Outlook Secure Email Encryption for Healthcare and Business Users

outlook secure email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook offers three encryption paths: Purview Message Encryption, S/MIME certs, and plain TLS.
  • The Encrypt button appears only on Business Premium, E3, E5, or a Microsoft 365 Compliance add-on.
  • S/MIME delivers true end-to-end but demands certificates on both sides and per-recipient exchange.
  • Opportunistic TLS drops to plain text without warning; force TLS via mail flow rules for HIPAA.
  • Microsoft’s BAA covers Purview only on eligible plans; unlicensed tenants need a dedicated service.

Outlook secure email encryption covers three distinct mechanisms, and each one solves a different problem. Confusing them wastes IT hours and leaves protected mail exposed.

Microsoft ships Purview Message Encryption, S/MIME, and opportunistic TLS across the Microsoft 365 stack. The right choice depends on plan level, recipient environment, and whether the send touches regulated data like PHI. For teams that need a simpler layer over Outlook or Gmail, a dedicated encrypted email service handles the details in the background.

This guide walks each option, the license and setup requirements, and where Outlook secure email encryption fits inside a HIPAA compliant workflow.

The Three Encryption Layers Outlook Actually Supports

Outlook does not have a single encryption switch. It exposes three layers, and each protects a different piece of the send.

Transport Layer Security protects the connection between the sender mail server and the recipient mail server. Microsoft 365 negotiates TLS on every outbound send by default. If the receiving side supports it, the wire hop is encrypted.

Microsoft Purview Message Encryption sits on top of Exchange Online and wraps the message in a portal experience. The Encrypt button on the Outlook Options ribbon triggers it. External recipients open the message through a link and authenticate with Microsoft, Google, or a one time passcode.

S/MIME encrypts the message body with a certificate pair. The sender needs a certificate installed in the Windows certificate store. The recipient needs a matching public certificate that the sender has previously received. It is the strictest option and the most technical to run at scale.

TLS Is a Baseline, Not a Compliance Answer

TLS in Outlook covers the connection between mail servers. Exchange Online offers TLS 1.2 and TLS 1.3 depending on the negotiation with the receiving system.

The catch is that TLS is opportunistic by default. If the receiving mail server does not advertise TLS support, Exchange Online delivers over plain text unless a mail flow rule enforces the connection or blocks the send.

TLS also does nothing once the message lands. The body sits in the recipient inbox as regular mail. Anyone with access to the receiving mailbox can read it, and anyone who compromises that account reads the message too.

For HIPAA sends, TLS is the floor. Auditors expect message level encryption on top of TLS, either through Purview, S/MIME, or a third party secure email service. Force TLS on outbound connectors with mail flow rules when TLS must not fall back.

outlook secure email encryption in article illustration one

Microsoft Purview Message Encryption Explained

Microsoft Purview Message Encryption, formerly Office 365 Message Encryption, is the mechanism most Outlook users know as the Encrypt button. It builds on Azure Rights Management.

Senders click Options, then Encrypt, then pick a policy. The default policies are Encrypt Only, Do Not Forward, Confidential, and Highly Confidential. Encrypt Only lets the recipient read and reply. Do Not Forward blocks forwarding and printing.

External recipients receive a wrapper email with a link. Clicking the link opens the Microsoft encrypted message portal. They authenticate with a Microsoft account, a Google account, a Yahoo account, or a one time passcode delivered by email.

Microsoft 365 users inside the same tenant see the message inline. No portal is needed. See the Microsoft Learn Message Encryption documentation for full setup detail.

S/MIME Setup for Certificate Based Encryption

S/MIME uses a certificate pair for signing and encryption. It is the strongest form of Outlook secure email encryption in the sense that only the recipient private key decrypts the message.

Start by obtaining a valid S/MIME certificate. Public certificate authorities issue them, and enterprises with an internal PKI can issue them as well. Install the certificate in the Windows certificate store on the sender device.

In Outlook desktop, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings and pick the installed certificate. Set the hashing and encryption algorithms. AES-256 for content and SHA-256 for signatures are the current defaults.

Before encrypting to a recipient, send a signed message first. The signature carries the sender public certificate. The recipient client stores it and can then encrypt replies back. Both sides need this exchange to complete before message level encryption works.

Example

A 12-seat orthodontic office runs on Microsoft 365 Business Standard at $12.50 per user per month. Staff need to send treatment plans to referring dentists and patient parents. Business Standard has no Encrypt button. Upgrading all 12 seats to Business Premium at $22 raises the monthly bill by $114. Instead, the office adds a dedicated secure email service at $10 per mailbox for the four staff who send regulated mail. Total added cost is $40 per month, BAA included in the base plan.

Comparing Purview, S/MIME, and TLS at a Glance

Each Outlook encryption path fits a different use case. The table below maps the main attributes so an IT lead can pick without reading three product pages.

Attribute Purview Message Encryption S/MIME TLS
Encryption scope Message body and attachments Message body and attachments Server to server connection
License required Business Premium, E3, E5, or add on Any Microsoft 365 plan with valid certificate Included on all plans
Recipient experience Portal link with sign in or passcode Inline in S/MIME capable clients Transparent
Per recipient setup None Public certificate exchange None
Fits HIPAA sends Yes, under Microsoft BAA Yes, with proper key management Only as a supporting layer
Ease of ad hoc use High Low N/A

Purview and a third party service handle the ad hoc case cleanly. S/MIME fits fixed partner exchanges where certificates are exchanged once and reused.

Enabling the Encrypt Button in the Outlook Ribbon

Purview Message Encryption is on by default for eligible tenants. The Encrypt button appears in Outlook on the web, Outlook for Windows, Outlook for Mac, and modern mobile Outlook apps.

If the button is missing, the tenant likely lacks a qualifying license, or Azure Rights Management is not activated. In the Microsoft 365 admin center, an administrator can verify license assignment on the user and confirm the Rights Management service is active.

Administrators can also set default encryption behavior through mail flow rules in the Exchange admin center. A rule can apply Encrypt Only when a message contains the word confidential in the subject, or when the recipient domain matches a partner list.

Sensitivity labels created in Purview can bind an encryption policy to specific document types or user groups. Labels apply on the client and travel with the message. See Microsoft Learn on sensitivity labels for configuration steps.

outlook secure email encryption in article illustration two

HIPAA and Outlook Encryption in Practice

Healthcare organizations sending protected health information over email need message level encryption plus a business associate agreement with the vendor handling the mail. Microsoft signs a BAA covering Microsoft 365, Exchange Online, and Purview Message Encryption on eligible plans.

The BAA only applies to workloads that are actually enabled and licensed. A tenant without Business Premium cannot rely on the Purview coverage inside the BAA for encrypted sends.

Related reading on the compliance side sits in the Mailhippo library. See the sibling guide on hipaa secure email for a broader compliance walkthrough and the piece on office 365 hiipa compliant secure email encryption outlook for the direct Microsoft 365 configuration path.

Practices building the underlying digital estate can also review Redefine Web guidance on healthcare website security features, which covers the wider control set that pairs with encrypted email.

Purview Versus Voltage, Cisco, and Third Party Services

Purview Message Encryption is the native path. Other tools plug into Outlook and Exchange Online through connectors or transport rules.

OpenText Voltage Secure Email, formerly Voltage SecureMail, uses identity based encryption. Recipients open messages through a browser or an add in without exchanging certificates. It suits large enterprises with existing OpenText security investment.

Related sibling coverage on the Cisco side sits at the guide on secure email encryption service cisco, which walks the Cisco Secure Email Encryption Service configuration path for organizations already on the Cisco email security stack.

For a broader look at the encryption format layer, the sibling piece on secure mail email encryption covers S/MIME versus PGP tradeoffs in more depth. Third party services fit best when the goal is a BAA in the base plan and a one click recipient experience without per certificate management.

๐Ÿ’กPro Tip: Force TLS on partner connectors before assuming it works

Opportunistic TLS drops to plain text when the receiving server does not advertise support, and Exchange Online does not warn the sender. For any recurring partner exchange, build a mail flow rule that requires TLS to the specific recipient domain and blocks delivery on fallback. Message trace logs then prove TLS negotiated on every send. That evidence is what auditors ask for during a HIPAA review.

Common Outlook Encryption Errors and How to Fix Them

Users hit a small set of predictable errors. Most are license or certificate mismatches rather than product defects.

  • Encrypt button is grayed out. The user account is not licensed for Business Premium, E3, E5, or a compliance add on. Assign the license or route through a third party service.
  • Recipient cannot open the message. The portal link expired or the recipient blocked the sign in email. Resend with a one time passcode option enabled in the mail flow rule.
  • S/MIME message shows Signature not valid. The sender certificate expired or was not issued by a trusted root the recipient client recognizes. Renew the certificate and confirm the root chain.
  • Message drops to plain text on send. The receiving server did not offer TLS. Configure a partner connector with force TLS and TLS certificate verification.
  • Encrypted attachment cannot be opened. The recipient client stripped the wrapper. Use the Encrypt Only policy rather than Do Not Forward for external partners on non Microsoft clients.

Log message trace results in the Exchange admin center to confirm what actually happened on the send. Trace results show whether TLS negotiated and which mail flow rule applied.

When a Dedicated Secure Email Service Fits Better

Native Outlook encryption works well on Business Premium and above with a stable IT team. Smaller practices and mixed environments hit friction on license cost, certificate management, and recipient support.

A dedicated secure email service like Mailhippo layers on top of the existing Outlook or Gmail mailbox. The sender workflow does not change. A short button sends the message through the encrypted channel, and the recipient opens it with a one click link. A BAA is included in the base plan.

The tradeoff sits between native platform integration and simplified operations. Purview is deeply tied into the Microsoft 365 admin experience. A dedicated service is faster to deploy across a small team, cheaper per seat below the Business Premium line, and does not require certificate management.

Rollout Checklist for a Clean Outlook Encryption Setup

A tidy rollout avoids the two common failure modes: users cannot find the Encrypt button, and receivers cannot open the message. Both trace back to preparation.

  • Audit Microsoft 365 licenses. Confirm the seats that need to send encrypted mail are on Business Premium, E3, E5, or a compliance add on.
  • Verify Azure Rights Management is active in the Microsoft 365 admin center.
  • Sign the Microsoft BAA and archive it with compliance records. Confirm the covered workloads.
  • Build mail flow rules that apply Encrypt Only for messages tagged confidential in the subject or sent to a defined partner list.
  • Publish an internal one page guide with the exact steps to click Encrypt, plus a screenshot of the recipient portal.
  • Test end to end with a personal Gmail address and a personal Yahoo address before the first live send.

Practices that need a BAA at a lower price point or that run mixed Gmail and Outlook environments should evaluate Mailhippo alongside the native path. The HIPAA Journal encryption reference gives the compliance backdrop for either choice.

Sibling reading for teams still building the compliance stack sits at the guides on hipaa secure email and secure encrypted email. The right Outlook secure email encryption setup is the one that matches license reality, recipient behavior, and the audit trail the compliance team needs.

Frequently Asked Questions

Is Outlook email encrypted by default? +

Outlook connections to Microsoft 365 use TLS, so mail moves encrypted between the client and Exchange Online. Delivery between Exchange Online and external mail servers uses opportunistic TLS when both sides support it. That is transport encryption only. The message itself is not encrypted at rest in the recipient inbox unless the sender applied Microsoft Purview Message Encryption, S/MIME, or a third party encryption service. Confidential business mail and any protected health information need one of those explicit layers on top of default TLS.

What license do I need to use the Encrypt button in Outlook? +

The Encrypt button on the Options ribbon requires Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, or an add on Microsoft 365 E5 Compliance license. Business Basic and Business Standard do not include Purview Message Encryption. Home and personal plans do not include it either. If the tenant is licensed, the button is available in Outlook on the web, the Windows desktop client, and the Mac desktop client. Administrators may also expose it inside mobile Outlook apps.

How does S/MIME differ from Microsoft Purview Message Encryption? +

S/MIME encrypts the message body with a certificate pair, so only the recipient with the matching private key can read it. Purview Message Encryption wraps the message in a portal experience where external recipients authenticate to view it. S/MIME needs certificates on both sides and does not require a portal. Purview needs a licensed Microsoft 365 tenant and works with any recipient email address. S/MIME fits fixed partner exchanges. Purview fits ad hoc secure sends to patients, clients, or unknown external parties.

Can I encrypt a Gmail message from Outlook? +

Outlook can send to any Gmail address. Whether the message is encrypted depends on the mechanism the sender applied. TLS covers the server hop when both Microsoft and Google negotiate it, which they do by default. If the sender used Purview Message Encryption, the Gmail recipient gets a portal link and signs in with Google. If the sender used S/MIME, the Gmail recipient needs S/MIME support and a matching certificate. Third party secure email services handle Gmail delivery with no setup on the recipient side.

Does TLS meet HIPAA email requirements on its own? +

TLS alone does not satisfy HIPAA in most audit reviews. The HHS guidance treats email as an addressable specification, which means covered entities must implement encryption or document why a different safeguard fits. Opportunistic TLS can drop to plain text if the receiving server does not support it, and messages sit unencrypted at rest in the recipient mailbox. Purview Message Encryption, S/MIME, or a dedicated secure email service provides message level protection that fits the standard cleanly and is easier to defend during an audit.

How do I turn on S/MIME in Outlook? +

Obtain a valid S/MIME certificate from a public certificate authority or internal PKI and install it in the Windows certificate store. In Outlook desktop, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, select the certificate and set the algorithms. Exchange public certificates with each recipient by sending a signed message first. On future outbound mail, click the Sign or Encrypt icon on the Options tab. Outlook on the web supports S/MIME through a browser extension distributed by Microsoft.

What if I need to send secure email but do not have Business Premium? +

The two practical paths are upgrading to a licensed plan or adding a dedicated encrypted email service. Upgrading applies across the seat, which raises cost linearly with headcount. A dedicated service like Mailhippo layers on top of the existing Outlook or Gmail mailbox, includes a BAA in the base plan, and does not require the sender to change clients. Recipients open messages through a one click portal or receive an encrypted PDF, depending on the delivery preference set by the sender.

How to Open Encrypted Email in Gmail Step by Step

how to open encrypted email in gmail guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail sees four wrappers: Purview, Proofpoint, Zix, and S/MIME, and each opens differently.
  • Portal messages need sign-in via Google, the sender platform, or a one-time inbox passcode.
  • S/MIME works only on Google Workspace with hosted S/MIME and a matching user certificate.
  • TLS-only mail lands as normal text; Show Original headers reveal whether TLS 1.3 was used.
  • Missing passcodes usually sit in spam; never paste a code into a mismatched portal domain.

Gmail users see encrypted mail in four common formats: Microsoft Purview, Proofpoint, Zix, and S/MIME. Each one opens a different way. Confusing them causes the recipient to give up on the message.

This guide walks the exact steps to open each type inside Gmail, plus the password and certificate issues that block delivery. For teams tired of portal friction on both sides, a dedicated encrypted email service handles the delivery in one click.

Start by identifying the wrapper. The Gmail message will say Read the message, View Encrypted Message, or Secure Message. That label tells the recipient which platform sent it.

Identify the Encryption Wrapper Before Clicking

The first step is knowing what arrived. Encrypted mail in Gmail is almost always a wrapper message with a button or link. The visible body does not contain the sensitive content.

Microsoft Purview Message Encryption arrives with a Read the message button and the phrase encrypted message from a Microsoft 365 sender. The wrapper is branded with the sender organization.

Proofpoint Encryption arrives with a Click here link that points to securereader.proofpoint.com or a custom subdomain like securemail.senderdomain.com. The subject often includes the marker Secure Message.

Zix Secure Email arrives with a similar Click here link that points to a domain under zixport.com or a custom subdomain. S/MIME arrives with an smime.p7m attachment and no visible readable body.

Open a Microsoft Purview Message in Gmail

Purview is the encryption most Outlook and Microsoft 365 senders use when they click the Encrypt button. Gmail recipients open it through a portal.

Open the wrapper email and click Read the message. A browser tab opens on the Microsoft encrypted message viewer. The viewer offers two options: Sign in with Google or Sign in with a one time passcode.

Sign in with Google is the fastest path. Click it, sign into the same Gmail account that received the mail, and the message renders inside the portal. The portal supports reply and forward when the sender allowed those actions.

If Sign in with Google fails, request a one time passcode. Microsoft sends the code to the same Gmail inbox. Paste the code into the viewer and the message opens. See Google Support on encrypted mail for Gmail side detail.

how to open encrypted email in gmail in article illustration one

Open a Proofpoint Encrypted Email in Gmail

Proofpoint Encryption uses a portal called Proofpoint Encryption Reader. First time recipients register a Proofpoint account tied to the Gmail address.

Click the Click here link in the wrapper message. The Proofpoint Encryption Reader loads in a browser tab. If this is the first time, a registration form asks for a password and security questions. Complete it and confirm the email.

Returning users sign in with the Gmail address and the Proofpoint password. The message renders inside the portal. Attachments download as separate files, and reply is available from the portal itself.

Store the Proofpoint password in a password manager. Proofpoint accounts do not federate with Google Sign In, so a lost password requires the Forgot Password link, which delivers a reset link back to the Gmail inbox.

Open a Zix Encrypted Email in Gmail

Zix Secure Email uses a similar portal model. The Gmail wrapper contains a Message from and a link to the Zix portal.

Click the link. The Zix portal loads and asks for the Gmail address and a password. First time recipients complete a short registration. The password is separate from any Google or Microsoft credentials.

Once signed in, the message renders inside the Zix portal. Reply, forward, and attachment download are supported when the sender allowed them. Some senders configure Zix to send the encrypted content as an encrypted PDF attachment instead of a portal link.

If Zix delivered an encrypted PDF, open the attachment in a PDF reader and enter the password the sender shared separately. The password is usually delivered by phone or a prior secure channel.

Example

A patient at a Gmail address receives a wrapper email from her cardiologist labeled Secure Message with a link to securereader.proofpoint.com. She clicks the link, sees a Proofpoint registration form because it is her first encrypted message from the practice, sets a password, and confirms through a link sent to the same Gmail inbox. The portal then renders her ECG summary and a follow-up recommendation. She saves the Proofpoint credentials in her password manager because the practice will send future results through the same portal, which does not federate with Google Sign In.

Open an S/MIME Encrypted Email in Gmail

S/MIME is a certificate based standard that requires matching keys on both sides. Gmail supports S/MIME only through Google Workspace with hosted S/MIME enabled by the administrator.

When an S/MIME message arrives at a properly configured Google Workspace account, Gmail decrypts the message inline. The body renders normally, and a padlock icon indicates the encryption status. No portal is involved.

Personal Gmail addresses at gmail.com do not support S/MIME. The message arrives with an smime.p7m attachment and no readable body. Ask the sender to resend using Purview Message Encryption or a dedicated secure email service.

Google Workspace administrators enable hosted S/MIME under Apps, Google Workspace, Gmail, User Settings, S/MIME. Upload user certificates for each mailbox that needs to decrypt inbound S/MIME.

Compare the Four Wrappers Side by Side

Recognizing the wrapper is half the work. The table below maps the visible signal in Gmail to the platform and the action the recipient takes.

Wrapper Visible signal in Gmail Action to open Password model
Microsoft Purview Read the message button Sign in with Google or passcode Google account or one time passcode
Proofpoint Encryption Click here link to Proofpoint domain Register or sign in on portal Proofpoint account password
Zix Secure Email Secure Message subject with portal link Register or sign in on portal Zix account password
S/MIME smime.p7m attachment, no body Decrypt inline with certificate Certificate on Google Workspace

Portal wrappers work with any Gmail address. S/MIME only works on Google Workspace with hosted S/MIME configured by the administrator.

how to open encrypted email in gmail in article illustration two

Handle the Common Password Failures

Password prompts are the most common friction point. A few predictable failures cover almost every case.

  • One time passcode never arrives. Check the Gmail spam folder. Microsoft and Proofpoint codes sometimes trip Gmail filters. Whitelist the sender portal domain.
  • Proofpoint or Zix password forgotten. Use the Forgot Password link on the portal. The reset email lands in the same Gmail inbox.
  • Portal says account not registered. First time recipients complete a short registration on Proofpoint and Zix. Fill in the required fields and confirm through the email link.
  • Sign in with Google fails on Microsoft portal. The recipient signed into a different Google account in the browser. Sign out of other accounts or use a private window.
  • Password field appears on an unfamiliar domain. Verify the domain matches microsoft.com, proofpoint.com, or zix.com before entering credentials. Phishing kits mimic these portals.

Understand What TLS Only Means

Some senders use only TLS. The Gmail message looks normal, with regular text and no wrapper. There is nothing to open.

To confirm the sender used TLS, click the three dot menu on the message and select Show original. The Received headers list the encryption cipher used on each hop. A line with TLSv1.3 or TLSv1.2 confirms the connection was encrypted.

TLS alone is not enough for regulated mail. It protects the connection between mail servers but leaves the message readable at rest in the Gmail inbox. Anyone with access to the mailbox reads it.

Healthcare and legal senders should use message level encryption on top of TLS. The National Institute of Standards and Technology publishes guidance on email security at NIST SP 800-177r1, which covers the standard controls.

๐Ÿ’กPro Tip: Verify the portal domain before entering credentials

Phishing kits mimic Microsoft, Proofpoint, and Zix portals convincingly. Before typing a password or pasting a one-time passcode, check the browser address bar for microsoft.com, proofpoint.com, or zixport.com plus the sender known subdomain. A password field on any other domain is likely a credential trap. If unsure, contact the sender through a separate channel and confirm the portal URL matches what they issued.

Open Encrypted Email in Gmail on Mobile

Mobile Gmail on iOS and Android opens portal based encrypted mail the same way. Tap the Read the message or portal link and the phone browser loads the portal.

Microsoft Purview portals render well on mobile browsers. Sign in with Google, or paste a one time passcode. The message shows inline in the browser.

Proofpoint and Zix portals also render on mobile. Password entry is the main friction. Store credentials in a mobile password manager to speed up return visits.

S/MIME on mobile Gmail requires a Google Workspace account with hosted S/MIME. Personal Gmail on mobile shows the smime.p7m attachment with no way to decrypt. The sibling piece on how to open encrypted email on iphone covers the mobile flow on iOS in more depth.

When Encrypted Mail Bounces or Never Arrives

Encrypted mail sometimes never lands in Gmail. Two patterns cover most cases.

The first pattern is aggressive spam filtering. Portal wrapper messages from Microsoft, Proofpoint, and Zix look similar to phishing to some filters. Search the Gmail spam folder for the sender name or the portal domain. Whitelist the portal domain in Gmail filters.

The second pattern is TLS enforcement failure. When a sender requires forced TLS and Gmail negotiation fails temporarily, the message bounces at the sender side. The sender receives a delivery failure notice. Ask the sender to retry or to send from a mail flow rule that allows opportunistic TLS.

Related sibling guides on troubleshooting sit at how to troubleshoot encrypted email and the send side coverage at how to send encrypted email. The Redefine Web guide on healthcare website security features covers the broader safeguard set for practices that rely on secure email.

Pick a Simpler Path for Regular Encrypted Sends

The four wrapper types work, but recipients on the Gmail side hit friction on every send. Password registration, portal sign in, and expired sessions cost time on both sides.

A dedicated secure email service like Mailhippo delivers encrypted mail to any inbox with a one click open. The recipient does not register an account. The sender uses the existing Gmail or Outlook mailbox, and a BAA is included in the base plan for healthcare workflows.

The tradeoff is platform coverage. Portal based services from Microsoft, Proofpoint, and Zix carry deep enterprise integration. A dedicated service is faster to deploy for small teams and lower friction on the recipient side.

Frequently Asked Questions

Why do I get a Read Message button instead of the email itself? +

The sender applied encryption that wraps the message inside a portal. Gmail cannot render the encrypted body inline because it is not the intended encryption endpoint. The Read Message button opens the portal maintained by Microsoft, Proofpoint, Zix, or another provider. Click the button, sign in with the Gmail address that received the mail, and the message renders inside the portal. The wrapper text stays in Gmail as a receipt that the encrypted send happened.

How do I open an encrypted Outlook email in Gmail? +

Outlook senders on Microsoft 365 typically use Microsoft Purview Message Encryption. Gmail recipients receive a wrapper message with a Read the message button. Click it, then choose Sign in with Google. Google authenticates with the Gmail address, redirects back to the Microsoft portal, and renders the message. If the sign in fails, the sender can request a one time passcode delivery through the Encrypt Only policy. The passcode arrives at the same Gmail inbox and unlocks the portal.

How do I open a Proofpoint encrypted email in Gmail? +

Proofpoint sends a notification with a Click here link. The link opens the Proofpoint Encryption portal at securereader.proofpoint.com or the custom subdomain the sender configured. First time users register a Proofpoint Encryption account with the Gmail address and a password. Returning users sign in with the same account. The message renders inside the portal. Save the portal password in a manager because Proofpoint accounts do not federate with Google Sign In.

How do I open a Zix encrypted email in Gmail? +

Zix messages arrive with a subject that starts Secure Message and a link that opens the Zix portal at securemail.zixport.com or the sender custom subdomain. Click the link and sign in with the Gmail address plus a Zix password. New recipients complete a short registration with a password and security questions. The Zix portal renders the message and any attachments. Zix supports password reset by email to the same Gmail inbox when the password is lost.

How do I open an encrypted email without a password? +

Ask the sender to switch to a passcode delivery option. Microsoft Purview supports a one time passcode that arrives in the same Gmail inbox and unlocks the portal without a stored account. If the sender used S/MIME to a personal Gmail address, the recipient cannot open the message without a matching certificate on a Google Workspace account. In that case, ask the sender to resend with Purview Message Encryption or a service that supports passcode based delivery.

What does smime.p7m mean in a Gmail attachment? +

The attachment is the S/MIME encrypted payload. Gmail could not decrypt it because the account does not have a matching certificate or hosted S/MIME is not enabled. Personal Gmail accounts do not support S/MIME directly. Google Workspace accounts need an administrator to enable hosted S/MIME and upload user certificates before decryption works. Ask the sender to resend using a portal based option like Microsoft Purview Message Encryption or a dedicated secure email service that does not require certificate exchange.

Is TLS encryption enough for HIPAA compliant email sent to Gmail? +

Opportunistic TLS between mail servers protects the connection but leaves the message at rest in the recipient inbox. Google supports TLS 1.2 and TLS 1.3 on inbound mail. Under HIPAA, TLS alone is treated as a supporting control rather than a complete safeguard for protected health information. Covered entities usually add message level encryption on top of TLS, either through Microsoft Purview, S/MIME, or a dedicated secure email service that includes a business associate agreement.