How to Email Encrypted Documents in Gmail, Outlook, and Apple Mail

how to email encrypted guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook 365 Business Premium sends encrypted mail in three clicks: Options, Encrypt, pick policy.
  • Gmail S/MIME rides on Enterprise and Education tiers; Business Standard skips the lock icon.
  • Apple Mail S/MIME works once the certificate lands in Keychain; MDM pushes it to iPhones fast.
  • Encrypted attachments need their own layer if the mail client does not wrap them in the envelope.
  • Portal encryption solves the patient certificate problem; test the flow on iOS and Android.

Sending an encrypted email looks simple in a marketing screenshot. In real practice it depends on which mail platform the sender uses, which platform the recipient uses, and whether both sides have the right certificates or the right portal experience.

This guide covers the three main paths. Native encryption in Outlook, Gmail, and Apple Mail. Portal-based gateway services that layer encryption on top of any mailbox. And attachment-level encryption for cases where the message envelope does not carry the protection. A HIPAA-ready encrypted email service covers the second path in one plan.

The goal is a workflow the practice staff will actually use. Encryption that requires ten steps loses the race against the encryption that requires two.

Outlook 365 Business Premium sends encrypted email in three clicks

Open a new message in Outlook. Click Options in the ribbon. Click Encrypt. A dropdown appears with policies like Do Not Forward, Encrypt-Only, and Confidential.

Pick the policy that matches the sensitivity level of the message. Encrypt-Only is the standard choice for general PHI. Do Not Forward adds a restriction that prevents the recipient from forwarding or copying the message content.

External recipients receive a portal link. They sign in with Microsoft, Google, or a one-time passcode sent to the recipient inbox. Microsoft Purview Message Encryption handles the cryptographic work.

The Encrypt button is missing on free Outlook.com accounts and on Microsoft 365 Business Basic. For those tiers a gateway service adds the encryption layer. For more depth on the how to send encrypted email workflow across Outlook plans, review the linked tutorial.

how to email encrypted in article illustration one

Gmail encrypted send depends on the Google Workspace plan

Google Workspace Enterprise and Education plans support hosted S/MIME. Administrators upload user certificates to the admin console, and the Encrypt lock icon appears in Gmail compose. Users click the lock and pick a level.

Business Standard and Business Plus plans do not include S/MIME. The Encrypt option is grayed out or missing entirely. Confidential mode is available on every plan and adds passcode gating and expiration.

Confidential mode is not end-to-end encryption. Google can still read the message. For HIPAA workflows on plans without S/MIME, add a gateway service that encrypts outbound messages at the mail server layer.

For a step-by-step tutorial on the Gmail send flow, review the linked how to send encrypted email Gmail guide with plan-by-plan screenshots.

Apple Mail supports S/MIME on macOS and iOS with certificate provisioning

Apple Mail is often overlooked, but it supports S/MIME cleanly. Install the user certificate in the macOS keychain or the iOS device profile. The Mail app auto-detects the certificate.

Compose a new message. If a valid public key exists for the recipient, a blue lock icon appears next to the recipient field. Click the lock and the message goes out encrypted.

Mobile device management profiles can push certificates automatically to staff iPhones. This removes the burden of manual certificate installation. Apple documents the profile format at support.apple.com/deployment.

The main limitation is recipient support. If the recipient does not have a valid S/MIME certificate, the message cannot be encrypted with this method. Portal-based services fill that gap.

Example

A six-provider urology practice runs Outlook 365 Business Premium and averages 40 encrypted messages per week to patients and referring physicians. The compliance officer runs a quarterly test at the end of each quarter. She sends a message from her practice mailbox to a personal iCloud address, opens the portal link on an iPhone, and confirms the one-time passcode arrives within 30 seconds. She documents the pass or fail in the HIPAA risk analysis alongside a screenshot of the Received headers showing TLS 1.3 negotiation.

Portal-based gateway services fit HIPAA workflows best

A gateway service sits between the practice mail server and the internet. Staff send email normally through Gmail or Outlook. The gateway inspects each message against a policy list.

Messages that match a trigger, like a subject line keyword or a recipient on the encryption list, divert to a secure portal. The recipient receives a notification email with a link.

The recipient clicks the link, verifies identity with a one-time passcode, and reads the message in a browser. No certificate, no plugin, no keypair. This works for patients on any device.

Portal services also produce audit logs that show when the message was opened, when the link expired, and whether the recipient forwarded the content. Those logs feed the HIPAA risk analysis process directly.

how to email encrypted in article illustration two

Encrypting attachments as a second layer

Password-protected PDFs add attachment-level encryption. Adobe Acrobat, Preview on macOS, and free tools like PDFsam all support the format. The recipient enters a password to open the file.

ZIP files encrypted with AES-256 offer the same layer for other document types. Windows Explorer, macOS Terminal, and free tools like 7-Zip all support the format. Use AES-256 rather than the older ZipCrypto standard.

The password must travel through a channel separate from the email itself. A phone call, a text message, or a secure messaging app all work. If both the file and the password go through the same mailbox, an attacker with mailbox access gets both.

For sending encrypted documents that need to survive across mail platforms, this dual-layer approach is a reliable fallback. Review the linked how to send encrypted documents via email guide for a detailed walkthrough.

Method comparison across three common scenarios

The table below shows which method fits which scenario. Practices should map their real mail flows against the categories rather than picking a single method for all sends.

Scenario Best method Recipient action
Internal staff email carrying PHI Native S/MIME or Purview Open in mail client
Patient communication Portal-based gateway Click link and verify with passcode
Referral to another clinic Portal or S/MIME if certificate available Portal login or auto-decrypt
Sensitive attachment across mixed platforms Password-protected PDF plus TLS Open file with password

Practices with mixed platforms usually settle on the portal model as the default because it works everywhere. Native S/MIME stays useful for internal mail between staff who all have certificates.

๐Ÿ’กPro Tip: Test the encryption flow on mobile every quarter

Portal login flows that work on desktop sometimes break on iOS or Android because of pop-up blockers, browser policy differences, or MDM restrictions. Once per quarter, send a test message from the practice mailbox to a personal address on a different provider. Open the portal link on both an iPhone and an Android phone. Confirm the one-time passcode arrives and the message renders correctly. This catches issues before a patient hits them on a time-sensitive prescription authorization or lab result.

Testing the encryption flow before high-stakes sends

Every practice should test the encryption flow at least once a quarter. Send a test message to a personal address on a different mail provider. Open the message in the recipient inbox.

Check the message headers. TLS negotiation appears as TLS=version in the Received line. S/MIME shows a lock icon in the mail client. Portal services show a login page.

Test on both desktop and mobile. Portal login flows that work on desktop sometimes break on iOS or Android because of pop-up blockers or browser policy differences. The test catches these issues before a patient hits them.

  • Send a quarterly test to a personal address on a different provider
  • Verify TLS in the message headers
  • Test the portal login on desktop and mobile
  • Document the test result in the risk analysis
  • Retrain staff on any workflow changes

Common mistakes that break the encryption flow

Staff often paste PHI into the subject line and forget the body is where the encryption applies. S/MIME and OpenPGP leave the subject unencrypted. Portal services often replace the subject with a generic notification, but the practice should train staff to keep the subject vague.

Free consumer accounts get used for PHI during on-call rotations. Personal Gmail or Outlook.com accounts do not qualify for a Business Associate Agreement. Staff should have a documented backup path for after-hours PHI sends.

Recipient certificates expire silently. The next S/MIME message to that address fails to encrypt, and the sender may not notice until the recipient reports the problem. Regular certificate audits catch expired public keys.

Practices that align email encryption with strong healthcare website security features close common gaps in patient intake forms where the same PHI often flows through both channels.

Ongoing training keeps the workflow tight

Training is not a one-time event. New hires, platform changes, and new patient portals all reset the baseline. Practices should include encryption training in the onboarding checklist and revisit it annually.

Focus training on the practical scenarios. A referral letter to another clinic. A claim to a billing partner. An intake form sent back to a patient. Each is a moment where the staff member decides to encrypt.

Policy-based gateway services reduce the training burden by making the decision automatic. If the message goes to a specific domain or contains a policy keyword, the gateway encrypts without a manual click.

Practices that pair training with strong healthcare website maintenance keep the patient communication stack aligned. For a single-vendor solution that covers the BAA, the portal, and the audit trail, a HIPAA-ready secure email service removes most of the setup work.

Frequently Asked Questions

What is the fastest way to send an encrypted email? +

For Outlook 365 Business Premium users, click Options, click Encrypt, and pick Encrypt-Only. The message goes through Microsoft Purview Message Encryption and reaches the recipient with a secure portal link. For Gmail on Google Workspace Enterprise, click the lock icon in compose after S/MIME is configured. For every other plan, use a gateway service that layers encryption on top of the existing mailbox. Gateway services require no client setup and produce a consistent recipient experience across sender platforms.

Can I encrypt an email attachment separately from the message body? +

Yes. Password-protected PDFs and ZIP files add attachment-level encryption on top of any message-level protection. This is useful when the sender and recipient use different mail clients. The password should travel through a channel separate from the email itself, like a phone call or text message. If both the encrypted attachment and the password travel through the same compromised mailbox, an attacker gets access to both. Sharing the password through a different channel is a small step that meaningfully raises the effort required for a breach.

Does Gmail confidential mode count as encryption? +

Confidential mode adds passcode gating, message expiration, and controls that disable forwarding, copying, and printing. It does not add end-to-end encryption. Google can still read the message. For HIPAA workflows this is not sufficient by itself. Confidential mode is useful for internal Gmail-to-Gmail messages where extra recipient controls are helpful. For external mail carrying PHI, use S/MIME on the Enterprise plan or a gateway service. Confidential mode on a free Gmail account is not enough for any regulated data flow.

What happens if the recipient cannot open my encrypted email? +

Portal services fall back to a one-time passcode sent to the recipient inbox, which the recipient enters on the portal to open the message. S/MIME messages sent to a recipient without a valid certificate arrive as unreadable ciphertext or attachments. Practices should test the flow before high-stakes sends. Send a test message to a personal address on a different provider and confirm the login works on a phone. If the recipient hits a broken portal, the message may be a prescription authorization that misses a deadline.

How do I send an encrypted email from my phone? +

iOS Mail sends S/MIME encrypted messages after the certificate is installed in the keychain. Outlook mobile supports Encrypt on Business Premium accounts, and Gmail mobile supports S/MIME on Enterprise accounts. Portal-based gateway services work identically on desktop and mobile because the encryption happens at the mail server, not on the device. For occasional PHI sends from a personal phone during on-call rotations, the portal model is the simplest option. Free personal accounts should not be used for PHI regardless of device.

Does an encrypted email hide the subject line? +

S/MIME and OpenPGP encrypt the message body and attachments but leave the subject line, recipient address, and sender address unencrypted. Portal-based services often replace the subject line with a generic notification like Secure message from Practice Name. That reveals the sender but hides the topic. Practices should train staff to avoid sensitive terms in the subject line even when the body is encrypted. A subject line of Test results for Patient Smith leaks PHI on its own.

How do I verify my encrypted email actually worked? +

Send a test message to a personal address on a different mail provider. Open the message in the recipient inbox. If the sender used TLS, the Received headers show TLS=version. If the sender used S/MIME, the message shows a lock icon and requires the recipient certificate to decrypt. If the sender used a portal service, the recipient sees a login page rather than the message body inline. NIST recommends quarterly verification of encryption controls as part of the risk analysis process.

Outlook Secure Email Encryption for Healthcare and Business Users

outlook secure email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook offers three encryption paths: Purview Message Encryption, S/MIME certs, and plain TLS.
  • The Encrypt button appears only on Business Premium, E3, E5, or a Microsoft 365 Compliance add-on.
  • S/MIME delivers true end-to-end but demands certificates on both sides and per-recipient exchange.
  • Opportunistic TLS drops to plain text without warning; force TLS via mail flow rules for HIPAA.
  • Microsoft’s BAA covers Purview only on eligible plans; unlicensed tenants need a dedicated service.

Outlook secure email encryption covers three distinct mechanisms, and each one solves a different problem. Confusing them wastes IT hours and leaves protected mail exposed.

Microsoft ships Purview Message Encryption, S/MIME, and opportunistic TLS across the Microsoft 365 stack. The right choice depends on plan level, recipient environment, and whether the send touches regulated data like PHI. For teams that need a simpler layer over Outlook or Gmail, a dedicated encrypted email service handles the details in the background.

This guide walks each option, the license and setup requirements, and where Outlook secure email encryption fits inside a HIPAA compliant workflow.

The Three Encryption Layers Outlook Actually Supports

Outlook does not have a single encryption switch. It exposes three layers, and each protects a different piece of the send.

Transport Layer Security protects the connection between the sender mail server and the recipient mail server. Microsoft 365 negotiates TLS on every outbound send by default. If the receiving side supports it, the wire hop is encrypted.

Microsoft Purview Message Encryption sits on top of Exchange Online and wraps the message in a portal experience. The Encrypt button on the Outlook Options ribbon triggers it. External recipients open the message through a link and authenticate with Microsoft, Google, or a one time passcode.

S/MIME encrypts the message body with a certificate pair. The sender needs a certificate installed in the Windows certificate store. The recipient needs a matching public certificate that the sender has previously received. It is the strictest option and the most technical to run at scale.

TLS Is a Baseline, Not a Compliance Answer

TLS in Outlook covers the connection between mail servers. Exchange Online offers TLS 1.2 and TLS 1.3 depending on the negotiation with the receiving system.

The catch is that TLS is opportunistic by default. If the receiving mail server does not advertise TLS support, Exchange Online delivers over plain text unless a mail flow rule enforces the connection or blocks the send.

TLS also does nothing once the message lands. The body sits in the recipient inbox as regular mail. Anyone with access to the receiving mailbox can read it, and anyone who compromises that account reads the message too.

For HIPAA sends, TLS is the floor. Auditors expect message level encryption on top of TLS, either through Purview, S/MIME, or a third party secure email service. Force TLS on outbound connectors with mail flow rules when TLS must not fall back.

outlook secure email encryption in article illustration one

Microsoft Purview Message Encryption Explained

Microsoft Purview Message Encryption, formerly Office 365 Message Encryption, is the mechanism most Outlook users know as the Encrypt button. It builds on Azure Rights Management.

Senders click Options, then Encrypt, then pick a policy. The default policies are Encrypt Only, Do Not Forward, Confidential, and Highly Confidential. Encrypt Only lets the recipient read and reply. Do Not Forward blocks forwarding and printing.

External recipients receive a wrapper email with a link. Clicking the link opens the Microsoft encrypted message portal. They authenticate with a Microsoft account, a Google account, a Yahoo account, or a one time passcode delivered by email.

Microsoft 365 users inside the same tenant see the message inline. No portal is needed. See the Microsoft Learn Message Encryption documentation for full setup detail.

S/MIME Setup for Certificate Based Encryption

S/MIME uses a certificate pair for signing and encryption. It is the strongest form of Outlook secure email encryption in the sense that only the recipient private key decrypts the message.

Start by obtaining a valid S/MIME certificate. Public certificate authorities issue them, and enterprises with an internal PKI can issue them as well. Install the certificate in the Windows certificate store on the sender device.

In Outlook desktop, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings and pick the installed certificate. Set the hashing and encryption algorithms. AES-256 for content and SHA-256 for signatures are the current defaults.

Before encrypting to a recipient, send a signed message first. The signature carries the sender public certificate. The recipient client stores it and can then encrypt replies back. Both sides need this exchange to complete before message level encryption works.

Example

A 12-seat orthodontic office runs on Microsoft 365 Business Standard at $12.50 per user per month. Staff need to send treatment plans to referring dentists and patient parents. Business Standard has no Encrypt button. Upgrading all 12 seats to Business Premium at $22 raises the monthly bill by $114. Instead, the office adds a dedicated secure email service at $10 per mailbox for the four staff who send regulated mail. Total added cost is $40 per month, BAA included in the base plan.

Comparing Purview, S/MIME, and TLS at a Glance

Each Outlook encryption path fits a different use case. The table below maps the main attributes so an IT lead can pick without reading three product pages.

Attribute Purview Message Encryption S/MIME TLS
Encryption scope Message body and attachments Message body and attachments Server to server connection
License required Business Premium, E3, E5, or add on Any Microsoft 365 plan with valid certificate Included on all plans
Recipient experience Portal link with sign in or passcode Inline in S/MIME capable clients Transparent
Per recipient setup None Public certificate exchange None
Fits HIPAA sends Yes, under Microsoft BAA Yes, with proper key management Only as a supporting layer
Ease of ad hoc use High Low N/A

Purview and a third party service handle the ad hoc case cleanly. S/MIME fits fixed partner exchanges where certificates are exchanged once and reused.

Enabling the Encrypt Button in the Outlook Ribbon

Purview Message Encryption is on by default for eligible tenants. The Encrypt button appears in Outlook on the web, Outlook for Windows, Outlook for Mac, and modern mobile Outlook apps.

If the button is missing, the tenant likely lacks a qualifying license, or Azure Rights Management is not activated. In the Microsoft 365 admin center, an administrator can verify license assignment on the user and confirm the Rights Management service is active.

Administrators can also set default encryption behavior through mail flow rules in the Exchange admin center. A rule can apply Encrypt Only when a message contains the word confidential in the subject, or when the recipient domain matches a partner list.

Sensitivity labels created in Purview can bind an encryption policy to specific document types or user groups. Labels apply on the client and travel with the message. See Microsoft Learn on sensitivity labels for configuration steps.

outlook secure email encryption in article illustration two

HIPAA and Outlook Encryption in Practice

Healthcare organizations sending protected health information over email need message level encryption plus a business associate agreement with the vendor handling the mail. Microsoft signs a BAA covering Microsoft 365, Exchange Online, and Purview Message Encryption on eligible plans.

The BAA only applies to workloads that are actually enabled and licensed. A tenant without Business Premium cannot rely on the Purview coverage inside the BAA for encrypted sends.

Related reading on the compliance side sits in the Mailhippo library. See the sibling guide on hipaa secure email for a broader compliance walkthrough and the piece on office 365 hiipa compliant secure email encryption outlook for the direct Microsoft 365 configuration path.

Practices building the underlying digital estate can also review Redefine Web guidance on healthcare website security features, which covers the wider control set that pairs with encrypted email.

Purview Versus Voltage, Cisco, and Third Party Services

Purview Message Encryption is the native path. Other tools plug into Outlook and Exchange Online through connectors or transport rules.

OpenText Voltage Secure Email, formerly Voltage SecureMail, uses identity based encryption. Recipients open messages through a browser or an add in without exchanging certificates. It suits large enterprises with existing OpenText security investment.

Related sibling coverage on the Cisco side sits at the guide on secure email encryption service cisco, which walks the Cisco Secure Email Encryption Service configuration path for organizations already on the Cisco email security stack.

For a broader look at the encryption format layer, the sibling piece on secure mail email encryption covers S/MIME versus PGP tradeoffs in more depth. Third party services fit best when the goal is a BAA in the base plan and a one click recipient experience without per certificate management.

๐Ÿ’กPro Tip: Force TLS on partner connectors before assuming it works

Opportunistic TLS drops to plain text when the receiving server does not advertise support, and Exchange Online does not warn the sender. For any recurring partner exchange, build a mail flow rule that requires TLS to the specific recipient domain and blocks delivery on fallback. Message trace logs then prove TLS negotiated on every send. That evidence is what auditors ask for during a HIPAA review.

Common Outlook Encryption Errors and How to Fix Them

Users hit a small set of predictable errors. Most are license or certificate mismatches rather than product defects.

  • Encrypt button is grayed out. The user account is not licensed for Business Premium, E3, E5, or a compliance add on. Assign the license or route through a third party service.
  • Recipient cannot open the message. The portal link expired or the recipient blocked the sign in email. Resend with a one time passcode option enabled in the mail flow rule.
  • S/MIME message shows Signature not valid. The sender certificate expired or was not issued by a trusted root the recipient client recognizes. Renew the certificate and confirm the root chain.
  • Message drops to plain text on send. The receiving server did not offer TLS. Configure a partner connector with force TLS and TLS certificate verification.
  • Encrypted attachment cannot be opened. The recipient client stripped the wrapper. Use the Encrypt Only policy rather than Do Not Forward for external partners on non Microsoft clients.

Log message trace results in the Exchange admin center to confirm what actually happened on the send. Trace results show whether TLS negotiated and which mail flow rule applied.

When a Dedicated Secure Email Service Fits Better

Native Outlook encryption works well on Business Premium and above with a stable IT team. Smaller practices and mixed environments hit friction on license cost, certificate management, and recipient support.

A dedicated secure email service like Mailhippo layers on top of the existing Outlook or Gmail mailbox. The sender workflow does not change. A short button sends the message through the encrypted channel, and the recipient opens it with a one click link. A BAA is included in the base plan.

The tradeoff sits between native platform integration and simplified operations. Purview is deeply tied into the Microsoft 365 admin experience. A dedicated service is faster to deploy across a small team, cheaper per seat below the Business Premium line, and does not require certificate management.

Rollout Checklist for a Clean Outlook Encryption Setup

A tidy rollout avoids the two common failure modes: users cannot find the Encrypt button, and receivers cannot open the message. Both trace back to preparation.

  • Audit Microsoft 365 licenses. Confirm the seats that need to send encrypted mail are on Business Premium, E3, E5, or a compliance add on.
  • Verify Azure Rights Management is active in the Microsoft 365 admin center.
  • Sign the Microsoft BAA and archive it with compliance records. Confirm the covered workloads.
  • Build mail flow rules that apply Encrypt Only for messages tagged confidential in the subject or sent to a defined partner list.
  • Publish an internal one page guide with the exact steps to click Encrypt, plus a screenshot of the recipient portal.
  • Test end to end with a personal Gmail address and a personal Yahoo address before the first live send.

Practices that need a BAA at a lower price point or that run mixed Gmail and Outlook environments should evaluate Mailhippo alongside the native path. The HIPAA Journal encryption reference gives the compliance backdrop for either choice.

Sibling reading for teams still building the compliance stack sits at the guides on hipaa secure email and secure encrypted email. The right Outlook secure email encryption setup is the one that matches license reality, recipient behavior, and the audit trail the compliance team needs.

Frequently Asked Questions

Is Outlook email encrypted by default? +

Outlook connections to Microsoft 365 use TLS, so mail moves encrypted between the client and Exchange Online. Delivery between Exchange Online and external mail servers uses opportunistic TLS when both sides support it. That is transport encryption only. The message itself is not encrypted at rest in the recipient inbox unless the sender applied Microsoft Purview Message Encryption, S/MIME, or a third party encryption service. Confidential business mail and any protected health information need one of those explicit layers on top of default TLS.

What license do I need to use the Encrypt button in Outlook? +

The Encrypt button on the Options ribbon requires Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, or an add on Microsoft 365 E5 Compliance license. Business Basic and Business Standard do not include Purview Message Encryption. Home and personal plans do not include it either. If the tenant is licensed, the button is available in Outlook on the web, the Windows desktop client, and the Mac desktop client. Administrators may also expose it inside mobile Outlook apps.

How does S/MIME differ from Microsoft Purview Message Encryption? +

S/MIME encrypts the message body with a certificate pair, so only the recipient with the matching private key can read it. Purview Message Encryption wraps the message in a portal experience where external recipients authenticate to view it. S/MIME needs certificates on both sides and does not require a portal. Purview needs a licensed Microsoft 365 tenant and works with any recipient email address. S/MIME fits fixed partner exchanges. Purview fits ad hoc secure sends to patients, clients, or unknown external parties.

Can I encrypt a Gmail message from Outlook? +

Outlook can send to any Gmail address. Whether the message is encrypted depends on the mechanism the sender applied. TLS covers the server hop when both Microsoft and Google negotiate it, which they do by default. If the sender used Purview Message Encryption, the Gmail recipient gets a portal link and signs in with Google. If the sender used S/MIME, the Gmail recipient needs S/MIME support and a matching certificate. Third party secure email services handle Gmail delivery with no setup on the recipient side.

Does TLS meet HIPAA email requirements on its own? +

TLS alone does not satisfy HIPAA in most audit reviews. The HHS guidance treats email as an addressable specification, which means covered entities must implement encryption or document why a different safeguard fits. Opportunistic TLS can drop to plain text if the receiving server does not support it, and messages sit unencrypted at rest in the recipient mailbox. Purview Message Encryption, S/MIME, or a dedicated secure email service provides message level protection that fits the standard cleanly and is easier to defend during an audit.

How do I turn on S/MIME in Outlook? +

Obtain a valid S/MIME certificate from a public certificate authority or internal PKI and install it in the Windows certificate store. In Outlook desktop, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, select the certificate and set the algorithms. Exchange public certificates with each recipient by sending a signed message first. On future outbound mail, click the Sign or Encrypt icon on the Options tab. Outlook on the web supports S/MIME through a browser extension distributed by Microsoft.

What if I need to send secure email but do not have Business Premium? +

The two practical paths are upgrading to a licensed plan or adding a dedicated encrypted email service. Upgrading applies across the seat, which raises cost linearly with headcount. A dedicated service like Mailhippo layers on top of the existing Outlook or Gmail mailbox, includes a BAA in the base plan, and does not require the sender to change clients. Recipients open messages through a one click portal or receive an encrypted PDF, depending on the delivery preference set by the sender.

Email Encryption Services Compared for HIPAA and Business Use

email encryption services guide featured image

๐Ÿ”‘ Key Takeaways

  • Email encryption splits three ways: native platform, enterprise appliance, or dedicated service.
  • HIPAA needs a signed BAA; Microsoft, Google, and Mailhippo all offer one, free tiers do not.
  • Sender workflow beats algorithm on daily use; AES-256 is standard across every serious service.
  • Portal sign-ins drop open rates; one-click delivery beats registration on outbound to patients.
  • Real cost is license plus seat fees plus support hours, not the sticker rate on the pricing page.

Email encryption services cover a wide field. Native platform tools sit alongside enterprise appliances and dedicated third party services. Each fits a different buyer.

This guide breaks the market into three buyer categories, walks the leading services in each, and covers the practical factors that matter more than encryption algorithm names. For teams that need a simple encrypted email service with a BAA in the base plan, the last section covers what to look for.

Start by identifying the buyer profile. Platform, budget, and regulated data all narrow the choice fast.

Three Buyer Categories for Email Encryption

The market splits into three groups. Each has different requirements and different budget expectations.

Native platform buyers already run Microsoft 365 or Google Workspace and want encryption inside the platform. They pay for it inside a Business Premium or Enterprise Standard license. Adoption follows the platform admin workflow.

Enterprise appliance buyers run Cisco, Proofpoint, or Mimecast for inbound email security. They add the encryption module from the same vendor for consistency. Budgets sit at the higher end. Deployment involves security team change management.

Dedicated service buyers want a single purpose encrypted email tool that includes a BAA and a simple recipient experience. Small to mid size healthcare practices, legal firms, and financial advisors sit in this group. Deployment is fast, and the mailbox provider does not change.

Native Platform Encryption Services

Microsoft Purview Message Encryption is the native path for Microsoft 365 customers on Business Premium and higher. The Encrypt button in the Outlook ribbon triggers the encryption. External recipients open the message through a portal.

Google Workspace hosted S/MIME is the native path for Google Workspace Enterprise Standard and higher. Administrators upload user certificates. Gmail encrypts and decrypts messages inline for compatible recipients.

Both native paths carry BAA coverage under the respective vendor agreements. Microsoft covers Microsoft 365 workloads. Google covers Google Workspace core services. Confirm the exact workload list in the signed BAA before sending PHI.

Sibling reading on the pure concept side sits at email encryption and on the S/MIME format at s mime email encryption.

email encryption services in article illustration one

Enterprise Appliance Encryption Services

Cisco Secure Email Encryption Service, formerly Cisco Registered Envelope Service, encrypts outbound mail on top of the Cisco Secure Email appliance. Recipients open messages through the Cisco encrypted envelope viewer.

Proofpoint Encryption sits on top of Proofpoint Email Protection. Senders trigger encryption through a subject line keyword, a mail flow rule, or a policy match on message content. Recipients open messages through the Proofpoint Encryption Reader portal.

OpenText Voltage Secure Email uses identity based encryption. Recipients receive a link and read the message through a browser or an add in for Outlook. No certificate exchange is required, though the platform supports S/MIME as well.

Enterprise appliance services fit organizations already committed to the same vendor for inbound email security. Adding the encryption module keeps procurement and support simple. New buyers usually pick a lighter dedicated service instead.

Dedicated Encrypted Email Services

Dedicated services layer on top of an existing Gmail or Outlook mailbox. They add a send workflow for encrypted messages and a portal or link based recipient experience.

Mailhippo is a HIPAA compliant secure email service that adds a send flow through the existing Outlook or Gmail account. The BAA is included in the base plan. Recipients open messages through a one click link without account registration.

Barracuda Email Encryption offers a similar bolt on model with portal based recipient delivery. Barracuda ties the encryption into the wider Barracuda Email Protection stack for buyers who want a broader security posture from one vendor.

Example

A regional accounting firm with 45 seats runs a 14-day pilot across two candidates. Team A tests Microsoft Purview at $22 per seat bundled inside a Business Premium upgrade. Team B tests Mailhippo at $8 per seat added to their existing Business Standard tenant. Purview scores 3.2 support tickets per week from external recipients confused by the portal sign-in. Mailhippo scores 0.4 tickets thanks to one-click open links. The firm picks Mailhippo, saves $7,560 per year, and ships full deployment inside four hours.

Compare the Three Buyer Categories

The table below maps the three categories against the factors that matter on selection. Use it as a shortlist filter before deep evaluation.

Factor Native platform Enterprise appliance Dedicated service
Typical buyer Existing Microsoft 365 or Google Workspace tenant Large org with Cisco, Proofpoint, or OpenText Small to mid size healthcare, legal, or financial team
BAA in base plan Yes on eligible tiers Yes on qualifying plans Yes on Mailhippo and similar
Sender workflow Encrypt button or auto S/MIME Subject keyword or policy rule Add on button or keyword
Recipient experience Portal sign in or inline S/MIME Portal registration and sign in One click open link
Deployment time Days if licensed Weeks with change management Hours with existing mailbox
Per user cost band Bundled in platform license Quote based, higher end Flat monthly per seat

Native platform and dedicated services cover most small and mid size buyers. Enterprise appliances fit larger organizations with existing vendor commitments.

HIPAA Fit and BAA Requirements

HIPAA requires a signed BAA from any vendor that handles protected health information. Email encryption services either offer a BAA or they do not. There is no partial coverage.

Microsoft, Google, Mailhippo, Virtru, Barracuda, Cisco, and Proofpoint all offer BAA coverage on qualifying plans. Free tiers on Proton, Tuta, and Mailfence do not include a BAA. Free email encryption software like Thunderbird OpenPGP is not a service and does not sign a BAA.

The BAA covers the vendor side of the compliance boundary. The customer still owns internal access controls, workforce training, incident response, and risk assessments. HHS publishes the full requirements at the HIPAA Security Rule reference.

For a broader compliance walkthrough, the sibling piece on hipaa compliant email services covers the vendor list and evaluation criteria for regulated buyers.

email encryption services in article illustration two

Sender Workflow and Adoption Friction

The sender workflow determines whether the encryption service actually gets used. If the encrypt button is buried three menus deep, staff route around it.

Microsoft Purview places the Encrypt button on the Options ribbon in Outlook. One click applies the default policy. Staff pick it up fast because it looks like existing Outlook controls.

Google Workspace S/MIME automates the encryption when a valid recipient certificate is available. Senders do not click anything extra. That is the lowest friction option, though it depends on the recipient having a certificate too.

Dedicated services usually add a button through an Outlook add in or a Gmail extension. Some also support a subject line keyword like [encrypt] that triggers the encrypted send from any client. Choose the trigger method staff will actually use.

Recipient Experience and Open Rates

Recipient experience is the largest driver of open rate on outbound encrypted email. Portal registration costs recipients time. Some just abandon the message.

Microsoft Purview supports Sign in with Google and Sign in with Microsoft for external recipients. Users with those accounts open the message in about 15 seconds. Users without either account fall back to a one time passcode delivered by email.

Proofpoint and Zix require the recipient to register an account with the portal on first send. Registration adds two to three minutes. Return users sign in faster but still need the password stored somewhere.

Dedicated services like Mailhippo deliver a one click link that opens the message without account registration. That is the lowest friction path and produces the highest open rate on outbound to patients and clients. Sibling coverage on the concept sits at end to end encrypted email services.

๐Ÿ’กPro Tip: Run a two-week pilot with real recipients

Vendor demos hide recipient friction. Set up trial accounts for two or three staff and send encrypted mail to real external addresses across Gmail, Outlook, Yahoo, and one enterprise domain. Track opens, support tickets, and time to first open. Score on four factors: BAA coverage, sender workflow, recipient open rate, and support burden. The service with the highest recipient open rate and fewest support tickets almost always wins on total cost of ownership over the license year.

Total Cost of Ownership Considerations

License cost is only one part of the total. Support hours, training time, and change management add up.

  • License cost. Bundled in the platform for native, per seat for dedicated services, quote based for enterprise appliances.
  • Deployment hours. Native paths are the fastest if the tenant is licensed. Enterprise appliances need weeks of change management.
  • Training hours. Staff need a short session on the encrypted send workflow. Simpler workflows cut training time.
  • Support tickets. Portal registration on the recipient side generates support requests. One click delivery reduces them.
  • Compliance audits. Documented workflows, audit logs, and BAA archives take less staff time when the service produces them by default.

Model the total across a year including support hours. A cheap service with heavy recipient friction often costs more than a mid priced service with a one click open flow.

Regional and Vertical Specialization

Some buyers filter services by region or vertical. California based practices sometimes ask for services with a state data residency preference. Healthcare buyers filter for HIPAA and 42 CFR Part 2 experience. Legal buyers filter for attorney client privilege support.

Most major services store customer data in US regions by default and offer EU regions on request. California based buyers looking for local vendor presence should look at Mailhippo, Virtru, and Barracuda, all with US operations. Sibling coverage on regional buyer questions sits at email encryption services for business nj.

Healthcare specific coverage sits at Redefine Web healthcare website design for the broader digital estate that pairs with encrypted email in a healthcare deployment.

The HIPAA Journal analysis of email encryption covers the compliance side of vendor selection.

Building a Shortlist and Running a Pilot

Once the buyer category is clear, shortlist two to three services and run a short pilot. A two week pilot on a live team catches problems that a demo cannot.

Set up trial accounts for two to three staff. Send encrypted mail to real external recipients across Gmail, Outlook, Yahoo, and one enterprise domain. Track opens, support questions, and time to first open.

Score on the four factors that matter: BAA coverage, sender workflow, recipient open rate, and support burden. The service with the highest recipient open rate and the fewest support tickets usually wins.

For dedicated services, Mailhippo runs a free trial that includes the BAA workflow. Sibling coverage on the free service side sits at free email encryption service. Buyers on Microsoft 365 Business Premium can pilot Purview at no incremental cost inside the existing tenant.

Frequently Asked Questions

What is the difference between an email encryption service and email encryption software? +

An email encryption service is a hosted platform that handles key management, encryption, and delivery on behalf of the customer. Email encryption software is a client side tool that runs on the sender device and encrypts locally, usually through OpenPGP or S/MIME certificates. Services scale better because the vendor handles infrastructure. Software gives the sender full control over keys and does not depend on a vendor portal. Most healthcare and business buyers pick a service for the operational simplicity and the BAA coverage.

Are email encryption services necessary if my platform already includes encryption? +

Not always. Microsoft 365 Business Premium and above ship with Purview Message Encryption, and Google Workspace Enterprise Standard supports hosted S/MIME. Both cover the encryption use case for tenants already licensed. A separate email encryption service becomes necessary when the platform license does not include the encryption path, when the recipient experience is a friction point, when a BAA is missing, or when the team runs mixed Gmail and Outlook environments that need a common encrypted send workflow.

How do email encryption services handle HIPAA compliance? +

HIPAA compliant email encryption services sign a business associate agreement with the customer, encrypt messages in transit and at rest, restrict access to authorized personnel, maintain audit logs, and support retention policies. The service handles the technical safeguards for the transport layer. The customer still owns access controls, employee training, and incident response on their side. Confirm the BAA covers the specific service and workflow before sending PHI. A signed BAA is the compliance floor, not a substitute for internal policy.

How do I choose the best email encryption service for my business? +

Start with the platform. Microsoft 365 customers on Business Premium or higher can use Purview natively. Google Workspace Enterprise customers can use hosted S/MIME. Teams outside those license tiers should evaluate dedicated services on four factors: BAA coverage, sender workflow, recipient experience, and total cost including seats and support hours. Do a two week pilot with the top two candidates. Measure open rates on outbound and support tickets from recipients. The service with fewer tickets wins in most cases.

What is the difference between end to end encryption and transport encryption on email services? +

End to end encryption means the message is encrypted on the sender device and decrypted only on the recipient device. The service provider cannot read the message. Transport encryption means the message is encrypted only on the connection between mail servers using TLS. The service reads the message during processing. End to end is stronger but often adds recipient friction. Transport is transparent but leaves the message readable at rest on the receiver side. Most services combine both layers for regulated workflows.

Do email encryption services work across Gmail, Outlook, and Apple Mail? +

Portal based encryption services like Mailhippo, Virtru, and Zix work across any inbox because the recipient opens the message through a browser. S/MIME works in Outlook, Apple Mail, and Google Workspace with hosted S/MIME. Microsoft Purview works cleanly for outbound to any inbox but requires a Microsoft 365 sender. OpenPGP works across Thunderbird and browser extensions like Mailvelope but requires per recipient key exchange. Check both the sender platform and the recipient environment before committing to a service.

How much do enterprise email encryption services cost? +

Pricing varies widely. Microsoft Purview is bundled in Business Premium at 22 dollars per user per month. Cisco Secure Email Encryption Service is usually quoted per user per year on top of an existing Cisco email security appliance. Proofpoint Encryption pricing is quote based and depends on user count and features. Dedicated services like Mailhippo publish flat per user monthly pricing that includes the BAA. Add support hours and change management to reach the total cost of ownership. Larger deployments often negotiate volume discounts.

Email Encryption Best Practices That Balance Security and Workflow

email encryption best practices guide featured image

๐Ÿ”‘ Key Takeaways

  • Encryption best practices start with clean account naming, not algorithm choice or key length.
  • Policy-based triggers beat manual clicks; audits find 15 to 30 percent unencrypted PHI otherwise.
  • MFA on sender and recipient accounts blocks the credential attacks that drive most real breaches.
  • Audit logs must cover sender, recipient, timestamp, method, delivery, and access for six years.
  • Locked signatures and short disclaimers reinforce the workflow; length adds no legal weight.

Email encryption best practices sit at the intersection of cryptographic choice, operational discipline, and audit posture. The three areas reinforce each other or fall together.

This guide covers the practices that hold up under regulatory scrutiny, workflow pressure, and staff turnover. For teams evaluating an encrypted email service, the practices below shape which vendor features actually matter.

Read the sections in order. Each layer builds on the one before.

Account Naming Sets the Foundation for Every Downstream Control

Sender account structure decides whether audit logs read cleanly and whether recipient trust holds. Best practice standardizes names before configuring encryption.

A first.last@practice.com pattern reads as a real person and carries the least spam risk. Recipients recognize the name pattern and open the message. Auditors trace the message to a specific staff member.

Shared inboxes like info@ or admin@ complicate audit trails because multiple staff members access the same account. Best practice restricts shared inboxes to non-PHI content and routes clinical email through named accounts.

Personal accounts used for business purposes fall outside every encryption control the practice buys. A staff member forwarding PHI to gmail.com creates an immediate compliance gap that no vendor can fix.

Account cleanup before encryption deployment saves the compliance team from months of gap remediation later.

Policy-Based Encryption Beats Manual Encryption at Scale

Manual encryption where staff click Encrypt on each message produces inconsistent coverage. Policy-based encryption applies automatically based on content rules.

The policy engine scans outbound messages for regulated content markers. Common markers include patient identifiers, social security numbers, credit card patterns, and keywords like PHI or CUI in the subject.

Matching messages trigger encryption without staff action. Staff can still click Encrypt manually for edge cases the policy engine does not catch.

Best practice combines both. Policy handles the bulk of consistent coverage. Manual triggers cover the twenty percent of messages where policy detection is ambiguous.

Practices without policy-based encryption typically show fifteen to thirty percent unencrypted PHI messages in a random audit sample. The gap is not staff carelessness. It is the human error rate for any repeated decision under workflow pressure.

email encryption best practices in article illustration one

Multi-Factor Authentication Protects the Weakest Endpoint

Encryption protects the message in transit and at rest. The credential that unlocks the mailbox is the actual attack surface for most breaches.

Multi-factor authentication on every sender account is the single highest-return security control. The CISA guidance on MFA lists it as a baseline requirement.

SMS-based MFA is better than nothing but weaker than authenticator apps or hardware keys. Scattered Spider and similar groups routinely bypass SMS through SIM swapping.

Best practice uses authenticator apps like Microsoft Authenticator, Google Authenticator, or Authy on all sender accounts. Hardware keys like YubiKey add another layer for high-privilege accounts.

Recipient authentication also matters. Portal-based encryption where the recipient signs in with a weak password provides marginal real protection. Best practice enforces MFA on recipient portals or delivers directly to authenticated business email addresses only.

Transport and Content Encryption Both Belong in the Stack

Best practice layers TLS transport with content encryption. Each layer covers different threats and neither substitutes for the other.

TLS 1.3 between mail servers protects messages against interception on the network path. TLS 1.2 with strong cipher suites is acceptable where 1.3 is not yet supported end to end.

Content encryption using S/MIME, PGP, or a hosted portal protects the message body itself. Content encryption survives at the recipient mail provider and defends against inbox compromise or provider-side access.

MTA-STS on the sending domain forces receiving servers to use TLS. Missing MTA-STS leaves the door open to downgrade attacks that revert to unencrypted transport.

DANE and BIMI on the sending domain add authentication that helps recipient servers verify the sender before delivery. These records reduce spoofing that undermines every downstream trust decision.

Example

A twenty-provider orthopedic group runs a random audit sample of 200 outbound messages before rolling out policy-based encryption. Staff had been using a manual Encrypt button for six months. The audit finds 47 messages with PHI sent unencrypted, or 23.5 percent. After the group deploys a content-scanning rule with a manual override, the next quarterly audit finds 4 unencrypted PHI messages out of 250 sampled, or 1.6 percent. The policy engine catches the volume. The manual button covers the edge cases.

Audit Logging Is Where Compliance Investigations Land

Encryption tools produce audit logs. Whether those logs meet compliance requirements depends on retention, field coverage, and tamper resistance.

Baseline fields include sender identity, recipient identity, timestamp, encryption method, delivery status, and recipient access events. Missing any field creates a gap.

Best practice exports logs from the vendor console to a separate storage system. The separation prevents a compromised vendor account from erasing evidence.

Retention windows depend on the applicable regulation. HIPAA requires six years for the accounting of disclosures. HITRUST requires evidence going back through the certification period. SOX and PCI have their own retention rules.

Monthly log review catches configuration drift early. Practices that only look at logs during audit season find gaps that developed over months and cannot easily reconstruct the record.

Disclaimers and Signatures Reinforce or Undermine the Workflow

Confidentiality disclaimers and signature templates carry independent HIPAA implications alongside encryption. Best practice treats them as reinforcing controls, not as substitutes for encryption.

A concise disclaimer at the message footer notes that the message may contain PHI, states that unauthorized use is prohibited, and provides instructions if the message was received in error. Under one hundred fifty words. Below the signature block.

Long disclaimers reduce readability without adding legal value. Recipients skip past them. Practices should focus disclaimer effort on clarity rather than length.

Signature templates should be locked at the admin level to prevent staff variation. Standard fields include sender name, credential, practice name, direct phone, general practice phone, secure fax number for PHI, and NPI where applicable.

A locked template prevents staff from creating custom signatures that omit required contact routing information. Recipients who need to send PHI back have a clear channel that is not the standard email reply.

email encryption best practices in article illustration two

Comparison of Common Encryption Best Practice Controls

The table below compares four common encryption control approaches across the fields that decide day-to-day compliance posture.

Control Coverage Staff Burden Audit Strength Best Fit
Manual Encrypt button Only messages staff mark High Weak Small teams with strict discipline
Subject line keyword trigger Only messages staff tag Medium Weak Individual power users
Policy-based content scanning All matching content Low Strong Regulated healthcare and finance teams
Blanket encryption on outbound All outbound mail None Strong Practices with sensitive-only workflows

Best practice combines policy-based scanning with a manual override button. The policy handles the volume. The button covers edge cases.

Recipient Verification Reduces Wrong-Delivery Risk

An encrypted message sent to the wrong recipient is still a breach. Best practice adds recipient verification steps before sensitive content leaves the sender.

Address autocomplete in Outlook and Gmail suggests recent recipients. Staff sometimes accept the wrong suggestion under time pressure. A momentary pause to verify the domain matches the intended recipient prevents most autocomplete errors.

External recipient warnings that trigger on messages to non-domain addresses add another pause. Microsoft 365 and Google Workspace both support external tags.

High-sensitivity messages benefit from a delay-send window where the sender has ninety seconds to catch a wrong address. Both Microsoft and Google support delayed delivery natively.

Practices with high patient turnover should also audit the practice management system contact export against the mail platform address book quarterly. Stale contacts route messages to former patients or providers.

Key Management Discipline Across S/MIME and PGP Deployments

Practices running S/MIME or PGP handle cryptographic material directly. Key management discipline decides whether the deployment stays secure over time.

Certificate renewal dates need calendar tracking. Expired S/MIME certificates fail silently for the sender and produce confusing errors for recipients.

Private keys should never travel over unencrypted channels or by email. A staff member switching devices should generate a new key pair rather than copying the old private key.

Public key exchange should happen through signed messages or a trusted directory. Sending a public key from a personal address to a work address opens spoofing risk.

Practices without a full-time IT team usually find hosted encryption services easier to operate than S/MIME or PGP. The vendor handles the key management burden that trips up direct deployments.

๐Ÿ’กPro Tip: Combine policy scanning with a manual override

Manual encryption where staff click a button on each sensitive message produces 15 to 30 percent unencrypted PHI in random audit samples. Policy-based encryption that scans outbound content for regulated markers catches the bulk automatically. Keep the manual button available for edge cases the policy engine misses. Review the policy match log monthly and tune the rules against actual send patterns. The combined model gives the tightest coverage without adding staff burden or triggering workarounds under deadline pressure.

CUI and Regulated Content Add Specific Requirements

Federal contractors handling Controlled Unclassified Information follow NIST SP 800-171. The requirement adds specific cryptographic module validation on top of general encryption practices.

FIPS 140-2 or 140-3 validated modules must handle CUI transmission. Practices verify vendor documentation lists validation status before using the service for CUI.

DFARS 252.204-7012 enforces the requirement in defense contracts. Contractors failing the requirement risk contract cancellation and False Claims Act exposure.

Healthcare practices handling PHI follow HIPAA under HHS. Financial services follow GLBA and PCI DSS. Each regulation has its own encryption specificity that best practices should map explicitly.

Practices with multiple regulatory contexts benefit from a control matrix that maps each control to each regulation. The mapping surfaces gaps and prevents double work.

Related Reading for Deeper Coverage

Email encryption best practices touch several adjacent topics. Practices building the full stack benefit from the companion guides below.

Practices evaluating vendors can review best encrypted email comparisons for shortlist candidates. Vendor fit shapes which practices are achievable in daily operation.

HIPAA-specific detail lives in the HIPAA compliant email foundation and the best HIPAA compliant email comparison. Both cover the BAA, audit, and workforce training requirements.

Practices choosing platforms can review HIPAA compliant email platforms for larger vendor coverage. The platform comparison broadens the shortlist beyond the encryption-only vendors.

Practices starting from the foundational encryption topic can read encryption for email for background. The technical layer sharpens the vendor conversation.

Where Redefine Web Fits the Practice Communication Stack

Email encryption best practices apply to messages that reach the email pipeline. Website forms, patient portals, and marketing automation carry PHI that must reach the same encryption controls.

A contact form on the practice website that emails PHI to a generic Gmail address bypasses every encryption control the practice buys. The submission arrives unencrypted and the audit trail does not exist.

Redefine Web builds HIPAA-aware websites and integrates the forms with encrypted delivery paths. Details on healthcare website security features cover the surface area that sits alongside encrypted email.

A closed-loop review across website, forms, email, and portal reduces the probability that a PHI leak lands in an unencrypted channel by mistake. Best practices reinforce each other only when the surrounding systems align.

Mailhippo fits practices that want strong encryption defaults, policy-based triggers, BAA coverage, and audit logs in one product. The service integrates with existing Gmail or Outlook accounts and covers the practical best practices covered above without adding operational burden.

Frequently Asked Questions

What are the core email encryption best practices for 2026? +

The core practices cover six areas. First, standardize sender account naming so audit trails read cleanly. Second, apply policy-based encryption that triggers on regulated content rather than relying on staff decisions. Third, require multi-factor authentication on all sender accounts and preferably on recipient portals. Fourth, use TLS 1.3 for transport and AES-256 for content encryption. Fifth, export audit logs to tamper-evident storage with retention that meets the applicable regulation. Sixth, review the encryption stack quarterly against current threat intelligence and vendor updates.

How should staff handle disclaimers in HIPAA-compliant email? +

A confidentiality disclaimer at the message footer serves as legal notice but does not create compliance. Best practices for HIPAA disclaimers include a brief statement that the message may contain PHI, a note that unauthorized use is prohibited, and instructions for the recipient if the message was received in error. Long disclaimers reduce readability without adding legal value. The disclaimer should sit below the signature block and stay under one hundred fifty words. Encryption, BAA coverage, and audit logging create the actual compliance posture.

What are email signature best practices for HIPAA-compliant healthcare teams? +

Signature templates should be locked at the admin level to prevent staff variation. Standard fields include the sender name, credential, practice name, direct phone line for clinical questions, general practice phone, secure fax number for PHI, and NPI where applicable. The signature should not include personal mobile numbers unless those numbers are also covered by the encryption or messaging policy. A locked template prevents staff from creating custom signatures that omit required contact routing information for PHI.

How do I encrypt sensitive business emails as a best practice? +

Route the message through a service that encrypts content, not only transport. Options include Microsoft Purview Message Encryption on Business Premium or higher, Google Workspace client-side encryption on Enterprise Plus, or a dedicated service like Mailhippo, Virtru, or LuxSci. Trigger encryption on a policy rule matching regulated content, a subject line keyword, or an explicit Encrypt button click. Verify the recipient can access the message before sending sensitive attachments. Confirm audit logging captures the sender, recipient, timestamp, and delivery event.

What are the CUI email encryption best practices for federal contractors? +

Controlled Unclassified Information handling under NIST SP 800-171 requires FIPS 140-2 or 140-3 validated cryptographic modules for CUI transmission. Federal contractors typically use S/MIME with a certificate from an approved certificate authority, TLS 1.2 or 1.3 with strong cipher suites, and DoD-compliant email gateway configurations. Contractors should verify the encryption vendor documentation lists FIPS validation status and cipher suite support before using the service for CUI. The DFARS 252.204-7012 clause enforces the requirement in defense contracts.

How often should we audit our email encryption stack? +

A quarterly audit cadence covers most healthcare and small business threat models. The audit reviews sender account list against active staff, encryption trigger rule coverage against sending patterns, recipient portal usage against expected delivery paths, and audit log field coverage against retention requirements. Annual reviews add penetration testing and configuration review against current threat intelligence. Practices in regulated industries like healthcare, financial services, and defense contracting should also verify vendor SOC 2 or HITRUST reports have not lapsed and BAA terms remain current.

What is the biggest email encryption best practice mistake? +

The biggest mistake is treating encryption as a technical control instead of an operational discipline. A practice buys a strong encryption service, configures it once, and stops. Staff turnover, workflow changes, new EMR integrations, and vendor updates all shift the encryption coverage over time. Without a review cadence, the deployment drifts from the original design. OCR investigations regularly find practices with encryption tools in place but coverage gaps that developed over months. The best practice is treating the encryption stack as a maintained system, not a one-time purchase.

Secure Email Encryption Service Buyer Guide for 2026

secure email encryption service guide featured image

๐Ÿ”‘ Key Takeaways

  • Three questions decide a secure email vendor: BAA included, auto-trigger, and recipient friction.
  • Office 365 and Gmail bundle native encryption on higher plans, but neither ships a BAA by default.
  • Free services like Proton and Tutanota work for personal use; small clinics outgrow them fast.
  • Entry tier plans run $3 to $8 per seat; enterprise bundles with DLP and archiving hit $10 to $25.
  • Recipient experience drives adoption; portals create tickets, one-click links keep patients happy.

A secure email encryption service protects the contents of a message from the moment a sender hits send to the moment a recipient opens it. Covered entities under HIPAA, financial institutions under GLBA, and law firms handling privileged material all use these services to meet regulatory requirements.

The market splits into three groups. Native tools built into Microsoft 365 and Google Workspace, dedicated third party services like Mailhippo encrypted email, and enterprise gateways from Barracuda, Cisco, and Proofpoint. Each group solves a different problem.

This guide walks through what a secure email encryption service actually delivers, how the main providers compare, and how to test recipient experience before you sign anything.

Secure email encryption service defined

A secure email encryption service scrambles message content so only the intended recipient can read it. The service uses TLS between mail servers as the baseline layer.

On top of TLS, providers add a second layer through S/MIME certificates, PGP keys, or a portal-based delivery model. The second layer protects the message once it lands on a server the sender does not control.

Enterprise services stack more features. Data loss prevention scans outbound content for regulated data. Archiving retains messages for compliance audits. Phishing filters catch inbound threats. Administrative controls let IT enforce encryption on messages that match specific policies.

The core deliverable stays the same across every vendor. Content confidentiality, sender identity verification, and delivery proof. Everything else is packaging.

Office 365 email encryption service options

Microsoft ships Office 365 Message Encryption with Business Premium, E3, and E5 plans. The service runs on Microsoft Purview and adds the Encrypt button to the Outlook Options ribbon on desktop, web, and mobile.

Senders click Encrypt, pick a permission preset, and send. External recipients get a portal link and sign in with Microsoft, Google, or a one-time passcode. Internal recipients see the encrypted message in Outlook without extra steps.

Business Basic and Business Standard plans do not include the Encrypt button. Practices on those SKUs need to upgrade to Business Premium at $22 per user per month or add a dedicated encryption gateway.

Microsoft signs a business associate agreement with covered entities on qualifying plans. Admins need to accept the BAA in the Microsoft 365 admin center under Contracts before sending PHI. Documentation lives at Microsoft Learn Purview Message Encryption.

secure email encryption service in article illustration one

Gmail email encryption service options

Gmail encrypts every message in transit using TLS. Google Workspace paid plans add S/MIME support on Enterprise Plus, which requires certificate management for both senders and recipients.

Confidential mode adds link expiry and SMS passcode options on every Workspace tier. Confidential mode does not encrypt content end to end. The message content sits in Google servers in a readable form for the sender organization.

Google signs a business associate agreement with covered entities on paid Workspace plans configured for HIPAA. Admins accept the BAA in the Workspace admin console. The BAA covers Gmail, Drive, Calendar, Meet, and other core services.

Practices sending real PHI usually stack a dedicated encryption gateway on top of Workspace. The gateway triggers on subject line keywords, data patterns, or recipient domain rules, then routes the message through an encrypted delivery path. See Google Workspace encryption documentation for the current feature matrix.

GoDaddy email encryption service pricing

GoDaddy resells Proofpoint-powered email encryption as an add-on to its Microsoft 365 packages. The add-on runs about $7 per user per month on top of the base 365 license, so a five-seat practice pays roughly $85 per month total.

Senders trigger encryption by adding [encrypt] to the subject line or clicking a button. Recipients register a Proofpoint portal account or verify a one-time code to open messages.

GoDaddy signs a business associate agreement on qualifying plans. The BAA covers the encryption service and the underlying Microsoft 365 tenant. Practices with existing Proofpoint contracts should compare direct Proofpoint pricing at higher seat counts, which often beats the GoDaddy reseller rate.

Support quality varies. GoDaddy phone support handles billing and provisioning. Encryption configuration issues route back to Proofpoint, which adds a delay when a message fails to send. Test the escalation path before you deploy across all seats.

Example

A 20-provider urgent care group ran a 30-day pilot comparing Proofpoint via GoDaddy at $7 per user against Mailhippo at $4.95 per user. They sent 50 identical PHI messages through each service to a mix of iOS, Android, and desktop recipients. Proofpoint required 60 percent of recipients to register a portal account, generating 14 support calls in three weeks. Mailhippo delivered a one-click link that opened for 46 of 50 recipients without an account. The group signed with Mailhippo, saving $492 per month across 20 seats.

Free secure email encryption service trade offs

Free encryption services exist for personal use. ProtonMail, Tutanota, and Skiff offer end to end encrypted email between accounts on the same platform.

Messages to external recipients require the recipient to accept a link, verify a passcode, or install a certificate. Solo practitioners often use free plans for the first quarter of operation, then upgrade once patient email volume rises past 200 messages per month.

Free services rarely sign a business associate agreement. ProtonMail offers a paid Business plan that includes a BAA at $12.99 per user per month. Tutanota and Skiff do not currently offer a BAA at any tier.

Free plans also lack retention controls, audit logs, and admin tools. Compliance risk usually outweighs the license savings once real PHI enters the mailbox. Read the HHS guidance on business associate agreements before picking any free tier for regulated content.

US Bank secure email encryption service model

US Bank uses a portal-based encryption service to send account statements, wire transfer confirmations, and loan documents to customers. Recipients get a notification email with a link to the portal.

The recipient registers an account on the first message, sets a password, and opens the message inside the browser. Follow-up messages from US Bank arrive at the same portal. The model works well for high volume, low urgency correspondence.

Portal-based encryption pushes friction onto the recipient. A customer who cannot find the login page will call the bank. A customer with an expired portal password will call the bank twice.

Financial institutions accept the friction because regulatory pressure outweighs support cost. Healthcare practices with lower call center capacity often pick a zero-step model instead, which delivers the encrypted message directly to the recipient normal inbox.

secure email encryption service in article illustration two

Nonprofit 365 pricing for email encryption service

Microsoft runs a nonprofit program that discounts 365 plans by 30 to 75 percent. Business Basic drops to $0 per user per month for the first 10 seats. Business Standard runs about $3 per user per month.

Business Premium, the plan that includes Purview Message Encryption, drops to about $5.50 per user per month for verified nonprofits. A community clinic with 20 seats pays $110 per month for encrypted email plus Office desktop apps, Intune, and Defender.

Nonprofits still sign the standard business associate agreement in the admin center. The BAA does not change with nonprofit pricing. Documentation lives at the Microsoft Nonprofits portal.

Barracuda, Cisco, and Proofpoint also offer nonprofit discounts of 20 to 50 percent. The discount usually applies to the base plan and not to compliance add-ons, so a small clinic saving money on seats still pays list price for the archiving module.

Mobile and desktop email encryption service parity

The best encryption service works identically on mobile and desktop. Services that require an S/MIME certificate on each device create setup pain for both senders and recipients.

Portal-based services often break the reply flow on mobile browsers. A recipient on an iPhone taps the portal link, logs in, reads the message, then hits reply and gets bounced to a login page again.

Zero-step encryption models handle the mobile case best. The sender uses the normal Gmail or Outlook app on any device. The recipient opens the message inside a standard inbox view on any device.

Test the reply flow on iOS Safari, Android Chrome, and desktop Chrome before committing to a multi-year contract. Vendors will send a test message on request. A five-minute test saves months of user complaints later.

๐Ÿ’กPro Tip: Ask for second-year pricing in writing

Enterprise email security vendors routinely quote a discounted first-year rate that jumps 30 to 50 percent on renewal. Ask for the second-year and third-year rate in writing before signing anything longer than a monthly agreement. Confirm the renewal cap is contractual, not verbal. If the vendor refuses to commit to future pricing, price in an assumed 40 percent renewal jump when comparing total cost of ownership against services with flat published rates.

Provider comparison for secure email encryption service buyers

Buyers picking between vendors weigh four factors above everything else. BAA inclusion, delivery model, price predictability, and admin controls.

Native Microsoft and Google options work well for organizations that already pay for the higher tier plans. Dedicated services like email encryption service providers and encryption email service platforms fit organizations that need a signed BAA in the base plan without a Business Premium upgrade.

Enterprise gateways from Barracuda email encryption service and secure email encryption service cisco add DLP, phishing protection, and archiving in one bundle. The bundles fit organizations with dedicated security teams.

Key evaluation questions:

  • Does the vendor sign a BAA in the base plan or as an add-on
  • Does encryption trigger automatically on regulated content patterns
  • Does the recipient need a portal account, a certificate, or a passcode
  • Does the price stay flat on renewal or jump after year one
  • Does the admin console log every encrypted message for audit

Healthcare practices and secure email encryption service selection

Healthcare covered entities and business associates carry the highest regulatory load. HIPAA, state privacy laws, and payer contracts all require encrypted transmission of PHI.

The right service for a five-person dental practice looks nothing like the right service for a hospital system with 4000 clinicians. Practices with under 50 seats usually pick a zero-step service with a bundled BAA. Larger organizations layer an enterprise gateway on top of Microsoft 365 or Google Workspace.

Practice websites also need to match the same security posture. Patient intake forms, appointment booking, and portal login pages all handle PHI. A HIPAA compliant website design partner handles the web side while the email service handles the mail side.

Practices running healthcare website security features already have most of the operational habits needed to run an encryption service. Password rotation, MFA on admin accounts, and audit log review carry over directly.

Choosing a secure email encryption service without regret

Most buying regret traces back to two mistakes. Picking a vendor without testing the recipient experience, and signing a long contract to lock in a first-year discount that resets on renewal.

Run a 30-day pilot with a single department. Send 50 real messages. Track how many recipients open the message on the first try, how many call for help, and how many ignore the message entirely.

Mailhippo works as an alternative when HIPAA compliance and per-recipient friction both matter. The service adds a BAA in the base plan, works with existing Gmail or Outlook accounts, and delivers messages without asking the recipient to install a certificate or register a portal account. The setup takes minutes.

Whatever vendor you pick, read the renewal clause before signing. Ask for the second-year rate in writing. Confirm the BAA transfers with account transfers. A secure email service that hides its renewal pricing is a service that plans to raise the price on renewal. Reference materials from HIPAA Journal on compliant email and NIST SP 800-177 Trustworthy Email help buyers write a defensible selection memo.

Frequently Asked Questions

What is a secure email encryption service? +

A secure email encryption service scrambles the contents of an email so only the intended recipient can read it. The service uses TLS to protect the connection between mail servers, then adds a second layer with S/MIME certificates, PGP keys, or portal-based delivery. Enterprise services also add data loss prevention, phishing filters, and archiving. Healthcare, finance, legal, and government users pick these services to meet HIPAA, GLBA, or CJIS requirements. The core deliverable is content confidentiality, sender identity verification, and delivery proof.

Does Office 365 include encryption? +

Yes, Office 365 Business Premium, E3, and E5 include Microsoft Purview Message Encryption at no extra cost. Users click the Encrypt button in the Options ribbon before sending, and external recipients open the message through a secure portal after signing in with Microsoft, Google, or a one-time passcode. Basic and Standard plans do not include the Encrypt button. Practices on those plans need to upgrade or add a dedicated encrypted email service to send protected health information under a signed business associate agreement.

Is Gmail encrypted email HIPAA compliant? +

Gmail encrypts email in transit using TLS on every Workspace tier, but transit encryption alone does not meet HIPAA. A covered entity needs a signed business associate agreement with Google, which comes only with Workspace paid plans configured for HIPAA. Confidential mode adds link expiry and passcode options but does not encrypt content end to end. Practices sending real PHI usually add a dedicated encryption gateway on top of Workspace, or route sensitive messages through a third party service like Mailhippo.

How does GoDaddy Email Encryption work? +

GoDaddy sells Proofpoint-powered email encryption as an add-on to its Microsoft 365 packages. Senders trigger encryption by adding a keyword to the subject line or by clicking a button. Recipients open messages through a Proofpoint portal after registering an account or verifying a one-time code. GoDaddy signs a business associate agreement on qualifying plans, and pricing runs about $7 per user per month on top of the base 365 license. Larger practices usually negotiate direct Proofpoint pricing at higher seat counts.

What is the best encryption service for mobile and desktop use? +

The best service works identically on mobile and desktop without extra apps. Services that require an S/MIME certificate on each device create setup pain, and portal-based services often break the reply flow on mobile browsers. Zero-step encryption models handle the mobile case best because the sender uses the normal Gmail or Outlook app and the recipient opens the message in a standard inbox view. Test the reply flow on iOS Safari and Android Chrome before committing to a multi-year contract with any vendor.

Can nonprofits get discounted encrypted email? +

Yes, most major vendors run nonprofit programs. Microsoft, Google, Barracuda, and Cisco publish nonprofit pricing at 30 to 50 percent off list. Microsoft 365 Business Premium runs about $5.50 per user per month for verified nonprofits, which includes Purview Message Encryption. Discounts usually cover the base plan and not the compliance add-ons, so a small clinic saving money on seats still pays list price for the archiving module. Submit IRS 501(c)(3) documentation and a signed nonprofit attestation to activate the pricing.

What features matter most when comparing providers? +

BAA in the base plan, zero-step delivery, mobile-friendly recipient experience, archiving, admin controls, and pricing predictability. Practices sending regulated content should not settle for a vendor that treats the BAA as an upsell. Zero-step delivery keeps staff from forgetting to encrypt. Archiving and audit logs matter when a HIPAA auditor asks for six years of message history. Predictable pricing avoids the trap of a low first-year deal that jumps 40 percent on renewal, which happens often in the enterprise email security market.

Encrypted Emails in Outlook Sending Guide and Troubleshooting Fixes

encrypted emails outlook guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook offers three encryption paths: Purview, native S/MIME, and third-party add-ins like Virtru.
  • Purview encryption is four clicks: Options, Encrypt, pick policy, Send. External users get a portal.
  • No Encrypt button usually means the wrong Microsoft 365 plan, not an Outlook bug.
  • S/MIME needs an X.509 cert on both sides, which clusters use in orgs with central PKI.
  • HIPAA practices need a Microsoft BAA plus Purview or S/MIME before routing any PHI through Outlook.

Sending encrypted emails in Outlook is straightforward once the correct license and configuration are in place. The confusion for most users starts with which encryption method their license supports and whether the Encrypt button in the ribbon is available at all.

This guide covers the three practical routes for encrypted email in Outlook: Microsoft Purview Message Encryption, S/MIME through certificates, and third-party add-ins. Each section includes step-by-step instructions and the license or setup requirement.

A dedicated troubleshooting section addresses the “cant send encrypted emails Outlook” errors that generate the most support tickets. Every fix is based on Microsoft’s current documentation and typical production configurations.

Three Encryption Routes in Outlook

Outlook supports encrypted email through three separate mechanisms. The right choice depends on the Microsoft 365 license, the recipient population, and whether the organization needs certificate-based zero-knowledge encryption.

Microsoft Purview Message Encryption is the most common route. It ships with Microsoft 365 Business Premium and Enterprise E3, E5, A3, and A5 licenses. Users encrypt messages with a single click in the Options ribbon.

S/MIME is the second route. It requires an X.509 certificate installed on the sender’s device and prior key exchange with the recipient. S/MIME is standards-based and interoperable across mail clients that support it, but the setup burden limits adoption.

Third-party add-ins are the third route. Virtru, Mailhippo, and Barracuda all publish Outlook add-ins that add encryption capability to Outlook regardless of the underlying Microsoft license. These add-ins fit tenants on lower license tiers or workflows that need features Microsoft native encryption does not cover.

Sending an Encrypted Email with Purview Message Encryption

Purview Message Encryption is the fastest route to encrypted email in Outlook for tenants with an eligible license. The sending workflow takes four steps.

Compose a new message in Outlook Desktop or Outlook on the web. Click the Options tab in the ribbon at the top of the compose window. Click the Encrypt button in the Options ribbon. Choose the encryption policy from the dropdown: Encrypt-Only for content encryption or Do Not Forward for encryption plus forwarding restrictions.

  • Compose the message as normal (recipient, subject, body, attachments)
  • Click Options in the ribbon
  • Click Encrypt, then select the policy
  • Click Send

Recipients on Microsoft 365 read the message inline in their inbox with no additional steps. External recipients receive a notification email with a link to Microsoft’s Message Encryption portal. They sign in with a Microsoft account, Google account, or a one-time passcode to read the message.

encrypted emails outlook in article illustration one

Sending an Encrypted Email with S/MIME in Outlook Desktop

S/MIME encryption in Outlook Desktop requires an X.509 certificate installed in the Windows certificate store on the sender’s machine. The certificate can be issued by an internal certificate authority or a commercial CA.

Once the certificate is installed, configure Outlook to trust it. Open Outlook, click File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings. In the Security Settings Name dropdown, name the profile. Under Signing Certificate and Encryption Certificate, click Choose and select the S/MIME certificate. Click OK.

To send an encrypted message, compose the message as normal. Click the Options tab and select Encrypt (or Sign, if digital signing only). Send. For encryption to work, Outlook needs the recipient’s public certificate. If the recipient has sent a previously signed message, Outlook captures the certificate automatically.

Our companion piece on how to send encrypted emails covers the S/MIME setup in more depth including certificate procurement from commercial CAs.

Understanding Encrypt-Only Versus Do Not Forward

The Encrypt button dropdown in Outlook offers two Purview policies: Encrypt-Only and Do Not Forward. The difference matters because it affects what recipients can do with the message after they read it.

Encrypt-Only applies message-level encryption to the content in transit and at rest. Recipients can read, reply, forward, print, and copy the content freely once decrypted. The encryption protects against server-side exposure and network interception.

Do Not Forward adds rights management restrictions on top of encryption. Recipients using compliant clients cannot forward, print, or copy the content. The restrictions are enforced by the recipient’s mail client, so they may not hold in all environments (particularly on mobile clients or non-Microsoft mail apps).

Choose Encrypt-Only when the concern is transport and mailbox exposure and the recipient needs full flexibility to work with the content. Choose Do Not Forward for messages containing internal deliberations, confidential negotiations, or sensitive personnel information where distribution controls matter.

Example

A 12-clinician orthopedic practice on Microsoft 365 Business Standard tried to send an MRI report to a referring surgeon and found no Encrypt button in the Outlook ribbon. IT verified the plan in the admin center, upgraded three clinical mailboxes to Business Premium at $22 per seat per month, and confirmed Azure Rights Management showed Activated. The Encrypt button appeared within 45 minutes of license assignment. A test send to a Gmail address delivered a portal link that opened after a one-time passcode.

Fixing “Cannot Send Encrypted Emails” Errors in Outlook

The most common cause of the “cant send encrypted emails Outlook” error is a license mismatch. Purview Message Encryption is not included in Microsoft 365 Business Basic or Business Standard. The Encrypt button in the ribbon does not appear when the license is not eligible.

Verify the license in the Microsoft 365 admin center at admin.microsoft.com. Navigate to Billing, Licenses, and confirm the assigned license is Business Premium, E3, E5, A3, or A5. If the license is Business Basic or Business Standard, upgrade to enable Purview Message Encryption.

The second common cause is Azure Rights Management being disabled at the tenant level. In the admin center, navigate to Settings, Org settings, Services, and confirm Rights Management is set to Activated. Microsoft’s documentation at learn.microsoft.com purview ome covers the tenant-level activation steps.

The third common cause is Outlook not being fully signed in to the Microsoft 365 mailbox. Check the account status in File, Account Settings and confirm the account shows as connected. Sign out and sign back in if the account shows as offline or unauthenticated.

encrypted emails outlook in article illustration two

Encrypted Emails in Outlook on the Web

Outlook on the web (outlook.office.com) supports Purview Message Encryption with the same license eligibility as Outlook Desktop. The compose window includes an Encrypt option in the toolbar.

Click New message. Compose the message. Click the ellipsis (three dots) in the message toolbar. Select Encrypt, then choose the policy. The recipient experience matches the Desktop workflow.

Outlook on the web does not support S/MIME as fully as Outlook Desktop. Some S/MIME features require the S/MIME extension for Edge or Chrome. Organizations relying on S/MIME should standardize on Outlook Desktop or accept the reduced feature set in the web client.

For workflows where users move between Desktop and web frequently, Purview Message Encryption provides a consistent experience. S/MIME works best when the user consistently uses Outlook Desktop.

Encrypted Emails in Outlook Mobile

The Outlook mobile app for iOS and Android supports Purview Message Encryption for both sending and reading. The interface mirrors the desktop workflow with an Encrypt option in the compose menu.

To send an encrypted message on mobile, tap New Message. Compose the message. Tap the three-dot menu. Tap Encrypt and select the policy. Tap Send.

S/MIME on mobile is more limited. iOS Mail supports S/MIME natively when a certificate is provisioned through a configuration profile. Outlook mobile has limited S/MIME support and generally requires organization-specific configuration through Intune or a similar mobile device management platform.

For practices where mobile use is heavy, Purview Message Encryption provides a smoother path than S/MIME. Users who need S/MIME on mobile should plan on iOS with MDM-managed certificates rather than trying to make it work on Android or Outlook mobile.

๐Ÿ’กPro Tip: Confirm the Azure Rights Management state first

License upgrades alone do not always surface the Encrypt button. Azure Rights Management must be Activated at the tenant level under Settings, Org settings, Services. Roughly one in five license-upgrade tickets stall here because the tenant was provisioned before automatic activation became default. Activating takes two clicks in the admin center, and the button appears in Outlook after the client resyncs licenses (usually within an hour).

Encrypted Emails in Outlook for HIPAA Compliance

Healthcare practices sending PHI through Outlook need a Business Associate Agreement (BAA) covering the Microsoft 365 tenant. Microsoft signs a BAA for Business and Enterprise plans but not for free Outlook.com accounts.

The BAA plus TLS in transit plus encryption at rest satisfies the HIPAA Security Rule’s transmission and storage safeguards. Adding Purview Message Encryption or S/MIME provides additional message-level protection. HHS publishes BAA guidance at the HHS BAA reference page.

Practices should confirm the BAA is signed before sending PHI. The Microsoft 365 admin center under Compliance shows the BAA status for enterprise agreements. For Business tier agreements, the BAA is typically part of the Microsoft Products and Services Data Protection Addendum available from the Microsoft Trust Center.

Our team at Redefine Web has published guidance on healthcare website security features for practices building broader HIPAA programs beyond email.

Third-Party Encryption Add-Ins for Outlook

Tenants on Microsoft 365 Business Basic or Business Standard cannot access Purview Message Encryption. Rather than upgrading the whole tenant license, some practices add a third-party encryption product that includes an Outlook add-in.

Common options include Virtru (browser and Outlook add-in), Barracuda Email Gateway Defense (Outlook add-in through the gateway), and inbox-native services such as Mailhippo (Outlook add-in with recipient inbox delivery).

These add-ins install through Microsoft AppSource and integrate into the Outlook compose window. Users click an encryption button in the ribbon or toolbar to route the outbound message through the service.

The trade-off is that the sender manages two encryption tools if the tenant also uses Purview. For small practices, standardizing on a single add-in and skipping Purview keeps the workflow simpler. Larger organizations that already own Business Premium or higher typically standardize on Purview and use add-ins only for niche workflows.

Opening and Forwarding Encrypted Emails in Outlook

Recipients on Microsoft 365 read Purview-encrypted messages inline in Outlook Desktop, Outlook on the web, or Outlook mobile. No additional steps are required.

External recipients receive a notification email with a Read the message button. Clicking opens Microsoft’s Message Encryption portal in a browser. The recipient signs in with a Microsoft, Google, Yahoo, or one-time passcode option. The decrypted message displays. Our companion piece on how to open encrypted emails in Outlook covers this flow.

Forwarding an encrypted email depends on the policy. Encrypt-Only messages can be forwarded and remain encrypted in transit. Do Not Forward messages are blocked from forwarding in compliant clients. S/MIME messages can be forwarded, but the forwarding recipient must have the original recipient’s public certificate for the encryption to reach them successfully.

For practices where forwarding is common (referrals, care coordination), Encrypt-Only is usually the correct default policy. Do Not Forward suits legal, personnel, and executive communications where distribution controls matter more than workflow flexibility.

Frequently Asked Questions

How do I send an encrypted email in Outlook? +

Open a new message in Outlook Desktop or Outlook on the web. Click the Options tab in the ribbon. Select Encrypt and choose either Encrypt-Only or Do Not Forward from the dropdown. Compose the message and click Send. Recipients on Microsoft 365 read the message inline. External recipients receive a portal link to read through Microsoft’s Message Encryption portal. This method requires the tenant to have Microsoft 365 Business Premium or higher, or an Enterprise E3, E5, A3, or A5 license.

Why can I not send encrypted emails in Outlook? +

The most common cause is a license issue. Microsoft Purview Message Encryption is not included in Microsoft 365 Business Basic or Business Standard. Upgrading to Business Premium or higher enables the Encrypt button in the ribbon. Other causes include Azure Rights Management being disabled at the tenant level, Outlook not being connected to the Microsoft 365 mailbox, or corporate policies blocking the encryption option. Verify the plan in the Microsoft 365 admin center and confirm the correct account is signed in to Outlook.

What is the difference between Encrypt-Only and Do Not Forward in Outlook? +

Encrypt-Only encrypts the message content in transit and at rest. Recipients can read, reply, forward, print, and copy the content. Do Not Forward encrypts the message and applies rights management restrictions that prevent forwarding, printing, and copying (for recipients using clients that honor those restrictions). Do Not Forward is enforced by the recipient’s mail client, so restrictions may not hold on all clients. Choose Encrypt-Only when the concern is transport and mailbox exposure. Choose Do Not Forward for additional distribution controls.

How do I set up S/MIME encryption in Outlook Desktop? +

Obtain an S/MIME certificate from an internal certificate authority or a commercial certificate authority such as Sectigo or DigiCert. Install the certificate in the Windows certificate store on the machine running Outlook. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings and select the certificate. Save. To send encrypted, compose a message, go to Options in the ribbon, and select Encrypt (S/MIME option) if the recipient’s certificate is already known to Outlook.

Can external recipients read encrypted emails from Outlook? +

Yes. External recipients read Purview-encrypted messages by clicking a link in the notification email that opens Microsoft’s Message Encryption portal. They sign in with a Microsoft account, Google account, or a one-time passcode. The portal displays the decrypted message. For S/MIME encrypted messages, the external recipient must have their own S/MIME certificate and a mail client that supports S/MIME. Not all external recipients meet those requirements, so Purview is more practical for mixed audiences.

Does encrypted email in Outlook satisfy HIPAA compliance? +

Encrypted email in Outlook satisfies HIPAA when three conditions are met. The Microsoft 365 tenant must be on a plan for which Microsoft signs a BAA (Business or Enterprise, not free Outlook.com). Encryption must be applied to PHI-containing messages using Purview Message Encryption or S/MIME. The organization must have documented policies and access controls consistent with the HIPAA Security Rule. Meeting all three keeps Outlook-based email HIPAA-compliant for most healthcare workflows. Practices should verify the BAA is signed before sending PHI.

What happens if I forward an encrypted email in Outlook? +

Forwarding behavior depends on the encryption method and policy. An Encrypt-Only message can be forwarded by the recipient and remains encrypted at the transport level. A Do Not Forward message is blocked from forwarding in clients that honor the restriction. An S/MIME encrypted message can be forwarded, but the forwarding recipient must have the original recipient’s certificate or the sender re-encrypts to the new recipient. Forwarding across encryption boundaries (Purview to S/MIME or vice versa) often falls back to unencrypted or requires re-encryption at the forwarding client.

Are Emails Encrypted by Default in 2026

are emails encrypted guide featured image

๐Ÿ”‘ Key Takeaways

  • About 95% of Gmail traffic runs on TLS, but any relay refusing the handshake drops to plain SMTP.
  • Encryption at rest guards disks, not access; a court order or hijacked account still reads inboxes.
  • Internal 365 mail stays inside Microsoft’s network and never touches the public internet.
  • True end-to-end mail needs S/MIME, PGP, or a portal service like Purview or Mailhippo.
  • HIPAA won’t accept TLS alone for PHI; regulators expect message-level encryption on external sends.

Most email today rides on some form of encryption. The question is which kind, at what stage, and whether it survives long enough to matter.

Ask are emails encrypted and the honest answer is a qualified yes. Transport encryption covers the connection between mail servers when both sides support it. Message-level encryption, the kind used for encrypted email delivery, protects the content from the sender’s device to the recipient’s inbox.

The gap between those two matters for anyone sending regulated data. This guide walks through where each layer applies, which providers use which methods, and what changes when HIPAA or a business associate agreement enters the picture.

TLS in transit is the default, not end-to-end protection

TLS, or Transport Layer Security, is the standard method for encrypting the link between two mail servers. When a sending server hands a message to a receiving server, both sides negotiate a TLS session and the traffic across that hop is encrypted.

Google reports that around 95 percent of Gmail traffic uses TLS on outbound and inbound. Microsoft 365 numbers are similar. The 5 percent gap is real, and it usually reflects small receiving servers that do not support modern TLS versions.

TLS does not encrypt the message body itself. It encrypts the connection. Once the receiving server accepts the message, it stores the content in whatever form its policies dictate.

Opportunistic TLS also falls back to plain SMTP if the handshake fails. MTA-STS and DANE are the two standards that force a receiving server to require TLS, and they close that downgrade path. Most large providers publish MTA-STS records now, but many smaller domains do not.

Gmail encrypts in transit and at rest, but not end to end

Are all Gmail emails encrypted? In transit, almost all of them are, when the receiving provider supports TLS. Google publishes real-time transparency numbers on this at their Safer Email Transparency Report.

At rest, Gmail stores every message with server-side encryption using keys Google manages. That protects the mailbox from disk theft or unauthorized physical access to Google data centers.

End-to-end encryption is a different layer. Gmail supports S/MIME on Google Workspace Enterprise Plus and Education Plus, which encrypts the message body before it leaves the sender’s device. Personal Gmail accounts do not include native S/MIME.

For consumer-grade Gmail users who need to send an encrypted message once in a while, the practical options are Confidential Mode, which sets an expiration and a passcode but does not encrypt the body, or a browser extension that layers PGP over the compose window.

are emails encrypted in article illustration one

Microsoft 365 encryption depends on the license tier

Are Microsoft emails encrypted? Internal messages between two users on the same Microsoft 365 tenant stay on Microsoft’s network and are encrypted the entire way. External messages use opportunistic TLS.

Purview Message Encryption, which was previously called Office 365 Message Encryption, is Microsoft’s message-level product. It encrypts the body and attachments and delivers external recipients a portal link. Recipients sign in with a Microsoft or Google account, or with a one-time passcode.

Purview requires Business Premium, Microsoft 365 E3, or higher. Business Basic and Business Standard do not include it. Practices on lower tiers either need to upgrade the entire tenant or send outbound clinical mail through a dedicated encrypted service.

Azure Rights Management sits behind Purview and handles the actual key management. If a tenant has never activated Azure Rights Management, the Encrypt button in the Outlook ribbon does not appear even on the correct license.

Internal Office 365 traffic never leaves Microsoft infrastructure

Are internal Office 365 emails encrypted? Yes, at every layer. Internal email between two users on the same tenant traverses Microsoft’s private network and never touches the public internet.

The traffic between Exchange Online servers is TLS-protected. The mailboxes themselves are encrypted at rest with BitLocker at the storage level and additional service-level encryption in the message database.

Cross-tenant email is a different case. A message from one Microsoft 365 tenant to another still uses Microsoft infrastructure end to end, but it is treated as external and subject to standard transport encryption rules.

Administrators can enforce Modern Authentication, disable legacy protocols like POP and IMAP, and turn on Customer Key to hold their own encryption keys. Those steps harden the tenant but do not change the underlying encryption layers already in place.

Example

A cardiology group assumed their Google Workspace Business Starter setup encrypted patient lab results because Gmail showed the padlock icon on outbound messages. During a HIPAA risk assessment, the security consultant tested by sending a message to a legacy mail server at a rural referring clinic that did not support TLS. The delivery downgraded to plain SMTP silently. The group enforced MTA-STS on their domain, added Mailhippo for external PHI sends at $4.95 per user per month, and closed the finding within one week.

DocuSign notifications are not encrypted documents

Are DocuSign emails encrypted? The notification email itself is an ordinary message sent over TLS. It contains a link, a sender name, and a subject line, and none of that content is encrypted end to end.

The signed document lives inside the DocuSign platform, not in the email. When the signer clicks the link, they authenticate to DocuSign and view the document over HTTPS. The document itself is protected by DocuSign’s platform encryption and access controls.

The gap this creates is that anyone with mailbox access to the recipient can click the link and, if additional authentication is not enforced, sign the document. DocuSign offers signer authentication options like SMS codes, knowledge-based questions, and ID verification. Those are separate from the email.

Providers like Adobe Sign, Dropbox Sign, and PandaDoc all follow the same pattern. The document is protected in the platform, and the notification is a routine email.

Are emails automatically encrypted or does the sender configure it

Are emails automatically encrypted? Transport encryption is automatic when both servers support it. Message-level encryption is not automatic on any consumer email service.

The sender has to take an action. On Outlook 365, that action is clicking the Encrypt button on the message ribbon. On Gmail Enterprise, S/MIME messages are marked automatically if certificates are installed on both sides.

Some services automate the encryption trigger based on content. Data loss prevention rules can inspect outbound mail for patterns like credit card numbers, Social Security numbers, or clinical terms, then apply encryption when a rule matches.

For healthcare senders who need every message with protected health information to be encrypted without depending on user behavior, the practical approach is a gateway service that encrypts by default. Mailhippo works this way, applying encryption to every outbound message from the connected account rather than relying on a user to remember the correct button.

are emails encrypted in article illustration two

End-to-end encryption requires S/MIME, PGP, or a portal service

Three technologies deliver true end-to-end email encryption today: S/MIME, PGP, and portal-based services. Each protects the message body from the sender’s device to the recipient’s inbox or portal.

S/MIME uses X.509 certificates issued by a certificate authority. Each user has a personal certificate, and the sender needs the recipient’s public key to encrypt a message to them. Certificate management is the hardest part of running S/MIME at scale.

PGP uses a similar public-private key pair model but operates through a web of trust rather than a central authority. It is common in developer and privacy-focused circles but rare in mainstream business email.

Portal services like Purview Message Encryption and Mailhippo skip the certificate problem by delivering messages through a browser-based portal. The recipient does not need to manage keys, and the sender only needs an account.

HIPAA requires encryption when it is reasonable and appropriate

The HIPAA Security Rule lists encryption as an addressable specification for transmitting electronic protected health information. Addressable means the covered entity must implement it if it is reasonable and appropriate, or document why it is not.

In practice, HHS treats email encryption as the default expectation for any transmission of PHI outside a covered entity’s internal network. The 2013 Omnibus Rule reinforced that position by tying breach notification safe harbor to encryption of the data involved.

The HHS guidance on the Security Rule and NIST Special Publication 800-52 Rev. 2 both point to TLS 1.2 or higher for transport and AES-128 or AES-256 for content encryption. Meeting those baselines matters more than the specific product chosen.

Practices that route external clinical email through a service with a signed business associate agreement satisfy the encryption requirement and the vendor accountability requirement at the same time. Emails that carry hipaa phishing emails patterns still need employee training on top of encryption.

๐Ÿ’กPro Tip: Enforce MTA-STS to block silent TLS downgrades

Opportunistic TLS falls back to plain SMTP whenever the receiving server refuses the handshake, and the sender never sees a warning. Publish an MTA-STS policy on your domain so receiving servers know to require TLS on inbound. Configure enforced TLS on outbound to any recipient domain that regularly gets PHI. If TLS negotiation fails, the message queues instead of shipping in plaintext. This one change removes the most common HIPAA transport gap.

Free and consumer options do not include a BAA

ProtonMail sends encrypted messages to other ProtonMail users automatically. Messages to outside recipients go through a password-protected portal that the recipient opens in a browser.

Outlook.com supports Microsoft’s free encryption for consumer accounts through the same Purview infrastructure used by business tenants. The recipient experience is identical to the paid version.

Free S/MIME certificates are available from providers like Actalis for personal use. Setting them up requires installing the certificate in the operating system’s certificate store and pairing it with each mail client.

None of the free options include a business associate agreement. For a healthcare practice, that rules them out for anything involving protected health information. If a topic covers are there free tools for encrypting emails, the compliance angle is where free services fall short. Compliance requires a paid service that will sign a BAA and accept vendor liability.

Steps to confirm your email is being encrypted correctly

Gmail shows a small padlock next to the sender address on received mail. A closed padlock means TLS was used on the last hop, an open one means it was available but not enforced, and no padlock means the message arrived over plain SMTP.

Outlook shows a shield icon on S/MIME-signed or encrypted messages. A green check inside the shield means the signature validated. A red X or a missing shield means the message was not S/MIME protected.

Portal messages arrive as a link rather than an inline body. Recipients who see a Read the message button and a sender-branded landing page are receiving a message-level encrypted message.

For senders who want to confirm their outbound TLS posture, tools like the NIST SP 800-52 Rev. 2 guidelines outline the correct cipher and version baseline, and free tests like CheckTLS or the Google Postmaster Tools show the negotiated TLS status per destination domain.

What to configure for a healthcare or compliance-heavy practice

Start with a written policy that defines what qualifies as protected health information and which outbound messages need encryption. Staff cannot apply a rule they do not know exists.

Configure MTA-STS and DANE on the practice domain to prevent TLS downgrade attacks on outbound mail. Publish DMARC at reject or quarantine to stop spoofed messages from reaching patients.

Choose one encryption path and stick with it. Options include Microsoft 365 Business Premium plus Purview, Google Workspace Enterprise plus S/MIME, or a gateway service like Mailhippo that layers encryption over the existing Gmail or Outlook account without a license upgrade.

Practices that want a broader marketing and website foundation to match the security posture often work with a specialist agency. Firms that focus on healthcare marketing services understand how encryption, patient acquisition, and HIPAA-safe intake forms fit together, and how a compliant healthcare website security setup supports the practice’s digital communications.

  • Verify TLS 1.2 or higher on outbound and inbound mail flow.
  • Enable MTA-STS and DANE on the practice domain.
  • Enforce Modern Authentication and disable legacy IMAP and POP.
  • Route external PHI-bearing mail through an encrypted service with a signed BAA.
  • Train clinical and administrative staff on when encryption is required.

Answering the core question, are emails encrypted, comes down to which layer and which sender. Transport encryption is close to universal between major providers. Message-level protection is the sender’s responsibility, and it is what compliance rules actually require.

Frequently Asked Questions

Are Gmail emails encrypted end to end? +

No. Gmail encrypts messages in transit using TLS whenever the receiving server supports it, and it encrypts stored messages at rest on Google’s servers. Neither method prevents Google from reading the content, and neither protects the message once it lands in a mailbox on a provider that does not enforce TLS. For true end-to-end encryption inside Gmail, the sender needs S/MIME through Google Workspace Enterprise or an external tool that encrypts the body before the message reaches Google.

Are Microsoft 365 emails encrypted? +

Internal messages between users on the same Microsoft 365 tenant stay on Microsoft servers and are encrypted the entire way. External messages use TLS when the receiving server supports it. Microsoft 365 also offers Purview Message Encryption on Business Premium and higher, which applies message-level encryption and delivers external recipients a portal link. Encryption at rest is enabled by default on all Microsoft 365 mailboxes, but that only protects stored data on disk.

Are internal Office 365 emails encrypted? +

Yes. Internal email between two users on the same Microsoft 365 tenant never leaves Microsoft’s infrastructure, and the traffic is encrypted across every internal link. The mailbox contents are also encrypted at rest with Microsoft-managed keys. That protects the message from external interception, but it does not stop a compromised account or an administrator with the correct role from reading the content. Internal encryption is not the same as end-to-end encryption.

Are DocuSign emails encrypted? +

The notification emails DocuSign sends are ordinary messages over TLS, and they contain a link rather than the document itself. The signed document lives on DocuSign’s servers, protected by DocuSign’s platform encryption and access controls. When a signer clicks the link, they authenticate to the DocuSign platform and view the document over HTTPS. The email notification is not encrypted end to end, and anyone with mailbox access can click the link.

How can I tell if an email I received was encrypted? +

Gmail shows a small padlock icon next to the sender address that indicates the transport encryption status between servers. A green padlock means TLS was used, a gray one means TLS was available but not enforced, and a red one means no encryption at all. Outlook displays a similar shield icon for S/MIME-signed or encrypted messages. Portal-based services deliver a link rather than an inline message, which itself is a sign the sender used message-level encryption.

Is there a free way to send an encrypted email? +

Free options exist but each carries a trade-off. ProtonMail sends encrypted messages to other ProtonMail users automatically, and to outside recipients through a password-protected portal. Outlook.com supports Microsoft’s free encryption for consumer accounts. Some sender-side tools also offer free S/MIME certificates from providers like Actalis. Free tiers do not include a business associate agreement, which rules them out for healthcare use. Compliance-grade sending requires a paid service with a signed BAA.

Does encryption protect an email from being read once it arrives? +

No. Once the recipient decrypts and opens the message, the content sits in their mailbox as readable text. Anyone with access to that mailbox, including a shared inbox user, an assistant with delegated access, or a malicious actor with stolen credentials, can read the content. Encryption protects the message during transmission and, in some cases, during storage. It does not protect against account takeover, screen capture, or forwarding by the recipient after decryption.

How to Send Encrypted Email Across Any Client

how to send encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Opportunistic TLS drops to plaintext without warning; the Sent padlock lies to you.
  • S/MIME encrypts message-level in Outlook and Apple Mail but needs certs on both sides.
  • PGP does the same job with public and private keys; recipients must set up software.
  • Portal services encrypt every send and give recipients a one-click browser link.
  • HIPAA also demands a signed BAA, six-year access logs, and verified encryption proof.

Every modern mail client can send encrypted email, but the definition of encrypted varies across methods. Some protect only the connection between mail servers. Others protect the message content itself. The difference matters for compliance and for real security.

This guide covers how to send encrypted email across Gmail, Outlook, Apple Mail, and portal-based services. Each method has a specific use case, a specific setup cost, and a specific recipient experience.

The right method depends on the sensitivity of the content and the technical setup of the recipient. Match the tool to the message.

TLS Is the Default Encryption Layer for Every Modern Mail Server

Transport Layer Security, or TLS, protects the connection between two mail servers. When Gmail sends to Outlook, both servers negotiate a TLS handshake and encrypt the traffic in flight. Any observer on the network path sees only ciphertext.

TLS is on by default in Gmail, Outlook, Apple Mail, Yahoo Mail, and every other major provider. Users do not enable it. Administrators do not configure it. It happens automatically when both servers support it.

The problem is fallback. If the receiving server does not support TLS, the sending server delivers the message in plaintext by default. There is no warning. The message reaches the recipient. The sender assumes it was encrypted because their client showed a padlock.

For any content that is regulated, the opportunistic fallback rules out TLS as a standalone protection. You cannot verify that every recipient server supports TLS. According to NIST SP 800-45, verified end-to-end encryption is the required protection for sensitive email.

S/MIME Provides Message-Level Encryption in Outlook and Apple Mail

S/MIME uses X.509 certificates to encrypt the message content itself, not just the transport. Once encrypted, only the recipient with the matching private key can read it. The mail provider stores ciphertext and cannot decrypt.

Outlook supports S/MIME on all Microsoft 365 plans that include the desktop apps. Apple Mail supports S/MIME natively on macOS and iOS. Gmail supports S/MIME on Workspace Enterprise Plus, Education Standard, and Education Plus.

Setup requires a certificate for the sender and a certificate for the recipient. Both must come from a trusted certificate authority. The public key gets attached to signed emails, so correspondents can build up a keyring by receiving signed messages from each other.

S/MIME suits organizations that can deploy certificates across all their staff and partners. It does not suit external correspondents like patients, vendors, or one-off recipients who do not have a certificate installed.

how to send encrypted email in article illustration one

PGP Delivers the Same Protection with a Different Key Model

PGP, or Pretty Good Privacy, is the open-source alternative to S/MIME. It uses a public-private key pair generated locally by the user. The public key is shared. The private key is protected with a passphrase and stays on the sender machine.

Thunderbird includes PGP support by default. Mailvelope adds PGP to Gmail and Outlook Web through a browser extension. GPG Suite adds it to Apple Mail. The GNU Privacy Guard command-line tool underlies most implementations.

PGP does not require a certificate authority. Users trust each other public keys directly, either through personal verification or through a web-of-trust model where mutual acquaintances sign each other keys. This is more flexible than S/MIME but harder for non-technical users to manage.

PGP suits technical teams, security researchers, and correspondents who exchange keys manually. It does not suit a healthcare workflow where a receptionist needs to email a lab result to a patient who has never generated a key pair.

Outlook Encrypt Button Uses Microsoft Purview Message Encryption

Outlook 365 users on Business Premium, E3, E5, and comparable Education plans get an Encrypt button in the Options ribbon of the compose window. Behind the scenes, this triggers Microsoft Purview Message Encryption.

External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode. Internal recipients on the same tenant see the message inline in Outlook or Outlook on the web without the portal step.

Setup takes minutes if Azure Rights Management is already enabled on the tenant. For tenants that have not activated it, an administrator must enable Rights Management under the Microsoft 365 Admin Center before the Encrypt button appears in Outlook.

According to Microsoft documentation, Purview Message Encryption meets HIPAA transmission requirements when combined with a signed business associate agreement, available on Microsoft 365 Business plans and higher.

Example

A pain management clinic uses Microsoft 365 Business Standard with the Encrypt button unavailable. Staff send referral summaries to physicians on Yahoo, iCloud, and small hospital systems. TLS delivery drops to plaintext on roughly fifteen percent of sends because those receiving servers refuse TLS. The clinic adds a portal-based service at $9 per user monthly. Every outbound referral now enforces encryption, falls back to portal delivery when TLS fails, and produces an audit trail the compliance officer can export for annual risk assessment review.

Portal-Based Services Remove the Recipient Setup Barrier

Portal-based encrypted email services solve the biggest problem with S/MIME and PGP. The recipient does not need to install anything, configure anything, or generate any keys. They receive a notification, click a link, and read the message in a browser.

Mailhippo works as an SMTP relay. The sender continues to write and send from Gmail, Outlook, or any other client. Mailhippo intercepts the message, encrypts it, and delivers over TLS when the recipient server supports it or through a portal link when it does not.

The recipient experience is one click. They receive a notification email, click the link, authenticate with a one-time passcode sent to their phone or email, and read the message in a browser. No account creation. No software.

For HIPAA, the service includes a signed BAA in the base plan and logs every message access. Healthcare organizations use this model because patient recipients cannot be expected to manage keys or install plug-ins.

how to send encrypted email in article illustration two

Comparison Across the Main Methods

Each method has a specific fit. The table below summarizes the practical tradeoffs.

Method End-to-End Recipient Setup HIPAA Ready Best For
TLS No None No, opportunistic fallback Non-sensitive routine mail
S/MIME Yes Certificate install Yes, with BAA Internal certified teams
PGP Yes Key pair generation Yes, with process controls Technical correspondents
Purview Message Encryption Yes Portal or Microsoft login Yes, with M365 BAA Microsoft 365 users
Portal-based service Yes Click and passcode Yes, with BAA in base plan External recipients, patients

The clearest divide is recipient friction. S/MIME and PGP are excellent when both parties are set up. Portal-based services and Purview handle every recipient without setup, which matters for healthcare and any business email compliance workflow.

Gmail Encryption Steps Depend on the Workspace Tier

Personal Gmail supports TLS by default and Confidential Mode as an inbox-level access control. It does not support S/MIME. For encryption beyond TLS, personal Gmail users need a browser plug-in for PGP or a third-party service.

Workspace Business tiers support TLS and Confidential Mode. S/MIME hosted encryption is unavailable at these tiers. Healthcare organizations on Business Standard or Business Plus typically layer a HIPAA-compliant service to close the gap.

Workspace Enterprise Plus, Education Standard, and Education Plus include S/MIME hosted encryption. Administrators enable it in the Admin console under Apps, Google Workspace, Gmail, User settings.

Full step-by-step for the Gmail path is covered in the sibling guide how to send encrypted email in Gmail and the tier-specific instructions in how to send encrypted email using Gmail.

๐Ÿ’กPro Tip: Never Rely on Opportunistic TLS for PHI

TLS is opportunistic. When the receiving mail server refuses encryption, the sending server delivers the message in plaintext without alerting the sender. Your Sent folder shows the padlock because the initial hop succeeded. For any regulated content, pick a method that refuses plaintext delivery: S/MIME with verified certificates, or a portal-based service that routes to browser delivery when TLS is not available.

Outlook Encryption Steps Depend on the Microsoft 365 Plan

Outlook desktop supports S/MIME on all Microsoft 365 plans that include the desktop apps, provided the user has a certificate installed. The certificate goes into the Windows certificate store or the macOS keychain.

The Encrypt button in the Outlook ribbon requires Microsoft 365 Business Premium or Enterprise E3, E5, or higher. Lower Business tiers do not include Purview Message Encryption. This is the most common gap that surprises small-business owners after a plan upgrade.

For lower Microsoft 365 tiers, the practical path is a portal-based service that adds encryption without requiring the plan upgrade. This suits solo practitioners, small clinics, and small-business teams that need HIPAA-covered email but not the enterprise feature stack.

Verification Steps for Every Sensitive Send

Before sending regulated content, verify the method for that specific send. Do not assume. TLS may have dropped to plaintext. S/MIME may have fallen back because the recipient certificate expired. Purview may have failed to trigger because the tenant setting changed.

  • Check the encryption indicator in the compose window before sending.
  • Confirm the recipient will receive the intended experience by sending a test message with non-sensitive content.
  • For portal-based services, verify the audit log records access after the recipient opens the message.
  • For S/MIME, confirm the padlock or lock icon shows green in the sent copy.

According to HIPAA Journal, the most common documented compliance failure is a sender assuming TLS was in effect when the recipient server had disabled it. Verify per send.

Choose the Method by Recipient and Content

The decision framework is simple. Match the recipient technical setup and the content sensitivity to the encryption method with the lowest friction that still meets the security bar.

  • Internal team, routine content, no regulated data: TLS is sufficient.
  • Internal or partner team with certified users, regulated data: S/MIME or PGP.
  • Microsoft 365 users sending to external recipients: Purview Message Encryption.
  • Any recipient without technical setup, regulated data, HIPAA scope: portal-based service with a BAA.

For healthcare providers coordinating email with website and patient acquisition, encrypted email pairs with HIPAA-compliant website design as part of a broader compliance stack.

The last practical point is that the wrong method causes friction for the recipient, and friction becomes a security risk. Recipients who cannot open an encrypted message will ask for it in plaintext. Pick the method that removes that pressure.

Frequently Asked Questions

What is the difference between encryption in transit and end-to-end encryption? +

Encryption in transit protects the connection between two mail servers using TLS. Once the message reaches the destination server, TLS no longer applies and the mail provider can read the content. End-to-end encryption protects the message content from the moment the sender clicks Send until the recipient opens it. Only the sender and the recipient can read the content, not the mail provider in between. S/MIME and PGP provide end-to-end encryption. TLS alone does not.

Do I need special software to send encrypted email? +

It depends on the method. TLS is automatic in every modern mail client and requires no user setup. Confidential Mode in Gmail and Encrypt in Outlook are built into the compose interface. S/MIME needs a certificate installed in the mail client. PGP needs a key pair generated and shared. Portal-based services either install a browser plug-in or route mail through an SMTP relay, and the sender continues to use their existing client. Recipients on portal-based services need no software at all.

Can I send encrypted email to someone who does not use encryption? +

Yes, but the method matters. S/MIME and PGP will not work because both parties need matching keys or certificates. TLS covers the transport but drops to plaintext if the recipient server does not support TLS. Portal-based services solve this because the recipient does not need to configure anything. They receive a notification, click a link, enter a one-time code, and read the message in a browser. Any recipient with an email address and a web browser can open portal-encrypted messages.

Is Gmail Confidential Mode enough for HIPAA? +

No. Confidential Mode does not use end-to-end encryption. Google can read the message content, and the business associate agreement Google signs for Workspace does not extend Confidential Mode into a HIPAA-safe transmission method. Confidential Mode blocks forwarding, copying, and downloading, which are useful controls, but does not meet the transmission encryption standard HIPAA requires for PHI. Use a HIPAA-focused service with a signed BAA that provides verified encryption for every send.

How do S/MIME certificates get issued and renewed? +

S/MIME certificates come from a trusted certificate authority such as DigiCert, Sectigo, or IdenTrust. The user or administrator submits a certificate signing request, verifies identity, and receives the certificate for install in the mail client. Certificates typically expire after one to three years. Renewal repeats the request-and-verify process. Departing employees should have their certificates revoked so their prior encrypted messages cannot be decrypted after they leave. Enterprise deployments automate the process through a managed PKI.

What happens if I send an encrypted email to the wrong person? +

With TLS, the message reaches the wrong recipient and they read it because TLS does not restrict access at the mailbox level. With S/MIME or PGP, the wrong recipient cannot decrypt unless they somehow hold the intended recipient private key, which is very unlikely. With portal-based services, most providers let the sender revoke access at any time from their outbox. The recipient link stops working immediately. This is one of the practical reasons portal-based services are the healthcare default.

Does my mail provider store copies of encrypted messages? +

Yes, in almost every case. Even with S/MIME or PGP, the mail provider stores the encrypted ciphertext in the sender Sent folder and the recipient inbox. Neither the provider nor anyone else can decrypt it without the private key, but the encrypted copy remains stored. This is why HIPAA archive requirements are satisfied by encrypted copies retained for six years. Portal-based services store the content on their own servers and use enforced access controls with logging on every read.

How to Send Encrypted Email in Gmail

how to send encrypted email gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail TLS protects the connection, not the copy sitting in your Sent folder or inbox.
  • Confidential Mode blocks forwarding but Google reads the message; skip it for PHI.
  • Hosted S/MIME ships only on Workspace Enterprise Plus at $30 per user per month.
  • A portal service over Gmail adds a BAA and one-click delivery without cert setup.
  • Green padlock means S/MIME; a red or missing padlock means the send goes plaintext.

Gmail handles more than 1.8 billion active accounts, and a large share of business email in North America runs through Workspace. Every one of those messages travels over TLS by default when the receiving server supports it. TLS is not the same as message-level encryption.

Learning how to send encrypted email in Gmail means picking the right method for the recipient and the sensitivity of the content. Gmail offers three options built in: TLS transport encryption, Confidential Mode, and S/MIME on Enterprise plans.

For healthcare organizations and any team handling regulated data, native Gmail options often fall short of HIPAA requirements. This guide walks through each method and when to use it.

Gmail Uses TLS for Every Message by Default

Every Gmail message leaves Google servers over Transport Layer Security whenever the receiving mail server supports it. TLS encrypts the connection between the two servers. Nobody sitting on the network path in between can read the message.

The padlock icon in the top-right corner of an open Gmail message shows the transport status. A gray padlock means TLS is active. A red padlock means the recipient server does not support TLS and the message will travel unencrypted.

TLS protects the connection, not the stored copy. Once the message lands in the Sent folder or the recipient inbox, TLS no longer applies. Google can read the message content on its servers, and so can the recipient mail provider.

According to Google documentation, TLS is opportunistic. If a recipient server does not accept encrypted connections, Gmail sends the message in plaintext by default. That behavior alone disqualifies TLS as a standalone compliance method for protected health information.

Confidential Mode Adds Access Controls but Not End-to-End Encryption

Gmail Confidential Mode is available on every personal Gmail account and every Workspace edition. To use it, click Compose, then click the padlock and clock icon at the bottom of the compose window. A menu appears with an expiration date and an optional SMS passcode.

Confidential Mode disables forwarding, copying, printing, and downloading for the recipient. When the expiration date passes, the message becomes unreadable. Senders can revoke access before expiration from the Sent folder.

The mode does not use end-to-end encryption. Google can read the message content. Screenshots defeat the copy and print restrictions because the recipient still sees the message on screen. SMS passcodes rely on phone carrier security, which SIM-swap attacks routinely bypass.

Confidential Mode suits casual privacy needs such as sending a temporary access code or a document link that should expire. It does not meet HIPAA transmission standards, and Google does not extend its business associate agreement to cover Confidential Mode as a compliant PHI transmission method.

how to send encrypted email gmail in article illustration one

S/MIME Hosted Encryption Requires Workspace Enterprise

S/MIME is the built-in Gmail option for true message-level encryption. It is available only on Google Workspace Enterprise Plus, Education Standard, and Education Plus editions. Workspace Business tiers do not include it.

Enabling S/MIME starts in the Admin console. Navigate to Apps, then Google Workspace, then Gmail, then User settings. Toggle S/MIME encryption for sending and receiving. Save the change and wait up to 24 hours for it to propagate.

Each user then uploads a personal S/MIME certificate under Gmail settings, Accounts and Import, Upload your public certificate. The certificate must come from a trusted certificate authority. Both sender and recipient need valid certificates.

When the setup is complete, the padlock icon in a compose window turns green for messages that will send with S/MIME encryption. If the recipient does not have a valid certificate installed, the padlock stays gray and the message sends over TLS only.

Confidential Mode Setup Takes Under a Minute

Open Gmail and click Compose. Fill in the recipient, subject, and body as usual. At the bottom of the compose window, find the icon that looks like a padlock with a clock overlay and click it.

Select an expiration date from the dropdown. Options range from one day to five years. Choose whether to require an SMS passcode. If SMS is selected, enter the recipient phone number in the field that appears.

Click Save. Send the message. The recipient receives an email with a link to view the message. If SMS was enabled, they receive a text with a passcode to enter before the message loads.

  • External Gmail recipients see the message inline, gated by expiration.
  • Non-Gmail recipients click through to a Google-hosted page.
  • Sender can revoke access at any time from the Sent folder by clicking Remove Access.
Example

A three-provider therapy practice on personal Gmail needs to send session summaries to referring physicians. Personal Gmail has no BAA and does not support S/MIME. They cannot upgrade to Workspace Enterprise Plus for hosted S/MIME at $30 per user. Instead, they migrate to Google Workspace Business Standard at $12 per user for the BAA, then layer a portal-based service at $10 per user monthly. Session summaries send from Gmail normally, and referring physicians open a one-click link without managing certificates.

S/MIME Certificates Need Renewal and User-Level Provisioning

S/MIME certificates expire, typically after one to three years depending on the issuing authority. Renewals require administrator action for every user account. Certificates issued to a departing employee should be revoked in the Admin console to prevent decryption of prior messages.

Certificate authorities include DigiCert, Sectigo, GlobalSign, and IdenTrust. Costs range from around $20 per user per year for basic identity validation to over $100 per user per year for extended validation with organization details.

For encrypted send to work, the recipient also needs a valid certificate from a trusted authority. External correspondents who do not use S/MIME cannot receive encrypted messages this way. Gmail falls back to TLS transport encryption for those recipients.

This is why S/MIME suits internal exchanges between staff at the same organization or between organizations that have coordinated certificate deployment. It does not suit sending sensitive content to patients or external vendors who do not manage their own certificates.

HIPAA Coverage in Google Workspace Has Boundaries

Google offers a business associate agreement to Workspace customers on Business Standard, Business Plus, and all Enterprise editions. The BAA covers Gmail, Calendar, Drive, Meet, and other core services. Personal Gmail accounts are not covered.

The BAA covers the transmission of PHI through Gmail when standard TLS encryption is in effect between servers. It does not cover Confidential Mode as a distinct HIPAA-safe transmission method. Practices assuming Confidential Mode is HIPAA-compliant are working from a mistaken reading of the BAA.

Because TLS is opportunistic and falls back to plaintext when the recipient server does not support it, Workspace admins cannot guarantee encrypted delivery to every recipient without additional controls. That gap is what drives many healthcare organizations to add a HIPAA-focused encrypted email service.

Additional HIPAA safeguards include audit logging of message access, secure archive retention for six years, and enforced encryption on any message flagged with PHI. Native Gmail provides some of these; complete coverage typically involves a purpose-built service.

how to send encrypted email gmail in article illustration two

Third-Party Services Layer HIPAA Compliance Over Gmail

Purpose-built HIPAA-compliant email services integrate with Gmail through a browser plug-in, a Gmail add-on, or SMTP relay. The sender composes and sends from Gmail without changing workflow. The service handles encryption, delivery fallback, and audit trail.

Mailhippo works this way. It sends over TLS when the recipient server supports it, falls back to a secure portal link when TLS is unavailable, includes a signed BAA in the base plan, and requires no certificate management for senders or recipients. Practices on standard Gmail or Workspace Business use it to close the HIPAA gap without switching platforms.

The recipient experience is a single click. They receive a notification email with a link, click it, authenticate with a passcode, and read the message in a browser. No account creation, no software install, no key management.

For healthcare organizations that also handle web presence and patient acquisition, coordinating email security with the broader tech stack matters. Firms offering healthcare marketing services often deploy encrypted email and HIPAA-compliant website design together.

Recipient Experience Differs Across Each Method

TLS is invisible to the recipient when it works. The message arrives in the inbox looking like any other email. No click-through, no passcode, no external portal. Nothing signals that transport encryption was applied.

Confidential Mode delivers a notification email with a View the email button. The recipient clicks and, if SMS was enabled, enters a passcode from a text message. They read the message in a Google-hosted view with copy, forward, print, and download disabled.

S/MIME delivers a locked message icon in a supported email client. Outlook, Apple Mail, and Gmail render the message inline once the recipient certificate decrypts it. In an unsupported client, the recipient sees garbled ciphertext or an attachment they cannot open.

Portal-based services deliver a notification with a link. The recipient clicks, authenticates with a one-time code, and reads in a browser. This suits patients and external contacts who do not manage certificates but expect a low-friction click.

๐Ÿ’กPro Tip: Verify the Padlock Color Before Sending PHI

Gmail displays a color-coded padlock in the compose window: green for S/MIME, gray for TLS, red or missing when the recipient server refuses encryption. For regulated content, never send when the padlock is red. TLS is opportunistic and drops to plaintext without warning. Layer a portal-based service that falls back to a secure browser link rather than accepting plaintext delivery for any PHI transmission.

Common Errors When Sending Encrypted Email in Gmail

The red padlock is the most frequent warning. It means the recipient mail server does not support TLS. For non-sensitive content, the message still sends. For PHI or other regulated data, do not send when the padlock is red without a portal fallback.

S/MIME send failures often trace to a missing recipient certificate. Gmail shows a gray padlock instead of green, and the message sends over TLS. To force S/MIME, both parties must have valid certificates uploaded and the Workspace admin must have enabled the feature at the domain level.

Confidential Mode messages sometimes fail to render for recipients on strict email security gateways. The notification email arrives, but the click-through link is stripped or blocked by the recipient inbound filter. Test with the specific recipient before relying on Confidential Mode for time-sensitive delivery.

According to HIPAA Journal, the most common compliance failure is sending PHI to an external address without confirming the transmission was encrypted end to end. Assume nothing about transport; verify the method for every sensitive message.

Choose the Method by Recipient and Content Sensitivity

Match the encryption method to the message. Casual internal notes to colleagues who use Gmail can rely on TLS. Time-limited access to a document link or a temporary credential fits Confidential Mode. Regulated content going to an external recipient needs message-level encryption or portal delivery.

  • Internal team messages, no regulated content: TLS is sufficient.
  • Temporary access codes to trusted external recipients: Confidential Mode.
  • Regulated PHI, PII, or financial data to any external recipient: S/MIME or a HIPAA-compliant service.
  • Recipients on unknown email systems: portal-based delivery with fallback.

For healthcare providers, portal-based services with a BAA are the most reliable path. They handle recipients across all mail providers, provide audit logs, and remove certificate management. Setup takes minutes rather than the administrator overhead S/MIME requires.

Related reading covers how to send encrypted email across platforms, how to send an encrypted email from Outlook, and how to send encrypted email using Gmail for Workspace teams. For teams building patient-facing infrastructure, resources on healthcare website security features pair well with encrypted email deployment.

Verify Encryption for Every Sensitive Message

Before hitting Send on any message with regulated content, check the padlock icon. Green means S/MIME. Gray means TLS. Red means unencrypted, and the message should not go without a portal fallback.

For Workspace administrators, the Admin console provides an Email Log Search that shows the encryption status of every outbound and inbound message. Use it to audit compliance for a defined period, especially before signing off on a HIPAA risk assessment.

According to NIST Special Publication 800-45, verified end-to-end encryption or a portal-based delivery method is required for messages carrying sensitive personally identifiable information across public networks. Assumed TLS is not the same as verified TLS.

The final rule is straightforward. Do not send regulated content over Gmail unless you have picked and verified a method that meets the transmission standard. Pick S/MIME for internal certified users, or add a HIPAA-compliant service for everyone else.

Frequently Asked Questions

Is Gmail encrypted by default? +

Gmail encrypts messages in transit with TLS whenever both the sending and receiving mail servers support it, and the padlock icon in the message header shows when TLS is active. Messages are also encrypted at rest on Google servers. Neither of those is end-to-end encryption. Google holds the keys and can access message content for spam filtering, indexing, and legal requests. For true message-level protection, use S/MIME on Workspace Enterprise, Confidential Mode for limited controls, or a third-party encrypted service.

Does Gmail Confidential Mode meet HIPAA requirements? +

No. Confidential Mode does not use end-to-end encryption, Google can read the message content, and Google does not sign a business associate agreement covering Confidential Mode messages. HIPAA requires both technical safeguards and a signed BAA with any vendor that processes protected health information. Workspace Business and Enterprise editions include a BAA covering standard Gmail delivery, but the BAA does not extend Confidential Mode into a compliant transmission method for PHI. Use a HIPAA-covered encrypted email service instead.

How do I turn on S/MIME encryption in Gmail? +

S/MIME hosted encryption is only available on Google Workspace Enterprise Plus, Education Standard, and Education Plus editions. A Workspace administrator opens the Admin console, navigates to Apps, Google Workspace, Gmail, User settings, and enables S/MIME encryption for sending and receiving. Each user then uploads a personal certificate under Gmail settings, Accounts and Import, Upload your public certificate. Both sender and recipient need valid certificates from a trusted authority for encrypted send to work.

Can I send encrypted email from a free personal Gmail account? +

A personal Gmail account can use Confidential Mode for basic privacy controls, and TLS transport encryption is on by default when the recipient server supports it. Personal Gmail does not support S/MIME, and Google does not sign a BAA for personal accounts. For message-level encryption from a free Gmail account, layer a third-party encrypted email service on top, or send messages through a browser plug-in that provides PGP or S/MIME encryption client-side. Native Gmail options are limited.

What is the difference between TLS and end-to-end encryption in Gmail? +

TLS encrypts the connection between mail servers so nobody sitting between the two servers can read the message in transit. Once the message reaches Google server or the recipient server, TLS no longer protects it, and the mail provider can read the stored content. End-to-end encryption keeps the message unreadable to everyone except the sender and the recipient, including Google. S/MIME and PGP provide end-to-end encryption. TLS and Confidential Mode do not.

Why does the Gmail padlock icon sometimes appear red or missing? +

The padlock icon uses three colors. Green indicates S/MIME encryption is in use. Gray indicates TLS is protecting the connection. Red or missing indicates the recipient server does not support TLS and the message will travel unencrypted, or the S/MIME certificate check failed. If the padlock is red, Gmail warns you before sending. For regulated data, do not send when the padlock is red; use a service that falls back to a secure portal when TLS is unavailable.

How does a third-party HIPAA-compliant service work with my existing Gmail? +

A HIPAA-compliant service integrates with a Gmail or Workspace account either through a browser plug-in, a Gmail add-on, or by routing outbound mail through the service SMTP relay. The sender writes and sends from Gmail as usual. The service encrypts the message, delivers over TLS when supported, and falls back to a secure portal link when the recipient server does not support TLS. The recipient clicks the link and reads the message in a browser. No key management on either side.

Email Encryption Explained (Methods, Standards, and Costs)

email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • TLS transport runs server to server. Content encryption via S/MIME, PGP, or portal locks the body.
  • S/MIME wins in enterprise Outlook and Apple Mail but small practices abandon key exchange in months.
  • Hosted encryption from Purview, Confidential Mode, or vendor gateways skips certs but adds friction.
  • HIPAA needs a signed BAA, audit logs, workforce training, and policy above any working algorithm.
  • A ten-seat practice pays about $1,200 a year on a gateway vs $3,600 on Workspace Enterprise Plus.

Email encryption sounds like one feature. It is actually a stack of choices about transport, content, keys, licensing, and recipient experience. Getting the stack wrong leaves gaps that compliance auditors find.

This guide covers email encryption methods, the standards that back them, the platforms that implement each one, and the price ranges buyers see. For HIPAA senders who want to skip the license tier upgrade, a dedicated secure email service often removes the portal step and includes a BAA in the base plan.

Read the sections in order. Each layer builds on the one before it.

Transport and Content Encryption Are Different Layers

Two encryption layers cover email. Buyers often confuse them, which leads to gaps.

Transport encryption uses TLS between mail servers. When Gmail sends to Outlook, both servers negotiate TLS 1.2 or 1.3 and the message travels encrypted. Neither user takes any action.

Content encryption protects the message body and attachments themselves. S/MIME, PGP, and hosted portal encryption all fit here. The message remains encrypted at rest in the recipient mailbox until decrypted with a key or portal credential.

TLS alone leaves messages readable at the recipient provider, in server logs, and in backup snapshots. HIPAA and PCI treat that exposure as non-compliant for regulated content. Content encryption fixes it.

Every serious encryption deployment uses both layers together.

email encryption in article illustration one

S/MIME Is the Enterprise Standard for Content Encryption

S/MIME encrypts message bodies using X.509 certificates issued by a certificate authority. It is the default choice for organizations with dedicated IT.

Outlook, Apple Mail, and Google Workspace Enterprise Plus all support S/MIME natively. No plugin required. The mail client handles encryption and decryption behind the compose window.

Setup requires purchasing a personal certificate from a public CA like DigiCert, Sectigo, or GlobalSign, installing it in the local certificate store, and exchanging signed messages with each recipient to share public keys.

Certificates typically expire after twelve months. Renewal happens through the CA portal. Expired certificates block new encrypted sends until reissued.

Related guide: S/MIME email encryption covers the certificate model in detail.

OpenPGP Serves Technical and Journalism Communities

OpenPGP is the alternative content encryption standard. It uses locally generated key pairs instead of CA-issued certificates.

Users install GPG Suite on macOS, Gpg4win on Windows, or Mailvelope in the browser. The tool generates a key pair with a passphrase. The user shares the public key with recipients through a keyserver or direct email.

Trust builds through key signing rather than a central authority. Security researchers, journalists, and open source maintainers use PGP heavily because it does not depend on any CA infrastructure.

Business adoption of PGP stays limited. Recipients cannot install extensions on locked-down corporate systems. Healthcare and financial senders skip PGP for that reason.

The technical strength of PGP is not the barrier. The recipient-side friction is.

Example

A ten-person orthopedic practice compares annual encryption costs. Microsoft 365 Business Premium at $22 per seat totals $2,640 per year and includes Purview Message Encryption plus a BAA. Google Workspace Enterprise Plus at $30 per seat totals $3,600 and adds hosted S/MIME. A dedicated gateway service at $10 per seat totals $1,200 with the BAA included in the base plan, sitting on top of the existing Business Standard Google plan. The practice picks the gateway to avoid the tier upgrade cost.

Hosted Encryption Services Handle the Recipient Portal

Hosted encryption trades certificate management for a portal step at the recipient end. Microsoft Purview Message Encryption, Google Workspace Confidential Mode, and many third-party vendors follow this pattern.

The sender clicks Encrypt in the mail client. The service routes the message body to its own storage and sends the recipient a notification email with a link. The recipient signs in with an existing account or enters a one-time passcode to read the message.

Vendor gateways from Fortinet, Cisco, Trustifi, Datamotion, and others all follow the same portal pattern with different admin interfaces and reporting.

The recipient friction depends on the vendor. Some services allow one-click reading through a signed URL. Others require full account creation. Test each with a real recipient before committing.

Related guide: email encryption service compares vendor options in depth.

email encryption in article illustration two

Encryption Techniques and Algorithms in Use Today

The math behind email encryption uses proven algorithms defined in published standards.

  • AES-256 handles symmetric encryption of the message body itself. It appears in every current standard.
  • RSA-2048 or elliptic curve algorithms handle the key exchange that carries the symmetric key to the recipient.
  • SHA-256 or SHA-384 handles integrity hashing so recipients can detect tampering.
  • TLS 1.2 with strong cipher suites, or TLS 1.3 without weak fallback, handles transport between servers.
  • Message authentication codes bind sender identity to the message so recipients can verify origin.

Buyers rarely choose algorithms directly. Every modern platform defaults to combinations aligned with NIST guidance. See the NIST cryptographic guidance publications for the current recommended parameters.

Platform-by-Platform Encryption Options

Each mail platform ships different encryption features at different price tiers.

Microsoft 365 Business Premium and higher include Purview Message Encryption behind the Encrypt button. Business Basic and Business Standard do not.

Google Workspace Enterprise Plus and Education Plus include hosted S/MIME. Business Standard and Business Plus include Confidential Mode but not hosted S/MIME.

Apple Mail supports S/MIME natively on macOS and iOS provided the user installs a certificate through Keychain or MDM configuration profile.

Yahoo, AOL, and older ISP webmail platforms do not offer S/MIME or hosted encryption. Users on those platforms rely on TLS transport plus optional PGP through browser extensions.

Match the plan tier to the required feature before rolling out an encryption program.

๐Ÿ’กPro Tip: Layer content encryption on top of TLS, never in place of it

TLS transport is the required baseline that most modern providers negotiate automatically between mail servers. Buyers who focus only on TLS leave content readable at the recipient mail provider, in server logs, and in backup snapshots. HIPAA and PCI treat that exposure as non-compliant for regulated content. Deploy S/MIME or a hosted portal service on top of TLS so the body stays encrypted end to end. NIST cryptographic guidance treats layered encryption as the required baseline for regulated data.

HIPAA Compliance Requires More Than Encryption

Encryption satisfies one HIPAA Security Rule addressable specification. Full compliance requires several additional safeguards.

The covered entity signs a business associate agreement with the email provider. Microsoft and Google both offer BAAs on eligible plans. The HHS Security Rule guidance lists every safeguard.

Administrative safeguards include workforce training on PHI handling, sanction policies for violations, and periodic risk assessments. Physical safeguards include facility access controls on the workstations that send email.

Technical safeguards beyond encryption include unique user identification, automatic logoff on idle sessions, and audit controls that record message access.

Practices that clip on encryption software without addressing the surrounding safeguards are not compliant. Encryption is one piece of a larger program.

Cost Comparison Across Encryption Approaches

Price often decides the buying question more than features. A ten-person practice compares real annual numbers.

Approach Per user per month Annual cost (10 users)
Microsoft 365 Business Premium (Purview) 22 USD 2,640 USD
Google Workspace Enterprise Plus (hosted S/MIME) 30 USD 3,600 USD
Public CA S/MIME certificates (annual) 2 to 5 USD (amortized) 240 to 600 USD plus mail plan
Dedicated encrypted email service with BAA 5 to 15 USD 600 to 1,800 USD

Numbers exclude staff training, audit review time, and the recipient-side support calls that portal-based encryption generates. Practices measuring hidden costs often find dedicated services cheaper end to end.

How to Choose the Right Encryption Approach

The decision comes down to three questions about the sending organization.

First, does the organization already run Microsoft 365 Business Premium or Google Workspace Enterprise Plus? If yes, native S/MIME or Purview cover the encryption need with no additional software.

Second, does the recipient list change frequently, as with a healthcare practice adding new patients weekly? If yes, hosted encryption or a dedicated service avoids the S/MIME public-key exchange step.

Third, is the recipient experience business-critical? If patients or referring physicians will abandon messages that require a portal sign-in, a dedicated service like Mailhippo delivers encrypted email that opens in one click without a portal.

Practices running healthcare marketing sites pair encrypted email with a compliant patient-facing web presence. See healthcare website security features for the site-side controls.

Related guides: email encryption software, secure email encryption service, and encryption for email techniques.

Frequently Asked Questions

What does email encryption actually do? +

Email encryption transforms the message body and attachments into unreadable ciphertext during transit and, depending on the method, at rest inside the recipient mailbox. Only the intended recipient with the matching key or credentials can convert the ciphertext back to readable content. Encryption protects against interception on public networks, unauthorized access at intermediate mail servers, and exposure inside a compromised recipient inbox. It does not protect against phishing, malware on endpoint devices, or attacks against the sender or recipient authentication.

What are the main email encryption standards? +

The two dominant end-to-end standards are S/MIME and OpenPGP. S/MIME uses X.509 certificates issued by trusted certificate authorities and works natively in Outlook, Apple Mail, and Google Workspace Enterprise Plus. OpenPGP uses key pairs generated locally without a central authority and works through client extensions like GPG Suite, Gpg4win, and Mailvelope. TLS 1.2 or 1.3 handles transport encryption between mail servers under RFC 8446. Most business encryption stacks combine TLS with S/MIME or a hosted portal service.

Is email encryption required by HIPAA? +

HIPAA does not name encryption as a strict requirement. The Security Rule designates encryption as an addressable specification, which means the covered entity must implement it or document a reasonable alternative that achieves equivalent protection. OCR guidance and breach settlements consistently treat unencrypted PHI transmission as a compliance failure. In practice, healthcare organizations encrypt PHI email or restrict PHI to encrypted channels like patient portals. Unencrypted email carrying PHI is one of the most common findings in OCR breach investigations.

What is the difference between email encryption software and a service? +

Encryption software installs on the mail client or gateway and handles the cryptographic operations locally. Examples include Gpg4win, GPG Suite, and enterprise gateway appliances from Fortinet or Cisco. An encryption service runs in the cloud and integrates with existing Gmail or Outlook accounts through connectors, SMTP relay, or add-ons. Services handle key management, portal delivery, and BAA administration on behalf of the customer. Small and mid-sized organizations favor services for the reduced operational load.

Can email encryption be bypassed? +

Yes, under specific conditions. If an attacker compromises the sender or recipient device, they can capture plaintext before encryption or after decryption. Phishing attacks that steal mail credentials bypass encryption by giving the attacker legitimate access to the inbox. Weak recipient portal passcodes can be guessed or intercepted through SIM-swap attacks. Encryption defends against interception in transit and provider-side access, but a full security posture also requires multi-factor authentication, endpoint protection, phishing training, and incident response procedures.

How do I know if my email was actually encrypted? +

In Outlook, an encrypted sent message shows a padlock icon in the message header inside the Sent Items folder, and the message properties confirm Rights Management protection. In Gmail with S/MIME, the compose window displays a green padlock next to the recipient before sending. In Confidential Mode, the sent message header shows the expiration date and access restrictions. Recipient-side confirmation appears as either a padlock icon in the received message or a portal link that requires sign-in.

Does email encryption slow down message delivery? +

End-to-end encryption adds negligible time to message delivery. S/MIME processing takes milliseconds on modern devices. TLS handshakes add a few hundred milliseconds during the server-to-server connection setup. Portal-based encryption slows recipient access, since the recipient must click a link and sign in before reading. That step adds seconds to minutes depending on network speed and authentication method. Sender workflow speed is essentially unaffected on any modern platform.