Encrypting an Email Explained From Setup to Recipient View

encrypting an email guide featured image

๐Ÿ”‘ Key Takeaways

  • Encryption turns the message body and attachments into ciphertext only the reader can decrypt.
  • Business Premium unlocks the Outlook Encrypt button; lower tiers need a bump or a HIPAA service.
  • Gmail client-side encryption requires Workspace Enterprise Plus and a customer-managed key service.
  • Attachments encrypt with the body across S/MIME, PGP, Purview, and Google client-side encryption.
  • Encryption alone fails HIPAA without a signed BAA, access logs, staff training, and response plan.

Encrypting an email converts the message body and attachments into ciphertext that only an authorized recipient can read. The sending client, the mail server, or both handle the encryption depending on the method used.

This guide covers the current methods for encrypting an email across Outlook, Gmail, and HIPAA-focused services. It explains the setup, the sender steps, the recipient experience, and when a dedicated encrypted email service is a simpler fit.

Encryption is one layer in a broader security posture. The right method depends on plan level, recipient environment, and compliance requirements. Read each section to match the method to the use case.

Encryption Standards Fall Into Three Main Categories

Email encryption uses three main models: transport-level encryption, message-level encryption, and portal-based encryption. Each model protects a different segment of the delivery path.

Transport-level encryption uses TLS between the sending and receiving mail servers. TLS is the baseline. It protects the message during network transmission but leaves the content in cleartext on the mail servers at each end.

Message-level encryption uses S/MIME or PGP to encrypt the message body and attachments before they leave the sending client. Only the recipient key can decrypt the message. The mail servers see ciphertext.

Portal-based encryption stores the encrypted message on a server and delivers a link to the recipient. Microsoft Purview Message Encryption and most HIPAA email services use this model. The recipient authenticates and reads the message in a browser session.

Microsoft Purview Message Encryption Covers Most Outlook Users

Microsoft Purview Message Encryption is the default encryption path for Outlook users on Microsoft 365 Business Premium and higher. The sender clicks Options, then Encrypt, in the ribbon of a new message. Purview handles the encryption and delivery on the server side.

Two options appear: Encrypt-Only and Do Not Forward. Encrypt-Only encrypts the content and lets the recipient reply, forward, and print. Do Not Forward encrypts the content and blocks forward, print, and download.

External recipients on Gmail, Yahoo, or another provider receive a notification email with a Read the message button. The button opens outlook.office365.com in a browser. The recipient signs in with a Microsoft or Google account or requests a one-time passcode.

Detailed sender steps are in the Microsoft support guide for encrypted messages in Outlook. The setup on the tenant side is minimal if Azure Rights Management is already active.

encrypting an email in article illustration one

Gmail Users Rely on Confidential Mode or Client-Side Encryption

Gmail offers two encryption features. Confidential mode is available on every Gmail account, including personal Gmail and every Workspace plan. Client-side encryption is available only on Workspace Enterprise Plus and Education Plus.

Confidential mode sets an expiration date and disables forward, copy, print, and download. It does not encrypt the message body in a way that meets HIPAA transmission requirements on its own. Google can still access the content on its servers.

Client-side encryption encrypts the message content in the browser before it reaches Google servers. The encryption keys are managed by the customer through an external key service. Google cannot decrypt the message.

Standard Workspace plans that need encryption for HIPAA use a gateway or a dedicated HIPAA email service. The Gmail interface stays the same. The encryption happens at the outbound gateway or at the service layer.

S/MIME Provides End-to-End Encryption With Certificates

S/MIME is a message-level encryption standard supported by Outlook, Apple Mail, and most enterprise mail clients. It uses X.509 certificates issued by a trusted certificate authority such as DigiCert, Sectigo, or IdenTrust.

The sender installs a personal certificate in the mail client. The recipient must also have an S/MIME certificate available. Outlook stores recipient certificates from signed messages the user has previously received.

Once certificates are in place, the sender clicks Encrypt on a new message. The mail client uses the recipient public key to encrypt the content. The recipient decrypts with the private key stored in the recipient client.

S/MIME provides true end-to-end encryption because no server between the sender and recipient can decrypt the message. The trade-off is certificate management. Practices with dozens of external recipients need a workflow for exchanging certificates before the first encrypted message can go out.

Example

A behavioral health group of eight clinicians switches from personal Gmail to Google Workspace Business Standard for HIPAA coverage. The admin accepts the BAA in the console, but discovers client-side encryption requires Enterprise Plus at roughly $30 per user. Instead of upgrading all eight seats at $240 per month, the group adds a HIPAA email service at $10 per clinician for $80 per month. The service handles PHI mail with encryption plus BAA, and Workspace Business Standard handles everything else.

PGP Handles Encryption Between Technical Users

PGP, sometimes called OpenPGP or GPG, is a second message-level encryption standard. It relies on a web of trust rather than a centralized certificate authority. Users generate a key pair and publish the public key to a key server or exchange it directly.

PGP is common in security research, legal work, and technical communities where both parties are comfortable managing keys. Mainstream Outlook and Gmail do not include PGP out of the box. Third-party plugins add support.

The strengths of PGP are strong cryptography and no dependence on a central authority. The weaknesses are key management overhead and a recipient experience that assumes technical familiarity. A patient receiving a PGP message will not know how to decrypt it.

Healthcare practices sending PHI to patients almost never use PGP because the recipient experience is unrealistic. PGP fits internal or business-to-business scenarios where both sides run the same tooling.

TLS Alone Does Not Meet HIPAA Transmission Requirements

TLS encrypts the connection between mail servers. It is the baseline for any modern mail transmission. TLS 1.2 and TLS 1.3 are the current versions in use, according to NIST SP 800-52 Rev. 2.

Opportunistic TLS is the common default. If the receiving server supports TLS, the connection uses TLS. If the receiving server does not support TLS, the connection falls back to cleartext. A sender using opportunistic TLS cannot guarantee the message stayed encrypted end to end.

Forced TLS requires the receiving server to support TLS or the message does not go out. Forced TLS is safer but harder to configure across a large recipient list. Most Outlook and Gmail tenants use opportunistic TLS by default.

HHS guidance treats TLS as acceptable for transmission but recommends message-level encryption for high-risk PHI. See the HHS Security Rule guidance for the current position. Practices should assume TLS alone is not sufficient.

encrypting an email in article illustration two

Sensitivity Labels Automate Encryption at Scale

Sensitivity Labels in Microsoft 365 apply encryption automatically based on content classification. Administrators define labels in the Microsoft Purview compliance portal and set rules that trigger a label when the message contains specific patterns.

Patterns can include medical record numbers, Social Security numbers, credit card numbers, or custom regular expressions for practice-specific fields. A matching pattern applies the label and the encryption policy in one step.

The sender does not have to remember to click Encrypt. The system enforces encryption based on content. This removes human error from the encryption decision on routine mail.

Deployment requires Microsoft 365 E3 or E5 licensing and configuration of Purview Information Protection. Sensitivity Labels fit large practices and health systems that already run Microsoft 365 at the enterprise tier.

Attachments Are Encrypted Along With the Message Body

Every current message encryption method encrypts attachments as part of the message. S/MIME, PGP, Microsoft Purview, and Google client-side encryption all treat attachments and the body as a single encrypted unit.

The recipient sees one verification step. After the sign-in or key decryption, both the body and the attachments become readable. Do Not Forward rights in Microsoft Purview show attachments in the portal preview and block download.

Attachment size limits apply before encryption is added. Outlook and Gmail cap standard attachments at 20 to 25 megabytes. Very large files exceed the limit and get rejected before encryption is even attempted.

Practices sending large imaging files, video, or full record sets should use a HIPAA-compliant file transfer service instead of email attachments. The email carries the link. The file transfer service handles the payload.

Encryption Alone Does Not Equal HIPAA Compliance

HIPAA compliance includes administrative, physical, and technical safeguards. Encryption is one of the technical safeguards. The covered entity is responsible for the full set.

The covered entity needs a signed business associate agreement with the email provider, access logging, workforce training, an incident response plan, and configuration that enforces encryption on PHI. Microsoft 365 and Google Workspace include a BAA as part of the standard business terms.

Practices that outsource the full mail security posture use a HIPAA email service that includes the BAA, encryption, access logs, and audit trails in a single plan. Mailhippo is one option for practices that want a HIPAA-compliant secure email service that works with an existing Gmail or Outlook account without switching providers.

The choice between running encryption inside Microsoft 365 or Google Workspace and using a dedicated service comes down to IT capacity, license cost across all seats, and the sensitivity of the mail volume.

๐Ÿ’กPro Tip: Test the recipient view before rolling out to staff

The sender view is not the recipient view. Send a test encrypted message to your own personal Gmail, Yahoo, and a corporate Outlook address. Walk through each opening path start to finish. If any path takes more than a minute or requires an account, patients will drop off. Front-desk staff who have not seen the recipient view cannot answer basic questions on the phone, and open rates on patient PHI mail crash within the first week.

Practical Setup Checklist for a First-Time Sender

A first-time sender can get an encrypted message out today by picking one path and running through the setup. The choice depends on the mail platform already in use.

  • Confirm the license level of the Microsoft 365 or Google Workspace tenant.
  • Verify that a business associate agreement is in place with the mail provider if PHI is involved.
  • Enable the Encrypt button in Outlook or client-side encryption in Gmail if the license supports it.
  • Test with an external recipient on a different mail platform to see the actual recipient view.
  • Document the sender steps for staff who will send encrypted mail on a routine basis.

The test send matters. The sender view is not the recipient view. A practice sending encrypted PHI to a patient should see the exact browser experience the patient will see before sending real mail.

Practices building the wider HIPAA posture around the encryption method also need to cover the website, intake forms, and patient portals. See the guide on healthcare website security features for the site-side controls that pair with encrypted email.

Common Errors When Encrypting an Email

Several errors show up in the first weeks of a new encrypted email workflow. Most trace back to license mismatch, recipient environment, or a missing configuration step on the tenant.

  • The Encrypt button does not appear in Outlook because the license is Business Basic or Business Standard.
  • The recipient does not receive the notification because a corporate spam filter blocks the outlook.office365.com sender.
  • The S/MIME send fails because the recipient certificate is not in the Outlook contact record.
  • The one-time passcode does not arrive because the recipient inbox filters bulk mail into a folder the recipient does not check.
  • Attachments exceed the 25 megabyte limit and get rejected before encryption is applied.

Each of these errors has a fix. Licensing is a purchase or a switch to a service that bundles encryption. Recipient filters can be addressed by asking the recipient to allow the sender domain. Certificates can be exchanged through a first signed message.

Related reading covers practical steps for common platforms: to encrypt an email, encrypting email in Outlook, email encrypting workflows, and what does encrypting an email do in outlook. Each guide breaks down the sender view for a specific tool.

When a Dedicated Encrypted Email Service Fits Better

A dedicated encrypted email service fits practices that need HIPAA compliance without adding license overhead or IT complexity. The service handles the encryption, the BAA, the access logs, and the recipient portal.

The sender writes mail in the same Gmail or Outlook interface. Outbound mail routes through the service gateway. The recipient gets a portal link or a native decrypt depending on the service configuration.

Mailhippo is a HIPAA-compliant secure email service that works with existing Gmail and Outlook accounts. The BAA is included in the base plan. Encryption applies to every outbound message. Recipients open messages with one click, without creating a Microsoft or Google account.

Practices building the wider healthcare digital presence often pair encrypted email with a compliant site, intake, and portal setup. A healthcare marketing agency can coordinate the site and communication layer around the encryption service already in place.

Frequently Asked Questions

What is encrypting an email? +

Encrypting an email is the process of converting the message body and attachments into ciphertext so that only an authorized recipient with the correct key can read the content. The encryption can happen at the sending client, at the sending mail server, or at both points. Modern methods include S/MIME, PGP, Microsoft Purview Message Encryption, Google Workspace client-side encryption, and gateway-based encryption used by HIPAA email services. Each method protects the same fundamental thing: the confidentiality of the message contents in transit and at rest.

Does encrypting an email make it secure? +

Encryption protects the message contents from interception and unauthorized reading. It does not protect against a compromised sender account, a compromised recipient account, or social engineering that tricks either party into sharing credentials. Encryption is one control in a layered security model. Practices sending PHI need encryption plus multi-factor authentication, access logging, phishing training, and endpoint protection. Encryption also does not protect a message that a legitimate recipient forwards to an unauthorized party, unless rights management is applied on top of the encryption.

Does encrypting an email encrypt attachments? +

Yes. S/MIME, PGP, Microsoft Purview Message Encryption, and Google Workspace client-side encryption all encrypt attachments along with the message body. The recipient sees a single verification step for both. Do Not Forward rights in Microsoft Purview block download of attachments and display them only in the portal preview. Attachment size limits still apply. Practices sending very large files containing PHI should use a HIPAA-compliant file transfer service instead of email attachments, because the mail server may reject files that exceed the platform limit before encryption is applied.

How do I encrypt an email in Outlook? +

Open a new message in Outlook. Click Options in the ribbon. Click Encrypt and pick Encrypt-Only or Do Not Forward. Encrypt-Only lets the recipient reply, forward, and print. Do Not Forward blocks forward, print, and download. Write the message, add recipients, and click Send. Microsoft Purview handles the delivery. Internal Microsoft 365 recipients see the message inline. External recipients receive a notification with a Read the message button that opens the encrypted content in a browser tab on outlook.office365.com.

How do I encrypt an email in Gmail? +

Gmail on Google Workspace Enterprise Plus and Education Plus supports client-side encryption. The admin enables it in the Google Admin console under Security, Access and data control, Client-side encryption. Users see a lock icon in the compose window that toggles encryption on. Standard Gmail and Workspace Business plans do not have this feature. Those accounts can use confidential mode, which sets an expiration and disables forwarding, or route encrypted mail through a HIPAA email service that works with the existing Gmail account.

What are the benefits of encrypting an email? +

Encryption blocks interception of message contents in transit, protects the content at rest on mail servers, and reduces the impact of a mail server breach because the stolen data is ciphertext. For regulated industries, encryption is a required control under HIPAA, HITECH, GLBA, and similar frameworks. For any business, encryption reduces the risk of an accidental data disclosure when a message is sent to the wrong address or forwarded outside the organization. Recipients also gain confidence that the sender has invested in secure communication.

Is TLS encryption enough for HIPAA compliance? +

TLS encrypts the connection between mail servers but does not encrypt the message at rest inside the recipient inbox. TLS also depends on both sending and receiving servers supporting the same version and cipher suite. Opportunistic TLS falls back to cleartext if the receiving server does not support TLS. The HHS guidance on encryption treats TLS as one acceptable safeguard for transmission but recommends message-level encryption for high-risk PHI. Practices should assume TLS alone is not sufficient and layer message-level encryption on top for regulated content.

How Can I Encrypt My Emails in Gmail, Outlook, and Office 365

how can i encrypt my emails guide featured image

๐Ÿ”‘ Key Takeaways

  • Email encryption stacks in three layers: TLS in transit, portal-based, and full end-to-end.
  • Personal Gmail has zero real encryption; Confidential Mode fails HIPAA, CMMC, and GDPR checks.
  • Outlook’s Encrypt button on Business Premium runs Purview and reaches any recipient via portal.
  • S/MIME suits business rollouts; PGP suits individuals; both stall on recipients without keys.
  • Compliance needs a BAA, retained logs, and a documented standard, not a per-message click.

The question “how can I encrypt my emails” has different answers depending on which mail provider is in front of you. Gmail, Outlook, and Microsoft 365 each expose different controls, and personal accounts on all three offer less than their business counterparts.

This guide walks through the encryption paths available in each platform, explains where S/MIME and PGP fit, and covers the compliance layer for practices that need audit trails. For practices sending patient information, dedicated encrypted email services are usually the shortest path.

Each section below covers the steps for a specific platform or method. Skip to the section that matches your setup.

Three layers of email encryption you need to understand first

Email encryption is not one thing. It operates at three layers, and each solves a different problem.

The first layer is TLS between mail servers. It protects the message on the wire from one server to the next. Gmail, Outlook.com, and Microsoft 365 all enforce TLS 1.2 or 1.3 by default when the receiving server supports it.

The second layer is message-level encryption. The mail provider encrypts the message body on its own servers and delivers it to external recipients through a portal or a signed session. Microsoft Purview Message Encryption and Google Workspace hosted S/MIME operate at this layer.

The third layer is end-to-end encryption. The message body is encrypted on the sender’s device and stays encrypted until the recipient decrypts it. S/MIME with client-held certificates and PGP both operate at this layer.

Most business scenarios stop at the second layer. The third layer adds friction that only pays off when the message content is unusually sensitive or the recipient’s mail server cannot be trusted with plain text.

How to encrypt emails in Gmail with a Workspace account

Gmail on Google Workspace Enterprise Plus supports hosted S/MIME. The admin enables it in the Google Admin console under Apps, Google Workspace, Gmail, User settings.

Once enabled, users upload their S/MIME certificate through Gmail settings. Compose messages then show a lock icon next to the recipient field, indicating that the message will send encrypted.

Encryption only applies when the recipient also holds a certificate. For recipients without one, Gmail falls back to standard TLS delivery. That fallback is the reason S/MIME alone is not sufficient for a healthcare workflow.

The Google Workspace S/MIME setup guide walks through the certificate upload and enforcement policies. Confidential Mode is not a substitute for S/MIME and does not satisfy HIPAA.

Practices on lower Workspace tiers do not have hosted S/MIME. Those accounts need a third-party gateway or a dedicated compliant email service.

how can i encrypt my emails in article illustration one

How to encrypt emails in Outlook with a Microsoft 365 plan

Outlook on Microsoft 365 Business Premium, E3, and E5 exposes an Encrypt button in the compose window. It sits in the Options ribbon on the desktop app and in the three-dot menu on Outlook web.

Clicking Encrypt triggers Purview Message Encryption. The user picks an encryption policy such as Encrypt Only or Do Not Forward. The message travels encrypted, and external recipients receive a portal link with sign-in options.

The Microsoft Purview Message Encryption documentation details the policy options and the recipient experience. Setup usually completes in the admin center within an hour if Azure Rights Management is already active on the tenant.

Business Basic and Business Standard do not include the Encrypt button. Practices on those plans either upgrade or add a dedicated encryption layer. Sibling coverage for the Outlook-specific path is in can I encrypt emails in Outlook.

For a broader walkthrough of Gmail-side encryption steps, see how can I encrypt an email.

Setting up S/MIME on a desktop Outlook client

Desktop Outlook supports S/MIME natively. The user needs a certificate issued to their email address, installed in the Windows certificate store or on a smart card.

  • Obtain an S/MIME certificate from a trusted certificate authority. Commercial certificates cost $20 to $60 per year.
  • Import the certificate into the Windows certificate store under Personal, Certificates.
  • In Outlook, open File, Options, Trust Center, Trust Center Settings, Email Security.
  • Under Encrypted email, click Settings and select the imported certificate.
  • Optionally enable Encrypt contents and attachments for outgoing messages to make encryption the default.

Once configured, the compose window shows a lock icon when the recipient’s certificate is available. If the recipient has never sent a signed message, Outlook cannot encrypt to them until their certificate is exchanged.

The exchange step is the operational tax of S/MIME. It works well inside a practice where every mailbox has a certificate. It falls apart with external partners and patients who do not.

Example

A five-provider family medicine clinic runs on Google Workspace Business Standard at $12 per user per month. Staff want to send referral summaries to a cardiologist on Outlook. Business Standard does not include hosted S/MIME. Upgrading five seats to Enterprise Plus at $30 each would cost $150 per month. Instead, the practice adds a gateway service at $10 per mailbox that layers on top of Workspace, keeps Gmail as the compose interface, and includes the BAA and audit trail for $50 per month total.

Using PGP with Thunderbird or Mailvelope

PGP encryption uses a public-private key pair that the user generates and controls. It works with any email account, including personal Gmail and Outlook.com, but requires a compatible client on both ends.

Thunderbird has built-in PGP support since version 78. The user generates a key pair in Account Settings, End-to-End Encryption. The public key is shared with correspondents through a keyserver, direct exchange, or embedded in outgoing signatures.

Mailvelope is a browser extension that adds PGP support to Gmail and other web-based clients. It handles key generation and message encryption directly in the browser without the mail provider seeing plain text.

PGP is the preferred method for individual users, journalists, and technical audiences who prioritize key control. It is rarely the right method for a healthcare practice because patients and referring providers will not install a PGP client.

For a client-facing walkthrough of PGP versus gateway encryption, the sibling article how do my clients encrypt email covers the tradeoffs.

Encrypting attachments without encrypting the message

Sometimes the message body is fine to send in plain text and only the attachment carries sensitive data. Password-protecting the attachment lets the email travel through any provider.

  • Compress the file using 7-Zip, WinRAR, or Windows built-in compression with AES-256 encryption enabled.
  • Set a strong password of 12 characters or more with mixed case, numbers, and symbols.
  • Attach the encrypted archive to the email as normal.
  • Share the password over a separate channel, such as a phone call, SMS, or in-person conversation.

This method is common for one-off file transfers between organizations that have no shared encryption infrastructure. It is not compliant on its own for HIPAA because it does not produce an audit trail and the password channel is often insecure.

Practices exchanging patient files frequently should route those exchanges through a compliant email service instead. The sibling piece on how to encrypt my sent emails covers the outbound side in more depth.

how can i encrypt my emails in article illustration two

Government and military email encryption requirements

Army and other DoD email accounts require encryption through the DoD Common Access Card or Personal Identity Verification card. The CAC holds the S/MIME certificate that Outlook and OWA use to encrypt outbound mail.

Signed drivers for the CAC reader and the ActivClient middleware need to be installed on the endpoint. Once installed, Outlook detects the certificate and enables Sign and Encrypt buttons in the compose ribbon.

Encrypting from a home computer to a .mil address requires the sender’s CAC and the recipient’s published certificate. The DoD Global Address List holds those certificates for internal-to-internal traffic.

Contractors handling Controlled Unclassified Information under CMMC use a similar S/MIME model or a compliant email gateway. The NIST SP 800-171 Rev. 2 guidance covers the required controls for those workloads.

Compliance-driven encryption for HIPAA, CMMC, and GDPR

User-driven encryption on a per-message basis rarely satisfies a compliance framework. The framework requires a documented standard, retained audit trails, and a signed agreement with the vendor handling the data.

HIPAA requires a Business Associate Agreement with the email vendor. CMMC requires FIPS 140-2 validated cryptographic modules for CUI. GDPR requires a Data Processing Agreement covering personal data of EU residents.

A gateway-based compliant service handles all three by applying encryption at the mail server, retaining logs, and providing the signed agreement in the base plan. That removes the burden of a user deciding whether a specific message qualifies.

Practices that also send bulk patient communications should coordinate with a healthcare marketing agency so that outreach and compliance sit on the same infrastructure.

The HIPAA Journal breakdown of compliant email is the authoritative external reference for the healthcare side.

๐Ÿ’กPro Tip: Pick the framework before you pick the technology

Framework first, technology second. HIPAA, CMMC, and GDPR each demand different documentation and cryptographic standards. Write down which framework applies, which data types you send, and how you will prove encryption during an audit. Only then compare S/MIME, Purview, or gateway services against those requirements. Buying the tool first almost always produces a mismatch that surfaces six months later.

Verifying that a message was actually encrypted

An encrypted send is only useful if the encryption held. Every major mail client provides a way to verify.

In Gmail, open the message, click the three-dot menu, and select Show Original. The header displays the TLS status of the delivering connection.

In Outlook desktop, right-click the message and choose Message Options. The header shows Received lines with TLS version details.

For end-to-end encryption, the client shows a lock icon or shield in the message header. S/MIME messages in Outlook show a blue ribbon. Encrypted messages in Gmail show a green lock.

If none of those indicators appear, the message either traveled without encryption or the encryption fell back to a lower tier than the sender expected. That is worth catching before the next send rather than after an audit.

When a dedicated compliant email service saves setup time

The setup steps above cover the manual paths available in Gmail, Outlook, and Microsoft 365. Each works for individual users comfortable managing certificates or keys per contact.

A dedicated compliant email service replaces the manual path with an automatic one. The practice connects its existing mailbox, adds a DNS record, and every outbound message is encrypted at the gateway. No per-contact certificate exchange is required.

Mailhippo is one example of that model. It works with existing Gmail and Microsoft 365 accounts, includes the Business Associate Agreement in the base plan, and delivers messages directly to recipient inboxes without a portal login for standard scenarios.

For the underlying encryption model comparison, the sibling article how to encrypt email covers the technical layer in more depth. For the recipient-side experience, how can you encrypt an email walks through what the reader sees.

Choosing the right method for your workflow

The right encryption method depends on volume, sensitivity, and recipient technical skill.

Individuals sending occasional sensitive messages to technical peers can use PGP through Thunderbird or Mailvelope. The setup pays off because the recipient list is small and every recipient has the tools.

Small businesses on Microsoft 365 Business Premium can use the Encrypt button. It handles the recipient experience through the portal and needs no per-user certificate.

Healthcare practices, law firms, and financial services with compliance obligations need a gateway-based service. It removes the user decision and produces the audit trail auditors ask for.

Practices reviewing the broader digital footprint alongside the email decision can also review their healthcare website security features so the same standards apply across email, forms, and portals.

Frequently Asked Questions

Can I encrypt an email in regular Gmail without upgrading my plan? +

Not with real encryption. Personal @gmail.com accounts do not offer S/MIME or Purview-style message encryption. Confidential Mode adds an expiration date and disables forwarding on some clients, but the message body is not encrypted in a way that satisfies HIPAA or CMMC. Options are to upgrade to Google Workspace Enterprise Plus for hosted S/MIME, install a browser extension that adds PGP support on both sides of the conversation, or route the mailbox through a dedicated encryption gateway that handles the encryption automatically.

What does the Encrypt button in Outlook actually do? +

On Microsoft 365 Business Premium and Enterprise plans, the Encrypt button triggers Purview Message Encryption. The message is encrypted at the Microsoft server and delivered to external recipients through a portal link. Internal recipients on the same tenant read the message directly in Outlook because the encryption keys travel inside the tenant. The button appears in the Options ribbon on desktop Outlook and in the three-dot menu on Outlook web. It does not appear on personal @outlook.com accounts.

Do I need to buy an S/MIME certificate for every employee? +

One per employee, yes, if you route encryption through S/MIME. Certificates are issued per email address by a trusted certificate authority and typically cost $20 to $60 per year at the business tier. Some Microsoft 365 Enterprise plans include managed certificates. The larger operational cost is the certificate exchange with external recipients, because both sides need each other’s public certificate before encryption works. That exchange is the reason many practices choose a gateway-based service instead of S/MIME.

Can I encrypt an attachment without encrypting the email itself? +

Yes, and it is a common workaround. Zip the file with a password using 7-Zip or the built-in Windows compression tool, then share the password over a separate channel like a phone call or SMS. The email carrying the encrypted zip stays unencrypted, so it can travel through any provider. The tradeoff is friction for the recipient, who has to install a compatible unzip tool and manage the password. Encrypting the message itself is simpler once the practice has a compliant service in place.

How does encryption work with a mobile Gmail or Outlook app? +

Gmail on mobile inherits the encryption settings of the underlying account. A Workspace mailbox with hosted S/MIME sends encrypted messages from the mobile app once the certificate is installed on the device. Outlook on iOS and Android supports the Encrypt button for Microsoft 365 Business Premium and Enterprise users. Personal accounts on both apps have no encryption controls. A gateway-based compliant email service handles encryption at the server, so the mobile experience is identical to a regular send.

Does encrypting an email hide the subject line? +

Usually not. Most encryption methods, including S/MIME, PGP, and Microsoft Purview Message Encryption, encrypt the message body and attachments but leave the subject line in plain text. That is because mail servers use the subject for routing, filtering, and threading. Sensitive information should therefore stay out of the subject line even when the message body is encrypted. Some end-to-end services encrypt the subject as well, but interoperability with standard clients drops sharply when they do.

How do I verify that a specific email was actually encrypted in transit? +

On Gmail, open the message and click the three-dot menu, then View Original. The header shows the TLS status of the connection that delivered the message. On Outlook, right-click the message and select Message Options or View Source. Look for the Received header lines and check for TLS 1.2 or 1.3 versions. For end-to-end encrypted messages, the client shows a lock or shield icon in the message header. If neither the header nor the icon confirms encryption, the message traveled unprotected.

What Does Encrypting an Email Do Behind the Scenes

what does encrypting an email do guide featured image

๐Ÿ”‘ Key Takeaways

  • Encryption turns the body and attachments into ciphertext only the recipient key can decode.
  • Outlook’s Encrypt button applies a Purview template that controls reply, forward, and copy rights.
  • Gmail Confidential Mode adds portal access and expiry but leaves the body readable to Google.
  • Native tools encrypt attachments alongside the body; files above 25 MB usually need a portal.
  • Encryption never hides sender, recipient, subject, timestamp, or message size from the network.

Encrypting an email means one thing in a headline and something more specific inside the mail flow. The button in Outlook, the shield in Gmail, and the toggle in a dedicated service each perform a slightly different action on the message, the attachments, and the recipient experience.

This guide covers what encryption actually does to the body, attachments, subject line, and metadata across the major clients, and where dedicated tools like an encrypted email service fit when native options do not match the workflow.

The intent is a practical picture, not a cryptography lecture. Practice managers, compliance leads, and IT administrators can use it to align staff training with the real mechanics.

Encrypting an Email Transforms the Body Into Ciphertext

At the mechanical level, encryption replaces the readable message body with a string of characters that mean nothing without a key. The transformation uses a symmetric cipher such as AES-256 for the body itself and an asymmetric algorithm to protect the AES key for the recipient.

The transformation happens in one of three places. The sender client does it locally in S/MIME and PGP. The sender mail server does it in Microsoft Purview Message Encryption and Workspace routing. A dedicated encryption service does it inside its own infrastructure before the message leaves.

The recipient decrypts using their private key, their certificate, or a portal sign-in. The decrypted body appears inside the recipient inbox or portal session, and it stays there until the recipient closes the session or deletes the message.

Anything intercepted on the wire between sender and recipient sees only ciphertext. The NIST guidance on trustworthy email covers the specific cipher and key management standards regulated organizations should apply.

what does encrypting an email do in article illustration one

Attachments Encrypt Along With the Body in Native Tools

Attachments follow the encryption method chosen for the message body in most native implementations. Outlook with the Encrypt button, Workspace with client-side encryption, S/MIME, and PGP all cover attachments as part of the encrypted payload.

The recipient sees decrypted attachments alongside the decrypted body once they authenticate. The attachment file names and sizes stay hidden inside the encrypted payload in most cases, so a network observer cannot tell whether the message carried a PDF, a spreadsheet, or a set of image files.

Attachments over 25 MB run into message-size limits on most mail systems. That is where portal delivery through a dedicated service handles the case. The attachment uploads separately to a secure portal, and the recipient authenticates through a link.

File-level encryption with a PDF password or a ZIP password is a separate approach. It does not require email encryption at all. The tradeoff is key exchange, since the sender has to communicate the file password out of band. Email-level encryption avoids that step by binding decryption to the recipient identity.

The Subject Line Usually Stays in Cleartext

Most encryption implementations leave the subject line unencrypted for routing and inbox display. Office 365 Message Encryption, standard S/MIME, PGP, and portal-based systems all follow this pattern. The recipient sees the subject in their inbox alongside the sender name before opening anything.

That reality shapes staff training. Subject lines should not carry patient names, diagnosis codes, financial figures, or contract terms. Neutral phrasing like “Report available” or “Follow-up from clinic” keeps the sensitive content inside the encrypted body.

S/MIME 4.0 supports subject encryption when both sender and recipient clients implement the extension. Adoption is limited. For most cross-organization exchanges, the subject travels in cleartext regardless of what encryption method protects the body.

Practices that route encrypted mail through a subject-line trigger like the word “secure” should also strip that trigger from the outbound subject through a rewrite rule. That way the sensitivity marker does not leak into the recipient inbox preview.

Example

A billing manager at a physical therapy clinic clicks the Encrypt button in Outlook 365 before sending a 3 MB PDF superbill to a patient at yahoo.com. Purview applies the Encrypt template, ciphers the body and PDF together with AES-256, and rewrites the message as a notification with a Read the message button. The subject line "Statement for March visits" travels in cleartext because Purview does not encrypt subjects. The patient signs in through the Microsoft portal with a one-time passcode delivered to her Yahoo inbox and downloads the superbill inside the portal session.

Metadata Continues to Travel in Cleartext

Encryption protects the body and attachments. It does not protect the routing metadata. The sender address, recipient addresses, message ID, timestamp, and message size travel in cleartext through the SMTP relay chain.

An observer with access to the relay path can build a communication pattern from that metadata even without reading a single body. Who sends to whom, when, and how often is often the payload of value in intelligence work.

For most healthcare, legal, and financial email, body encryption plus HIPAA or equivalent framework coverage is sufficient. The metadata gap matters most in high-stakes negotiations, executive communication, and situations where the pattern itself signals value to an adversary.

Organizations concerned about metadata typically move sensitive discussion to secure messaging platforms with additional protections. Email remains the correct tool for most patient and client communication.

what does encrypting an email do in article illustration two

Encryption in Outlook Applies a Rights Management Template

Clicking the Encrypt button in Outlook connected to Microsoft 365 applies a rights management template to the message. The default templates include Encrypt, which allows the recipient to reply, and Do Not Forward, which removes reply and forward permissions.

Administrators can create custom templates that add expiration dates, watermarks on displayed content, or restrictions on copying and printing. The template travels with the message and the client enforces the rules.

External recipients on any email platform get a portal link. They sign in with a Microsoft, Google, or Yahoo account, or they request a one-time passcode. The Microsoft Purview Message Encryption documentation covers the exact recipient experience.

Internal recipients on the same Microsoft 365 tenant often see inline decryption because their client already trusts the tenant identity. Cross-tenant Microsoft 365 recipients typically get the portal step, though federation configurations can smooth that path.

Encryption in Gmail Uses One of Three Distinct Mechanisms

Gmail encrypts email through three separate mechanisms, and each does something different. Confusion between them is the most common source of policy gaps in healthcare practices using Workspace.

The mechanisms are:

  • TLS in transit, which every Gmail message uses when the receiving server supports it.
  • Confidential Mode, a portal-based access control with expiration and passcode options.
  • Client-side encryption on Workspace Enterprise Plus and Education Plus, which uses a customer-managed key from an external key service.

Only client-side encryption cryptographically protects the body against Google itself. TLS protects the wire. Confidential Mode restricts access but stores the body normally on Google infrastructure. S/MIME on eligible Workspace plans is a fourth option that administrators enable per domain.

Confidential Mode does not qualify as HIPAA-covered encryption on its own. The Google Workspace admin guide on hosted S/MIME covers the S/MIME configuration path for regulated tenants.

๐Ÿ’กPro Tip: Write neutral subject lines regardless of encryption

Purview, S/MIME, PGP, and most portal-based systems leave the subject line in cleartext. A subject like "MRI results for John Smith" leaks protected health information before the recipient opens anything. Train staff to write neutral subjects like "Report available" or "Follow-up from clinic" and keep sensitive detail inside the encrypted body. That single habit closes a gap that no encryption product on the market fixes for you.

Comparison of What Each Encryption Method Actually Protects

The table compares what the major encryption methods cover and what they leave exposed.

Method Body encrypted Attachments encrypted Subject encrypted Metadata encrypted
Outlook Encrypt button (Purview) Yes Yes No No
Gmail Confidential Mode No, portal only No, portal only No No
Workspace client-side encryption Yes Yes No No
S/MIME Yes Yes No, 4.0 optional No
PGP Yes Yes No No
Dedicated encrypted email service Yes Yes, via portal for large files No No

Practices routing all outbound mail through a secure email service get consistent body and attachment coverage without matching license tiers or maintaining transport rules across a tenant.

What Encryption Does Not Do

Understanding the limits of email encryption matters as much as understanding what it protects. Encryption does not stop a compromised sender account from generating new encrypted messages to attacker-controlled addresses.

Encryption does not stop a compromised recipient inbox from leaking decrypted content once the recipient reads the message. It does not prevent screenshot exfiltration by an authorized recipient who chooses to share content out of policy.

Encryption does not backfill weak account security. Multi-factor authentication on the sender account, endpoint protection on the recipient device, and access logging remain separate controls that pair with encryption to form a full posture.

The HIPAA Journal covers real breach cases where encryption alone did not prevent PHI exposure because the surrounding controls failed. Encryption is necessary but not sufficient on its own.

Related Setup Steps to Verify After Enabling Encryption

After turning on encryption in Outlook, Workspace, or a dedicated service, a short verification checklist confirms the setup covers the intended workflow. Skipping any of these items produces silent gaps that surface during compliance reviews or breach investigations.

Check each item:

  • External recipients on Gmail, Outlook, Yahoo, and iCloud can decrypt without additional software installation.
  • The signed business associate agreement covers the specific encryption feature in use, not just the base mailbox.
  • Attachments in the size range staff actually send arrive intact and encrypted.
  • The sent items folder shows a visible confirmation that the encryption action fired.
  • Message trace or audit logs record the encryption event for compliance evidence.

Healthcare practices building patient communication programs around encrypted email benefit from aligning the encryption layer with the broader site and intake experience. A healthcare marketing agency can help ensure the patient-facing message matches the security posture staff execute on outbound mail.

For related reading on how encryption fits into the broader website security posture regulators expect, see the guide on security features for healthcare websites. Encryption is one control among many, and the surrounding controls determine whether it holds up under audit.

Frequently Asked Questions

What does encrypting an email do to the message body? +

Encrypting the message body replaces the readable text with ciphertext that requires a key or authentication to decode. In S/MIME, the recipient certificate provides the decryption key. In PGP, the recipient private key does the same. In Microsoft Purview and portal-based systems, the recipient authenticates through a browser sign-in and the server delivers decrypted content inside the portal. The original readable text never travels outside the sender and recipient trust boundary in plain form. Anyone who intercepts the message on the wire sees only ciphertext until a valid key or portal session decodes it.

What does encrypting an email do in Outlook specifically? +

In Outlook connected to a Microsoft 365 plan that includes Purview Message Encryption, clicking the Encrypt button on the Options ribbon applies an encryption template. The template determines recipient permissions and routing. External recipients get a portal link. Internal recipients often see inline decryption. Attachments protect along with the body. In personal Outlook.com accounts or on plans without the required license, the Encrypt button is absent and the client provides no native encryption. That is a common source of confusion when staff move between tenants.

What does encrypting an email do to attachments? +

Native encryption in Microsoft 365 and Workspace covers attachments as part of the encrypted message payload. When the recipient opens the message through the portal or with their key, they see the attachments decrypted alongside the body. S/MIME and PGP encrypt the entire MIME structure so attachments protect the same way. Large attachments above 25 MB usually cannot travel by message-level encryption and need portal delivery through a dedicated service. File-level encryption using a password on a PDF or ZIP is a separate approach and does not require email-level encryption.

Does encrypting an email hide the subject line? +

In most implementations no. Office 365 Message Encryption, standard S/MIME, PGP, and most portal-based systems leave the subject line in cleartext for routing and inbox display. That is why compliance teams write encryption policies that require neutral subject lines with no PHI or sensitive detail. S/MIME 4.0 introduced an extension for subject encryption, but both sender and recipient clients must support it, and most cross-organization exchanges do not have that support. Assume the subject is visible and write it accordingly.

Does encrypting an email stop a compromised inbox from leaking? +

No. Encryption protects the message in transit and at rest until the recipient decrypts. Once the recipient reads the message inside their inbox, the content sits in plain form in whatever storage the recipient client uses. If an attacker has already compromised the recipient inbox through credential theft or session hijacking, they read the decrypted content along with the recipient. Encryption is one control in a broader posture that includes account security, multi-factor authentication, and endpoint protection on the recipient side.

What does encrypting an email do to metadata like sender and timestamp? +

Metadata stays in cleartext on most email encryption implementations. The sender address, recipient addresses, subject line, message ID, timestamp, and message size travel through routing systems in readable form. Encryption protects the body and attachments only. That is why sensitive negotiations, medical case discussions, and legal exchanges often use dedicated secure messaging platforms instead of email, when the metadata pattern itself carries value to an attacker. For most healthcare communication, body encryption plus a business associate agreement covers the HIPAA requirement.

What is the difference between encrypting an email and using Confidential Mode in Gmail? +

Encrypting an email cryptographically transforms the body and attachments into ciphertext that requires a key or portal authentication to decode. Confidential Mode is a Gmail feature that stores the body normally on Google servers but restricts access through a link-based portal with expiration and passcode options. Confidential Mode is portal access control, not cryptographic body protection. The distinction matters for HIPAA because Google business associate agreement coverage does not extend to Confidential Mode content the same way it covers standard Workspace mail with the appropriate encryption controls.

Outlook Secure Email Encryption for Healthcare and Business Users

outlook secure email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook offers three encryption paths: Purview Message Encryption, S/MIME certs, and plain TLS.
  • The Encrypt button appears only on Business Premium, E3, E5, or a Microsoft 365 Compliance add-on.
  • S/MIME delivers true end-to-end but demands certificates on both sides and per-recipient exchange.
  • Opportunistic TLS drops to plain text without warning; force TLS via mail flow rules for HIPAA.
  • Microsoft’s BAA covers Purview only on eligible plans; unlicensed tenants need a dedicated service.

Outlook secure email encryption covers three distinct mechanisms, and each one solves a different problem. Confusing them wastes IT hours and leaves protected mail exposed.

Microsoft ships Purview Message Encryption, S/MIME, and opportunistic TLS across the Microsoft 365 stack. The right choice depends on plan level, recipient environment, and whether the send touches regulated data like PHI. For teams that need a simpler layer over Outlook or Gmail, a dedicated encrypted email service handles the details in the background.

This guide walks each option, the license and setup requirements, and where Outlook secure email encryption fits inside a HIPAA compliant workflow.

The Three Encryption Layers Outlook Actually Supports

Outlook does not have a single encryption switch. It exposes three layers, and each protects a different piece of the send.

Transport Layer Security protects the connection between the sender mail server and the recipient mail server. Microsoft 365 negotiates TLS on every outbound send by default. If the receiving side supports it, the wire hop is encrypted.

Microsoft Purview Message Encryption sits on top of Exchange Online and wraps the message in a portal experience. The Encrypt button on the Outlook Options ribbon triggers it. External recipients open the message through a link and authenticate with Microsoft, Google, or a one time passcode.

S/MIME encrypts the message body with a certificate pair. The sender needs a certificate installed in the Windows certificate store. The recipient needs a matching public certificate that the sender has previously received. It is the strictest option and the most technical to run at scale.

TLS Is a Baseline, Not a Compliance Answer

TLS in Outlook covers the connection between mail servers. Exchange Online offers TLS 1.2 and TLS 1.3 depending on the negotiation with the receiving system.

The catch is that TLS is opportunistic by default. If the receiving mail server does not advertise TLS support, Exchange Online delivers over plain text unless a mail flow rule enforces the connection or blocks the send.

TLS also does nothing once the message lands. The body sits in the recipient inbox as regular mail. Anyone with access to the receiving mailbox can read it, and anyone who compromises that account reads the message too.

For HIPAA sends, TLS is the floor. Auditors expect message level encryption on top of TLS, either through Purview, S/MIME, or a third party secure email service. Force TLS on outbound connectors with mail flow rules when TLS must not fall back.

outlook secure email encryption in article illustration one

Microsoft Purview Message Encryption Explained

Microsoft Purview Message Encryption, formerly Office 365 Message Encryption, is the mechanism most Outlook users know as the Encrypt button. It builds on Azure Rights Management.

Senders click Options, then Encrypt, then pick a policy. The default policies are Encrypt Only, Do Not Forward, Confidential, and Highly Confidential. Encrypt Only lets the recipient read and reply. Do Not Forward blocks forwarding and printing.

External recipients receive a wrapper email with a link. Clicking the link opens the Microsoft encrypted message portal. They authenticate with a Microsoft account, a Google account, a Yahoo account, or a one time passcode delivered by email.

Microsoft 365 users inside the same tenant see the message inline. No portal is needed. See the Microsoft Learn Message Encryption documentation for full setup detail.

S/MIME Setup for Certificate Based Encryption

S/MIME uses a certificate pair for signing and encryption. It is the strongest form of Outlook secure email encryption in the sense that only the recipient private key decrypts the message.

Start by obtaining a valid S/MIME certificate. Public certificate authorities issue them, and enterprises with an internal PKI can issue them as well. Install the certificate in the Windows certificate store on the sender device.

In Outlook desktop, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings and pick the installed certificate. Set the hashing and encryption algorithms. AES-256 for content and SHA-256 for signatures are the current defaults.

Before encrypting to a recipient, send a signed message first. The signature carries the sender public certificate. The recipient client stores it and can then encrypt replies back. Both sides need this exchange to complete before message level encryption works.

Example

A 12-seat orthodontic office runs on Microsoft 365 Business Standard at $12.50 per user per month. Staff need to send treatment plans to referring dentists and patient parents. Business Standard has no Encrypt button. Upgrading all 12 seats to Business Premium at $22 raises the monthly bill by $114. Instead, the office adds a dedicated secure email service at $10 per mailbox for the four staff who send regulated mail. Total added cost is $40 per month, BAA included in the base plan.

Comparing Purview, S/MIME, and TLS at a Glance

Each Outlook encryption path fits a different use case. The table below maps the main attributes so an IT lead can pick without reading three product pages.

Attribute Purview Message Encryption S/MIME TLS
Encryption scope Message body and attachments Message body and attachments Server to server connection
License required Business Premium, E3, E5, or add on Any Microsoft 365 plan with valid certificate Included on all plans
Recipient experience Portal link with sign in or passcode Inline in S/MIME capable clients Transparent
Per recipient setup None Public certificate exchange None
Fits HIPAA sends Yes, under Microsoft BAA Yes, with proper key management Only as a supporting layer
Ease of ad hoc use High Low N/A

Purview and a third party service handle the ad hoc case cleanly. S/MIME fits fixed partner exchanges where certificates are exchanged once and reused.

Enabling the Encrypt Button in the Outlook Ribbon

Purview Message Encryption is on by default for eligible tenants. The Encrypt button appears in Outlook on the web, Outlook for Windows, Outlook for Mac, and modern mobile Outlook apps.

If the button is missing, the tenant likely lacks a qualifying license, or Azure Rights Management is not activated. In the Microsoft 365 admin center, an administrator can verify license assignment on the user and confirm the Rights Management service is active.

Administrators can also set default encryption behavior through mail flow rules in the Exchange admin center. A rule can apply Encrypt Only when a message contains the word confidential in the subject, or when the recipient domain matches a partner list.

Sensitivity labels created in Purview can bind an encryption policy to specific document types or user groups. Labels apply on the client and travel with the message. See Microsoft Learn on sensitivity labels for configuration steps.

outlook secure email encryption in article illustration two

HIPAA and Outlook Encryption in Practice

Healthcare organizations sending protected health information over email need message level encryption plus a business associate agreement with the vendor handling the mail. Microsoft signs a BAA covering Microsoft 365, Exchange Online, and Purview Message Encryption on eligible plans.

The BAA only applies to workloads that are actually enabled and licensed. A tenant without Business Premium cannot rely on the Purview coverage inside the BAA for encrypted sends.

Related reading on the compliance side sits in the Mailhippo library. See the sibling guide on hipaa secure email for a broader compliance walkthrough and the piece on office 365 hiipa compliant secure email encryption outlook for the direct Microsoft 365 configuration path.

Practices building the underlying digital estate can also review Redefine Web guidance on healthcare website security features, which covers the wider control set that pairs with encrypted email.

Purview Versus Voltage, Cisco, and Third Party Services

Purview Message Encryption is the native path. Other tools plug into Outlook and Exchange Online through connectors or transport rules.

OpenText Voltage Secure Email, formerly Voltage SecureMail, uses identity based encryption. Recipients open messages through a browser or an add in without exchanging certificates. It suits large enterprises with existing OpenText security investment.

Related sibling coverage on the Cisco side sits at the guide on secure email encryption service cisco, which walks the Cisco Secure Email Encryption Service configuration path for organizations already on the Cisco email security stack.

For a broader look at the encryption format layer, the sibling piece on secure mail email encryption covers S/MIME versus PGP tradeoffs in more depth. Third party services fit best when the goal is a BAA in the base plan and a one click recipient experience without per certificate management.

๐Ÿ’กPro Tip: Force TLS on partner connectors before assuming it works

Opportunistic TLS drops to plain text when the receiving server does not advertise support, and Exchange Online does not warn the sender. For any recurring partner exchange, build a mail flow rule that requires TLS to the specific recipient domain and blocks delivery on fallback. Message trace logs then prove TLS negotiated on every send. That evidence is what auditors ask for during a HIPAA review.

Common Outlook Encryption Errors and How to Fix Them

Users hit a small set of predictable errors. Most are license or certificate mismatches rather than product defects.

  • Encrypt button is grayed out. The user account is not licensed for Business Premium, E3, E5, or a compliance add on. Assign the license or route through a third party service.
  • Recipient cannot open the message. The portal link expired or the recipient blocked the sign in email. Resend with a one time passcode option enabled in the mail flow rule.
  • S/MIME message shows Signature not valid. The sender certificate expired or was not issued by a trusted root the recipient client recognizes. Renew the certificate and confirm the root chain.
  • Message drops to plain text on send. The receiving server did not offer TLS. Configure a partner connector with force TLS and TLS certificate verification.
  • Encrypted attachment cannot be opened. The recipient client stripped the wrapper. Use the Encrypt Only policy rather than Do Not Forward for external partners on non Microsoft clients.

Log message trace results in the Exchange admin center to confirm what actually happened on the send. Trace results show whether TLS negotiated and which mail flow rule applied.

When a Dedicated Secure Email Service Fits Better

Native Outlook encryption works well on Business Premium and above with a stable IT team. Smaller practices and mixed environments hit friction on license cost, certificate management, and recipient support.

A dedicated secure email service like Mailhippo layers on top of the existing Outlook or Gmail mailbox. The sender workflow does not change. A short button sends the message through the encrypted channel, and the recipient opens it with a one click link. A BAA is included in the base plan.

The tradeoff sits between native platform integration and simplified operations. Purview is deeply tied into the Microsoft 365 admin experience. A dedicated service is faster to deploy across a small team, cheaper per seat below the Business Premium line, and does not require certificate management.

Rollout Checklist for a Clean Outlook Encryption Setup

A tidy rollout avoids the two common failure modes: users cannot find the Encrypt button, and receivers cannot open the message. Both trace back to preparation.

  • Audit Microsoft 365 licenses. Confirm the seats that need to send encrypted mail are on Business Premium, E3, E5, or a compliance add on.
  • Verify Azure Rights Management is active in the Microsoft 365 admin center.
  • Sign the Microsoft BAA and archive it with compliance records. Confirm the covered workloads.
  • Build mail flow rules that apply Encrypt Only for messages tagged confidential in the subject or sent to a defined partner list.
  • Publish an internal one page guide with the exact steps to click Encrypt, plus a screenshot of the recipient portal.
  • Test end to end with a personal Gmail address and a personal Yahoo address before the first live send.

Practices that need a BAA at a lower price point or that run mixed Gmail and Outlook environments should evaluate Mailhippo alongside the native path. The HIPAA Journal encryption reference gives the compliance backdrop for either choice.

Sibling reading for teams still building the compliance stack sits at the guides on hipaa secure email and secure encrypted email. The right Outlook secure email encryption setup is the one that matches license reality, recipient behavior, and the audit trail the compliance team needs.

Frequently Asked Questions

Is Outlook email encrypted by default? +

Outlook connections to Microsoft 365 use TLS, so mail moves encrypted between the client and Exchange Online. Delivery between Exchange Online and external mail servers uses opportunistic TLS when both sides support it. That is transport encryption only. The message itself is not encrypted at rest in the recipient inbox unless the sender applied Microsoft Purview Message Encryption, S/MIME, or a third party encryption service. Confidential business mail and any protected health information need one of those explicit layers on top of default TLS.

What license do I need to use the Encrypt button in Outlook? +

The Encrypt button on the Options ribbon requires Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, or an add on Microsoft 365 E5 Compliance license. Business Basic and Business Standard do not include Purview Message Encryption. Home and personal plans do not include it either. If the tenant is licensed, the button is available in Outlook on the web, the Windows desktop client, and the Mac desktop client. Administrators may also expose it inside mobile Outlook apps.

How does S/MIME differ from Microsoft Purview Message Encryption? +

S/MIME encrypts the message body with a certificate pair, so only the recipient with the matching private key can read it. Purview Message Encryption wraps the message in a portal experience where external recipients authenticate to view it. S/MIME needs certificates on both sides and does not require a portal. Purview needs a licensed Microsoft 365 tenant and works with any recipient email address. S/MIME fits fixed partner exchanges. Purview fits ad hoc secure sends to patients, clients, or unknown external parties.

Can I encrypt a Gmail message from Outlook? +

Outlook can send to any Gmail address. Whether the message is encrypted depends on the mechanism the sender applied. TLS covers the server hop when both Microsoft and Google negotiate it, which they do by default. If the sender used Purview Message Encryption, the Gmail recipient gets a portal link and signs in with Google. If the sender used S/MIME, the Gmail recipient needs S/MIME support and a matching certificate. Third party secure email services handle Gmail delivery with no setup on the recipient side.

Does TLS meet HIPAA email requirements on its own? +

TLS alone does not satisfy HIPAA in most audit reviews. The HHS guidance treats email as an addressable specification, which means covered entities must implement encryption or document why a different safeguard fits. Opportunistic TLS can drop to plain text if the receiving server does not support it, and messages sit unencrypted at rest in the recipient mailbox. Purview Message Encryption, S/MIME, or a dedicated secure email service provides message level protection that fits the standard cleanly and is easier to defend during an audit.

How do I turn on S/MIME in Outlook? +

Obtain a valid S/MIME certificate from a public certificate authority or internal PKI and install it in the Windows certificate store. In Outlook desktop, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, select the certificate and set the algorithms. Exchange public certificates with each recipient by sending a signed message first. On future outbound mail, click the Sign or Encrypt icon on the Options tab. Outlook on the web supports S/MIME through a browser extension distributed by Microsoft.

What if I need to send secure email but do not have Business Premium? +

The two practical paths are upgrading to a licensed plan or adding a dedicated encrypted email service. Upgrading applies across the seat, which raises cost linearly with headcount. A dedicated service like Mailhippo layers on top of the existing Outlook or Gmail mailbox, includes a BAA in the base plan, and does not require the sender to change clients. Recipients open messages through a one click portal or receive an encrypted PDF, depending on the delivery preference set by the sender.

How to Open Encrypted Email in Gmail Step by Step

how to open encrypted email in gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail sees four wrappers: Purview, Proofpoint, Zix, and S/MIME, and each opens differently.
  • Portal messages need sign-in via Google, the sender platform, or a one-time inbox passcode.
  • S/MIME works only on Google Workspace with hosted S/MIME and a matching user certificate.
  • TLS-only mail lands as normal text; Show Original headers reveal whether TLS 1.3 was used.
  • Missing passcodes usually sit in spam; never paste a code into a mismatched portal domain.

Gmail users see encrypted mail in four common formats: Microsoft Purview, Proofpoint, Zix, and S/MIME. Each one opens a different way. Confusing them causes the recipient to give up on the message.

This guide walks the exact steps to open each type inside Gmail, plus the password and certificate issues that block delivery. For teams tired of portal friction on both sides, a dedicated encrypted email service handles the delivery in one click.

Start by identifying the wrapper. The Gmail message will say Read the message, View Encrypted Message, or Secure Message. That label tells the recipient which platform sent it.

Identify the Encryption Wrapper Before Clicking

The first step is knowing what arrived. Encrypted mail in Gmail is almost always a wrapper message with a button or link. The visible body does not contain the sensitive content.

Microsoft Purview Message Encryption arrives with a Read the message button and the phrase encrypted message from a Microsoft 365 sender. The wrapper is branded with the sender organization.

Proofpoint Encryption arrives with a Click here link that points to securereader.proofpoint.com or a custom subdomain like securemail.senderdomain.com. The subject often includes the marker Secure Message.

Zix Secure Email arrives with a similar Click here link that points to a domain under zixport.com or a custom subdomain. S/MIME arrives with an smime.p7m attachment and no visible readable body.

Open a Microsoft Purview Message in Gmail

Purview is the encryption most Outlook and Microsoft 365 senders use when they click the Encrypt button. Gmail recipients open it through a portal.

Open the wrapper email and click Read the message. A browser tab opens on the Microsoft encrypted message viewer. The viewer offers two options: Sign in with Google or Sign in with a one time passcode.

Sign in with Google is the fastest path. Click it, sign into the same Gmail account that received the mail, and the message renders inside the portal. The portal supports reply and forward when the sender allowed those actions.

If Sign in with Google fails, request a one time passcode. Microsoft sends the code to the same Gmail inbox. Paste the code into the viewer and the message opens. See Google Support on encrypted mail for Gmail side detail.

how to open encrypted email in gmail in article illustration one

Open a Proofpoint Encrypted Email in Gmail

Proofpoint Encryption uses a portal called Proofpoint Encryption Reader. First time recipients register a Proofpoint account tied to the Gmail address.

Click the Click here link in the wrapper message. The Proofpoint Encryption Reader loads in a browser tab. If this is the first time, a registration form asks for a password and security questions. Complete it and confirm the email.

Returning users sign in with the Gmail address and the Proofpoint password. The message renders inside the portal. Attachments download as separate files, and reply is available from the portal itself.

Store the Proofpoint password in a password manager. Proofpoint accounts do not federate with Google Sign In, so a lost password requires the Forgot Password link, which delivers a reset link back to the Gmail inbox.

Open a Zix Encrypted Email in Gmail

Zix Secure Email uses a similar portal model. The Gmail wrapper contains a Message from and a link to the Zix portal.

Click the link. The Zix portal loads and asks for the Gmail address and a password. First time recipients complete a short registration. The password is separate from any Google or Microsoft credentials.

Once signed in, the message renders inside the Zix portal. Reply, forward, and attachment download are supported when the sender allowed them. Some senders configure Zix to send the encrypted content as an encrypted PDF attachment instead of a portal link.

If Zix delivered an encrypted PDF, open the attachment in a PDF reader and enter the password the sender shared separately. The password is usually delivered by phone or a prior secure channel.

Example

A patient at a Gmail address receives a wrapper email from her cardiologist labeled Secure Message with a link to securereader.proofpoint.com. She clicks the link, sees a Proofpoint registration form because it is her first encrypted message from the practice, sets a password, and confirms through a link sent to the same Gmail inbox. The portal then renders her ECG summary and a follow-up recommendation. She saves the Proofpoint credentials in her password manager because the practice will send future results through the same portal, which does not federate with Google Sign In.

Open an S/MIME Encrypted Email in Gmail

S/MIME is a certificate based standard that requires matching keys on both sides. Gmail supports S/MIME only through Google Workspace with hosted S/MIME enabled by the administrator.

When an S/MIME message arrives at a properly configured Google Workspace account, Gmail decrypts the message inline. The body renders normally, and a padlock icon indicates the encryption status. No portal is involved.

Personal Gmail addresses at gmail.com do not support S/MIME. The message arrives with an smime.p7m attachment and no readable body. Ask the sender to resend using Purview Message Encryption or a dedicated secure email service.

Google Workspace administrators enable hosted S/MIME under Apps, Google Workspace, Gmail, User Settings, S/MIME. Upload user certificates for each mailbox that needs to decrypt inbound S/MIME.

Compare the Four Wrappers Side by Side

Recognizing the wrapper is half the work. The table below maps the visible signal in Gmail to the platform and the action the recipient takes.

Wrapper Visible signal in Gmail Action to open Password model
Microsoft Purview Read the message button Sign in with Google or passcode Google account or one time passcode
Proofpoint Encryption Click here link to Proofpoint domain Register or sign in on portal Proofpoint account password
Zix Secure Email Secure Message subject with portal link Register or sign in on portal Zix account password
S/MIME smime.p7m attachment, no body Decrypt inline with certificate Certificate on Google Workspace

Portal wrappers work with any Gmail address. S/MIME only works on Google Workspace with hosted S/MIME configured by the administrator.

how to open encrypted email in gmail in article illustration two

Handle the Common Password Failures

Password prompts are the most common friction point. A few predictable failures cover almost every case.

  • One time passcode never arrives. Check the Gmail spam folder. Microsoft and Proofpoint codes sometimes trip Gmail filters. Whitelist the sender portal domain.
  • Proofpoint or Zix password forgotten. Use the Forgot Password link on the portal. The reset email lands in the same Gmail inbox.
  • Portal says account not registered. First time recipients complete a short registration on Proofpoint and Zix. Fill in the required fields and confirm through the email link.
  • Sign in with Google fails on Microsoft portal. The recipient signed into a different Google account in the browser. Sign out of other accounts or use a private window.
  • Password field appears on an unfamiliar domain. Verify the domain matches microsoft.com, proofpoint.com, or zix.com before entering credentials. Phishing kits mimic these portals.

Understand What TLS Only Means

Some senders use only TLS. The Gmail message looks normal, with regular text and no wrapper. There is nothing to open.

To confirm the sender used TLS, click the three dot menu on the message and select Show original. The Received headers list the encryption cipher used on each hop. A line with TLSv1.3 or TLSv1.2 confirms the connection was encrypted.

TLS alone is not enough for regulated mail. It protects the connection between mail servers but leaves the message readable at rest in the Gmail inbox. Anyone with access to the mailbox reads it.

Healthcare and legal senders should use message level encryption on top of TLS. The National Institute of Standards and Technology publishes guidance on email security at NIST SP 800-177r1, which covers the standard controls.

๐Ÿ’กPro Tip: Verify the portal domain before entering credentials

Phishing kits mimic Microsoft, Proofpoint, and Zix portals convincingly. Before typing a password or pasting a one-time passcode, check the browser address bar for microsoft.com, proofpoint.com, or zixport.com plus the sender known subdomain. A password field on any other domain is likely a credential trap. If unsure, contact the sender through a separate channel and confirm the portal URL matches what they issued.

Open Encrypted Email in Gmail on Mobile

Mobile Gmail on iOS and Android opens portal based encrypted mail the same way. Tap the Read the message or portal link and the phone browser loads the portal.

Microsoft Purview portals render well on mobile browsers. Sign in with Google, or paste a one time passcode. The message shows inline in the browser.

Proofpoint and Zix portals also render on mobile. Password entry is the main friction. Store credentials in a mobile password manager to speed up return visits.

S/MIME on mobile Gmail requires a Google Workspace account with hosted S/MIME. Personal Gmail on mobile shows the smime.p7m attachment with no way to decrypt. The sibling piece on how to open encrypted email on iphone covers the mobile flow on iOS in more depth.

When Encrypted Mail Bounces or Never Arrives

Encrypted mail sometimes never lands in Gmail. Two patterns cover most cases.

The first pattern is aggressive spam filtering. Portal wrapper messages from Microsoft, Proofpoint, and Zix look similar to phishing to some filters. Search the Gmail spam folder for the sender name or the portal domain. Whitelist the portal domain in Gmail filters.

The second pattern is TLS enforcement failure. When a sender requires forced TLS and Gmail negotiation fails temporarily, the message bounces at the sender side. The sender receives a delivery failure notice. Ask the sender to retry or to send from a mail flow rule that allows opportunistic TLS.

Related sibling guides on troubleshooting sit at how to troubleshoot encrypted email and the send side coverage at how to send encrypted email. The Redefine Web guide on healthcare website security features covers the broader safeguard set for practices that rely on secure email.

Pick a Simpler Path for Regular Encrypted Sends

The four wrapper types work, but recipients on the Gmail side hit friction on every send. Password registration, portal sign in, and expired sessions cost time on both sides.

A dedicated secure email service like Mailhippo delivers encrypted mail to any inbox with a one click open. The recipient does not register an account. The sender uses the existing Gmail or Outlook mailbox, and a BAA is included in the base plan for healthcare workflows.

The tradeoff is platform coverage. Portal based services from Microsoft, Proofpoint, and Zix carry deep enterprise integration. A dedicated service is faster to deploy for small teams and lower friction on the recipient side.

Frequently Asked Questions

Why do I get a Read Message button instead of the email itself? +

The sender applied encryption that wraps the message inside a portal. Gmail cannot render the encrypted body inline because it is not the intended encryption endpoint. The Read Message button opens the portal maintained by Microsoft, Proofpoint, Zix, or another provider. Click the button, sign in with the Gmail address that received the mail, and the message renders inside the portal. The wrapper text stays in Gmail as a receipt that the encrypted send happened.

How do I open an encrypted Outlook email in Gmail? +

Outlook senders on Microsoft 365 typically use Microsoft Purview Message Encryption. Gmail recipients receive a wrapper message with a Read the message button. Click it, then choose Sign in with Google. Google authenticates with the Gmail address, redirects back to the Microsoft portal, and renders the message. If the sign in fails, the sender can request a one time passcode delivery through the Encrypt Only policy. The passcode arrives at the same Gmail inbox and unlocks the portal.

How do I open a Proofpoint encrypted email in Gmail? +

Proofpoint sends a notification with a Click here link. The link opens the Proofpoint Encryption portal at securereader.proofpoint.com or the custom subdomain the sender configured. First time users register a Proofpoint Encryption account with the Gmail address and a password. Returning users sign in with the same account. The message renders inside the portal. Save the portal password in a manager because Proofpoint accounts do not federate with Google Sign In.

How do I open a Zix encrypted email in Gmail? +

Zix messages arrive with a subject that starts Secure Message and a link that opens the Zix portal at securemail.zixport.com or the sender custom subdomain. Click the link and sign in with the Gmail address plus a Zix password. New recipients complete a short registration with a password and security questions. The Zix portal renders the message and any attachments. Zix supports password reset by email to the same Gmail inbox when the password is lost.

How do I open an encrypted email without a password? +

Ask the sender to switch to a passcode delivery option. Microsoft Purview supports a one time passcode that arrives in the same Gmail inbox and unlocks the portal without a stored account. If the sender used S/MIME to a personal Gmail address, the recipient cannot open the message without a matching certificate on a Google Workspace account. In that case, ask the sender to resend with Purview Message Encryption or a service that supports passcode based delivery.

What does smime.p7m mean in a Gmail attachment? +

The attachment is the S/MIME encrypted payload. Gmail could not decrypt it because the account does not have a matching certificate or hosted S/MIME is not enabled. Personal Gmail accounts do not support S/MIME directly. Google Workspace accounts need an administrator to enable hosted S/MIME and upload user certificates before decryption works. Ask the sender to resend using a portal based option like Microsoft Purview Message Encryption or a dedicated secure email service that does not require certificate exchange.

Is TLS encryption enough for HIPAA compliant email sent to Gmail? +

Opportunistic TLS between mail servers protects the connection but leaves the message at rest in the recipient inbox. Google supports TLS 1.2 and TLS 1.3 on inbound mail. Under HIPAA, TLS alone is treated as a supporting control rather than a complete safeguard for protected health information. Covered entities usually add message level encryption on top of TLS, either through Microsoft Purview, S/MIME, or a dedicated secure email service that includes a business associate agreement.

Virtru Email Encryption Reviewed with Pricing and Setup Details

virtru email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Virtru adds client-side encryption to Gmail and Outlook via extension in minutes, not weeks.
  • The proprietary TDF format supports revocation and expiration that S/MIME and PGP cannot match.
  • Pricing runs free personal, Pro at about $79 per user yearly, and custom Enterprise with DLP.
  • The Pro tier BAA covers Virtru servers but not the underlying Gmail or Outlook mailbox itself.
  • Reviews praise setup speed and post-send controls; recipient Secure Reader is the top friction.

Virtru email encryption is one of the most widely adopted client-side encryption products in the small and mid-market segment. The service plugs into Gmail and Outlook through a browser extension or add-in and encrypts messages on the sender’s device before they leave the mail client.

This guide covers how virtru email encryption works, what it costs, and where it fits. Sections address pricing tiers, HIPAA coverage, the proprietary Trusted Data Format, review sentiment, and honest deployment trade-offs.

The material is aimed at IT decision makers evaluating Virtru against alternatives. Every section reflects Virtru documentation, published pricing on the Virtru site, and aggregated review sentiment from Gartner Peer Insights, G2, and TrustRadius.

How Virtru Email Encryption Works

Virtru installs as a browser extension for Gmail and as an add-in for Outlook. Once installed, the compose window in either application displays a Virtru toggle above the message body.

Enabling the toggle before Send encrypts the outbound message using Virtru’s Trusted Data Format. The message body and attachments are wrapped in a TDF container that includes policy metadata and references to encryption keys held on Virtru servers.

The recipient receives an email with a Secure Reader link. Clicking the link opens the Virtru Secure Reader in a browser and displays the decrypted content. First-time recipients complete a short verification flow. Returning recipients read directly.

The sender can also enable post-send controls at the time of encryption: message expiration, disable forwarding, disable printing, watermarking, and read receipt visibility. Those controls are enforced by the Secure Reader when the recipient opens the message.

Virtru Email Encryption Pricing Tiers

Virtru publishes three pricing tiers on its site. The tiers scale from free personal use to enterprise deployments with custom pricing.

The free personal tier supports encrypted send and receive on personal Gmail accounts. Basic post-send controls are included. The tier does not include a BAA and is not suitable for HIPAA-covered content.

  • Free tier: personal Gmail encryption, basic controls, no BAA
  • Pro tier: approximately $79 per user annually, BAA included, full post-send controls
  • Enterprise tier: custom pricing, adds DLP, key management options, advanced integrations
  • Volume discounts: apply above ~100 seats on the Enterprise tier

The Pro tier at $79 per user per year sits above the Zixcorp base tier ($30 to $50) and roughly comparable to portal-based products such as Barracuda Email Gateway Defense at the small business scale. Enterprise negotiations often move on volume and add-on scope.

virtru email encryption in article illustration one

Downloading and Installing Virtru

Installation is one of the shorter paths in encrypted email deployment. The Virtru extension for Chrome installs from the Chrome Web Store in under a minute. Firefox and Edge extensions install through their respective add-on stores.

The Outlook add-in installs through Microsoft AppSource for Outlook 2016 and later, Outlook for Mac, and Outlook on the web. Enterprise administrators can deploy the add-in centrally through the Microsoft 365 admin center for all users at once.

After installation, the user signs in to Virtru with their existing Gmail or Microsoft 365 credentials through OAuth. That step links the mail account to the Virtru service. No new mailbox or address is created.

Total time from installation to sending the first encrypted message is typically under five minutes. That contrasts with the 30 to 90 day tuning cycle common for gateway policy products such as Zixcorp or Proofpoint.

The Trusted Data Format and Its Trade-Offs

Trusted Data Format (TDF) is Virtru’s proprietary encryption container. It wraps content in a package that includes both the ciphertext and policy metadata such as expiration dates, forwarding restrictions, and watermark instructions.

The design gives senders post-send controls that neither S/MIME nor PGP provide. A sender can revoke access to a message after delivery, change the expiration date, or add a watermark. Those features rely on the Secure Reader enforcing the policy at open time.

The trade-off is interoperability. TDF is not an open standard supported by native mail clients. Recipients read TDF messages through the Virtru Secure Reader, not through Outlook’s or Apple Mail’s S/MIME support. That dependency ties recipient access to Virtru infrastructure remaining operational.

Organizations that need standards-based encryption for interoperability with S/MIME or PGP users need a different tool. Our guide to S/MIME email encryption signature covers the standard-based approach.

Example

A boutique law firm with eight attorneys picks Virtru Pro at $79 per user annually for client communication involving privileged material. Setup finishes in under an hour on a Tuesday morning. Within two weeks, attorneys use post-send revocation four times to pull back messages sent to wrong recipients from autocomplete errors. Clients on Gmail open messages through the Secure Reader with a verification code on first read. The firm accepts the modest recipient friction because revocation and expiration controls justify the pricing above simpler portal options.

Virtru Email Encryption and HIPAA

Healthcare practices use Virtru on the Pro and Enterprise tiers to send HIPAA-covered PHI through Gmail or Outlook. The BAA covers Virtru’s services under HIPAA’s business associate rules.

The BAA scope includes Virtru servers, the Secure Reader portal, and the TDF encryption process. Practices should confirm the signed BAA is in force before routing PHI. HHS publishes sample provisions at the HHS BAA reference page.

The Virtru BAA does not extend to the underlying Gmail or Outlook mailbox. For full HIPAA coverage across the mail path, the practice needs Google Workspace on a BAA-eligible plan or Microsoft 365 on a business plan with a BAA. Free consumer Gmail does not qualify. Our companion piece on HIPAA compliant email Gmail covers the Workspace plan requirements.

Practices building broader HIPAA compliance often pair encrypted email with hardening on the web side. Our team at Redefine Web has published guidance on healthcare website security features.

virtru email encryption in article illustration two

Virtru Review Notes from Peer Sources

Aggregated reviews from Gartner Peer Insights, G2, and TrustRadius cluster around consistent themes. Positive scores focus on ease of setup, Gmail and Outlook integration quality, and the post-send controls.

The setup speed is a common highlight. Reviewers frequently note that a small practice can be sending encrypted email within an hour of purchasing. That contrasts with 30 to 90 day gateway deployments and drives adoption in the small business segment.

Negative scores focus on the proprietary TDF model, the recipient Secure Reader experience (which has improved but historically drew complaints), and pricing above budget-conscious small practices. Reviewers also occasionally cite the OAuth reauthentication cycle in Gmail as a friction point after Google credential rotation events.

Deliverability and the sender experience rarely draw complaints. The integration into the existing mail client keeps sender workflow essentially unchanged. That is a real strength compared to portal-based products where the sender must remember to route sensitive mail through a separate compose interface.

Post-Send Controls in Virtru

Post-send controls are one of the strongest Virtru differentiators. The sender can enforce policy on a message after it has already left the outbox by adjusting metadata stored on Virtru servers.

Message expiration lets the sender set a date after which the Secure Reader refuses to display the content. Useful for time-limited offers, contract negotiations, and clinical results with a documented review window.

Revocation lets the sender cut off access to a specific message even before expiration. Useful when a message was sent to the wrong recipient or when a situation changes after send.

Disable forwarding, disable printing, and watermarking add friction against internal or accidental redistribution. None of these controls are cryptographically enforceable in the strict sense, since a determined recipient can screenshot or transcribe. They act as policy signals and legal deterrents rather than technical guarantees.

๐Ÿ’กPro Tip: Verify post-send controls fit your actual workflow

Virtru's revocation, expiration, and disable-forwarding controls are its strongest differentiator. Before signing, list the last twenty sensitive messages the team sent and ask whether any of them would have benefited from those controls. A workflow of routine patient reminders rarely uses revocation. A workflow of contract negotiations, clinical results with review windows, or attorney-client documents uses them weekly. Match the tier to actual usage patterns, not to the theoretical value of features that sit unused.

The Recipient Experience with Virtru

Recipients of Virtru-encrypted messages receive a normal-looking email with a Secure Reader link. Clicking the link opens the Secure Reader in a browser tab and displays the decrypted content.

First-time recipients complete a short verification flow. Virtru typically sends a verification code to the recipient’s email address to confirm identity. That step reduces phishing risk but adds a small friction to the first read.

Returning recipients read directly through the Secure Reader with a shorter session flow. Recipients who receive frequent messages from the same sender often find the Secure Reader workflow acceptable. Recipients who receive occasional messages find the extra click and verification step noticeable.

For senders whose recipients want no portal or Secure Reader step at all, inbox-native services such as Mailhippo deliver decrypted content directly to the recipient’s regular inbox with a one-click experience.

Virtru Compared to Alternatives

Virtru competes with three categories of alternatives: gateway policy products (Zixcorp, Barracuda, Proofpoint), Microsoft-native encryption (Purview Message Encryption), and inbox-native services.

Against gateway policy products, Virtru wins on setup speed and loses on policy-based enforcement. A Virtru sender must remember to enable the toggle. A Zixcorp gateway scans every outbound message automatically. For high-volume regulated senders, that enforcement gap matters.

Against Microsoft Purview Message Encryption, Virtru offers more granular post-send controls and works with both Google Workspace and Microsoft 365. Purview is bundled with M365 E3 and E5 and works transparently between M365 tenants without additional cost for licensed users. Purview documentation lives at learn.microsoft.com purview ome.

Against inbox-native services, Virtru offers more post-send controls and a longer feature list. Inbox-native services offer a smoother recipient experience and often a lower price point. Our companion piece on email encryption service covers the category comparison.

When Virtru Fits and When It Does Not

Virtru fits small to mid-size teams that use Gmail or Outlook, need HIPAA-compliant email quickly, and value post-send controls such as revocation and expiration. Legal firms, healthcare practices, and financial advisors are common Virtru customers.

Virtru does not fit large enterprises with heavy regulated content flow that need policy-based automatic enforcement across thousands of users. The user-triggered toggle model depends on the sender remembering to encrypt, which introduces enforcement gaps at scale.

Virtru also fits less well for organizations that need cryptographic zero-knowledge encryption with recipient-held keys. TDF holds encryption keys on Virtru servers, so Virtru servers can decrypt if compelled by legal process. Organizations with true zero-knowledge requirements need S/MIME or PGP.

For a broader view, our companion articles on secure email encryption service and email encryption cover the category landscape and help match tool to workflow.

Frequently Asked Questions

What does Virtru email encryption cost? +

Virtru offers a free personal tier for individual users. The Pro tier for business users is priced around $79 per user annually and includes the BAA for HIPAA coverage. The Enterprise tier is custom-priced and adds data loss prevention, key management options, and integration features. Volume discounts apply at higher seat counts. Small practices under 10 seats pay approximately full list. Enterprises above 500 seats typically negotiate below list. Confirm current pricing on the Virtru site because published rates are updated periodically.

Is Virtru email encryption free for personal use? +

Yes. Virtru offers a free tier for personal Gmail users that supports encrypted send and receive with basic controls. The free tier does not include a BAA and is not suitable for HIPAA-covered PHI. It also lacks the DLP integrations and advanced management features of the Pro and Enterprise tiers. The free tier works well as an evaluation environment or for individual privacy-focused users who want client-side encryption on a personal Gmail account without paying for a business plan.

How does Virtru email encryption work in Gmail and Outlook? +

Virtru installs as a browser extension for Gmail (Chrome, Firefox, Edge) and as an Outlook add-in for Outlook desktop and Outlook web. Once installed, the compose window shows a Virtru toggle. Enabling the toggle encrypts the outbound message using Virtru’s Trusted Data Format. The recipient receives a normal-looking email with a Secure Reader link that opens the decrypted content in a browser. The sender can also enable post-send controls such as expiration, disable forwarding, and watermarking through the same interface.

What is the Virtru Trusted Data Format? +

Trusted Data Format (TDF) is Virtru’s proprietary encryption container. It wraps message content and attachments in a package that includes policy metadata and references to encryption keys held by Virtru servers. TDF supports features that S/MIME and PGP do not, such as post-send revocation, expiration, disable forwarding, and watermarking. The trade-off is that TDF is not an interoperable open standard. Recipients read TDF-wrapped content through Virtru’s Secure Reader rather than through their normal mail client’s native encryption support.

Does Virtru email encryption include a BAA for HIPAA? +

The Pro and Enterprise tiers include a Business Associate Agreement covering Virtru’s services under HIPAA. The free personal tier does not include a BAA and is not suitable for PHI. The BAA covers the Virtru servers, the Secure Reader portal, and the TDF encryption process. Healthcare organizations should confirm the signed BAA is in force before routing PHI. The BAA does not extend to the underlying Gmail or Outlook account, so the mail platform must also be on a BAA-eligible plan for full path coverage.

How does Virtru compare to Zixcorp email encryption? +

Virtru and Zixcorp target different segments. Virtru fits small to mid-size teams that want quick setup on existing Gmail or Outlook accounts. Zixcorp fits enterprises with heavy regulated content flow, mature IT teams, and a need for policy-based enforcement across large user populations. Pricing overlaps in the middle. Virtru at $79 per user is competitive with the Zix base tier at $30 to $50 per user, though Zix drops with volume. Our companion piece on Zixcorp email encryption covers Zix in detail.

Can Virtru email encryption prevent phishing? +

Virtru is an outbound encryption product. It does not scan inbound mail for phishing. Preventing phishing requires a separate inbound email security product such as those offered by Microsoft Defender for Office 365, Google Workspace advanced security, Barracuda Email Gateway Defense, or a dedicated anti-phishing service. Virtru complements those products by protecting outbound content but does not replace them. Practices should treat encryption and phishing defense as separate categories of protection and evaluate each independently.

How Do You Encrypt an Email in Outlook, Gmail, and Office 365

how do you encrypt an email guide featured image

๐Ÿ”‘ Key Takeaways

  • Modern Outlook uses Purview from the Encrypt ribbon. Outlook 2013 and older still route via S/MIME.
  • Personal Gmail has only Confidential Mode. Workspace Enterprise adds hosted S/MIME for true E2E.
  • Attachments inherit message encryption, or lock the file first with Acrobat, Word, or 7-Zip AES-256.
  • Office 365 Encrypt needs Business Standard or higher plus Azure Rights Management on the tenant.
  • A gateway skips per-user certs, works from Gmail or Outlook, and ships a BAA in the base plan.

Encrypting an email is a different set of steps in every mail client. Outlook has a button. Gmail has two paths that look similar but work differently. Outlook 2013 uses an older S/MIME workflow. Attachment encryption is its own separate topic.

This guide covers each of them in order. It also flags the HIPAA implications for practices sending PHI. For a cross-client path that works uniformly, a gateway service delivers encrypted email to any recipient without version dependencies.

Every section stands on its own with the menu paths named directly. Skip to the client and version that matches your setup.

Encrypt an Email in Modern Outlook on Microsoft 365

Modern Outlook on Business Standard and above adds an Encrypt button to the compose window. The service is Microsoft Purview Message Encryption.

Open Outlook. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Business Basic tier and free personal Outlook.com do not have the Encrypt button. Related linked topic: how do you encrypt emails for a broader coverage of alternatives.

Encrypt an Email in Outlook 2013 With S/MIME

Outlook 2013 supports S/MIME natively but has no Purview Encrypt button. The workflow uses the Trust Center and a client-installed certificate.

Install an S/MIME certificate in the Windows personal certificate store. Open Outlook. Go to File, Options, Trust Center, Trust Center Settings, Email Security.

Under Encrypted email, click Settings. Pick your signing certificate and your encryption certificate. Choose whether to sign or encrypt by default. Click OK.

To encrypt a single message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key. This workflow also applies to Outlook 2016, 2019, and Outlook LTSC 2021 when S/MIME is the chosen path.

how do you encrypt an email in article illustration one

Encrypt an Email in Gmail With Confidential Mode

Gmail confidential mode is available on all Google Workspace tiers and personal Gmail. Click the lock and clock icon at the bottom of the compose window.

Set an expiration date from the dropdown. Choose whether to require a passcode. Passcode by SMS is the higher-security option. Click Save.

Write the message and click Send. The recipient receives a link. They open it in a browser, enter the passcode if required, and read the message in a hosted view.

Confidential mode is not end-to-end encryption. Google holds the keys. The mode prevents forwarding, copying, and printing. It does not seal the content against the provider. For HIPAA-scoped mail, confidential mode alone is not sufficient.

Encrypt an Email in Gmail With Hosted S/MIME

Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.

The admin uploads root and intermediate CA certificates in the Google Admin console under Apps, Google Workspace, Gmail, User Settings, then S/MIME. Enable S/MIME for the organizational unit.

Each user uploads their personal certificate through Gmail settings under Accounts. Once configured, a lock icon appears next to the recipient field. Green means encryption is possible.

Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME messages. The encrypted content arrives as an unopenable attachment. See Google Workspace admin help for the current tier list.

Example

A physical therapy clinic on Microsoft 365 Business Premium builds an automatic DLP rule in the Purview compliance portal. The rule matches the US HIPAA template and triggers when outbound messages contain MRN patterns or SSN patterns. Action: apply Do Not Forward automatically. A new hire forgets to click Encrypt when replying to an insurance verifier and pastes a partial MRN into the body. The DLP rule fires server-side, encrypts the message, and creates an audit log entry the compliance officer reviews weekly.

Encrypt an Email Attachment for Extra Protection

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. This is sufficient for most cases.

For extra protection, encrypt the file itself before attaching. This adds a second layer that survives even if the message encryption fails or the recipient forwards the message to an unencrypted inbox.

Common attachment encryption tools:

  • Adobe Acrobat for PDF password protection with AES-256
  • Microsoft Word, Excel, PowerPoint via File, Info, Protect Document, Encrypt with Password
  • 7-Zip for archive password protection with AES-256
  • Apple Preview for basic PDF password protection on macOS

Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password. Related linked topic: encrypt an email.

how do you encrypt an email in article illustration two

Encrypt an Email in Office 365 With Automatic DLP Rules

Office 365 supports automatic encryption through Data Loss Prevention rules on Business Premium and Enterprise tiers. This removes the human step of clicking Encrypt.

The admin opens the Microsoft Purview compliance portal. Under Data Loss Prevention, create a new policy. Choose a template for U.S. Health Insurance Act (HIPAA) or a custom policy with SSN, MRN, or ICD patterns.

Configure the action. Apply Do Not Forward, Encrypt-Only, or a custom rights template when a match is found. The policy can also block the send or require justification.

Automatic DLP encryption reduces the risk of staff forgetting to click Encrypt on a sensitive message. It also creates audit trail evidence that the covered entity applied technical safeguards under the HHS Security Rule.

Encrypt an Email With PGP Using FlowCrypt

FlowCrypt is a browser extension that adds PGP support to Gmail. It works on personal Gmail and any Google Workspace tier.

Install the extension from the Chrome or Firefox web store. Create a keypair when prompted. Back up the private key to a hardware token or an encrypted vault.

Send a secure message from the FlowCrypt compose window inside Gmail. The extension encrypts the body with the recipient public key if it is in the FlowCrypt cache. If not, the extension prompts for the recipient key or sends through the FlowCrypt password-protected fallback.

PGP is not native to any major business mail workflow. FlowCrypt fills that gap for teams that want end-to-end encryption without moving to Google Workspace Enterprise. It is not commonly used in regulated healthcare settings.

๐Ÿ’กPro Tip: Automate PHI encryption through DLP rules, never rely on manual clicks

Staff forget to click Encrypt on sensitive messages, especially during busy scheduling windows or shift handoffs. A single missed click is a HIPAA breach. Configure DLP rules in the Microsoft Purview compliance portal or Google Workspace Data Loss Prevention to match SSN, MRN, ICD-10, and custom keyword patterns. Apply Encrypt or Do Not Forward automatically when a match is found. This removes the human factor from compliance and creates audit trail evidence during OCR investigations.

Encrypted Email Options Compared

The table below compares the main paths a business considers.

Method Client Support Recipient Setup End-to-End HIPAA Fit
Outlook Encrypt (Purview) M365 Business Standard+ Passcode or SSO No, portal Yes with BAA
Outlook S/MIME Outlook 2013+ Certificate install Yes Peer traffic
Gmail confidential mode All Workspace Passcode No Not sufficient alone
Gmail hosted S/MIME Workspace Enterprise+ Certificate install Yes Yes
FlowCrypt PGP Gmail via extension PGP key exchange Yes Rare in healthcare
Gateway (Mailhippo) Any provider Passcode Portal-based Yes with base plan BAA

HIPAA Notes on Encrypting Email in Practice

Encryption is one technical safeguard among many. HIPAA requires access controls, audit logging, session timeouts, workforce training, and a signed BAA with each business associate.

Automatic DLP triggers reduce the risk of missed manual encryption. Portal delivery removes the recipient-side certificate requirement. Both are practical for a real HIPAA workflow.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Document policies and train staff. See related healthcare security features context.

Retention matters. Encrypted mail counts as PHI storage. Retention policies must match state medical board rules and the six-year HIPAA administrative retention requirement.

When a Gateway Is the Better Fit

Managing S/MIME certificates across a small team is meaningful operational work. Certificate expiration, mobile provisioning, and cross-platform trust chains all take time.

A gateway service removes the certificate step. The sender writes in the normal client. A trigger word or plugin button triggers encryption. The recipient reads in a browser.

Mailhippo works this way on top of Gmail or Outlook. It includes a BAA in the base plan. It works uniformly on desktop and mobile without version dependencies. See related how to encrypt an email for the broader walkthrough. Practices building a compliant public-facing site can pair this with HIPAA-conscious website design so intake, contact, and email flows stay inside the same compliance boundary.

Frequently Asked Questions

How do you encrypt an email in Outlook? +

On Microsoft 365 Business Standard and above, open a new message and click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The recipient receives a link and authenticates with Microsoft, Google, or a one-time passcode. On older Outlook versions with S/MIME, install a certificate through the Trust Center under Email Security, then click the encrypt icon in the compose window before sending. The two paths produce different recipient experiences.

How do you encrypt an email in Gmail? +

Click the lock and clock icon at the bottom of the compose window for confidential mode. Set expiration and passcode. Write and Send. This is not end-to-end encryption. For true end-to-end on Google Workspace Enterprise, the admin configures hosted S/MIME and each user uploads a personal certificate. A lock icon then appears next to the recipient field. Green means encryption is possible. For personal Gmail, install a plugin like FlowCrypt to add PGP support. Confidential mode alone is not HIPAA-appropriate.

How do you encrypt an email attachment? +

The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. For separate protection, encrypt the file before attaching. Open the PDF in Adobe Acrobat, choose Protect, set a password. Open the docx in Word, choose File, Info, Protect Document, Encrypt with Password. For archives, use 7-Zip with AES-256. Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password.

How do you encrypt an email in Office 365? +

Open Outlook on desktop, mobile, or the web. Start a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The Encrypt button is available on Business Standard, Business Premium, Enterprise E3, Enterprise E5, and Government plans. Admins configure encryption templates in the Microsoft Purview compliance portal. Automatic encryption through DLP rules is available on Business Premium and Enterprise plans, which triggers Encrypt when messages match sensitive data patterns like SSN or MRN.

How do you encrypt an email in Outlook 2013? +

Outlook 2013 supports S/MIME but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings, pick your certificate, and choose to sign or encrypt by default. To encrypt a specific message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key.

How do you use encrypted email in daily workflow? +

Set a policy. Encrypt any message containing PHI, PII, or financial data. Use S/MIME for peer recipients who hold certificates. Use portal encryption or Outlook Encrypt for external recipients on any provider. Verify recipient email address before sending. Confirm identity by phone before releasing any attachment password. Log the send in the practice communication system if required by policy. Train staff on the trigger words that identify sensitive content and the correct encryption path for each recipient type.

Can you encrypt an email to a recipient without setup on their side? +

Yes, with portal-based encryption. Outlook Encrypt, Gmail confidential mode, and third-party gateways all use a portal model where the recipient receives a link, authenticates with a passcode or SSO, and reads the message in a browser. The recipient needs only a modern browser and the passcode. S/MIME and PGP require setup on both sides because the recipient client must decrypt with a private key it holds. Portal delivery is the model to use when the recipient set is variable or non-technical.

How to Encrypt Email in Outlook (2026 Complete Guide)

how to encrypt email in outlook guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook has three encryption paths: Purview Message Encryption, S/MIME, and Office Message Encrypt.
  • The Encrypt button only appears on Business Premium, E3, E5, or A3/A5. Basic and Standard hide it.
  • S/MIME needs X.509 certs on both sides plus yearly renewal. Peer clinics keep it, patients drop it.
  • External recipients open Purview mail through a portal link. Sign in with Microsoft, Google, or OTP.
  • HIPAA needs a signed BAA, training, audit logs, and policies. Encryption alone is not compliance.

Outlook offers built-in encryption on most business plans, but the button only appears when the license, tenant configuration, and client version all line up. Missing one piece leaves the sender clicking on a feature that does nothing.

This guide walks through every path for how to encrypt email in Outlook, from the Encrypt button on Microsoft 365 to S/MIME certificates and Office Message Encryption rules. Where a healthcare team needs a simpler alternative, a secure email service with a BAA in the base plan often removes the recipient-side portal friction entirely.

Each method below includes the exact ribbon path, the license requirement, and the recipient experience. Skip to the section that matches your Outlook version and plan.

Outlook Supports Three Different Encryption Methods

Outlook does not have one encryption feature. It has three, and they behave differently at the recipient end.

Microsoft Purview Message Encryption is the modern default. It sits behind the Encrypt button in the ribbon on Microsoft 365 Business Premium and higher. External recipients get a portal link.

S/MIME uses X.509 certificates installed on each sender and recipient. It works entirely inside the client and produces a message that opens directly in Outlook without a portal step. Setup and certificate maintenance limit its practical reach.

Office Message Encryption is the older brand name for what is now Purview Message Encryption. Exchange Online admins can trigger it through mail flow rules based on subject keywords, recipient domain, or content sensitivity labels.

Picking the wrong path is the top cause of failed encryption rollouts. Read the recipient experience before deciding.

License Requirements Determine Which Method You Can Use

The Encrypt button in Outlook only appears on tenants with a qualifying license. Cheaper plans block the feature at the tenant level.

Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, A3, A5, and G3/G5 all include Purview Message Encryption. Business Basic and Business Standard do not. Personal and Outlook.com accounts have no access at all.

Admins verify entitlement in the Microsoft 365 admin center under Billing, then Licenses. The full breakdown lives in the Microsoft Purview Message Encryption documentation.

S/MIME has no Microsoft license gate. It works on any Outlook client, including consumer accounts, provided each user brings a valid certificate from a public or internal certificate authority.

Practices that need HIPAA-grade encryption and do not want to upgrade all seats to Business Premium often pair a lower-cost Microsoft plan with a dedicated encrypted email service.

how to encrypt email in outlook in article illustration one

The Encrypt Button in New Outlook and Outlook 365

The most common path is the Encrypt button on the ribbon of Outlook 365 and the New Outlook client.

Compose a new message. On the ribbon, click the Options tab. Click Encrypt. A dropdown offers Encrypt-Only, Do Not Forward, and any custom sensitivity labels the admin has published.

Pick Encrypt-Only for standard transmission protection. Pick Do Not Forward when you need to block forwarding, copying, and printing on the recipient side.

Add the recipient, subject, and message body. Attachments inherit the same protection. Click Send.

Internal recipients on the same tenant open the message directly in their Outlook client. External recipients receive a notification email with a portal link.

If the Encrypt button is grayed out, the license is missing or the client has not synced. Sign out and sign back in before opening a support ticket.

Encrypting Email in Classic Outlook 2016 and 2019

Classic Outlook 2016 and 2019 support Purview Message Encryption through the same ribbon path, with one extra permission menu.

In classic Outlook, the button lives under File, Properties, Security Settings while composing. On the ribbon, click Options, then Permission. Pick Encrypt-Only or Do Not Forward from the dropdown.

Older Outlook 2013 installs need a client update patch and Azure Rights Management activated on the tenant. Without the patch, the Permission button prompts for a rights management server that does not exist.

The rest of the workflow matches the new client. Recipient portal experience, attachment inheritance, and admin logging all behave identically across versions.

Teams on Outlook 2013 should plan a client upgrade. Microsoft ended mainstream support for Office 2013 in 2018 and extended support in 2023.

Example

A three-person dermatology practice on Microsoft 365 Business Standard tries to click Encrypt on a referral message and finds the button missing from the Options ribbon. The office manager verifies licenses in the admin center, upgrades one seat to Business Premium for the referral coordinator, waits 24 hours for the license to propagate, then signs out and back in. The Encrypt button appears. The coordinator picks Do Not Forward and sends the message. The specialist receives a portal link and reads it in the browser.

S/MIME Setup for Certificate-Based Encryption

S/MIME uses public-key cryptography. Each sender and recipient holds a certificate. The sender encrypts with the recipient public key. The recipient decrypts with their private key.

Obtain an X.509 certificate from a trusted CA or internal PKI. Import the certificate to the Windows certificate store under Personal. Match the certificate email address to the Outlook account email.

In Outlook, open File, Options, Trust Center, then Trust Center Settings, then Email Security. Click Settings under Encrypted email. Point Outlook to the installed certificate.

Before sending an encrypted message, exchange signed messages with each intended recipient. Each signed message carries the sender public key, which Outlook stores in the contact record for future encryption.

S/MIME certificates expire annually. Track expiration dates in a shared calendar. An expired certificate blocks all new encrypted sends until renewal.

how to encrypt email in outlook in article illustration two

Automatic Encryption Rules in Exchange Online

Manual clicking works for individual senders. Organizations that must encrypt every message matching a policy need mail flow rules.

An admin opens the Exchange Online admin center. Under Mail flow, then Rules, they create a new rule. Conditions can include subject contains PHI, recipient domain matches an external partner, or content contains a sensitive information type like Social Security number.

Action: Apply Office 365 Message Encryption and rights protection. Select Encrypt-Only or Do Not Forward. The rule fires server-side on every matching message without any sender action.

Rules cover the compliance gap when workforce members forget to click Encrypt. They also apply to messages sent from mobile clients that lack the ribbon.

Test the rule against a monitored test mailbox before pushing to production. False positives on internal messages create friction that pushes users to send from personal accounts.

Recipient Experience Determines Adoption

Encryption succeeds only when the recipient opens the message. Portal friction kills adoption.

Purview Message Encryption sends the external recipient a notification email. The email carries a link to the message portal. The recipient clicks, chooses a sign-in method, and reads the message.

Sign-in options include Microsoft account, Google account, or one-time passcode delivered to the same inbox. The passcode option adds thirty seconds and one extra click.

Elderly patients, referring physicians on legacy email systems, and vendor billing staff sometimes stall at the portal step. They call the practice for help. That call is the hidden cost of portal-based encryption.

Services like Mailhippo deliver encrypted email that opens like a normal message on the recipient side, which removes the support call entirely. Practices weighing tradeoffs should test both flows with a real referral partner.

๐Ÿ’กPro Tip: Verify the BAA before turning on Encrypt for PHI

The Encrypt button in Outlook satisfies the HIPAA transmission safeguard, but the practice is not compliant without a signed Business Associate Agreement with Microsoft on file. Sign the BAA through the Microsoft 365 admin center at no extra cost on eligible plans, then configure audit logging and document workforce training before staff start sending PHI. OCR audits routinely find the gap between working encryption and a missing BAA during breach investigations.

HIPAA Compliance Requires More Than Encryption

Purview Message Encryption satisfies the Security Rule transmission security safeguard. It does not make a practice HIPAA compliant on its own.

The covered entity must sign a business associate agreement with Microsoft. The BAA is available at no extra cost through the Service Trust Portal. Practices without a signed BAA on file are not compliant even when the encryption works correctly.

Additional requirements include audit logging on message access, workforce training records, sanction policies, and documented procedures for PHI email. The HHS Security Rule guidance covers each safeguard in detail.

Practices that build websites handling patient data face parallel obligations. A HIPAA-compliant intake form pairs with encrypted email. See healthcare website security features for the site-side controls.

Compliance is a program, not a checkbox. Encryption is one piece.

Common Errors and How to Fix Them

Three errors account for most encryption support tickets. Each has a specific fix.

  • Encrypt button missing after license upgrade. Sign out of Outlook, close the app, wait up to 24 hours for tenant propagation, sign back in.
  • Recipient cannot open the portal. Confirm the notification email did not land in spam. Ask the recipient to request a one-time passcode instead of Microsoft or Google sign-in.
  • Attachments download without protection. Convert Word and Excel files to PDF before attaching, or apply Do Not Forward instead of Encrypt-Only.
  • S/MIME send fails with a no valid certificate error. Verify the recipient sent a signed message first so their public key is in the address book.
  • Mail flow rule fires on internal messages. Add a sender is outside the organization is false exception or scope by recipient domain.

Run each fix in order. If the error persists, capture the message header and open a Microsoft support case. Include the tenant ID, the affected user UPN, and the exact error text.

Related guides in this series cover how to encrypt email across providers, how to encrypt an email in Outlook 365, and how to encrypt email in new Outlook.

When a Dedicated Encrypted Email Service Fits Better

Outlook encryption works well for organizations already standardized on Business Premium or higher with dedicated IT staff. It creates friction elsewhere.

Small practices on Business Basic or Business Standard face a cost jump per seat to unlock Purview. Multi-provider teams running Google Workspace and Microsoft 365 side by side hit sign-in friction on the recipient portal.

Mailhippo is a HIPAA-compliant email service that works with existing Gmail and Outlook accounts, includes a business associate agreement in the base plan, and delivers messages to recipients without a separate portal login. Client-side encryption plus TLS covers the transmission security safeguard without requiring per-recipient S/MIME certificates.

Practices running healthcare marketing sites often pair encrypted email with a compliant patient-facing web presence. See healthcare marketing services for the site-side counterpart.

Pick the tool that matches the workflow. Outlook Purview for standardized enterprise tenants. S/MIME for internal certificate-managed teams. A dedicated encrypted service for practices that want one-click send and one-click open across every recipient.

Frequently Asked Questions

Which Outlook plans include the Encrypt button? +

Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, Apps for Enterprise with add-on, A3, A5, and Government G3 and G5 all include Microsoft Purview Message Encryption. Business Basic, Business Standard, and Apps for Business do not include it and cannot use the Encrypt button without an add-on license. Personal plans and Outlook.com free accounts do not include Purview at all. The Encrypt button will appear grayed out or missing in the ribbon on plans that lack the entitlement.

Can I send an encrypted email to a Gmail address from Outlook? +

Yes. When you click Encrypt in Outlook and send to a Gmail address, the recipient gets a notification email with a link to a Microsoft-hosted portal. They open the portal, sign in with their Google account or request a one-time passcode, and read the message. Replies from the portal return encrypted. The recipient never needs an Outlook or Microsoft 365 account. The experience adds one click compared to a normal email but keeps the content protected end to end.

What is the difference between Encrypt and Encrypt-Only in the Outlook ribbon? +

Encrypt applies default protection, which prevents forwarding by unauthorized users and enforces sign-in for external recipients. Encrypt-Only allows the message to be forwarded by the recipient but keeps the content encrypted in transit and at rest inside the recipient mailbox. Do Not Forward is a stricter option that blocks forward, copy, and print. Practices sending PHI typically pick Do Not Forward for records requests and Encrypt-Only for routine coordination.

Does Outlook encrypt attachments the same way as the message body? +

Attachments inherit the same encryption applied to the message when Purview Message Encryption is active. Word, Excel, PowerPoint, and PDF files stay protected inside the recipient portal and cannot be downloaded outside it when Do Not Forward is selected. Other file types download with the protection removed, so senders should convert sensitive spreadsheets or notes to PDF before attaching. Attachment size still follows the standard 25 MB Exchange Online limit unless SharePoint delivery is triggered.

How do I set up S/MIME in Outlook for internal team encryption? +

The admin obtains X.509 certificates from a trusted certificate authority or an internal PKI and deploys them to each user Windows certificate store. Each user opens File, Options, Trust Center, Trust Center Settings, then Email Security, and points Outlook to their certificate. Before the first encrypted send, users exchange signed messages so public keys populate the address book. From that point, the Sign and Encrypt buttons in the message ribbon apply S/MIME per message.

Is Microsoft 365 encryption enough for HIPAA compliance? +

The encryption meets the HIPAA Security Rule technical safeguard for transmission security, but compliance requires more. The practice signs a business associate agreement with Microsoft, configures audit logging, trains workforce members on PHI handling, and documents policies. Administrative safeguards like access controls and workforce sanctions still belong to the practice. A practice that clicks Encrypt but skips the BAA or leaves auditing off is not compliant. A signed BAA is available through the Microsoft 365 admin center at no extra cost on eligible plans.

What if the Encrypt button is missing after I upgraded my license? +

Sign out of Outlook completely, close the application, and reopen it. If the button still does not appear, wait up to 24 hours for the license to propagate across the tenant. Confirm the license assignment under Users, Active Users in the admin center. Verify Azure Rights Management is activated under Settings, Org settings, Microsoft Azure Information Protection. On the desktop client, run Get-IRMConfiguration in Exchange Online PowerShell to confirm InternalLicensingEnabled is true.

How Do I Send an Encrypted Email in Outlook, Gmail, and Yahoo

how do i send an encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook on Microsoft 365 Business Standard uses the Encrypt button in Options ribbon via Purview.
  • Gmail has Confidential Mode (weak) and hosted S/MIME on Enterprise. Personal Gmail has no real E2E.
  • Yahoo has no native encryption and no BAA. Regulated senders must migrate off or wrap in a gateway.
  • Apple Mail on macOS and iOS reads S/MIME from the keychain and shows a lock icon in the compose bar.
  • Gateways sit on top of any provider, add a trigger word or button, and ship a BAA in the base plan.

Sending an encrypted email looks different in every mail client. The button is in a different place in Outlook, Gmail, Yahoo, and Apple Mail. Some clients offer true end-to-end encryption while others offer a portal-based feature that looks similar but works differently.

This guide walks through the exact steps for each major provider. It also flags the HIPAA implications for practices sending PHI. For a gateway option that works across all of them, Mailhippo offers encrypted email as a portal service with a BAA in the base plan.

Start with the client you already use. Every section stands on its own with the buttons and menu paths named directly.

Sending Encrypted Email in Outlook 365

Outlook on Microsoft 365 Business Standard and above has an Encrypt button in the compose window. It uses Microsoft Purview Message Encryption underneath.

Open a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown menu that appears.

Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.

Business Basic and free personal Outlook.com do not have the Encrypt button. Upgrading to Business Standard or higher unlocks it. Related linked topic: how do you encrypt an email in outlook for the setup on older versions.

Sending Encrypted Email in Gmail With Confidential Mode

Gmail confidential mode is available on personal Gmail and every paid Google Workspace tier. Open a new message. Click the lock and clock icon at the bottom of the compose window.

Set an expiration date. Choose whether to require a passcode. Click Save. Write the message and click Send. The recipient receives a link and reads the message in a hosted view.

Confidential mode is not end-to-end encryption. Google holds the keys. The mode adds an extra step for the recipient and prevents forwarding, but the content is not sealed against the provider.

For a HIPAA workflow, confidential mode alone is not sufficient even with a BAA. Practices sending PHI need either hosted S/MIME on the Enterprise tier or a third-party gateway. See Google confidential mode documentation for the current feature list.

how do i send an encrypted email in article illustration one

Sending Encrypted Email in Gmail With Hosted S/MIME

Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.

The admin uploads root and intermediate CA certificates in the Google Admin console. They enable S/MIME for the organizational unit. Each user then uploads their personal certificate through Gmail settings under Accounts.

Once configured, a lock icon appears next to the recipient field in the compose window. Green means encryption is possible because the recipient certificate is cached. Gray means the recipient certificate is missing.

Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME encrypted messages. The encrypted content arrives as an unopenable attachment. This is the main operational limit of S/MIME in a mixed environment.

Sending Encrypted Email in Yahoo Mail

Yahoo Mail has no native encrypted email feature. There is no Encrypt button, no confidential mode, and no hosted S/MIME. Yahoo Mail Plus adds ad-free browsing and more storage but no encryption.

To send encrypted email from a Yahoo address, the practical options are limited. Connect the Yahoo account to Thunderbird by IMAP. Install an S/MIME certificate in Thunderbird. Send encrypted mail from Thunderbird using the Yahoo address as the From address.

The other option is a gateway service that authenticates against the Yahoo account and sends portal-delivered encrypted mail on its behalf. This is a workaround, not a supported feature.

Yahoo does not offer a Business Associate Agreement. Yahoo is not appropriate for HIPAA use. Practices on Yahoo should migrate to Google Workspace, Microsoft 365, or a dedicated healthcare mail provider before starting a real encryption program.

Example

A solo dermatologist on personal Yahoo Mail wants to send lab results to a referring internist. Yahoo has no Encrypt button, no confidential mode, no BAA. The dermatologist tries the workaround of connecting Yahoo to Thunderbird by IMAP and installing an Actalis S/MIME certificate, but the internist does not have S/MIME either. The practical resolution is migrating off Yahoo to Google Workspace Business Standard and adding a gateway service. The dermatologist then sends lab results with one click from a normal Gmail compose window.

Sending Encrypted Email in Apple Mail

Apple Mail on macOS and iOS supports S/MIME natively. The user installs an S/MIME certificate in the system keychain. Mail detects the certificate automatically.

On macOS, install the certificate through Keychain Access by opening the PKCS 12 file. On iOS, install through a configuration profile or by tapping the .p12 file in Files or Mail. Trust the certificate in Settings.

Once installed, a lock icon appears in the compose window when the recipient certificate is available. Click the lock to encrypt. A signed message from a recipient adds their public key to the local keychain automatically.

Apple Mail also opens Outlook Encrypt messages and portal-delivered messages from third-party gateways. Cross-platform S/MIME between Apple Mail and Outlook works reliably when both sides use the same certificate authority.

how do i send an encrypted email in article illustration two

Sending Encrypted Email With a Gateway Service

A gateway service sits between the sender mail client and the recipient. The sender writes the message in the normal client. A trigger word in the subject or a plugin button triggers encryption.

The service uploads the message to a hosted portal. The recipient receives a notification with a link. They authenticate with a passcode or SSO and read the message in a browser.

Gateway services work with any mail provider. They add a BAA when the underlying mail provider does not offer one. Setup takes minutes for a single user and hours for a full team.

Related linked topics: how to send an encrypted email for a broader walkthrough and how do I send encrypted email for cross-provider notes.

HIPAA Requirements for Encrypted Email Sending

Sending PHI over email requires a signed Business Associate Agreement with the mail provider and technical safeguards under the Security Rule. Encryption alone does not equal compliance.

Microsoft 365 Business Standard and above and Google Workspace Business Standard and above both offer BAAs. Personal Outlook.com, personal Gmail, personal Yahoo, and personal iCloud do not.

The HHS Security Rule requires access controls, audit logging, session timeouts, and workforce training in addition to encryption. Documentation of policies is required for a defensible program.

Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Related: security features for healthcare websites for how email fits inside the wider stack.

๐Ÿ’กPro Tip: Verify the recipient email address before every PHI send

Encryption protects content but does not correct a wrong address. Sending PHI to the wrong recipient is a HIPAA breach even when the message is perfectly encrypted. Confirm the recipient email through a separate channel before sending, especially for new contacts. Use address book contacts rather than typing addresses each time. Practices sending PHI attachments should also verify recipient identity by phone before releasing any password shared out of band with the encrypted file.

Encrypted Email Feature Comparison Across Providers

The table below summarizes what each major mail provider offers natively.

Provider Native Encryption Feature End-to-End BAA Available Free Tier Encrypted Send
Outlook 365 Business Standard+ Encrypt button, Purview No, portal-based Yes No
Gmail Workspace Business Confidential mode No Yes on Business Standard+ Confidential mode only
Gmail Workspace Enterprise Hosted S/MIME Yes Yes Not on personal
Yahoo Mail None native No No No
Apple Mail on iCloud+ Manual S/MIME Yes with certificate No Manual setup only
ProtonMail Business Password-protected portal Yes to Proton, portal to others Yes on Business Free tier has portal send

Common Sending Problems and Their Fixes

The Encrypt button is missing in Outlook. This happens on Business Basic or free personal Outlook.com. Upgrade to Business Standard or above, or use a gateway service.

The S/MIME lock icon is gray in Gmail. This means the recipient certificate is not cached. Ask the recipient to send you a signed message first. The certificate cache populates automatically from signed inbound mail.

The recipient cannot open the encrypted message. Common causes:

  • Recipient client does not support S/MIME (personal Gmail, Business Standard Workspace)
  • Notification email landed in spam
  • Recipient failed the passcode step
  • Certificate address mismatch on the sender side
  • Corporate firewall blocks the portal domain

Related linked topic: how do I open an encrypted email in outlook for recipient-side fixes.

Picking the Right Sending Path for Your Practice

Practices already on Microsoft 365 Business Standard or above should use the native Encrypt button for external mail. Setup is minutes. The BAA is already in place.

Practices on Google Workspace Business Standard should use confidential mode for casual privacy and add a gateway service for HIPAA-scoped mail. Upgrading to Enterprise for hosted S/MIME is often costlier than the gateway approach.

Practices on Yahoo, iCloud, or free personal accounts need to migrate to a business mail provider before starting a real encrypted email program. No workaround makes those tiers HIPAA-appropriate.

Mailhippo works as the gateway option across all of these providers. It sits alongside Gmail or Outlook, includes a BAA in the base plan, and requires no per-user certificate management. Practices building a compliant public site alongside their email program can pair this with HIPAA-conscious website design so the whole intake chain stays inside the same compliance boundary.

Frequently Asked Questions

How do I send an encrypted email in Outlook 365? +

Open a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown. Write the message and click Send. The external recipient receives a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser. The Encrypt button appears on Microsoft 365 Business Standard, Business Premium, E3, E5, and Government plans. Free personal Outlook.com and Business Basic tiers do not have this feature.

How do I send an encrypted email in Gmail? +

Two options exist. For confidential mode, open a new message, click the lock icon at the bottom, set expiration and passcode, then send. Confidential mode is not end-to-end encryption. For true S/MIME encryption, the account must be on Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus. The admin uploads CA certificates and enables S/MIME, then each user uploads their personal certificate. A lock icon then appears next to the recipient field when encryption is possible.

How do I send an encrypted email with Yahoo? +

Yahoo has no native encrypted email feature. To send encrypted mail from a Yahoo address, connect the Yahoo account to Thunderbird via IMAP and install an S/MIME certificate in Thunderbird. Or connect the Yahoo account to a gateway service that handles portal delivery. Yahoo does not offer a Business Associate Agreement and is not a HIPAA-appropriate mail provider even with a workaround in place. Yahoo Mail Plus does not add encryption features. Business users should move to a provider that offers a BAA.

How do I send an encrypted email in Outlook 2013? +

Outlook 2013 supports S/MIME natively but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File then Options then Trust Center then Trust Center Settings then Email Security. Under Encrypted email, click Settings and pick your certificate. Choose to sign or encrypt outgoing messages by default. To encrypt a specific message, click the Encrypt Message Contents and Attachments button in the compose ribbon before sending.

Can I send encrypted email without buying a service? +

Yes, with limits. Free options include manual S/MIME with a free personal certificate from Actalis in Outlook or Apple Mail, PGP with a plugin like FlowCrypt in Gmail, and a personal ProtonMail account for external portal delivery. All three require setup effort and none qualifies for HIPAA on the free tier. For regulated work, a paid service with a BAA is the only defensible path. For casual privacy, the free options work well after the initial setup.

Is Outlook confidential mode the same as encryption? +

Outlook does not use the term confidential mode. Gmail uses that term. In Outlook, the equivalent feature is Encrypt or Do Not Forward inside Microsoft Purview Message Encryption. Encrypt-Only prevents unauthorized reading. Do Not Forward adds restrictions against forwarding, copying, and printing. Both use portal-based delivery for external recipients. Neither is the same as S/MIME end-to-end encryption. Outlook also supports S/MIME separately for peer-to-peer certificate-based encryption between users who both hold certificates.

How do I send an encrypted email attachment? +

The attachment inherits the encryption of the message. Attach the file to a message you encrypt through Outlook Encrypt, Gmail S/MIME, Apple Mail S/MIME, or a portal gateway. The service encrypts the message body and attachment together. For separate protection, encrypt the file itself with a password using Adobe Acrobat for PDFs or 7-Zip for other files, then share the password out of band. Practices sending PHI attachments should verify recipient identity before releasing any password.

Can I Encrypt an Email in Gmail (and Every Other Client)

can i encrypt an email in gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail offers three paths: Confidential Mode, native S/MIME, or a third-party portal extension.
  • Confidential Mode is not real encryption; Google reads the body and it fails HIPAA audits.
  • Native S/MIME needs Enterprise Plus and the recipient public cert, which patients rarely have.
  • Outlook 365 Business Premium unlocks the Encrypt button; Outlook Desktop S/MIME works on any plan.
  • GoDaddy Professional Email offers no BAA; healthcare needs Microsoft 365 Business Premium or higher.

Encrypting an email should be a one-click operation. In practice it depends on which client, which plan, and which recipient the sender is dealing with.

The core question, can I encrypt an email in Gmail, has three answers. So does the same question for Outlook and GoDaddy. This guide walks through each path, when to use it, and when a hosted encrypted email service is the simpler choice.

The setup order matters. Check the client, check the plan, then choose the encryption method that matches the recipient. A method that works for a colleague on the same tenant may not work for a patient on a free consumer account.

Gmail Confidential Mode is not encryption

Confidential Mode appears in the Gmail compose window as a lock icon at the bottom of the toolbar. Clicking it opens a dialog for expiration and passcode settings.

The message body is not encrypted. Google servers store the message in the same format as any other Gmail message. The controls are behavioral, meaning they restrict what the recipient can do in the Gmail interface.

The recipient can still screenshot the message, retype it, or print the screen. The expiration setting removes access from the Gmail viewer, but any content already read is out of the sender’s control.

For casual privacy, Confidential Mode is useful. For HIPAA or any regulated data, it is not sufficient. The Security Rule requires actual encryption of the transmitted content.

Native S/MIME in Gmail requires Enterprise Plus

Google Workspace supports hosted S/MIME on Enterprise Plus, Education Standard, and Education Plus. Business Starter, Standard, Plus, and Enterprise Standard do not include native S/MIME.

To enable S/MIME, an administrator uploads each user’s S/MIME certificate through the Admin console and configures the S/MIME setting under Apps, Google Workspace, Gmail, User settings.

Sending an encrypted message to an external recipient requires the recipient’s public certificate. If Gmail does not have the certificate on file, the compose window shows the message as signed but not encrypted.

The certificate exchange problem is the reason most practices skip S/MIME even when the plan supports it. Patients and external contacts rarely have S/MIME certificates.

can i encrypt an email in gmail in article illustration one

Third-party extensions add encryption to any Gmail plan

Browser extensions like Mailhippo, Virtru, and FlowCrypt add an encryption toggle to the Gmail compose window. When the toggle is on, the extension encrypts the message before it leaves the browser.

External recipients receive a link and open the message in a portal. They authenticate with a Google, Microsoft, or email-verified passcode, depending on the extension.

The advantage over S/MIME is that recipients need no configuration. The advantage over Confidential Mode is that the encryption is real. The trade-off is a per-user monthly fee.

For healthcare senders, the extension has to come with a signed BAA. Mailhippo, Virtru, and Paubox all offer BAAs. FlowCrypt does not, which rules it out for HIPAA use. Practices weighing which extension to install often compare notes across how can i encrypt my emails and similar decision guides.

Outlook 365 has an Encrypt button that triggers Purview

Can I encrypt an email in Outlook? Yes. On Microsoft 365 Business Premium or higher, the Encrypt button appears on the Options ribbon in Outlook Desktop and in the Actions menu in Outlook on the web.

Clicking Encrypt applies Microsoft Purview Message Encryption. The message body and attachments are encrypted, and external recipients receive a portal link that they open after authenticating with Microsoft, Google, or a one-time passcode.

The Encrypt button only appears if Azure Rights Management is active on the tenant. If a super administrator has never enabled it, the button is invisible even on the correct license.

On Business Basic or Business Standard, the Encrypt button is not available. Practices on those plans need to upgrade to Business Premium or use a third-party gateway.

Example

A family law attorney on GoDaddy Professional Email started sending confidential settlement drafts to opposing counsel and clients. She assumed the padlock icon in her webmail meant messages were encrypted end-to-end. Her paralegal researched the plan and discovered GoDaddy Professional Email uses TLS in transit only, with no message-level encryption and no BAA. The firm migrated the 4 mailboxes to Microsoft 365 Business Premium through GoDaddy at $88 per month total, activated the Encrypt button, and set a mail flow rule requiring encryption on all outbound client mail.

Outlook Desktop supports S/MIME on any plan

Outlook Desktop has supported S/MIME for over 20 years. The setup runs through File, Options, Trust Center, Trust Center Settings, Email Security.

A user imports an S/MIME certificate from a certificate authority into the Windows certificate store, then binds it to their Outlook profile. Digital signing and encryption become available on the compose window.

To send an encrypted message to an external recipient, the sender needs the recipient’s public certificate. Outlook stores public certificates from previously received signed messages, which is how the exchange usually happens.

Outlook on the web has more limited S/MIME support and requires the S/MIME control installed through the browser. Outlook Mobile does not support S/MIME send at all on most versions.

can i encrypt an email in gmail in article illustration two

Consumer Outlook.com has free encryption between Microsoft accounts

Outlook.com consumer accounts include free encryption for messages between Microsoft accounts. The shield icon in the compose window toggles encryption on.

The recipient experience depends on what account they use. Other Outlook.com or Microsoft 365 users see the decrypted message natively. External recipients on Gmail, Yahoo, or similar receive a portal link.

The free encryption tier does not include a BAA. Microsoft signs BAAs on Microsoft 365 business plans, not on consumer Outlook.com. Healthcare users on Outlook.com are not compliant.

For a personal user who wants to send an encrypted message once in a while, Outlook.com’s built-in encryption is a fine free option. For a practice, it is not.

GoDaddy email splits into two products with different encryption options

GoDaddy sells two email products under two brand names. Professional Email is GoDaddy’s own product, and Microsoft 365 from GoDaddy is a rebranded Microsoft 365 tenant.

On Professional Email, transit encryption uses TLS whenever the receiving server supports it. There is no built-in body encryption. Users who need it install a third-party extension or upgrade.

On Microsoft 365 from GoDaddy, encryption works exactly like any Microsoft 365 tenant. Business Premium and higher get the Encrypt button. Lower tiers do not.

GoDaddy does not sign a BAA for its consumer-tier products. Healthcare senders on GoDaddy need to be on the Microsoft 365 Business Premium tier, activate the BAA through the Microsoft admin center, and use Purview or a third-party service for encryption.

๐Ÿ’กPro Tip: Confirm the BAA is signed before trusting any padlock icon

Every email vendor displays some security indicator, and users routinely interpret padlock icons as evidence of HIPAA compliance. The icon usually indicates only TLS-in-transit, not message-level encryption or business associate coverage. Before sending PHI through any account, verify the BAA is signed and covers the specific service in use. Google Workspace Admin console records the acceptance under Legal and compliance. Microsoft 365 records it in the Service Trust Portal. GoDaddy Professional Email offers no BAA at all.

Comparison of encryption methods across common clients

The three main methods, TLS, S/MIME, and portal-based, each have trade-offs. TLS is automatic and covers most modern receivers, but the sender has no visibility into whether a specific message actually used TLS on delivery.

S/MIME is strong when both sides have certificates, but the certificate exchange kills the workflow for most external recipients. Portal-based services solve the certificate problem but add a step for the recipient.

Method Recipient effort HIPAA-ready Included in
TLS only None Only with signed BAA plus verified TLS enforcement Every provider
Gmail Confidential Mode Passcode entry No Every Gmail plan
S/MIME Certificate install Yes, if BAA in place Enterprise Plus, Outlook Desktop, Microsoft 365
Purview Message Encryption Portal login Yes, if BAA in place Microsoft 365 Business Premium+
Third-party portal service Portal login Yes, with signed BAA Mailhippo, Virtru, Paubox

The right column matters more than the others for a healthcare practice. If the encryption method is not paired with a signed BAA, it does not meet the Security Rule requirement regardless of how strong the cryptography is.

What to choose based on the sender’s situation

A solo practitioner on Gmail should install a hosted encryption service and skip the plan-tier gymnastics. The monthly fee is smaller than the friction of managing S/MIME certificates for every recipient.

A small group practice on Microsoft 365 Business Standard should upgrade to Business Premium, activate the Encrypt button, and train staff on when to use it. That is the shortest path to compliance for a Microsoft-first shop.

A larger clinic with mixed email systems benefits from a gateway service that sits in front of every outbound path. The gateway enforces encryption regardless of which client the user sends from.

Practices that want the marketing site and patient intake to match the email compliance posture should work with an agency familiar with HIPAA-compliant website design so the intake forms, the appointment reminders, and the outbound clinical mail all share the same encryption story.

Quick setup steps for the three most common configurations

For Google Workspace Business Standard with a hosted encryption service: sign up with the vendor, connect the Gmail account through OAuth, install the browser extension, and send a test message to a personal address on a non-compliant server. Confirm the recipient sees a portal link.

For Microsoft 365 Business Premium: activate Azure Rights Management under Settings, Org settings, Services, Microsoft Azure Information Protection. Confirm the Encrypt button appears in the Outlook ribbon. Send a test message.

For Outlook Desktop with S/MIME: purchase a certificate from a certificate authority, install it in the Windows certificate store, bind it under Trust Center, Email Security, and exchange a signed message with the intended recipient to swap public certificates.

The Google Confidential Mode help page and the Microsoft Purview documentation both walk through the client-side steps for reference.

  • Check the plan tier before choosing an encryption method.
  • Skip Confidential Mode for any regulated data.
  • Use a third-party hosted service if S/MIME certificate exchange is not practical.
  • Confirm a signed BAA is in place before sending PHI over any channel.
  • Test with a real external recipient before rolling out to staff.

Answering can i encrypt an email in gmail is the easy part. The harder question is which method fits the sender’s plan, the recipient’s setup, and the compliance requirements attached to the content. The right combination changes the moment any of those three factors change.

Frequently Asked Questions

Can I encrypt an email in Gmail without upgrading my plan? +

Yes. Confidential Mode is available on every Gmail plan, though it is not real encryption. For actual body encryption on a Business Starter, Standard, or Plus plan, install a third-party extension like Mailhippo, Virtru, or FlowCrypt. The extension encrypts the message before it leaves the browser and delivers external recipients a portal link. Native S/MIME requires Enterprise Plus. The extension route is the simplest way to add real encryption to a Gmail account without changing the plan tier.

How can I encrypt an email for free? +

Free options exist but each has a limit. ProtonMail encrypts messages to other ProtonMail users automatically and delivers messages to outside recipients through a password-protected portal. FlowCrypt adds free PGP encryption to Gmail through a browser extension. Outlook.com sends free encrypted messages between consumer Microsoft accounts. None of the free options include a business associate agreement, so they are unsuitable for healthcare use. Compliance-grade sending requires a paid service with a signed BAA.

Can I encrypt an email in Outlook? +

Yes. On Microsoft 365 Business Premium or higher, click the Encrypt button on the message ribbon to trigger Purview Message Encryption. On any plan with S/MIME certificates installed, click the security icon and choose Encrypt Message Contents. On Outlook.com consumer, click the shield icon in the compose window to send a message with Microsoft encryption. Each option produces a slightly different recipient experience, but all three encrypt the message body and support external delivery.

How can I easily encrypt an email from any client? +

The easiest path across every client is a third-party encryption service that connects to the existing account. Mailhippo works this way with Gmail, Outlook, and any IMAP or SMTP account. Send from the normal compose window, and the service encrypts the message automatically before it reaches the recipient. No certificates, no toggle, no compose window changes. The recipient gets a portal link or an encrypted TLS-delivered message depending on their provider’s support.

How does GoDaddy encrypt email on its Professional Email plan? +

GoDaddy Professional Email uses TLS for transit encryption whenever the receiving server supports it. There is no built-in body encryption on the standalone Professional Email product. Users who need message-level encryption on GoDaddy Professional Email have to install a third-party extension or upgrade to the Microsoft 365 tier sold through GoDaddy. GoDaddy does not sign a BAA for its consumer or small-business tiers, so healthcare senders need to be on a Microsoft 365 plan that qualifies for the Microsoft BAA.

Does encrypting an email guarantee the recipient can read it? +

No. If the recipient does not have S/MIME certificates configured and the encryption path used S/MIME, they cannot decrypt the message. Portal-based services solve this by delivering a link the recipient opens in a browser, which works on any email client. Before sending an encrypted message to a first-time recipient, most encryption services show a preview of what the recipient will see. That preview is useful for confirming the recipient will actually be able to open the message.

What is the difference between encryption and Confidential Mode in Gmail? +

Confidential Mode adds three controls to a message. The recipient cannot forward, copy, print, or download the message from the Gmail interface. The message expires on a schedule the sender sets. The recipient must enter a passcode sent by SMS to open it. None of those controls encrypt the message content. Google can still read the body, and a determined recipient can screenshot the content. Real encryption protects the body from anyone without the decryption key.