๐ Key Takeaways
- An encryption solution has three jobs: protect the body, verify the sender, and log every event.
- Small teams on Gmail or M365 win with a hosted service at $5 to $15 per user per month.
- MSPs need a multi-tenant console; wholesale pricing plus co-branded portals drive the margin.
- Advisors juggle GLBA, SEC 17a-4, and FINRA; the archive must ingest encrypted mail cleanly.
- Enterprise buyers weigh native Purview or S/MIME against a gateway for cross-platform coverage.
Every organization that sends email containing sensitive data eventually needs an encryption solution. The question is not whether to encrypt, but which solution fits the actual mailflow, the regulatory framework, and the recipient audience.
Small practices sending patient mail have different needs than a 5000-user enterprise sending contracts. Financial advisors have different rules than defense contractors. A HIPAA-covered service such as encrypted email covers small healthcare practices well. A CMMC-covered gateway covers a defense contractor.
This guide walks through the buyer decision by audience. Small business, MSPs, financial advisors, defense contractors, and enterprise buyers each get a section with the specific rules they need to meet and the solution shapes that fit.
The three jobs an email encryption solution actually does
The first job is protecting the message and any attachments in transit and at rest. TLS covers the connection between mail servers. End-to-end encryption or portal-based delivery covers the message content itself.
The second job is verifying the sender identity so the recipient can trust the message. S/MIME and DKIM both do this at different layers. Signing prevents impersonation attacks and provides non-repudiation for legal purposes.
The third job is producing audit logs the organization can use to prove compliance. Send events, delivery events, open events, and download events all need to be logged for the retention period the applicable regulation requires.
Most buyers focus on the first job and underestimate the second and third. A solution that encrypts strongly but does not log opens will fail a real audit because the auditor cannot confirm that the recipient actually received the message.
The mechanics of each job are covered in the technical guide on encryption for email, which walks through the algorithms and the protocols in detail.
Small business buyers optimize for setup speed and staff friction
Small businesses under 25 users typically already run Gmail or Microsoft 365 on a lower tier. The encryption question is whether to upgrade the license, add a native encryption add-on, or layer a third-party service on top.
The license upgrade path adds cost across every mailbox even if only a subset actually needs encryption. Microsoft 365 Business Premium runs about triple the cost of Business Standard.
The add-on path, such as Azure Information Protection Premium P1, gives per-user encryption without the full Business Premium bundle. It also requires the IT team to configure the tenant, which is often outside the skill set of a five-person practice.
The third-party service path layers on top of the existing mailbox. Common pricing runs $5 to $15 per user per month with a signed BAA included. Setup takes an afternoon with no tenant configuration required.
For a healthcare practice specifically, the buyer decision also touches the surrounding website. Guidance on security features for healthcare websites covers the portal, form handling, and file upload side of the workflow that complements the encrypted email side.

MSPs optimize for multi-tenant control and margin
Managed service providers selling encryption to multiple clients need a control plane that manages multiple tenants from a single admin console. Provisioning a new client, adjusting policy, and producing a quarterly report all need to be single-console operations.
Wholesale pricing with per-user billing lets the MSP set retail pricing that covers support and margin. Vendors that publish MSP-specific pricing typically also offer a partner portal for user provisioning and client-level reporting.
Compliance mix matters for the vendor choice. An MSP with mostly healthcare clients wants HIPAA-first support. An MSP with mostly financial clients wants GLBA and SEC 17a-4 support. An MSP with defense contractor clients needs FIPS 140-3 validated crypto.
Co-branded portal delivery is a nice-to-have that many MSPs value because the recipient experience carries the MSP client brand rather than the encryption vendor brand. Not every vendor supports co-branding, so this needs to be confirmed upfront.
The MSP also needs the vendor to sign a business associate agreement or its equivalent as a subcontractor, so the compliance chain flows correctly from the covered entity through the MSP to the encryption vendor.
Financial advisors face SEC, FINRA, GLBA, and state privacy law
Financial advisors sending statements, account changes, and estate planning documents need an encryption solution that satisfies four different rule sets at once.
SEC Rule 17a-4 requires broker-dealers to retain electronic communication for six years in a non-erasable, non-rewritable format. The encryption solution must integrate with the retention archive so encrypted messages appear alongside plain-text messages.
FINRA Regulatory Notice 22-10 clarified that firms must supervise electronic communication regardless of the encryption method. The supervision includes an archive, keyword monitoring, and periodic sampling.
GLBA and the state privacy laws that layered on top, including California CCPA and the New York SHIELD Act, require reasonable security practices for consumer financial data. Encryption of transmitted account information satisfies the transmission side of the rule.
The vendor selection needs to confirm compatibility with the compliance archive the firm already uses. Common archives include Global Relay, Smarsh, and Mimecast Compliance. Encrypted messages need to feed into the archive in a searchable format.
An MSP with 40 client tenants averaging 15 seats each shortlists three encryption vendors. The wholesale rate lands at $4 per seat per month, and the MSP prices retail at $9. Across 600 seats the recurring wholesale cost is $2,400 per month, retail revenue reaches $5,400, and the margin covers a half-time technician handling recipient portal support tickets. The MSP picks the vendor with the strongest multi-tenant admin console because provisioning a new client takes 20 minutes instead of two hours across three separate portals.
Defense contractors need FIPS-validated crypto for CMMC
Defense contractors handling controlled unclassified information under DFARS 252.204-7012 must meet CMMC 2.0 requirements. Level 2 assessments apply to any contractor handling CUI.
The relevant CMMC control, SC.L2-3.13.11, requires FIPS-validated cryptography when used to protect the confidentiality of CUI. The validation must be documented on the NIST CMVP list at the time of use.
Microsoft Purview Message Encryption on the GCC High tenant meets the requirement. Preveil and specific gateway products also qualify. Standard commercial encryption vendors need a specific FIPS validation certificate to be considered.
The NIST CMVP lists the validated modules. Buyers should confirm the specific module and version number the vendor uses matches an active certificate on the list.
Level 3 assessments apply to contractors handling higher-value CUI and add controls including advanced persistent threat detection. Level 3 typically requires a dedicated CMMC-focused solution rather than a general-purpose encryption gateway.

Enterprise buyers choose between native and gateway architectures
Enterprise buyers with more than 500 mailboxes usually already run Microsoft 365 E3 or E5, Google Workspace Enterprise Plus, or a mixed environment. The encryption question is whether to use the native platform features or add a third-party gateway.
Microsoft Purview Message Encryption is included in E3 and E5 and integrates with the tenant compliance dashboard, mail flow rules, and Azure Rights Management. It handles the common Outlook and Outlook on the web cases well.
Google Workspace hosted S/MIME on Enterprise Plus covers Google-native encryption for Gmail. Client-side encryption with a customer-managed key is available on the same tier for organizations that want the key material outside Google infrastructure.
Third-party gateways add cross-platform coverage, more flexible policy control, and enforcement without user interaction. Common enterprise gateway vendors include Proofpoint, Mimecast Encryption, and Cisco Secure Email.
The mixed-platform case usually goes to a gateway because the same policy needs to apply to mail leaving Microsoft 365, Google Workspace, and any legacy on-premises mail server. Native features solve only their own platform.
Recipient experience decides adoption more than encryption strength
The most secure encryption solution fails if the recipient cannot open the message. Every buyer should run a round-trip test with a real external recipient before signing a contract.
Portal-based delivery works well for one-off recipients and patient mail because the recipient does not need any prior setup. A link opens in the browser, a passcode arrives at the recipient inbox, and the message is readable.
S/MIME delivery works well between organizations that have exchanged certificates in advance. It fails when the recipient does not have a certificate or when the certificate has expired.
PGP delivery works well between technical users who both run PGP-aware mail clients. It rarely works with patients, retail clients, or non-technical recipients because setup is too high.
The best-fit recipient experience depends on the audience. A healthcare practice usually picks portal delivery. A defense contractor usually picks S/MIME between contract parties. A financial advisor usually picks portal delivery for retail clients and S/MIME for wholesale counterparts.
Vendor demos never expose the recipient friction that matters most. Run a two-week pilot before signing a contract. Send test messages to Gmail, Outlook.com, Yahoo Mail, and a corporate Outlook. Confirm the portal login works on iOS Safari and Android Chrome. Open a real support ticket during and outside business hours to test response time. Verify the audit log shows every field the applicable regulation requires. Real workflow tests reveal issues that documentation and sales-team responsiveness hide.
Total cost of ownership includes licenses, admin time, and support
The sticker price on the encryption service is only part of the total cost of ownership. License upgrades, admin time to configure policy, and support calls when recipients cannot open messages all add up.
For a small practice, the third-party layer typically wins on TCO because it avoids the Microsoft 365 Business Premium upgrade across every mailbox. The service price of $10 per user per month is less than the $10 per month license delta on 20 mailboxes.
For an enterprise already on E3 or E5, native Purview is free at the license level but adds admin time to configure mail flow rules, monitor delivery, and handle the recipient support tickets that follow policy changes.
Support cost scales with recipient volume. A portal-based service that handles the recipient authentication step centrally usually reduces the practice help desk load compared to an S/MIME deployment that pushes certificate management to the recipient side.
For a five-year total cost estimate, count license fees, one-time deployment work, ongoing admin, and support tickets. Most vendors publish enough detail to build the estimate.
Common vendor shortlists by buyer profile
Small healthcare practice on Gmail or Microsoft 365: Mailhippo, LuxSci, and NeoCertified all offer HIPAA-covered service with a BAA in the base plan.
MSP with mixed client base: Sherweb, Trustifi, and Mailhippo Partner offer multi-tenant control planes with wholesale pricing.
Financial advisor with SEC 17a-4 requirement: Smarsh, Global Relay, and Mimecast Compliance all bundle encryption with the required archive. Standalone encryption vendors need to be paired with a separate archive.
Defense contractor at CMMC Level 2: Microsoft GCC High tenant with Purview, Preveil, and specific FIPS-validated gateway products qualify. General commercial vendors do not automatically qualify.
Enterprise mixed platform: Proofpoint, Mimecast Encryption, and Cisco Secure Email all handle cross-platform enforcement. Native Purview or Workspace S/MIME can also work if the mailflow is single-platform.
How to run a short evaluation before signing
Every vendor evaluation should include a two-week pilot with a subset of users. The pilot answers the questions that vendor demos cannot answer.
Test with real external recipients on Gmail, Outlook.com, Yahoo Mail, and a corporate Outlook. Recipient experience is the most common failure mode and is not visible in a demo.
Test the audit log by sending a batch of messages, opening some as the recipient, and running the report. Confirm the log shows the fields that the applicable regulation requires.
Test the policy enforcement by sending a message that should trigger a rule and confirming the rule fired. Do the same with a message that should not trigger the rule.
Test the support responsiveness by opening a real ticket during business hours and again outside business hours. Response time and resolution quality on real tickets predicts the long-run experience better than sales-team responsiveness.
Frequently Asked Questions
Six features cover most buyer needs. Encryption in transit and at rest, a signed business associate agreement or a compliance certification appropriate for the regulatory framework, a recipient experience that does not require the recipient to install software, audit logs of message send and open events, integration with the existing mail platform, and policy control so encryption can be enforced by rule rather than user click. For regulated industries, retention and archival features also matter.
For a small business under 25 users on Gmail or Microsoft 365, a hosted encryption service that includes a BAA in the base plan is usually the fastest fit. The service layers on top of the existing mailbox, encrypts every outbound message, and delivers a portal link to external recipients. Pricing typically runs $5 to $15 per user per month. Native Microsoft Purview requires a Business Premium license on every mailbox, and Google Workspace hosted S/MIME requires the top-tier Enterprise Plus license, both of which cost more.
MSPs need a multi-tenant control plane that manages multiple client tenants from a single admin console. Look for wholesale pricing with per-user billing, a partner portal for user provisioning and reporting, and support for client-specific policy templates. Common MSP-focused encryption vendors include Sherweb, Trustifi, and Mailhippo Partner. The right pick depends on which mail platforms the MSP clients use most, how many clients need HIPAA versus GLBA versus CMMC coverage, and whether the MSP wants co-branded portal delivery.
Microsoft 365 Business Premium, Apps for Enterprise, and the E3 and E5 tiers include Microsoft Purview Message Encryption. Users click the Encrypt button in the Options ribbon in new Outlook or Outlook on the web. External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode. Purview supports mail flow rules that trigger encryption based on the sender, recipient, or content pattern. The BAA is available through the Service Trust Portal for tenants that need HIPAA coverage.
CMMC, the Cybersecurity Maturity Model Certification, applies to defense contractors handling controlled unclassified information. CMMC 2.0 Level 2 requires FIPS 140-2 or 140-3 validated cryptography for CUI in transit and at rest. Solutions that qualify use FIPS-validated crypto modules and support the specific labeling and handling controls that CMMC requires. Microsoft Purview with the GCC High tenant, Preveil, and specific gateway products meet the requirement. Standard commercial encryption solutions do not automatically satisfy CMMC and need a specific FIPS validation review.
Google Workspace offers three encryption features. Confidential mode is available on every account and applies expiration and forwarding controls but not cryptographic encryption. Hosted S/MIME is available on Enterprise Plus, Education Standard, and Education Plus and encrypts the message body with an S/MIME certificate managed in the Google Admin console. Client-side encryption is available on Enterprise Plus with a customer-managed key from an external key service. The BAA is available on eligible paid Workspace plans through the Google Admin console.