๐ Key Takeaways
- Four opening paths cover encrypted email: Purview portal, Gmail link, gateway login, or S/MIME.
- Purview messages open in a browser tab after a Microsoft, Google, or passcode sign-in step.
- Gmail Confidential Mode expires on a set date and may text a passcode to outside recipients.
- Portal services like Proofpoint and Cisco need a password on first read, reused on later mail.
- S/MIME decrypts inline once the recipient certificate is installed and current in the mail client.
Opening an encrypted email looks different depending on the platform the sender used. The recipient sees a notification message, clicks a button or link, and completes one of four verification paths to view the content.
This guide covers how to open an encrypted email in Outlook, Gmail, Office 365, and the major portal-based services. Each path takes about a minute and works in any modern browser.
The right steps depend on the notification. Read the sender name and the from address on the notification message before clicking. That identifies the platform and the correct opening path.
Microsoft Purview Messages Open Through outlook.office365.com
Microsoft Purview Message Encryption is the default encryption service for Outlook and Microsoft 365. Recipients see a notification email with a Read the message button and a From address that reads something like microsoft@example.com or a service address from the sender organization.
Click the Read the message button. A browser tab opens on outlook.office365.com. The tab shows three sign-in options: sign in with a Microsoft account, sign in with a Google account, or request a one-time passcode.
Choose the option that matches the recipient address. Microsoft accounts work for Outlook.com, Hotmail, Live, and any Microsoft 365 tenant address. Google accounts work for Gmail and Google Workspace addresses. The one-time passcode option works for any address, including personal accounts on other providers.
Once signed in or after entering the passcode, the message body displays inline. Attachments appear below with download buttons. The reply button at the top opens a compose window that encrypts the reply back to the sender. Detailed steps are in the Microsoft support guide for opening protected messages.
Gmail Confidential Mode Uses a View the Email Link
Gmail Confidential Mode messages arrive with a body that reads something like “The sender has sent you a message” and a View the email link. The link opens the message inside Gmail for Google users or on a Google-hosted page for recipients on other providers.
The sender can require SMS verification. If enabled, the recipient receives a passcode by text message. Enter the passcode in the browser to view the message. The verification adds a second factor beyond the mailbox access.
Confidential Mode messages carry an expiration date set by the sender. The View link stops working after the expiration. Reply, forward, print, and download may be blocked depending on the sender configuration. The message content remains on Google servers and can be recalled by the sender at any time before expiration.
Recipients do not need a Google account for one-off Confidential Mode messages. The Google-hosted page shows the content after the SMS or link verification. For business use with HIPAA-regulated content, Confidential Mode is not a sufficient control on its own.

Proofpoint Portal Requires First-Time Registration
Proofpoint Encryption sends a notification email with a Click here to read your secure message button. The From address shows the sending organization plus a Proofpoint service address. The button opens the Proofpoint Encryption portal in a browser.
First-time recipients register with the email address and set a password. The registration screen asks for a first name, a last name, and a password meeting the length and character rules the sending organization configured. Registration completes in under a minute.
Repeat recipients sign in with the existing password. The portal shows a message list similar to a webmail inbox. Click a message to read the body and any attachments. Attachments download inside the portal. Reply from the reply button at the top of the message.
The portal maintains a session cookie so repeat access does not require sign-in during the same browser session. Sign-out ends the session. Password reset works from a Forgot password link on the sign-in page and sends a reset link to the recipient email.
S/MIME Messages Open Automatically in the Mail Client
S/MIME encrypted messages open automatically inside a mail client that has the recipient certificate installed. Outlook, Apple Mail, and Thunderbird all support S/MIME. The client uses the private key stored with the certificate to decrypt the message on receipt.
The recipient does not click a portal link. The message displays as any other email, with an added lock icon in the message header showing that the content was encrypted in transit and decrypted on the client. Attachments open normally after decryption.
If the certificate is missing or expired, the message displays as unreadable ciphertext or as a security warning. The IT team or the individual user needs to install or renew the certificate. Prior encrypted messages need the original certificate stored in escrow for later decryption.
S/MIME works well inside organizations with a managed PKI deployment. It is less common between organizations because both parties need matching certificates from trusted authorities.
A patient at a cardiology practice receives an encrypted lab summary from her Outlook-based physician. The notification email from microsoft@office365.com carries a Read the message button. She clicks it, a browser tab opens on outlook.office365.com, and she picks the one-time passcode option because she uses Yahoo. The passcode arrives in her Yahoo inbox 40 seconds later. She pastes it in the tab, the four-page summary decrypts inline, and she downloads the attached ECG PDF for her records.
Cisco Registered Envelope Uses a Similar Portal Flow
Cisco Registered Envelope Service is another portal-based encrypted email platform used across healthcare, finance, and government. The recipient sees a notification email with an attached file called securedoc.html or a Register button.
Opening the attached HTML file loads the Cisco Registered Envelope portal in the browser. First-time recipients register with the email address, a name, and a password. Repeat recipients sign in with the existing password. The portal shows the decrypted message body and any attachments.
The reply button inside the portal encrypts the reply back to the sender. Registered Envelope maintains the account across all messages from any sender using the same platform, so a single password unlocks messages from multiple sending organizations.
Password reset works from the Forgot password link on the sign-in page. The reset link goes to the recipient email. Registered Envelope also supports single sign-on with Microsoft or Google accounts if the sending organization enabled that option.
One-Time Passcodes Work as the Universal Fallback
The one-time passcode option is available across every major encrypted email platform. Recipients who do not want to create an account or sign in with an existing account request a passcode from the browser tab.
The steps are the same across platforms:
- Click the notification button to open the browser tab
- Choose the passcode option on the sign-in screen
- Check the same email inbox for the passcode email
- Copy the passcode and paste it into the browser
- View the message body and attachments
The passcode email typically arrives within one minute. Check the spam folder if it does not appear. Some corporate mail servers quarantine mail from unfamiliar senders, and the passcode may need to be released by the IT team.
Passcodes expire after fifteen to thirty minutes depending on the platform. If the passcode expires before use, request a new one from the same browser tab. The new passcode arrives in a fresh email.

Expired Links Require a Resend from the Sender
Encrypted email notifications carry an expiration date set by the sender or the platform default. Expired links stop working. The recipient cannot reopen the message from the original notification.
Contact the sender and ask them to resend. Senders on Microsoft Purview can resend from the Sent folder in Outlook. Senders on portal platforms resend from the administrative console. Senders on Gmail Confidential Mode can extend the expiration or resend a new copy.
The message content is not lost. Only the current link stopped working. A resend creates a fresh notification with a new link that carries a new expiration. The recipient opens the new notification using the same steps as the original.
Recipients who read a message on one device and want to reopen it on another should save a local copy while the link is still valid. Most platforms allow download of the message body and attachments during the active session.
Attachments Behave Differently Across Platforms
Attachments in encrypted email arrive along with the message body but the recipient path varies. Microsoft Purview lists attachments below the message with a download button per file. Downloads open in a new browser tab and save to the default download folder.
Portal services like Proofpoint and Cisco Registered Envelope keep attachments inside the portal. Downloads work but the file may lose the encryption once saved locally. This is a critical detail for HIPAA teams. A decrypted PHI attachment on a local disk is subject to the standard HIPAA data protection rules.
Gmail Confidential Mode can disable download entirely at the sender option. If disabled, attachments show as previews inside the browser tab only. This prevents local storage of the file but limits recipient workflow if the file needs to be edited or printed.
Recipients working in a HIPAA-covered role should confirm the local file protection before saving. The healthcare website security features guide covers the wider layer stack that pairs with encrypted email.
The From address and button label identify the platform, and that decides the correct opening path. A message from microsoft@office365.com with a Read the message button means Purview. A securedoc.html attachment means Cisco Registered Envelope. A Click here to read your secure message button means Proofpoint. Matching the notification to the platform saves five minutes of guessing and prevents replying to a plaintext notification address that discards responses.
Reply From the Portal Keeps Encryption End to End
Every major encrypted email platform includes a Reply button inside the portal or the browser tab. Replies sent from the portal encrypt automatically. The response reaches the sender through the same secure channel.
Do not reply from the notification email. The notification is a plaintext email that only alerts the recipient to a message waiting in the portal. A reply from the notification goes to the platform address, not to the sender, and is often auto-discarded.
Portal replies keep the encryption end to end. The sender receives the reply through the same platform they used to send the original message. This maintains the audit trail for HIPAA and other compliance regimes that require encrypted responses to encrypted communications.
If the portal does not include a Reply button, the sender likely disabled reply as a policy setting. Contact the sender through a separate secure channel to continue the conversation.
Recipient Confusion Is the Main Adoption Barrier
The largest practical barrier to encrypted email is recipient confusion at the notification step. Elderly patients, low-technology recipients, and one-off external contacts sometimes ignore the notification because it does not look like a normal email.
Healthcare practices reduce this confusion by:
- Sending a short plaintext heads-up before the encrypted message
- Explaining the process on the patient portal welcome page
- Choosing a service with a one-click recipient path
- Training front-desk staff to answer opening questions on the phone
The Mailhippo model uses a one-click recipient link with no account creation and no password reset. Recipients click the link, enter a one-time passcode delivered to the same email address, and read the message. That reduces the confusion at the recipient step compared to full portal registrations.
Practices measuring open rates on encrypted messages should track the recipient path length. Every extra step lowers the open rate. Shorter paths raise it.
Mailhippo Removes the Portal Friction for Patients
Mailhippo secure email service works with existing Gmail or Outlook accounts and delivers encrypted messages through a one-click link with no keys, no certificates, and no account creation for the recipient. Recipients click the link, enter a one-time passcode delivered to their email, and read the message.
The signed BAA is included in the base plan. Attachments open inline. Replies encrypt automatically. The recipient never installs software and never sets a password. This is the shortest recipient path among common HIPAA email options.
For healthcare practices sending encrypted mail to patients, external providers, and vendors, the shorter recipient path directly raises the open rate on regulated messages. That translates into faster clinical response and fewer follow-up phone calls to walk patients through a portal.
Compare the recipient experience side by side before choosing an encrypted email platform. The HIPAA-compliant website design approach applies the same rule to patient portals. Shorter steps, fewer clicks, higher completion.
Frequently Asked Questions
Open the notification message in Outlook. If the message contains a Read the message button, click it. A browser tab opens on outlook.office365.com. Sign in with the Microsoft account tied to the email address, sign in with a Google account for Gmail addresses, or request a one-time passcode. The passcode arrives in a second email within a minute. Enter it in the browser tab. The decrypted message displays inline with attachments listed below and a reply button at the top.
Gmail messages sent through Google Workspace Confidential Mode arrive with a View the email link. Click the link to open the message inside Gmail if you use a Google account, or on a Google-hosted page if you do not. If the sender enabled SMS verification, a passcode arrives on your phone. Enter the passcode to view the message. The message shows the body and any attachments. The View link expires on the date the sender set, and reply and forward may be blocked.
Proofpoint delivers a notification email with a Click here to read your secure message button. The button opens the Proofpoint Encryption portal in a browser. First-time recipients register with an email address and a password. Repeat recipients sign in with the existing password. The portal displays the message body and any attachments. Reply from inside the portal encrypts the reply back to the sender. If the notification link expires, contact the sender to request a resend.
Office 365 encrypted messages use Microsoft Purview Message Encryption. The recipient sees the same experience whether the sender is on Office 365 Business or Microsoft 365 Enterprise. Click the Read the message button in the notification. A browser tab opens on outlook.office365.com. Sign in with a Microsoft account, sign in with a Google account, or request a one-time passcode. The passcode arrives in a second email. Enter it to decrypt and view the message and attachments in the browser.
Expired links happen when the sender set a short expiration or when the notification is very old. The recipient cannot reopen an expired message from the original link. Contact the sender and ask them to resend. Senders on Microsoft Purview can resend from the sent folder in Outlook. Senders on portal services resend from the vendor administrative console. Senders on Gmail Confidential Mode can extend the expiration or resend a new copy. The message content is not lost, only the current link.
In most cases, no software installation is required. Microsoft Purview, Gmail Confidential Mode, Proofpoint, and other portal services open in a standard browser. S/MIME encrypted messages need the recipient certificate pre-installed in the mail client, which is a one-time setup done by the IT team or the individual user. PGP encrypted messages need a PGP key pair generated in advance and the sender must have the recipient public key. Most business and healthcare encrypted email uses the portal model with no install.
The passcode email typically arrives within one minute. If it does not appear, check the spam folder first. Some corporate mail servers quarantine messages from unfamiliar senders. Wait five minutes and request a new passcode from the same browser tab. If the passcode still does not arrive, check whether the passcode message was routed to a shared inbox or delegated address. Contact the sender to confirm the recipient address they used and request a resend from the sending platform.