, and free personal Gmail and Outlook.com do not.
The HHS Security Rule requires access controls, audit logging, session timeouts, and workforce training in addition to encryption. Policy documentation is required for a defensible program.
Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. See related healthcare security context for how email fits inside the wider stack.
Common Sending Problems and How to Fix Them
The Encrypt button is missing in Outlook. Cause. Business Basic tier or free Outlook.com. Fix. Upgrade to Business Standard or higher, or use a gateway service.
The lock icon is grayed out in Mac Mail. Cause. Recipient certificate is not in the local keychain. Fix. Ask the recipient to send a signed message first. The public key caches automatically.
Common sending problems and fixes:
- Missing certificate on iPhone. Install through Settings and trust the profile
- Recipient reports unopenable attachment. Recipient client does not support S/MIME
- Portal notification landed in spam. Add sender portal domain to safe senders
- Sender From address does not match certificate. Fix in Outlook Trust Center
- Certificate expired. Renew with the CA and reinstall on all devices
Related: how to troubleshoot encrypted email for a deeper diagnostic walkthrough.
Cross-Device Encrypted Email With a Gateway Service
Managing S/MIME certificates across desktop and mobile at scale is real operational work. Gateway services remove the certificate step by handling encryption at the server.
The sender writes the message in the normal mail app on any device. A trigger word in the subject or a plugin button triggers encryption. The service uploads the message to a hosted portal.
The recipient receives a notification. They click, authenticate with a passcode, and read in a browser. This works on any device with any modern browser.
Mailhippo works this way. It sits on top of Gmail or Outlook, includes a BAA in the base plan, and works uniformly across desktop, iPhone, iPad, and Android. Practices sending PHI to a mix of clinical peers and patients can pair this with healthcare marketing services to keep the intake, contact, and email chain inside the same compliance boundary.
Frequently Asked Questions
Open Outlook on desktop or on the web. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown. Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser. The Encrypt button appears on Microsoft 365 Business Standard, Business Premium, Enterprise E3, Enterprise E5, and Government plans.
Install an S/MIME certificate. Open the PKCS 12 file, enter the password, and let Keychain Access import it. Open Mail. Start a new message. If the recipient certificate is available, a lock icon appears next to the recipient field. Click the lock to encrypt. Write the message and click Send. The recipient must have a compatible client with S/MIME support. If encryption is not possible, the lock icon is grayed out and the message sends unencrypted with a warning.
Install an S/MIME certificate through a configuration profile or by tapping a .p12 file in Mail or Files. Enter the password. Go to Settings, General, VPN and Device Management, and trust the profile. Open Mail. Start a new message. If the recipient certificate is cached, a blue lock icon appears next to the recipient. Tap the lock to encrypt. Write the message and tap Send. Mobile device management deployments push these profiles automatically for enterprise users.
Two paths. Confidential mode is available on all Workspace tiers. Click the lock and clock icon in the compose window, set expiration and passcode, then send. This is not end-to-end encryption. Hosted S/MIME is available on Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. Admin uploads CA certificates and enables S/MIME for the org unit. Each user uploads their personal certificate through Gmail settings. Once configured, a lock icon appears next to the recipient field when encryption is possible.
Yahoo Mail has no native encrypted email feature. The practical option is to connect the Yahoo account to Thunderbird by IMAP and install an S/MIME certificate in Thunderbird. Send encrypted mail from Thunderbird using the Yahoo address as the From address. Yahoo does not offer a Business Associate Agreement and is not appropriate for HIPAA use even with a workaround. Practices on Yahoo should migrate to Google Workspace, Microsoft 365, or a HIPAA-focused mail provider before starting a real encryption program.
The access path depends on the sender method. An Outlook Encrypt message arrives with a link. Click it and authenticate with Microsoft, Google, or a one-time passcode. An S/MIME message opens normally inside a client that supports S/MIME and holds the recipient private key. A portal-delivered message from a gateway service arrives with a notification link. Click the link, enter the passcode, and read the message in the hosted view. Confidential mode messages also arrive with a link and a passcode step.
The attachment inherits the encryption of the message. Attach the file to a message encrypted through Outlook Encrypt, Gmail S/MIME, Mac Mail S/MIME, or a portal gateway. The service encrypts the message body and the attachment together. For extra protection, encrypt the file itself with a password using Adobe Acrobat for PDFs, Word for docx, or 7-Zip for archives. Share the password out of band by phone or text. Practices sending PHI attachments should verify recipient identity before releasing any password.



