Zixcorp Email Encryption Guide with Pricing and Review Notes

zixcorp email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • Zixcorp (now OpenText) scans outbound mail and encrypts policy matches at the domain level.
  • Public data pegs Zix at $30 to $80 per user annually with a 25-seat floor for small buyers.
  • The engine ships 100-plus filters covering HIPAA, PCI-DSS, GLBA, and FERPA out of the box.
  • ZixDirectory delivers transparent end-to-end mail when both domains sit inside the network.
  • Reviewers praise enforcement but flag console complexity and steep small-scale total cost.

Zixcorp email encryption is one of the longest-running policy-based encryption platforms in regulated industries. The company was acquired by OpenText in 2022, but the product line still ships under the Zix brand and the ZixPort portal remains the recipient-facing experience.

This guide covers how zixcorp email encryption works, what it costs, and where it fits in the market. Sections address pricing, policy configuration, review sentiment, and comparison to Microsoft-native and inbox-native alternatives.

The material is aimed at IT decision makers evaluating Zix for a healthcare, financial services, or legal practice. Every section reflects vendor documentation, procurement data, and reviewer sentiment from Gartner Peer Insights, G2, and TrustRadius.

How Zixcorp Email Encryption Works Under the Hood

Zixcorp email encryption sits between the sender’s mail server and the outbound internet as a scanning gateway. Every outbound message passes through the gateway. The scanner evaluates the message headers, body, and attachments against active policy filters.

Matches trigger encryption. The gateway rewrites the message as a short notification and stores the original inside the ZixPort portal. Non-matching messages pass through unencrypted. The design keeps regulated content protected without slowing down routine internal communication.

When both sender and recipient domains are members of ZixDirectory, the shared directory of encrypted-mail participants, the flow changes. The message is transmitted encrypted end-to-end with no portal step, and the recipient sees a normal-looking email in their regular inbox with a Zix Secure banner.

That directory-based transparent delivery is unique to Zix among mainstream encryption products and drives adoption in verticals where two large organizations exchange regulated content frequently. Healthcare networks that share PHI across Zix-using systems benefit most from that path.

Zixcorp Email Encryption Pricing Tiers

OpenText does not publish list pricing for Zix on the product page. All quotes go through the sales team. Third-party procurement data provides a working estimate for planning purposes.

The typical pricing structure has three tiers. The base tier covers policy-based encryption and portal delivery. The middle tier adds data loss prevention and message archiving. The top tier adds inbound threat protection, brand impersonation defense, and advanced reporting.

Tier Estimated annual per-user Included
Base encryption $30 to $50 Policy scanning, ZixPort, ZixDirectory
Encryption plus DLP $50 to $75 Base plus DLP filters, archiving
Full stack $75 to $120 All above plus inbound protection, reporting

Volume discounts apply above 500 seats. Minimum-seat pricing (usually 25 or 50 seats) means small practices pay the full minimum even for smaller user counts. That floor is a common reason small healthcare offices look at alternatives.

zixcorp email encryption in article illustration one

Policy Filter Configuration in the Zix Admin Console

The Zix policy engine ships with over 100 pre-built filters aligned to major regulations. HIPAA covers medical record numbers, ICD-10 codes, and provider identifiers. PCI-DSS covers credit card patterns. GLBA covers financial account numbers. FERPA covers student records.

Administrators enable filters through the admin console with checkboxes and adjust sensitivity thresholds. A high-sensitivity filter triggers on partial matches, catching more content but generating more false positives. A low-sensitivity filter triggers only on confirmed patterns.

  • HIPAA filters: MRN patterns, ICD-10 codes, NPI numbers, prescription language
  • PCI-DSS filters: 15 and 16-digit card number patterns, CVV proximity
  • GLBA filters: account number formats, SSN patterns, tax ID patterns
  • Custom filters: administrator-defined regular expressions for organization-specific content

Tuning filters is the most time-intensive part of a Zix deployment. Initial rollouts typically require 30 to 90 days of adjustment as administrators identify false-positive patterns specific to their workflow. Vendor professional services help accelerate that process at additional cost.

ZixPort Recipient Experience and Friction

External recipients (those outside ZixDirectory) receive a notification email with a link when a Zix-encrypted message arrives. Clicking the link opens ZixPort in a browser tab. First-time recipients create a portal account with a password.

The portal displays the message once the recipient signs in. Attachments can be downloaded. Replies are composed inside the portal and stay encrypted end-to-end within the Zix system. The design mirrors other portal-based encryption products such as Barracuda and Proofpoint.

The friction points are standard for portal encryption. Recipients must remember portal passwords for each organization sending encrypted content. Session tokens expire after 15 to 60 minutes of inactivity. Mobile browser rendering varies by phone model.

Organizations that need portal-free delivery for external recipients often supplement Zix with an inbox-native product for a subset of use cases. Our guide to secure email service covers the trade-off between portal and inbox-native models in more detail.

Example

A 12-provider cardiology group runs Microsoft 365 Business Standard and exchanges patient records daily with a 3,000-bed regional health system that already runs Zix. The clinic considers Zix at roughly $55 per user annually plus a 25-seat minimum. Because the target hospital sits inside ZixDirectory, every outbound record would deliver encrypted end-to-end with no portal friction on the receiving clinicians. The clinic weighs that directory value against a $10-per-user inbox-native service that meets HIPAA but forces the hospital staff through a portal login on every message.

Zix Directory and Transparent Delivery

ZixDirectory is the shared directory of encrypted-mail participants that removes portal friction between two Zix-using organizations. When both sender and recipient domains are in the directory, the message is transmitted encrypted end-to-end and arrives in the recipient’s regular inbox.

The recipient sees a decrypted message with a Zix Secure header banner. No portal login is required. The experience mimics regular email except for the visible security marker.

The directory is one of the strongest Zix differentiators in healthcare because many large hospital systems, insurance carriers, and pharmacy chains use Zix. When PHI moves between two directory members, the workflow is faster than any portal-based alternative.

The value scales with directory overlap. An organization whose external contacts are also Zix customers gets substantial friction reduction. An organization whose external contacts are mostly non-Zix falls back to the portal for most messages.

zixcorp email encryption in article illustration two

Zixcorp Email Encryption Review Notes from Peer Sources

Reviews aggregated from Gartner Peer Insights, G2, and TrustRadius cluster around consistent themes. Positive review scores focus on enforcement reliability, filter accuracy after tuning, and the ZixDirectory shared-directory feature.

Negative review scores focus on admin console usability, the professional services requirement for optimal setup, and total cost of ownership at smaller seat counts. Several reviewers describe the interface as functional but visually dated, particularly in the policy filter management screens.

Deliverability and portal uptime rarely draw complaints, which suggests the operational quality is high even where the admin experience lags. Support response times score in the middle of the pack. Enterprise customers report faster response than mid-market customers, which tracks with account tier structure.

Reviewer sentiment on the OpenText acquisition is mixed. Some reviewers report improved integration with other OpenText products. Others report a shift in support experience post-acquisition that they attribute to organizational restructuring.

Zixcorp Encryption for HIPAA Compliance

Zixcorp email encryption is used across healthcare providers, payers, and business associates as the primary HIPAA-compliant email channel. The policy engine covers the standard HIPAA patterns and enforcement happens at the gateway rather than the mailbox.

OpenText (as the Zix parent) provides a Business Associate Agreement covering encryption and portal storage. The BAA scope includes ZixPort message retention, ZixDirectory transmission, and the underlying infrastructure. HHS publishes BAA sample provisions that outline the expected coverage areas.

Retention windows for ZixPort are configurable at the domain level. Common defaults are 30, 60, and 90 days. Healthcare organizations subject to state-level breach notification laws may need longer retention to support audit and investigation timelines. The vendor supports custom retention up to seven years.

Healthcare organizations rolling out Zix often coordinate with broader digital compliance programs. Our team at Redefine Web has published a companion piece on healthcare website security features that pairs encryption strategy with public-facing web hardening.

๐Ÿ’กPro Tip: Match Zix value to directory overlap first

Before signing a Zix contract, list every external organization the practice exchanges regulated content with and check how many run Zix. ZixDirectory is the single feature that justifies the premium price over cheaper alternatives. High directory overlap means friction-free delivery for most sends. Low overlap means paying enterprise rates while most recipients still hit the ZixPort portal login, which erases the workflow advantage.

Zix Versus Microsoft Purview Message Encryption

Microsoft Purview Message Encryption is bundled with Microsoft 365 E3 and E5 licenses. Organizations already paying for those license tiers get encryption at no incremental cost. That baseline makes the Zix pitch harder for pure Microsoft shops.

The Zix differentiators against Purview are the ZixDirectory shared-directory feature, the depth of pre-built policy filters, and the DLP integration. Purview supports policy rules through Exchange transport rules but lacks a shared directory equivalent to ZixDirectory.

Organizations that already have Microsoft 365 E3 or E5 and whose external contacts are mostly Microsoft-shop themselves often stick with Purview. Organizations with regulated peer networks (health systems, insurance groups) frequently prefer Zix specifically for the directory. The email encryption landscape has consolidated around a few architectural choices, and this pairing represents two of them.

Cost comparison favors Purview inside E3/E5 tenants. Cost comparison shifts if the organization would need to upgrade its Microsoft licenses purely to get Purview, in which case Zix at $30-50 per user often beats a license upgrade.

When Zix Fits and When It Does Not

Zix fits organizations with 100 or more users, heavy regulated content flow, and frequent external exchange with other Zix-using organizations. Healthcare systems, regional banks, and mid-size legal firms are common Zix customers.

Zix does not fit small practices under 25 users well. Minimum-seat pricing pushes per-user cost high and the operational overhead of policy tuning is substantial for a small IT team. Smaller organizations often see better economics from inbox-native encrypted email services such as Mailhippo, which include a BAA in the base plan and require no gateway configuration.

Zix also fits less well for organizations that need message-level end-to-end encryption using recipient-controlled keys. Zix is a gateway model with organization-controlled encryption. Organizations that need cryptographic zero-knowledge encryption should look at S/MIME or PGP-based products instead. Our guide to S/MIME email encryption signature covers that model.

Between those extremes sits the middle market where the decision depends on directory overlap, existing Microsoft licenses, and IT team capacity. That is where evaluators spend the most time weighing Zix against alternatives.

Setup and Deployment Timeline for Zixcorp Email Encryption

A Zix deployment moves through four phases: procurement, gateway configuration, policy tuning, and user rollout. Total timeline for a mid-size healthcare organization runs 30 to 90 days from contract signature to full production.

Procurement takes one to three weeks depending on legal review of the BAA and master service agreement. Gateway configuration is faster, usually one to two weeks including MX record changes, TLS certificate provisioning, and integration with Microsoft 365 or Google Workspace.

Policy tuning is the longest phase. Administrators enable filters, monitor the message stream, and adjust sensitivity as false positives appear. NIST publishes guidance in Special Publication 800-177 on trustworthy email that covers the general principles applied during tuning. Vendor professional services can compress this phase but add cost.

User rollout is typically staged. IT teams enable policy enforcement for a pilot group of 20 to 50 users, monitor for two weeks, then expand to the full user base. That approach catches workflow issues before they hit the whole organization. For a broader view of the email encryption service category, our companion articles compare Zix to Cisco Secure Email Encryption Service and other secure email encryption service options.

Frequently Asked Questions

What does Zixcorp email encryption cost per user? +

Public pricing is not listed on the OpenText site. Third-party data from procurement platforms and resellers suggests the standard encryption tier runs $30 to $80 per user annually, depending on volume. Enterprises above 500 seats often negotiate below $30. Small practices under 25 seats often see quotes at or above $80 because minimum-seat pricing applies. Add-ons for archiving, DLP, and inbound protection are priced separately. Direct sales contact is required for a firm quote tied to the exact seat count and add-on mix.

How does Zixcorp email encryption compare to Microsoft Purview Message Encryption? +

Purview Message Encryption is bundled with Microsoft 365 E3 and E5 licenses, so organizations already on those plans pay no incremental fee. Zix provides more granular policy filters and a shared directory that eliminates portal friction between two Zix-using organizations. Purview lacks that shared-directory benefit outside of native TLS. The right choice depends on whether the license is already paid for and whether frequent recipients also run Zix. Healthcare networks with heavy peer-to-peer PHI exchange often prefer Zix for the directory alone.

Does Zixcorp email encryption include a BAA for HIPAA? +

Yes. Zix, as an OpenText company, offers a Business Associate Agreement covering the encryption and portal storage services. Healthcare organizations should confirm the BAA is signed and in force before sending PHI through the platform. The BAA covers the message content stored in ZixPort during retention windows and the transit path between sender, portal, and recipient. Retention windows are configurable at the domain level, with 30, 60, and 90 days as common defaults for regulated content.

What is ZixPort, and how do recipients use it? +

ZixPort is the recipient-facing portal where encrypted messages are stored and read. External recipients who receive a Zix-encrypted email get a notification with a link. Clicking the link opens ZixPort in a browser. First-time recipients create a portal account with a password. Returning recipients sign in with the same credentials. The portal displays the message and allows secure replies. The reply stays inside the Zix system and reaches the original sender as a decrypted message in their regular inbox.

How does Zix policy-based encryption differ from user-triggered encryption? +

User-triggered encryption depends on the sender remembering to click an Encrypt button before Send. Policy-based encryption scans every outbound message for regulated content and encrypts matches automatically, regardless of whether the sender remembered. That distinction matters in healthcare where a distracted clinician can miss the manual step. Zix runs primarily as policy-based, with pre-built filters for HIPAA, PCI-DSS, and other regimes. Administrators can also allow user-triggered encryption through subject-line tags for edge cases the filters do not catch.

Is Zixcorp email encryption a good fit for a small medical practice? +

For practices under 25 users, Zix is often more platform than the workload requires and pricing tends to be steep. The policy engine and directory value scale with volume. Small practices frequently get equivalent HIPAA protection from inbox-native encrypted email services with lower per-user cost and simpler setup. Practices above 100 seats or that exchange PHI heavily with other Zix-using organizations get more value from Zix. The break-even seat count depends on directory overlap and negotiated pricing.

What common issues appear in Zixcorp email encryption reviews? +

The most frequent review complaints center on admin console complexity, the need for vendor support during policy tuning, and total cost of ownership at small scale. Reviewers on Gartner Peer Insights and G2 also cite occasional false positives in the policy filters that require adjustment. Positive reviews focus on enforcement reliability, the ZixDirectory shared-directory feature, and mature support for regulated content patterns. Reviewers rarely complain about message deliverability or portal uptime, which are consistently rated well across sources.

How to Email Encrypted Documents in Gmail, Outlook, and Apple Mail

how to email encrypted guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook 365 Business Premium sends encrypted mail in three clicks: Options, Encrypt, pick policy.
  • Gmail S/MIME rides on Enterprise and Education tiers; Business Standard skips the lock icon.
  • Apple Mail S/MIME works once the certificate lands in Keychain; MDM pushes it to iPhones fast.
  • Encrypted attachments need their own layer if the mail client does not wrap them in the envelope.
  • Portal encryption solves the patient certificate problem; test the flow on iOS and Android.

Sending an encrypted email looks simple in a marketing screenshot. In real practice it depends on which mail platform the sender uses, which platform the recipient uses, and whether both sides have the right certificates or the right portal experience.

This guide covers the three main paths. Native encryption in Outlook, Gmail, and Apple Mail. Portal-based gateway services that layer encryption on top of any mailbox. And attachment-level encryption for cases where the message envelope does not carry the protection. A HIPAA-ready encrypted email service covers the second path in one plan.

The goal is a workflow the practice staff will actually use. Encryption that requires ten steps loses the race against the encryption that requires two.

Outlook 365 Business Premium sends encrypted email in three clicks

Open a new message in Outlook. Click Options in the ribbon. Click Encrypt. A dropdown appears with policies like Do Not Forward, Encrypt-Only, and Confidential.

Pick the policy that matches the sensitivity level of the message. Encrypt-Only is the standard choice for general PHI. Do Not Forward adds a restriction that prevents the recipient from forwarding or copying the message content.

External recipients receive a portal link. They sign in with Microsoft, Google, or a one-time passcode sent to the recipient inbox. Microsoft Purview Message Encryption handles the cryptographic work.

The Encrypt button is missing on free Outlook.com accounts and on Microsoft 365 Business Basic. For those tiers a gateway service adds the encryption layer. For more depth on the how to send encrypted email workflow across Outlook plans, review the linked tutorial.

how to email encrypted in article illustration one

Gmail encrypted send depends on the Google Workspace plan

Google Workspace Enterprise and Education plans support hosted S/MIME. Administrators upload user certificates to the admin console, and the Encrypt lock icon appears in Gmail compose. Users click the lock and pick a level.

Business Standard and Business Plus plans do not include S/MIME. The Encrypt option is grayed out or missing entirely. Confidential mode is available on every plan and adds passcode gating and expiration.

Confidential mode is not end-to-end encryption. Google can still read the message. For HIPAA workflows on plans without S/MIME, add a gateway service that encrypts outbound messages at the mail server layer.

For a step-by-step tutorial on the Gmail send flow, review the linked how to send encrypted email Gmail guide with plan-by-plan screenshots.

Apple Mail supports S/MIME on macOS and iOS with certificate provisioning

Apple Mail is often overlooked, but it supports S/MIME cleanly. Install the user certificate in the macOS keychain or the iOS device profile. The Mail app auto-detects the certificate.

Compose a new message. If a valid public key exists for the recipient, a blue lock icon appears next to the recipient field. Click the lock and the message goes out encrypted.

Mobile device management profiles can push certificates automatically to staff iPhones. This removes the burden of manual certificate installation. Apple documents the profile format at support.apple.com/deployment.

The main limitation is recipient support. If the recipient does not have a valid S/MIME certificate, the message cannot be encrypted with this method. Portal-based services fill that gap.

Example

A six-provider urology practice runs Outlook 365 Business Premium and averages 40 encrypted messages per week to patients and referring physicians. The compliance officer runs a quarterly test at the end of each quarter. She sends a message from her practice mailbox to a personal iCloud address, opens the portal link on an iPhone, and confirms the one-time passcode arrives within 30 seconds. She documents the pass or fail in the HIPAA risk analysis alongside a screenshot of the Received headers showing TLS 1.3 negotiation.

Portal-based gateway services fit HIPAA workflows best

A gateway service sits between the practice mail server and the internet. Staff send email normally through Gmail or Outlook. The gateway inspects each message against a policy list.

Messages that match a trigger, like a subject line keyword or a recipient on the encryption list, divert to a secure portal. The recipient receives a notification email with a link.

The recipient clicks the link, verifies identity with a one-time passcode, and reads the message in a browser. No certificate, no plugin, no keypair. This works for patients on any device.

Portal services also produce audit logs that show when the message was opened, when the link expired, and whether the recipient forwarded the content. Those logs feed the HIPAA risk analysis process directly.

how to email encrypted in article illustration two

Encrypting attachments as a second layer

Password-protected PDFs add attachment-level encryption. Adobe Acrobat, Preview on macOS, and free tools like PDFsam all support the format. The recipient enters a password to open the file.

ZIP files encrypted with AES-256 offer the same layer for other document types. Windows Explorer, macOS Terminal, and free tools like 7-Zip all support the format. Use AES-256 rather than the older ZipCrypto standard.

The password must travel through a channel separate from the email itself. A phone call, a text message, or a secure messaging app all work. If both the file and the password go through the same mailbox, an attacker with mailbox access gets both.

For sending encrypted documents that need to survive across mail platforms, this dual-layer approach is a reliable fallback. Review the linked how to send encrypted documents via email guide for a detailed walkthrough.

Method comparison across three common scenarios

The table below shows which method fits which scenario. Practices should map their real mail flows against the categories rather than picking a single method for all sends.

Scenario Best method Recipient action
Internal staff email carrying PHI Native S/MIME or Purview Open in mail client
Patient communication Portal-based gateway Click link and verify with passcode
Referral to another clinic Portal or S/MIME if certificate available Portal login or auto-decrypt
Sensitive attachment across mixed platforms Password-protected PDF plus TLS Open file with password

Practices with mixed platforms usually settle on the portal model as the default because it works everywhere. Native S/MIME stays useful for internal mail between staff who all have certificates.

๐Ÿ’กPro Tip: Test the encryption flow on mobile every quarter

Portal login flows that work on desktop sometimes break on iOS or Android because of pop-up blockers, browser policy differences, or MDM restrictions. Once per quarter, send a test message from the practice mailbox to a personal address on a different provider. Open the portal link on both an iPhone and an Android phone. Confirm the one-time passcode arrives and the message renders correctly. This catches issues before a patient hits them on a time-sensitive prescription authorization or lab result.

Testing the encryption flow before high-stakes sends

Every practice should test the encryption flow at least once a quarter. Send a test message to a personal address on a different mail provider. Open the message in the recipient inbox.

Check the message headers. TLS negotiation appears as TLS=version in the Received line. S/MIME shows a lock icon in the mail client. Portal services show a login page.

Test on both desktop and mobile. Portal login flows that work on desktop sometimes break on iOS or Android because of pop-up blockers or browser policy differences. The test catches these issues before a patient hits them.

  • Send a quarterly test to a personal address on a different provider
  • Verify TLS in the message headers
  • Test the portal login on desktop and mobile
  • Document the test result in the risk analysis
  • Retrain staff on any workflow changes

Common mistakes that break the encryption flow

Staff often paste PHI into the subject line and forget the body is where the encryption applies. S/MIME and OpenPGP leave the subject unencrypted. Portal services often replace the subject with a generic notification, but the practice should train staff to keep the subject vague.

Free consumer accounts get used for PHI during on-call rotations. Personal Gmail or Outlook.com accounts do not qualify for a Business Associate Agreement. Staff should have a documented backup path for after-hours PHI sends.

Recipient certificates expire silently. The next S/MIME message to that address fails to encrypt, and the sender may not notice until the recipient reports the problem. Regular certificate audits catch expired public keys.

Practices that align email encryption with strong healthcare website security features close common gaps in patient intake forms where the same PHI often flows through both channels.

Ongoing training keeps the workflow tight

Training is not a one-time event. New hires, platform changes, and new patient portals all reset the baseline. Practices should include encryption training in the onboarding checklist and revisit it annually.

Focus training on the practical scenarios. A referral letter to another clinic. A claim to a billing partner. An intake form sent back to a patient. Each is a moment where the staff member decides to encrypt.

Policy-based gateway services reduce the training burden by making the decision automatic. If the message goes to a specific domain or contains a policy keyword, the gateway encrypts without a manual click.

Practices that pair training with strong healthcare website maintenance keep the patient communication stack aligned. For a single-vendor solution that covers the BAA, the portal, and the audit trail, a HIPAA-ready secure email service removes most of the setup work.

Frequently Asked Questions

What is the fastest way to send an encrypted email? +

For Outlook 365 Business Premium users, click Options, click Encrypt, and pick Encrypt-Only. The message goes through Microsoft Purview Message Encryption and reaches the recipient with a secure portal link. For Gmail on Google Workspace Enterprise, click the lock icon in compose after S/MIME is configured. For every other plan, use a gateway service that layers encryption on top of the existing mailbox. Gateway services require no client setup and produce a consistent recipient experience across sender platforms.

Can I encrypt an email attachment separately from the message body? +

Yes. Password-protected PDFs and ZIP files add attachment-level encryption on top of any message-level protection. This is useful when the sender and recipient use different mail clients. The password should travel through a channel separate from the email itself, like a phone call or text message. If both the encrypted attachment and the password travel through the same compromised mailbox, an attacker gets access to both. Sharing the password through a different channel is a small step that meaningfully raises the effort required for a breach.

Does Gmail confidential mode count as encryption? +

Confidential mode adds passcode gating, message expiration, and controls that disable forwarding, copying, and printing. It does not add end-to-end encryption. Google can still read the message. For HIPAA workflows this is not sufficient by itself. Confidential mode is useful for internal Gmail-to-Gmail messages where extra recipient controls are helpful. For external mail carrying PHI, use S/MIME on the Enterprise plan or a gateway service. Confidential mode on a free Gmail account is not enough for any regulated data flow.

What happens if the recipient cannot open my encrypted email? +

Portal services fall back to a one-time passcode sent to the recipient inbox, which the recipient enters on the portal to open the message. S/MIME messages sent to a recipient without a valid certificate arrive as unreadable ciphertext or attachments. Practices should test the flow before high-stakes sends. Send a test message to a personal address on a different provider and confirm the login works on a phone. If the recipient hits a broken portal, the message may be a prescription authorization that misses a deadline.

How do I send an encrypted email from my phone? +

iOS Mail sends S/MIME encrypted messages after the certificate is installed in the keychain. Outlook mobile supports Encrypt on Business Premium accounts, and Gmail mobile supports S/MIME on Enterprise accounts. Portal-based gateway services work identically on desktop and mobile because the encryption happens at the mail server, not on the device. For occasional PHI sends from a personal phone during on-call rotations, the portal model is the simplest option. Free personal accounts should not be used for PHI regardless of device.

Does an encrypted email hide the subject line? +

S/MIME and OpenPGP encrypt the message body and attachments but leave the subject line, recipient address, and sender address unencrypted. Portal-based services often replace the subject line with a generic notification like Secure message from Practice Name. That reveals the sender but hides the topic. Practices should train staff to avoid sensitive terms in the subject line even when the body is encrypted. A subject line of Test results for Patient Smith leaks PHI on its own.

How do I verify my encrypted email actually worked? +

Send a test message to a personal address on a different mail provider. Open the message in the recipient inbox. If the sender used TLS, the Received headers show TLS=version. If the sender used S/MIME, the message shows a lock icon and requires the recipient certificate to decrypt. If the sender used a portal service, the recipient sees a login page rather than the message body inline. NIST recommends quarterly verification of encryption controls as part of the risk analysis process.

Email Encryption Best Practices That Balance Security and Workflow

email encryption best practices guide featured image

๐Ÿ”‘ Key Takeaways

  • Encryption best practices start with clean account naming, not algorithm choice or key length.
  • Policy-based triggers beat manual clicks; audits find 15 to 30 percent unencrypted PHI otherwise.
  • MFA on sender and recipient accounts blocks the credential attacks that drive most real breaches.
  • Audit logs must cover sender, recipient, timestamp, method, delivery, and access for six years.
  • Locked signatures and short disclaimers reinforce the workflow; length adds no legal weight.

Email encryption best practices sit at the intersection of cryptographic choice, operational discipline, and audit posture. The three areas reinforce each other or fall together.

This guide covers the practices that hold up under regulatory scrutiny, workflow pressure, and staff turnover. For teams evaluating an encrypted email service, the practices below shape which vendor features actually matter.

Read the sections in order. Each layer builds on the one before.

Account Naming Sets the Foundation for Every Downstream Control

Sender account structure decides whether audit logs read cleanly and whether recipient trust holds. Best practice standardizes names before configuring encryption.

A first.last@practice.com pattern reads as a real person and carries the least spam risk. Recipients recognize the name pattern and open the message. Auditors trace the message to a specific staff member.

Shared inboxes like info@ or admin@ complicate audit trails because multiple staff members access the same account. Best practice restricts shared inboxes to non-PHI content and routes clinical email through named accounts.

Personal accounts used for business purposes fall outside every encryption control the practice buys. A staff member forwarding PHI to gmail.com creates an immediate compliance gap that no vendor can fix.

Account cleanup before encryption deployment saves the compliance team from months of gap remediation later.

Policy-Based Encryption Beats Manual Encryption at Scale

Manual encryption where staff click Encrypt on each message produces inconsistent coverage. Policy-based encryption applies automatically based on content rules.

The policy engine scans outbound messages for regulated content markers. Common markers include patient identifiers, social security numbers, credit card patterns, and keywords like PHI or CUI in the subject.

Matching messages trigger encryption without staff action. Staff can still click Encrypt manually for edge cases the policy engine does not catch.

Best practice combines both. Policy handles the bulk of consistent coverage. Manual triggers cover the twenty percent of messages where policy detection is ambiguous.

Practices without policy-based encryption typically show fifteen to thirty percent unencrypted PHI messages in a random audit sample. The gap is not staff carelessness. It is the human error rate for any repeated decision under workflow pressure.

email encryption best practices in article illustration one

Multi-Factor Authentication Protects the Weakest Endpoint

Encryption protects the message in transit and at rest. The credential that unlocks the mailbox is the actual attack surface for most breaches.

Multi-factor authentication on every sender account is the single highest-return security control. The CISA guidance on MFA lists it as a baseline requirement.

SMS-based MFA is better than nothing but weaker than authenticator apps or hardware keys. Scattered Spider and similar groups routinely bypass SMS through SIM swapping.

Best practice uses authenticator apps like Microsoft Authenticator, Google Authenticator, or Authy on all sender accounts. Hardware keys like YubiKey add another layer for high-privilege accounts.

Recipient authentication also matters. Portal-based encryption where the recipient signs in with a weak password provides marginal real protection. Best practice enforces MFA on recipient portals or delivers directly to authenticated business email addresses only.

Transport and Content Encryption Both Belong in the Stack

Best practice layers TLS transport with content encryption. Each layer covers different threats and neither substitutes for the other.

TLS 1.3 between mail servers protects messages against interception on the network path. TLS 1.2 with strong cipher suites is acceptable where 1.3 is not yet supported end to end.

Content encryption using S/MIME, PGP, or a hosted portal protects the message body itself. Content encryption survives at the recipient mail provider and defends against inbox compromise or provider-side access.

MTA-STS on the sending domain forces receiving servers to use TLS. Missing MTA-STS leaves the door open to downgrade attacks that revert to unencrypted transport.

DANE and BIMI on the sending domain add authentication that helps recipient servers verify the sender before delivery. These records reduce spoofing that undermines every downstream trust decision.

Example

A twenty-provider orthopedic group runs a random audit sample of 200 outbound messages before rolling out policy-based encryption. Staff had been using a manual Encrypt button for six months. The audit finds 47 messages with PHI sent unencrypted, or 23.5 percent. After the group deploys a content-scanning rule with a manual override, the next quarterly audit finds 4 unencrypted PHI messages out of 250 sampled, or 1.6 percent. The policy engine catches the volume. The manual button covers the edge cases.

Audit Logging Is Where Compliance Investigations Land

Encryption tools produce audit logs. Whether those logs meet compliance requirements depends on retention, field coverage, and tamper resistance.

Baseline fields include sender identity, recipient identity, timestamp, encryption method, delivery status, and recipient access events. Missing any field creates a gap.

Best practice exports logs from the vendor console to a separate storage system. The separation prevents a compromised vendor account from erasing evidence.

Retention windows depend on the applicable regulation. HIPAA requires six years for the accounting of disclosures. HITRUST requires evidence going back through the certification period. SOX and PCI have their own retention rules.

Monthly log review catches configuration drift early. Practices that only look at logs during audit season find gaps that developed over months and cannot easily reconstruct the record.

Disclaimers and Signatures Reinforce or Undermine the Workflow

Confidentiality disclaimers and signature templates carry independent HIPAA implications alongside encryption. Best practice treats them as reinforcing controls, not as substitutes for encryption.

A concise disclaimer at the message footer notes that the message may contain PHI, states that unauthorized use is prohibited, and provides instructions if the message was received in error. Under one hundred fifty words. Below the signature block.

Long disclaimers reduce readability without adding legal value. Recipients skip past them. Practices should focus disclaimer effort on clarity rather than length.

Signature templates should be locked at the admin level to prevent staff variation. Standard fields include sender name, credential, practice name, direct phone, general practice phone, secure fax number for PHI, and NPI where applicable.

A locked template prevents staff from creating custom signatures that omit required contact routing information. Recipients who need to send PHI back have a clear channel that is not the standard email reply.

email encryption best practices in article illustration two

Comparison of Common Encryption Best Practice Controls

The table below compares four common encryption control approaches across the fields that decide day-to-day compliance posture.

Control Coverage Staff Burden Audit Strength Best Fit
Manual Encrypt button Only messages staff mark High Weak Small teams with strict discipline
Subject line keyword trigger Only messages staff tag Medium Weak Individual power users
Policy-based content scanning All matching content Low Strong Regulated healthcare and finance teams
Blanket encryption on outbound All outbound mail None Strong Practices with sensitive-only workflows

Best practice combines policy-based scanning with a manual override button. The policy handles the volume. The button covers edge cases.

Recipient Verification Reduces Wrong-Delivery Risk

An encrypted message sent to the wrong recipient is still a breach. Best practice adds recipient verification steps before sensitive content leaves the sender.

Address autocomplete in Outlook and Gmail suggests recent recipients. Staff sometimes accept the wrong suggestion under time pressure. A momentary pause to verify the domain matches the intended recipient prevents most autocomplete errors.

External recipient warnings that trigger on messages to non-domain addresses add another pause. Microsoft 365 and Google Workspace both support external tags.

High-sensitivity messages benefit from a delay-send window where the sender has ninety seconds to catch a wrong address. Both Microsoft and Google support delayed delivery natively.

Practices with high patient turnover should also audit the practice management system contact export against the mail platform address book quarterly. Stale contacts route messages to former patients or providers.

Key Management Discipline Across S/MIME and PGP Deployments

Practices running S/MIME or PGP handle cryptographic material directly. Key management discipline decides whether the deployment stays secure over time.

Certificate renewal dates need calendar tracking. Expired S/MIME certificates fail silently for the sender and produce confusing errors for recipients.

Private keys should never travel over unencrypted channels or by email. A staff member switching devices should generate a new key pair rather than copying the old private key.

Public key exchange should happen through signed messages or a trusted directory. Sending a public key from a personal address to a work address opens spoofing risk.

Practices without a full-time IT team usually find hosted encryption services easier to operate than S/MIME or PGP. The vendor handles the key management burden that trips up direct deployments.

๐Ÿ’กPro Tip: Combine policy scanning with a manual override

Manual encryption where staff click a button on each sensitive message produces 15 to 30 percent unencrypted PHI in random audit samples. Policy-based encryption that scans outbound content for regulated markers catches the bulk automatically. Keep the manual button available for edge cases the policy engine misses. Review the policy match log monthly and tune the rules against actual send patterns. The combined model gives the tightest coverage without adding staff burden or triggering workarounds under deadline pressure.

CUI and Regulated Content Add Specific Requirements

Federal contractors handling Controlled Unclassified Information follow NIST SP 800-171. The requirement adds specific cryptographic module validation on top of general encryption practices.

FIPS 140-2 or 140-3 validated modules must handle CUI transmission. Practices verify vendor documentation lists validation status before using the service for CUI.

DFARS 252.204-7012 enforces the requirement in defense contracts. Contractors failing the requirement risk contract cancellation and False Claims Act exposure.

Healthcare practices handling PHI follow HIPAA under HHS. Financial services follow GLBA and PCI DSS. Each regulation has its own encryption specificity that best practices should map explicitly.

Practices with multiple regulatory contexts benefit from a control matrix that maps each control to each regulation. The mapping surfaces gaps and prevents double work.

Related Reading for Deeper Coverage

Email encryption best practices touch several adjacent topics. Practices building the full stack benefit from the companion guides below.

Practices evaluating vendors can review best encrypted email comparisons for shortlist candidates. Vendor fit shapes which practices are achievable in daily operation.

HIPAA-specific detail lives in the HIPAA compliant email foundation and the best HIPAA compliant email comparison. Both cover the BAA, audit, and workforce training requirements.

Practices choosing platforms can review HIPAA compliant email platforms for larger vendor coverage. The platform comparison broadens the shortlist beyond the encryption-only vendors.

Practices starting from the foundational encryption topic can read encryption for email for background. The technical layer sharpens the vendor conversation.

Where Redefine Web Fits the Practice Communication Stack

Email encryption best practices apply to messages that reach the email pipeline. Website forms, patient portals, and marketing automation carry PHI that must reach the same encryption controls.

A contact form on the practice website that emails PHI to a generic Gmail address bypasses every encryption control the practice buys. The submission arrives unencrypted and the audit trail does not exist.

Redefine Web builds HIPAA-aware websites and integrates the forms with encrypted delivery paths. Details on healthcare website security features cover the surface area that sits alongside encrypted email.

A closed-loop review across website, forms, email, and portal reduces the probability that a PHI leak lands in an unencrypted channel by mistake. Best practices reinforce each other only when the surrounding systems align.

Mailhippo fits practices that want strong encryption defaults, policy-based triggers, BAA coverage, and audit logs in one product. The service integrates with existing Gmail or Outlook accounts and covers the practical best practices covered above without adding operational burden.

Frequently Asked Questions

What are the core email encryption best practices for 2026? +

The core practices cover six areas. First, standardize sender account naming so audit trails read cleanly. Second, apply policy-based encryption that triggers on regulated content rather than relying on staff decisions. Third, require multi-factor authentication on all sender accounts and preferably on recipient portals. Fourth, use TLS 1.3 for transport and AES-256 for content encryption. Fifth, export audit logs to tamper-evident storage with retention that meets the applicable regulation. Sixth, review the encryption stack quarterly against current threat intelligence and vendor updates.

How should staff handle disclaimers in HIPAA-compliant email? +

A confidentiality disclaimer at the message footer serves as legal notice but does not create compliance. Best practices for HIPAA disclaimers include a brief statement that the message may contain PHI, a note that unauthorized use is prohibited, and instructions for the recipient if the message was received in error. Long disclaimers reduce readability without adding legal value. The disclaimer should sit below the signature block and stay under one hundred fifty words. Encryption, BAA coverage, and audit logging create the actual compliance posture.

What are email signature best practices for HIPAA-compliant healthcare teams? +

Signature templates should be locked at the admin level to prevent staff variation. Standard fields include the sender name, credential, practice name, direct phone line for clinical questions, general practice phone, secure fax number for PHI, and NPI where applicable. The signature should not include personal mobile numbers unless those numbers are also covered by the encryption or messaging policy. A locked template prevents staff from creating custom signatures that omit required contact routing information for PHI.

How do I encrypt sensitive business emails as a best practice? +

Route the message through a service that encrypts content, not only transport. Options include Microsoft Purview Message Encryption on Business Premium or higher, Google Workspace client-side encryption on Enterprise Plus, or a dedicated service like Mailhippo, Virtru, or LuxSci. Trigger encryption on a policy rule matching regulated content, a subject line keyword, or an explicit Encrypt button click. Verify the recipient can access the message before sending sensitive attachments. Confirm audit logging captures the sender, recipient, timestamp, and delivery event.

What are the CUI email encryption best practices for federal contractors? +

Controlled Unclassified Information handling under NIST SP 800-171 requires FIPS 140-2 or 140-3 validated cryptographic modules for CUI transmission. Federal contractors typically use S/MIME with a certificate from an approved certificate authority, TLS 1.2 or 1.3 with strong cipher suites, and DoD-compliant email gateway configurations. Contractors should verify the encryption vendor documentation lists FIPS validation status and cipher suite support before using the service for CUI. The DFARS 252.204-7012 clause enforces the requirement in defense contracts.

How often should we audit our email encryption stack? +

A quarterly audit cadence covers most healthcare and small business threat models. The audit reviews sender account list against active staff, encryption trigger rule coverage against sending patterns, recipient portal usage against expected delivery paths, and audit log field coverage against retention requirements. Annual reviews add penetration testing and configuration review against current threat intelligence. Practices in regulated industries like healthcare, financial services, and defense contracting should also verify vendor SOC 2 or HITRUST reports have not lapsed and BAA terms remain current.

What is the biggest email encryption best practice mistake? +

The biggest mistake is treating encryption as a technical control instead of an operational discipline. A practice buys a strong encryption service, configures it once, and stops. Staff turnover, workflow changes, new EMR integrations, and vendor updates all shift the encryption coverage over time. Without a review cadence, the deployment drifts from the original design. OCR investigations regularly find practices with encryption tools in place but coverage gaps that developed over months. The best practice is treating the encryption stack as a maintained system, not a one-time purchase.

Secure Email Encryption Service Buyer Guide for 2026

secure email encryption service guide featured image

๐Ÿ”‘ Key Takeaways

  • Three questions decide a secure email vendor: BAA included, auto-trigger, and recipient friction.
  • Office 365 and Gmail bundle native encryption on higher plans, but neither ships a BAA by default.
  • Free services like Proton and Tutanota work for personal use; small clinics outgrow them fast.
  • Entry tier plans run $3 to $8 per seat; enterprise bundles with DLP and archiving hit $10 to $25.
  • Recipient experience drives adoption; portals create tickets, one-click links keep patients happy.

A secure email encryption service protects the contents of a message from the moment a sender hits send to the moment a recipient opens it. Covered entities under HIPAA, financial institutions under GLBA, and law firms handling privileged material all use these services to meet regulatory requirements.

The market splits into three groups. Native tools built into Microsoft 365 and Google Workspace, dedicated third party services like Mailhippo encrypted email, and enterprise gateways from Barracuda, Cisco, and Proofpoint. Each group solves a different problem.

This guide walks through what a secure email encryption service actually delivers, how the main providers compare, and how to test recipient experience before you sign anything.

Secure email encryption service defined

A secure email encryption service scrambles message content so only the intended recipient can read it. The service uses TLS between mail servers as the baseline layer.

On top of TLS, providers add a second layer through S/MIME certificates, PGP keys, or a portal-based delivery model. The second layer protects the message once it lands on a server the sender does not control.

Enterprise services stack more features. Data loss prevention scans outbound content for regulated data. Archiving retains messages for compliance audits. Phishing filters catch inbound threats. Administrative controls let IT enforce encryption on messages that match specific policies.

The core deliverable stays the same across every vendor. Content confidentiality, sender identity verification, and delivery proof. Everything else is packaging.

Office 365 email encryption service options

Microsoft ships Office 365 Message Encryption with Business Premium, E3, and E5 plans. The service runs on Microsoft Purview and adds the Encrypt button to the Outlook Options ribbon on desktop, web, and mobile.

Senders click Encrypt, pick a permission preset, and send. External recipients get a portal link and sign in with Microsoft, Google, or a one-time passcode. Internal recipients see the encrypted message in Outlook without extra steps.

Business Basic and Business Standard plans do not include the Encrypt button. Practices on those SKUs need to upgrade to Business Premium at $22 per user per month or add a dedicated encryption gateway.

Microsoft signs a business associate agreement with covered entities on qualifying plans. Admins need to accept the BAA in the Microsoft 365 admin center under Contracts before sending PHI. Documentation lives at Microsoft Learn Purview Message Encryption.

secure email encryption service in article illustration one

Gmail email encryption service options

Gmail encrypts every message in transit using TLS. Google Workspace paid plans add S/MIME support on Enterprise Plus, which requires certificate management for both senders and recipients.

Confidential mode adds link expiry and SMS passcode options on every Workspace tier. Confidential mode does not encrypt content end to end. The message content sits in Google servers in a readable form for the sender organization.

Google signs a business associate agreement with covered entities on paid Workspace plans configured for HIPAA. Admins accept the BAA in the Workspace admin console. The BAA covers Gmail, Drive, Calendar, Meet, and other core services.

Practices sending real PHI usually stack a dedicated encryption gateway on top of Workspace. The gateway triggers on subject line keywords, data patterns, or recipient domain rules, then routes the message through an encrypted delivery path. See Google Workspace encryption documentation for the current feature matrix.

GoDaddy email encryption service pricing

GoDaddy resells Proofpoint-powered email encryption as an add-on to its Microsoft 365 packages. The add-on runs about $7 per user per month on top of the base 365 license, so a five-seat practice pays roughly $85 per month total.

Senders trigger encryption by adding [encrypt] to the subject line or clicking a button. Recipients register a Proofpoint portal account or verify a one-time code to open messages.

GoDaddy signs a business associate agreement on qualifying plans. The BAA covers the encryption service and the underlying Microsoft 365 tenant. Practices with existing Proofpoint contracts should compare direct Proofpoint pricing at higher seat counts, which often beats the GoDaddy reseller rate.

Support quality varies. GoDaddy phone support handles billing and provisioning. Encryption configuration issues route back to Proofpoint, which adds a delay when a message fails to send. Test the escalation path before you deploy across all seats.

Example

A 20-provider urgent care group ran a 30-day pilot comparing Proofpoint via GoDaddy at $7 per user against Mailhippo at $4.95 per user. They sent 50 identical PHI messages through each service to a mix of iOS, Android, and desktop recipients. Proofpoint required 60 percent of recipients to register a portal account, generating 14 support calls in three weeks. Mailhippo delivered a one-click link that opened for 46 of 50 recipients without an account. The group signed with Mailhippo, saving $492 per month across 20 seats.

Free secure email encryption service trade offs

Free encryption services exist for personal use. ProtonMail, Tutanota, and Skiff offer end to end encrypted email between accounts on the same platform.

Messages to external recipients require the recipient to accept a link, verify a passcode, or install a certificate. Solo practitioners often use free plans for the first quarter of operation, then upgrade once patient email volume rises past 200 messages per month.

Free services rarely sign a business associate agreement. ProtonMail offers a paid Business plan that includes a BAA at $12.99 per user per month. Tutanota and Skiff do not currently offer a BAA at any tier.

Free plans also lack retention controls, audit logs, and admin tools. Compliance risk usually outweighs the license savings once real PHI enters the mailbox. Read the HHS guidance on business associate agreements before picking any free tier for regulated content.

US Bank secure email encryption service model

US Bank uses a portal-based encryption service to send account statements, wire transfer confirmations, and loan documents to customers. Recipients get a notification email with a link to the portal.

The recipient registers an account on the first message, sets a password, and opens the message inside the browser. Follow-up messages from US Bank arrive at the same portal. The model works well for high volume, low urgency correspondence.

Portal-based encryption pushes friction onto the recipient. A customer who cannot find the login page will call the bank. A customer with an expired portal password will call the bank twice.

Financial institutions accept the friction because regulatory pressure outweighs support cost. Healthcare practices with lower call center capacity often pick a zero-step model instead, which delivers the encrypted message directly to the recipient normal inbox.

secure email encryption service in article illustration two

Nonprofit 365 pricing for email encryption service

Microsoft runs a nonprofit program that discounts 365 plans by 30 to 75 percent. Business Basic drops to $0 per user per month for the first 10 seats. Business Standard runs about $3 per user per month.

Business Premium, the plan that includes Purview Message Encryption, drops to about $5.50 per user per month for verified nonprofits. A community clinic with 20 seats pays $110 per month for encrypted email plus Office desktop apps, Intune, and Defender.

Nonprofits still sign the standard business associate agreement in the admin center. The BAA does not change with nonprofit pricing. Documentation lives at the Microsoft Nonprofits portal.

Barracuda, Cisco, and Proofpoint also offer nonprofit discounts of 20 to 50 percent. The discount usually applies to the base plan and not to compliance add-ons, so a small clinic saving money on seats still pays list price for the archiving module.

Mobile and desktop email encryption service parity

The best encryption service works identically on mobile and desktop. Services that require an S/MIME certificate on each device create setup pain for both senders and recipients.

Portal-based services often break the reply flow on mobile browsers. A recipient on an iPhone taps the portal link, logs in, reads the message, then hits reply and gets bounced to a login page again.

Zero-step encryption models handle the mobile case best. The sender uses the normal Gmail or Outlook app on any device. The recipient opens the message inside a standard inbox view on any device.

Test the reply flow on iOS Safari, Android Chrome, and desktop Chrome before committing to a multi-year contract. Vendors will send a test message on request. A five-minute test saves months of user complaints later.

๐Ÿ’กPro Tip: Ask for second-year pricing in writing

Enterprise email security vendors routinely quote a discounted first-year rate that jumps 30 to 50 percent on renewal. Ask for the second-year and third-year rate in writing before signing anything longer than a monthly agreement. Confirm the renewal cap is contractual, not verbal. If the vendor refuses to commit to future pricing, price in an assumed 40 percent renewal jump when comparing total cost of ownership against services with flat published rates.

Provider comparison for secure email encryption service buyers

Buyers picking between vendors weigh four factors above everything else. BAA inclusion, delivery model, price predictability, and admin controls.

Native Microsoft and Google options work well for organizations that already pay for the higher tier plans. Dedicated services like email encryption service providers and encryption email service platforms fit organizations that need a signed BAA in the base plan without a Business Premium upgrade.

Enterprise gateways from Barracuda email encryption service and secure email encryption service cisco add DLP, phishing protection, and archiving in one bundle. The bundles fit organizations with dedicated security teams.

Key evaluation questions:

  • Does the vendor sign a BAA in the base plan or as an add-on
  • Does encryption trigger automatically on regulated content patterns
  • Does the recipient need a portal account, a certificate, or a passcode
  • Does the price stay flat on renewal or jump after year one
  • Does the admin console log every encrypted message for audit

Healthcare practices and secure email encryption service selection

Healthcare covered entities and business associates carry the highest regulatory load. HIPAA, state privacy laws, and payer contracts all require encrypted transmission of PHI.

The right service for a five-person dental practice looks nothing like the right service for a hospital system with 4000 clinicians. Practices with under 50 seats usually pick a zero-step service with a bundled BAA. Larger organizations layer an enterprise gateway on top of Microsoft 365 or Google Workspace.

Practice websites also need to match the same security posture. Patient intake forms, appointment booking, and portal login pages all handle PHI. A HIPAA compliant website design partner handles the web side while the email service handles the mail side.

Practices running healthcare website security features already have most of the operational habits needed to run an encryption service. Password rotation, MFA on admin accounts, and audit log review carry over directly.

Choosing a secure email encryption service without regret

Most buying regret traces back to two mistakes. Picking a vendor without testing the recipient experience, and signing a long contract to lock in a first-year discount that resets on renewal.

Run a 30-day pilot with a single department. Send 50 real messages. Track how many recipients open the message on the first try, how many call for help, and how many ignore the message entirely.

Mailhippo works as an alternative when HIPAA compliance and per-recipient friction both matter. The service adds a BAA in the base plan, works with existing Gmail or Outlook accounts, and delivers messages without asking the recipient to install a certificate or register a portal account. The setup takes minutes.

Whatever vendor you pick, read the renewal clause before signing. Ask for the second-year rate in writing. Confirm the BAA transfers with account transfers. A secure email service that hides its renewal pricing is a service that plans to raise the price on renewal. Reference materials from HIPAA Journal on compliant email and NIST SP 800-177 Trustworthy Email help buyers write a defensible selection memo.

Frequently Asked Questions

What is a secure email encryption service? +

A secure email encryption service scrambles the contents of an email so only the intended recipient can read it. The service uses TLS to protect the connection between mail servers, then adds a second layer with S/MIME certificates, PGP keys, or portal-based delivery. Enterprise services also add data loss prevention, phishing filters, and archiving. Healthcare, finance, legal, and government users pick these services to meet HIPAA, GLBA, or CJIS requirements. The core deliverable is content confidentiality, sender identity verification, and delivery proof.

Does Office 365 include encryption? +

Yes, Office 365 Business Premium, E3, and E5 include Microsoft Purview Message Encryption at no extra cost. Users click the Encrypt button in the Options ribbon before sending, and external recipients open the message through a secure portal after signing in with Microsoft, Google, or a one-time passcode. Basic and Standard plans do not include the Encrypt button. Practices on those plans need to upgrade or add a dedicated encrypted email service to send protected health information under a signed business associate agreement.

Is Gmail encrypted email HIPAA compliant? +

Gmail encrypts email in transit using TLS on every Workspace tier, but transit encryption alone does not meet HIPAA. A covered entity needs a signed business associate agreement with Google, which comes only with Workspace paid plans configured for HIPAA. Confidential mode adds link expiry and passcode options but does not encrypt content end to end. Practices sending real PHI usually add a dedicated encryption gateway on top of Workspace, or route sensitive messages through a third party service like Mailhippo.

How does GoDaddy Email Encryption work? +

GoDaddy sells Proofpoint-powered email encryption as an add-on to its Microsoft 365 packages. Senders trigger encryption by adding a keyword to the subject line or by clicking a button. Recipients open messages through a Proofpoint portal after registering an account or verifying a one-time code. GoDaddy signs a business associate agreement on qualifying plans, and pricing runs about $7 per user per month on top of the base 365 license. Larger practices usually negotiate direct Proofpoint pricing at higher seat counts.

What is the best encryption service for mobile and desktop use? +

The best service works identically on mobile and desktop without extra apps. Services that require an S/MIME certificate on each device create setup pain, and portal-based services often break the reply flow on mobile browsers. Zero-step encryption models handle the mobile case best because the sender uses the normal Gmail or Outlook app and the recipient opens the message in a standard inbox view. Test the reply flow on iOS Safari and Android Chrome before committing to a multi-year contract with any vendor.

Can nonprofits get discounted encrypted email? +

Yes, most major vendors run nonprofit programs. Microsoft, Google, Barracuda, and Cisco publish nonprofit pricing at 30 to 50 percent off list. Microsoft 365 Business Premium runs about $5.50 per user per month for verified nonprofits, which includes Purview Message Encryption. Discounts usually cover the base plan and not the compliance add-ons, so a small clinic saving money on seats still pays list price for the archiving module. Submit IRS 501(c)(3) documentation and a signed nonprofit attestation to activate the pricing.

What features matter most when comparing providers? +

BAA in the base plan, zero-step delivery, mobile-friendly recipient experience, archiving, admin controls, and pricing predictability. Practices sending regulated content should not settle for a vendor that treats the BAA as an upsell. Zero-step delivery keeps staff from forgetting to encrypt. Archiving and audit logs matter when a HIPAA auditor asks for six years of message history. Predictable pricing avoids the trap of a low first-year deal that jumps 40 percent on renewal, which happens often in the enterprise email security market.

Are Emails Encrypted by Default in 2026

are emails encrypted guide featured image

๐Ÿ”‘ Key Takeaways

  • About 95% of Gmail traffic runs on TLS, but any relay refusing the handshake drops to plain SMTP.
  • Encryption at rest guards disks, not access; a court order or hijacked account still reads inboxes.
  • Internal 365 mail stays inside Microsoft’s network and never touches the public internet.
  • True end-to-end mail needs S/MIME, PGP, or a portal service like Purview or Mailhippo.
  • HIPAA won’t accept TLS alone for PHI; regulators expect message-level encryption on external sends.

Most email today rides on some form of encryption. The question is which kind, at what stage, and whether it survives long enough to matter.

Ask are emails encrypted and the honest answer is a qualified yes. Transport encryption covers the connection between mail servers when both sides support it. Message-level encryption, the kind used for encrypted email delivery, protects the content from the sender’s device to the recipient’s inbox.

The gap between those two matters for anyone sending regulated data. This guide walks through where each layer applies, which providers use which methods, and what changes when HIPAA or a business associate agreement enters the picture.

TLS in transit is the default, not end-to-end protection

TLS, or Transport Layer Security, is the standard method for encrypting the link between two mail servers. When a sending server hands a message to a receiving server, both sides negotiate a TLS session and the traffic across that hop is encrypted.

Google reports that around 95 percent of Gmail traffic uses TLS on outbound and inbound. Microsoft 365 numbers are similar. The 5 percent gap is real, and it usually reflects small receiving servers that do not support modern TLS versions.

TLS does not encrypt the message body itself. It encrypts the connection. Once the receiving server accepts the message, it stores the content in whatever form its policies dictate.

Opportunistic TLS also falls back to plain SMTP if the handshake fails. MTA-STS and DANE are the two standards that force a receiving server to require TLS, and they close that downgrade path. Most large providers publish MTA-STS records now, but many smaller domains do not.

Gmail encrypts in transit and at rest, but not end to end

Are all Gmail emails encrypted? In transit, almost all of them are, when the receiving provider supports TLS. Google publishes real-time transparency numbers on this at their Safer Email Transparency Report.

At rest, Gmail stores every message with server-side encryption using keys Google manages. That protects the mailbox from disk theft or unauthorized physical access to Google data centers.

End-to-end encryption is a different layer. Gmail supports S/MIME on Google Workspace Enterprise Plus and Education Plus, which encrypts the message body before it leaves the sender’s device. Personal Gmail accounts do not include native S/MIME.

For consumer-grade Gmail users who need to send an encrypted message once in a while, the practical options are Confidential Mode, which sets an expiration and a passcode but does not encrypt the body, or a browser extension that layers PGP over the compose window.

are emails encrypted in article illustration one

Microsoft 365 encryption depends on the license tier

Are Microsoft emails encrypted? Internal messages between two users on the same Microsoft 365 tenant stay on Microsoft’s network and are encrypted the entire way. External messages use opportunistic TLS.

Purview Message Encryption, which was previously called Office 365 Message Encryption, is Microsoft’s message-level product. It encrypts the body and attachments and delivers external recipients a portal link. Recipients sign in with a Microsoft or Google account, or with a one-time passcode.

Purview requires Business Premium, Microsoft 365 E3, or higher. Business Basic and Business Standard do not include it. Practices on lower tiers either need to upgrade the entire tenant or send outbound clinical mail through a dedicated encrypted service.

Azure Rights Management sits behind Purview and handles the actual key management. If a tenant has never activated Azure Rights Management, the Encrypt button in the Outlook ribbon does not appear even on the correct license.

Internal Office 365 traffic never leaves Microsoft infrastructure

Are internal Office 365 emails encrypted? Yes, at every layer. Internal email between two users on the same tenant traverses Microsoft’s private network and never touches the public internet.

The traffic between Exchange Online servers is TLS-protected. The mailboxes themselves are encrypted at rest with BitLocker at the storage level and additional service-level encryption in the message database.

Cross-tenant email is a different case. A message from one Microsoft 365 tenant to another still uses Microsoft infrastructure end to end, but it is treated as external and subject to standard transport encryption rules.

Administrators can enforce Modern Authentication, disable legacy protocols like POP and IMAP, and turn on Customer Key to hold their own encryption keys. Those steps harden the tenant but do not change the underlying encryption layers already in place.

Example

A cardiology group assumed their Google Workspace Business Starter setup encrypted patient lab results because Gmail showed the padlock icon on outbound messages. During a HIPAA risk assessment, the security consultant tested by sending a message to a legacy mail server at a rural referring clinic that did not support TLS. The delivery downgraded to plain SMTP silently. The group enforced MTA-STS on their domain, added Mailhippo for external PHI sends at $4.95 per user per month, and closed the finding within one week.

DocuSign notifications are not encrypted documents

Are DocuSign emails encrypted? The notification email itself is an ordinary message sent over TLS. It contains a link, a sender name, and a subject line, and none of that content is encrypted end to end.

The signed document lives inside the DocuSign platform, not in the email. When the signer clicks the link, they authenticate to DocuSign and view the document over HTTPS. The document itself is protected by DocuSign’s platform encryption and access controls.

The gap this creates is that anyone with mailbox access to the recipient can click the link and, if additional authentication is not enforced, sign the document. DocuSign offers signer authentication options like SMS codes, knowledge-based questions, and ID verification. Those are separate from the email.

Providers like Adobe Sign, Dropbox Sign, and PandaDoc all follow the same pattern. The document is protected in the platform, and the notification is a routine email.

Are emails automatically encrypted or does the sender configure it

Are emails automatically encrypted? Transport encryption is automatic when both servers support it. Message-level encryption is not automatic on any consumer email service.

The sender has to take an action. On Outlook 365, that action is clicking the Encrypt button on the message ribbon. On Gmail Enterprise, S/MIME messages are marked automatically if certificates are installed on both sides.

Some services automate the encryption trigger based on content. Data loss prevention rules can inspect outbound mail for patterns like credit card numbers, Social Security numbers, or clinical terms, then apply encryption when a rule matches.

For healthcare senders who need every message with protected health information to be encrypted without depending on user behavior, the practical approach is a gateway service that encrypts by default. Mailhippo works this way, applying encryption to every outbound message from the connected account rather than relying on a user to remember the correct button.

are emails encrypted in article illustration two

End-to-end encryption requires S/MIME, PGP, or a portal service

Three technologies deliver true end-to-end email encryption today: S/MIME, PGP, and portal-based services. Each protects the message body from the sender’s device to the recipient’s inbox or portal.

S/MIME uses X.509 certificates issued by a certificate authority. Each user has a personal certificate, and the sender needs the recipient’s public key to encrypt a message to them. Certificate management is the hardest part of running S/MIME at scale.

PGP uses a similar public-private key pair model but operates through a web of trust rather than a central authority. It is common in developer and privacy-focused circles but rare in mainstream business email.

Portal services like Purview Message Encryption and Mailhippo skip the certificate problem by delivering messages through a browser-based portal. The recipient does not need to manage keys, and the sender only needs an account.

HIPAA requires encryption when it is reasonable and appropriate

The HIPAA Security Rule lists encryption as an addressable specification for transmitting electronic protected health information. Addressable means the covered entity must implement it if it is reasonable and appropriate, or document why it is not.

In practice, HHS treats email encryption as the default expectation for any transmission of PHI outside a covered entity’s internal network. The 2013 Omnibus Rule reinforced that position by tying breach notification safe harbor to encryption of the data involved.

The HHS guidance on the Security Rule and NIST Special Publication 800-52 Rev. 2 both point to TLS 1.2 or higher for transport and AES-128 or AES-256 for content encryption. Meeting those baselines matters more than the specific product chosen.

Practices that route external clinical email through a service with a signed business associate agreement satisfy the encryption requirement and the vendor accountability requirement at the same time. Emails that carry hipaa phishing emails patterns still need employee training on top of encryption.

๐Ÿ’กPro Tip: Enforce MTA-STS to block silent TLS downgrades

Opportunistic TLS falls back to plain SMTP whenever the receiving server refuses the handshake, and the sender never sees a warning. Publish an MTA-STS policy on your domain so receiving servers know to require TLS on inbound. Configure enforced TLS on outbound to any recipient domain that regularly gets PHI. If TLS negotiation fails, the message queues instead of shipping in plaintext. This one change removes the most common HIPAA transport gap.

Free and consumer options do not include a BAA

ProtonMail sends encrypted messages to other ProtonMail users automatically. Messages to outside recipients go through a password-protected portal that the recipient opens in a browser.

Outlook.com supports Microsoft’s free encryption for consumer accounts through the same Purview infrastructure used by business tenants. The recipient experience is identical to the paid version.

Free S/MIME certificates are available from providers like Actalis for personal use. Setting them up requires installing the certificate in the operating system’s certificate store and pairing it with each mail client.

None of the free options include a business associate agreement. For a healthcare practice, that rules them out for anything involving protected health information. If a topic covers are there free tools for encrypting emails, the compliance angle is where free services fall short. Compliance requires a paid service that will sign a BAA and accept vendor liability.

Steps to confirm your email is being encrypted correctly

Gmail shows a small padlock next to the sender address on received mail. A closed padlock means TLS was used on the last hop, an open one means it was available but not enforced, and no padlock means the message arrived over plain SMTP.

Outlook shows a shield icon on S/MIME-signed or encrypted messages. A green check inside the shield means the signature validated. A red X or a missing shield means the message was not S/MIME protected.

Portal messages arrive as a link rather than an inline body. Recipients who see a Read the message button and a sender-branded landing page are receiving a message-level encrypted message.

For senders who want to confirm their outbound TLS posture, tools like the NIST SP 800-52 Rev. 2 guidelines outline the correct cipher and version baseline, and free tests like CheckTLS or the Google Postmaster Tools show the negotiated TLS status per destination domain.

What to configure for a healthcare or compliance-heavy practice

Start with a written policy that defines what qualifies as protected health information and which outbound messages need encryption. Staff cannot apply a rule they do not know exists.

Configure MTA-STS and DANE on the practice domain to prevent TLS downgrade attacks on outbound mail. Publish DMARC at reject or quarantine to stop spoofed messages from reaching patients.

Choose one encryption path and stick with it. Options include Microsoft 365 Business Premium plus Purview, Google Workspace Enterprise plus S/MIME, or a gateway service like Mailhippo that layers encryption over the existing Gmail or Outlook account without a license upgrade.

Practices that want a broader marketing and website foundation to match the security posture often work with a specialist agency. Firms that focus on healthcare marketing services understand how encryption, patient acquisition, and HIPAA-safe intake forms fit together, and how a compliant healthcare website security setup supports the practice’s digital communications.

  • Verify TLS 1.2 or higher on outbound and inbound mail flow.
  • Enable MTA-STS and DANE on the practice domain.
  • Enforce Modern Authentication and disable legacy IMAP and POP.
  • Route external PHI-bearing mail through an encrypted service with a signed BAA.
  • Train clinical and administrative staff on when encryption is required.

Answering the core question, are emails encrypted, comes down to which layer and which sender. Transport encryption is close to universal between major providers. Message-level protection is the sender’s responsibility, and it is what compliance rules actually require.

Frequently Asked Questions

Are Gmail emails encrypted end to end? +

No. Gmail encrypts messages in transit using TLS whenever the receiving server supports it, and it encrypts stored messages at rest on Google’s servers. Neither method prevents Google from reading the content, and neither protects the message once it lands in a mailbox on a provider that does not enforce TLS. For true end-to-end encryption inside Gmail, the sender needs S/MIME through Google Workspace Enterprise or an external tool that encrypts the body before the message reaches Google.

Are Microsoft 365 emails encrypted? +

Internal messages between users on the same Microsoft 365 tenant stay on Microsoft servers and are encrypted the entire way. External messages use TLS when the receiving server supports it. Microsoft 365 also offers Purview Message Encryption on Business Premium and higher, which applies message-level encryption and delivers external recipients a portal link. Encryption at rest is enabled by default on all Microsoft 365 mailboxes, but that only protects stored data on disk.

Are internal Office 365 emails encrypted? +

Yes. Internal email between two users on the same Microsoft 365 tenant never leaves Microsoft’s infrastructure, and the traffic is encrypted across every internal link. The mailbox contents are also encrypted at rest with Microsoft-managed keys. That protects the message from external interception, but it does not stop a compromised account or an administrator with the correct role from reading the content. Internal encryption is not the same as end-to-end encryption.

Are DocuSign emails encrypted? +

The notification emails DocuSign sends are ordinary messages over TLS, and they contain a link rather than the document itself. The signed document lives on DocuSign’s servers, protected by DocuSign’s platform encryption and access controls. When a signer clicks the link, they authenticate to the DocuSign platform and view the document over HTTPS. The email notification is not encrypted end to end, and anyone with mailbox access can click the link.

How can I tell if an email I received was encrypted? +

Gmail shows a small padlock icon next to the sender address that indicates the transport encryption status between servers. A green padlock means TLS was used, a gray one means TLS was available but not enforced, and a red one means no encryption at all. Outlook displays a similar shield icon for S/MIME-signed or encrypted messages. Portal-based services deliver a link rather than an inline message, which itself is a sign the sender used message-level encryption.

Is there a free way to send an encrypted email? +

Free options exist but each carries a trade-off. ProtonMail sends encrypted messages to other ProtonMail users automatically, and to outside recipients through a password-protected portal. Outlook.com supports Microsoft’s free encryption for consumer accounts. Some sender-side tools also offer free S/MIME certificates from providers like Actalis. Free tiers do not include a business associate agreement, which rules them out for healthcare use. Compliance-grade sending requires a paid service with a signed BAA.

Does encryption protect an email from being read once it arrives? +

No. Once the recipient decrypts and opens the message, the content sits in their mailbox as readable text. Anyone with access to that mailbox, including a shared inbox user, an assistant with delegated access, or a malicious actor with stolen credentials, can read the content. Encryption protects the message during transmission and, in some cases, during storage. It does not protect against account takeover, screen capture, or forwarding by the recipient after decryption.

How to Send Encrypted Email Across Any Client

how to send encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Opportunistic TLS drops to plaintext without warning; the Sent padlock lies to you.
  • S/MIME encrypts message-level in Outlook and Apple Mail but needs certs on both sides.
  • PGP does the same job with public and private keys; recipients must set up software.
  • Portal services encrypt every send and give recipients a one-click browser link.
  • HIPAA also demands a signed BAA, six-year access logs, and verified encryption proof.

Every modern mail client can send encrypted email, but the definition of encrypted varies across methods. Some protect only the connection between mail servers. Others protect the message content itself. The difference matters for compliance and for real security.

This guide covers how to send encrypted email across Gmail, Outlook, Apple Mail, and portal-based services. Each method has a specific use case, a specific setup cost, and a specific recipient experience.

The right method depends on the sensitivity of the content and the technical setup of the recipient. Match the tool to the message.

TLS Is the Default Encryption Layer for Every Modern Mail Server

Transport Layer Security, or TLS, protects the connection between two mail servers. When Gmail sends to Outlook, both servers negotiate a TLS handshake and encrypt the traffic in flight. Any observer on the network path sees only ciphertext.

TLS is on by default in Gmail, Outlook, Apple Mail, Yahoo Mail, and every other major provider. Users do not enable it. Administrators do not configure it. It happens automatically when both servers support it.

The problem is fallback. If the receiving server does not support TLS, the sending server delivers the message in plaintext by default. There is no warning. The message reaches the recipient. The sender assumes it was encrypted because their client showed a padlock.

For any content that is regulated, the opportunistic fallback rules out TLS as a standalone protection. You cannot verify that every recipient server supports TLS. According to NIST SP 800-45, verified end-to-end encryption is the required protection for sensitive email.

S/MIME Provides Message-Level Encryption in Outlook and Apple Mail

S/MIME uses X.509 certificates to encrypt the message content itself, not just the transport. Once encrypted, only the recipient with the matching private key can read it. The mail provider stores ciphertext and cannot decrypt.

Outlook supports S/MIME on all Microsoft 365 plans that include the desktop apps. Apple Mail supports S/MIME natively on macOS and iOS. Gmail supports S/MIME on Workspace Enterprise Plus, Education Standard, and Education Plus.

Setup requires a certificate for the sender and a certificate for the recipient. Both must come from a trusted certificate authority. The public key gets attached to signed emails, so correspondents can build up a keyring by receiving signed messages from each other.

S/MIME suits organizations that can deploy certificates across all their staff and partners. It does not suit external correspondents like patients, vendors, or one-off recipients who do not have a certificate installed.

how to send encrypted email in article illustration one

PGP Delivers the Same Protection with a Different Key Model

PGP, or Pretty Good Privacy, is the open-source alternative to S/MIME. It uses a public-private key pair generated locally by the user. The public key is shared. The private key is protected with a passphrase and stays on the sender machine.

Thunderbird includes PGP support by default. Mailvelope adds PGP to Gmail and Outlook Web through a browser extension. GPG Suite adds it to Apple Mail. The GNU Privacy Guard command-line tool underlies most implementations.

PGP does not require a certificate authority. Users trust each other public keys directly, either through personal verification or through a web-of-trust model where mutual acquaintances sign each other keys. This is more flexible than S/MIME but harder for non-technical users to manage.

PGP suits technical teams, security researchers, and correspondents who exchange keys manually. It does not suit a healthcare workflow where a receptionist needs to email a lab result to a patient who has never generated a key pair.

Outlook Encrypt Button Uses Microsoft Purview Message Encryption

Outlook 365 users on Business Premium, E3, E5, and comparable Education plans get an Encrypt button in the Options ribbon of the compose window. Behind the scenes, this triggers Microsoft Purview Message Encryption.

External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode. Internal recipients on the same tenant see the message inline in Outlook or Outlook on the web without the portal step.

Setup takes minutes if Azure Rights Management is already enabled on the tenant. For tenants that have not activated it, an administrator must enable Rights Management under the Microsoft 365 Admin Center before the Encrypt button appears in Outlook.

According to Microsoft documentation, Purview Message Encryption meets HIPAA transmission requirements when combined with a signed business associate agreement, available on Microsoft 365 Business plans and higher.

Example

A pain management clinic uses Microsoft 365 Business Standard with the Encrypt button unavailable. Staff send referral summaries to physicians on Yahoo, iCloud, and small hospital systems. TLS delivery drops to plaintext on roughly fifteen percent of sends because those receiving servers refuse TLS. The clinic adds a portal-based service at $9 per user monthly. Every outbound referral now enforces encryption, falls back to portal delivery when TLS fails, and produces an audit trail the compliance officer can export for annual risk assessment review.

Portal-Based Services Remove the Recipient Setup Barrier

Portal-based encrypted email services solve the biggest problem with S/MIME and PGP. The recipient does not need to install anything, configure anything, or generate any keys. They receive a notification, click a link, and read the message in a browser.

Mailhippo works as an SMTP relay. The sender continues to write and send from Gmail, Outlook, or any other client. Mailhippo intercepts the message, encrypts it, and delivers over TLS when the recipient server supports it or through a portal link when it does not.

The recipient experience is one click. They receive a notification email, click the link, authenticate with a one-time passcode sent to their phone or email, and read the message in a browser. No account creation. No software.

For HIPAA, the service includes a signed BAA in the base plan and logs every message access. Healthcare organizations use this model because patient recipients cannot be expected to manage keys or install plug-ins.

how to send encrypted email in article illustration two

Comparison Across the Main Methods

Each method has a specific fit. The table below summarizes the practical tradeoffs.

Method End-to-End Recipient Setup HIPAA Ready Best For
TLS No None No, opportunistic fallback Non-sensitive routine mail
S/MIME Yes Certificate install Yes, with BAA Internal certified teams
PGP Yes Key pair generation Yes, with process controls Technical correspondents
Purview Message Encryption Yes Portal or Microsoft login Yes, with M365 BAA Microsoft 365 users
Portal-based service Yes Click and passcode Yes, with BAA in base plan External recipients, patients

The clearest divide is recipient friction. S/MIME and PGP are excellent when both parties are set up. Portal-based services and Purview handle every recipient without setup, which matters for healthcare and any business email compliance workflow.

Gmail Encryption Steps Depend on the Workspace Tier

Personal Gmail supports TLS by default and Confidential Mode as an inbox-level access control. It does not support S/MIME. For encryption beyond TLS, personal Gmail users need a browser plug-in for PGP or a third-party service.

Workspace Business tiers support TLS and Confidential Mode. S/MIME hosted encryption is unavailable at these tiers. Healthcare organizations on Business Standard or Business Plus typically layer a HIPAA-compliant service to close the gap.

Workspace Enterprise Plus, Education Standard, and Education Plus include S/MIME hosted encryption. Administrators enable it in the Admin console under Apps, Google Workspace, Gmail, User settings.

Full step-by-step for the Gmail path is covered in the sibling guide how to send encrypted email in Gmail and the tier-specific instructions in how to send encrypted email using Gmail.

๐Ÿ’กPro Tip: Never Rely on Opportunistic TLS for PHI

TLS is opportunistic. When the receiving mail server refuses encryption, the sending server delivers the message in plaintext without alerting the sender. Your Sent folder shows the padlock because the initial hop succeeded. For any regulated content, pick a method that refuses plaintext delivery: S/MIME with verified certificates, or a portal-based service that routes to browser delivery when TLS is not available.

Outlook Encryption Steps Depend on the Microsoft 365 Plan

Outlook desktop supports S/MIME on all Microsoft 365 plans that include the desktop apps, provided the user has a certificate installed. The certificate goes into the Windows certificate store or the macOS keychain.

The Encrypt button in the Outlook ribbon requires Microsoft 365 Business Premium or Enterprise E3, E5, or higher. Lower Business tiers do not include Purview Message Encryption. This is the most common gap that surprises small-business owners after a plan upgrade.

For lower Microsoft 365 tiers, the practical path is a portal-based service that adds encryption without requiring the plan upgrade. This suits solo practitioners, small clinics, and small-business teams that need HIPAA-covered email but not the enterprise feature stack.

Verification Steps for Every Sensitive Send

Before sending regulated content, verify the method for that specific send. Do not assume. TLS may have dropped to plaintext. S/MIME may have fallen back because the recipient certificate expired. Purview may have failed to trigger because the tenant setting changed.

  • Check the encryption indicator in the compose window before sending.
  • Confirm the recipient will receive the intended experience by sending a test message with non-sensitive content.
  • For portal-based services, verify the audit log records access after the recipient opens the message.
  • For S/MIME, confirm the padlock or lock icon shows green in the sent copy.

According to HIPAA Journal, the most common documented compliance failure is a sender assuming TLS was in effect when the recipient server had disabled it. Verify per send.

Choose the Method by Recipient and Content

The decision framework is simple. Match the recipient technical setup and the content sensitivity to the encryption method with the lowest friction that still meets the security bar.

  • Internal team, routine content, no regulated data: TLS is sufficient.
  • Internal or partner team with certified users, regulated data: S/MIME or PGP.
  • Microsoft 365 users sending to external recipients: Purview Message Encryption.
  • Any recipient without technical setup, regulated data, HIPAA scope: portal-based service with a BAA.

For healthcare providers coordinating email with website and patient acquisition, encrypted email pairs with HIPAA-compliant website design as part of a broader compliance stack.

The last practical point is that the wrong method causes friction for the recipient, and friction becomes a security risk. Recipients who cannot open an encrypted message will ask for it in plaintext. Pick the method that removes that pressure.

Frequently Asked Questions

What is the difference between encryption in transit and end-to-end encryption? +

Encryption in transit protects the connection between two mail servers using TLS. Once the message reaches the destination server, TLS no longer applies and the mail provider can read the content. End-to-end encryption protects the message content from the moment the sender clicks Send until the recipient opens it. Only the sender and the recipient can read the content, not the mail provider in between. S/MIME and PGP provide end-to-end encryption. TLS alone does not.

Do I need special software to send encrypted email? +

It depends on the method. TLS is automatic in every modern mail client and requires no user setup. Confidential Mode in Gmail and Encrypt in Outlook are built into the compose interface. S/MIME needs a certificate installed in the mail client. PGP needs a key pair generated and shared. Portal-based services either install a browser plug-in or route mail through an SMTP relay, and the sender continues to use their existing client. Recipients on portal-based services need no software at all.

Can I send encrypted email to someone who does not use encryption? +

Yes, but the method matters. S/MIME and PGP will not work because both parties need matching keys or certificates. TLS covers the transport but drops to plaintext if the recipient server does not support TLS. Portal-based services solve this because the recipient does not need to configure anything. They receive a notification, click a link, enter a one-time code, and read the message in a browser. Any recipient with an email address and a web browser can open portal-encrypted messages.

Is Gmail Confidential Mode enough for HIPAA? +

No. Confidential Mode does not use end-to-end encryption. Google can read the message content, and the business associate agreement Google signs for Workspace does not extend Confidential Mode into a HIPAA-safe transmission method. Confidential Mode blocks forwarding, copying, and downloading, which are useful controls, but does not meet the transmission encryption standard HIPAA requires for PHI. Use a HIPAA-focused service with a signed BAA that provides verified encryption for every send.

How do S/MIME certificates get issued and renewed? +

S/MIME certificates come from a trusted certificate authority such as DigiCert, Sectigo, or IdenTrust. The user or administrator submits a certificate signing request, verifies identity, and receives the certificate for install in the mail client. Certificates typically expire after one to three years. Renewal repeats the request-and-verify process. Departing employees should have their certificates revoked so their prior encrypted messages cannot be decrypted after they leave. Enterprise deployments automate the process through a managed PKI.

What happens if I send an encrypted email to the wrong person? +

With TLS, the message reaches the wrong recipient and they read it because TLS does not restrict access at the mailbox level. With S/MIME or PGP, the wrong recipient cannot decrypt unless they somehow hold the intended recipient private key, which is very unlikely. With portal-based services, most providers let the sender revoke access at any time from their outbox. The recipient link stops working immediately. This is one of the practical reasons portal-based services are the healthcare default.

Does my mail provider store copies of encrypted messages? +

Yes, in almost every case. Even with S/MIME or PGP, the mail provider stores the encrypted ciphertext in the sender Sent folder and the recipient inbox. Neither the provider nor anyone else can decrypt it without the private key, but the encrypted copy remains stored. This is why HIPAA archive requirements are satisfied by encrypted copies retained for six years. Portal-based services store the content on their own servers and use enforced access controls with logging on every read.

Email Encryption Explained (Methods, Standards, and Costs)

email encryption guide featured image

๐Ÿ”‘ Key Takeaways

  • TLS transport runs server to server. Content encryption via S/MIME, PGP, or portal locks the body.
  • S/MIME wins in enterprise Outlook and Apple Mail but small practices abandon key exchange in months.
  • Hosted encryption from Purview, Confidential Mode, or vendor gateways skips certs but adds friction.
  • HIPAA needs a signed BAA, audit logs, workforce training, and policy above any working algorithm.
  • A ten-seat practice pays about $1,200 a year on a gateway vs $3,600 on Workspace Enterprise Plus.

Email encryption sounds like one feature. It is actually a stack of choices about transport, content, keys, licensing, and recipient experience. Getting the stack wrong leaves gaps that compliance auditors find.

This guide covers email encryption methods, the standards that back them, the platforms that implement each one, and the price ranges buyers see. For HIPAA senders who want to skip the license tier upgrade, a dedicated secure email service often removes the portal step and includes a BAA in the base plan.

Read the sections in order. Each layer builds on the one before it.

Transport and Content Encryption Are Different Layers

Two encryption layers cover email. Buyers often confuse them, which leads to gaps.

Transport encryption uses TLS between mail servers. When Gmail sends to Outlook, both servers negotiate TLS 1.2 or 1.3 and the message travels encrypted. Neither user takes any action.

Content encryption protects the message body and attachments themselves. S/MIME, PGP, and hosted portal encryption all fit here. The message remains encrypted at rest in the recipient mailbox until decrypted with a key or portal credential.

TLS alone leaves messages readable at the recipient provider, in server logs, and in backup snapshots. HIPAA and PCI treat that exposure as non-compliant for regulated content. Content encryption fixes it.

Every serious encryption deployment uses both layers together.

email encryption in article illustration one

S/MIME Is the Enterprise Standard for Content Encryption

S/MIME encrypts message bodies using X.509 certificates issued by a certificate authority. It is the default choice for organizations with dedicated IT.

Outlook, Apple Mail, and Google Workspace Enterprise Plus all support S/MIME natively. No plugin required. The mail client handles encryption and decryption behind the compose window.

Setup requires purchasing a personal certificate from a public CA like DigiCert, Sectigo, or GlobalSign, installing it in the local certificate store, and exchanging signed messages with each recipient to share public keys.

Certificates typically expire after twelve months. Renewal happens through the CA portal. Expired certificates block new encrypted sends until reissued.

Related guide: S/MIME email encryption covers the certificate model in detail.

OpenPGP Serves Technical and Journalism Communities

OpenPGP is the alternative content encryption standard. It uses locally generated key pairs instead of CA-issued certificates.

Users install GPG Suite on macOS, Gpg4win on Windows, or Mailvelope in the browser. The tool generates a key pair with a passphrase. The user shares the public key with recipients through a keyserver or direct email.

Trust builds through key signing rather than a central authority. Security researchers, journalists, and open source maintainers use PGP heavily because it does not depend on any CA infrastructure.

Business adoption of PGP stays limited. Recipients cannot install extensions on locked-down corporate systems. Healthcare and financial senders skip PGP for that reason.

The technical strength of PGP is not the barrier. The recipient-side friction is.

Example

A ten-person orthopedic practice compares annual encryption costs. Microsoft 365 Business Premium at $22 per seat totals $2,640 per year and includes Purview Message Encryption plus a BAA. Google Workspace Enterprise Plus at $30 per seat totals $3,600 and adds hosted S/MIME. A dedicated gateway service at $10 per seat totals $1,200 with the BAA included in the base plan, sitting on top of the existing Business Standard Google plan. The practice picks the gateway to avoid the tier upgrade cost.

Hosted Encryption Services Handle the Recipient Portal

Hosted encryption trades certificate management for a portal step at the recipient end. Microsoft Purview Message Encryption, Google Workspace Confidential Mode, and many third-party vendors follow this pattern.

The sender clicks Encrypt in the mail client. The service routes the message body to its own storage and sends the recipient a notification email with a link. The recipient signs in with an existing account or enters a one-time passcode to read the message.

Vendor gateways from Fortinet, Cisco, Trustifi, Datamotion, and others all follow the same portal pattern with different admin interfaces and reporting.

The recipient friction depends on the vendor. Some services allow one-click reading through a signed URL. Others require full account creation. Test each with a real recipient before committing.

Related guide: email encryption service compares vendor options in depth.

email encryption in article illustration two

Encryption Techniques and Algorithms in Use Today

The math behind email encryption uses proven algorithms defined in published standards.

  • AES-256 handles symmetric encryption of the message body itself. It appears in every current standard.
  • RSA-2048 or elliptic curve algorithms handle the key exchange that carries the symmetric key to the recipient.
  • SHA-256 or SHA-384 handles integrity hashing so recipients can detect tampering.
  • TLS 1.2 with strong cipher suites, or TLS 1.3 without weak fallback, handles transport between servers.
  • Message authentication codes bind sender identity to the message so recipients can verify origin.

Buyers rarely choose algorithms directly. Every modern platform defaults to combinations aligned with NIST guidance. See the NIST cryptographic guidance publications for the current recommended parameters.

Platform-by-Platform Encryption Options

Each mail platform ships different encryption features at different price tiers.

Microsoft 365 Business Premium and higher include Purview Message Encryption behind the Encrypt button. Business Basic and Business Standard do not.

Google Workspace Enterprise Plus and Education Plus include hosted S/MIME. Business Standard and Business Plus include Confidential Mode but not hosted S/MIME.

Apple Mail supports S/MIME natively on macOS and iOS provided the user installs a certificate through Keychain or MDM configuration profile.

Yahoo, AOL, and older ISP webmail platforms do not offer S/MIME or hosted encryption. Users on those platforms rely on TLS transport plus optional PGP through browser extensions.

Match the plan tier to the required feature before rolling out an encryption program.

๐Ÿ’กPro Tip: Layer content encryption on top of TLS, never in place of it

TLS transport is the required baseline that most modern providers negotiate automatically between mail servers. Buyers who focus only on TLS leave content readable at the recipient mail provider, in server logs, and in backup snapshots. HIPAA and PCI treat that exposure as non-compliant for regulated content. Deploy S/MIME or a hosted portal service on top of TLS so the body stays encrypted end to end. NIST cryptographic guidance treats layered encryption as the required baseline for regulated data.

HIPAA Compliance Requires More Than Encryption

Encryption satisfies one HIPAA Security Rule addressable specification. Full compliance requires several additional safeguards.

The covered entity signs a business associate agreement with the email provider. Microsoft and Google both offer BAAs on eligible plans. The HHS Security Rule guidance lists every safeguard.

Administrative safeguards include workforce training on PHI handling, sanction policies for violations, and periodic risk assessments. Physical safeguards include facility access controls on the workstations that send email.

Technical safeguards beyond encryption include unique user identification, automatic logoff on idle sessions, and audit controls that record message access.

Practices that clip on encryption software without addressing the surrounding safeguards are not compliant. Encryption is one piece of a larger program.

Cost Comparison Across Encryption Approaches

Price often decides the buying question more than features. A ten-person practice compares real annual numbers.

Approach Per user per month Annual cost (10 users)
Microsoft 365 Business Premium (Purview) 22 USD 2,640 USD
Google Workspace Enterprise Plus (hosted S/MIME) 30 USD 3,600 USD
Public CA S/MIME certificates (annual) 2 to 5 USD (amortized) 240 to 600 USD plus mail plan
Dedicated encrypted email service with BAA 5 to 15 USD 600 to 1,800 USD

Numbers exclude staff training, audit review time, and the recipient-side support calls that portal-based encryption generates. Practices measuring hidden costs often find dedicated services cheaper end to end.

How to Choose the Right Encryption Approach

The decision comes down to three questions about the sending organization.

First, does the organization already run Microsoft 365 Business Premium or Google Workspace Enterprise Plus? If yes, native S/MIME or Purview cover the encryption need with no additional software.

Second, does the recipient list change frequently, as with a healthcare practice adding new patients weekly? If yes, hosted encryption or a dedicated service avoids the S/MIME public-key exchange step.

Third, is the recipient experience business-critical? If patients or referring physicians will abandon messages that require a portal sign-in, a dedicated service like Mailhippo delivers encrypted email that opens in one click without a portal.

Practices running healthcare marketing sites pair encrypted email with a compliant patient-facing web presence. See healthcare website security features for the site-side controls.

Related guides: email encryption software, secure email encryption service, and encryption for email techniques.

Frequently Asked Questions

What does email encryption actually do? +

Email encryption transforms the message body and attachments into unreadable ciphertext during transit and, depending on the method, at rest inside the recipient mailbox. Only the intended recipient with the matching key or credentials can convert the ciphertext back to readable content. Encryption protects against interception on public networks, unauthorized access at intermediate mail servers, and exposure inside a compromised recipient inbox. It does not protect against phishing, malware on endpoint devices, or attacks against the sender or recipient authentication.

What are the main email encryption standards? +

The two dominant end-to-end standards are S/MIME and OpenPGP. S/MIME uses X.509 certificates issued by trusted certificate authorities and works natively in Outlook, Apple Mail, and Google Workspace Enterprise Plus. OpenPGP uses key pairs generated locally without a central authority and works through client extensions like GPG Suite, Gpg4win, and Mailvelope. TLS 1.2 or 1.3 handles transport encryption between mail servers under RFC 8446. Most business encryption stacks combine TLS with S/MIME or a hosted portal service.

Is email encryption required by HIPAA? +

HIPAA does not name encryption as a strict requirement. The Security Rule designates encryption as an addressable specification, which means the covered entity must implement it or document a reasonable alternative that achieves equivalent protection. OCR guidance and breach settlements consistently treat unencrypted PHI transmission as a compliance failure. In practice, healthcare organizations encrypt PHI email or restrict PHI to encrypted channels like patient portals. Unencrypted email carrying PHI is one of the most common findings in OCR breach investigations.

What is the difference between email encryption software and a service? +

Encryption software installs on the mail client or gateway and handles the cryptographic operations locally. Examples include Gpg4win, GPG Suite, and enterprise gateway appliances from Fortinet or Cisco. An encryption service runs in the cloud and integrates with existing Gmail or Outlook accounts through connectors, SMTP relay, or add-ons. Services handle key management, portal delivery, and BAA administration on behalf of the customer. Small and mid-sized organizations favor services for the reduced operational load.

Can email encryption be bypassed? +

Yes, under specific conditions. If an attacker compromises the sender or recipient device, they can capture plaintext before encryption or after decryption. Phishing attacks that steal mail credentials bypass encryption by giving the attacker legitimate access to the inbox. Weak recipient portal passcodes can be guessed or intercepted through SIM-swap attacks. Encryption defends against interception in transit and provider-side access, but a full security posture also requires multi-factor authentication, endpoint protection, phishing training, and incident response procedures.

How do I know if my email was actually encrypted? +

In Outlook, an encrypted sent message shows a padlock icon in the message header inside the Sent Items folder, and the message properties confirm Rights Management protection. In Gmail with S/MIME, the compose window displays a green padlock next to the recipient before sending. In Confidential Mode, the sent message header shows the expiration date and access restrictions. Recipient-side confirmation appears as either a padlock icon in the received message or a portal link that requires sign-in.

Does email encryption slow down message delivery? +

End-to-end encryption adds negligible time to message delivery. S/MIME processing takes milliseconds on modern devices. TLS handshakes add a few hundred milliseconds during the server-to-server connection setup. Portal-based encryption slows recipient access, since the recipient must click a link and sign in before reading. That step adds seconds to minutes depending on network speed and authentication method. Sender workflow speed is essentially unaffected on any modern platform.

Encryption and Email Security in a Layered Stack

encryption and email guide featured image

๐Ÿ”‘ Key Takeaways

  • The stack is filtering, DLP, outbound encryption, archiving, and identity. One layer alone has gaps.
  • Encryption failures leak content in transit. Filtering failures let phishing walk in the front door.
  • A VPN protects the sender network segment. Email encryption protects the body across mail servers.
  • HIPAA, SOX, FINRA, and GDPR require retention. Some archivers bundle encryption, others do not.
  • Every vendor touching PHI needs its own BAA. Consolidated platforms put filtering plus archive as 1.

Encryption is a checkbox item on most email security procurement forms. It sits next to inbound filtering, DLP, archiving, and identity controls. Buyers who focus on one checkbox at a time miss how the layers depend on each other.

This guide covers how encryption and email security fit together in a working stack. Where a healthcare team needs the outbound layer without integrating four vendors, a dedicated secure email service with a BAA in the base plan often solves the immediate compliance gap.

Read the sections in order. Each layer covers a different threat and a different auditor concern.

The Email Security Stack Has Five Layers

A complete email security posture combines five functional layers. Each addresses a different risk.

  • Inbound filtering removes phishing, malware, and business email compromise before delivery.
  • Identity controls including MFA and conditional access stop credential theft at the mailbox.
  • DLP scans outbound messages for sensitive content and enforces policy actions.
  • Outbound encryption protects message content in transit and at rest for regulated data.
  • Archiving preserves all inbound and outbound mail in tamper-evident storage for compliance.

Skipping any layer creates a gap. Filtering without encryption leaves outbound leakage. Encryption without filtering leaves the inbox exposed to the phishing that steals the credentials that bypass the encryption.

Buyers evaluating a single feature should confirm what covers the other four.

encryption and email in article illustration one

Encryption Handles Outbound Confidentiality

Email encryption operates on outbound messages. It transforms the body and attachments into ciphertext readable only by the intended recipient.

TLS handles server-to-server transport encryption. S/MIME or hosted portal services handle content encryption end to end. Both layers combine to protect messages from interception and unauthorized access.

Related guide: email encryption covers the methods and standards in depth. See also encryption for email and files.

Encryption does not protect against outbound errors. A workforce member emailing PHI to the wrong recipient still commits a HIPAA breach even when the message is encrypted correctly to that wrong address.

The DLP layer catches that case. Encryption alone does not.

Inbound Filtering Blocks Threats Before Delivery

Inbound filtering scans every incoming message against spam signatures, malware analysis, URL reputation, and behavioral indicators of business email compromise.

Microsoft Defender for Office 365 and Google Workspace Security Sandbox both bundle inbound filtering with their mail platforms. Third-party vendors like Proofpoint, Mimecast, and Barracuda offer specialized inbound protection.

Filtering catches most commodity threats. Sophisticated targeted attacks still get through occasionally. That is why the layer above it, identity controls, matters.

The CISA guidance on phishing and ransomware covers the current threat landscape that inbound filtering has to handle.

Healthcare senders face specific targeting because PHI has direct resale value. Filtering configuration for healthcare typically runs stricter than for general business.

Example

A twelve-provider multispecialty group builds a layered stack. Microsoft Defender for Office 365 handles inbound filtering under the Microsoft 365 E3 tier. Purview DLP rules match PHI patterns and auto-apply Encrypt-Only on outbound. A dedicated gateway service delivers encrypted mail to patients without a portal step. Mimecast archives every inbound and outbound message for the six-year HIPAA retention requirement. Entra ID enforces MFA plus conditional access on every mailbox. Four vendor BAAs live in the compliance folder, one per business associate.

DLP Enforces Policy on Sensitive Content

Data loss prevention scans outbound content for defined patterns and enforces automatic policy actions.

Common patterns include Social Security numbers, credit card numbers, medical record numbers, ICD-10 codes, and custom keyword lists specific to the organization.

Policy actions include block and notify the sender, quarantine for admin review, redirect to a manager, or apply encryption automatically. That last option closes the gap between manual encryption decisions and consistent compliance.

Microsoft Purview DLP and Google Workspace Data Loss Prevention both include predefined content types. Custom rules cover organization-specific patterns.

Test DLP rules against a monitored test mailbox before pushing to production. False positives on internal messages create friction that pushes users toward personal accounts.

encryption and email in article illustration two

VPNs Add a Network Layer That Overlaps Partially

A VPN encrypts the network path between a client device and the VPN provider. It matters when workforce members send email from public Wi-Fi or shared networks.

The VPN protects the traffic from the coffee shop to the VPN endpoint. From there, the traffic exits to the mail server as normal internet traffic protected by the mail platform TLS.

Once the message leaves the sender mail server and travels to the recipient mail server, the VPN provides no protection. The message needs TLS between the mail servers and content encryption for the body itself.

A VPN is not a substitute for email encryption. It protects the first mile only. HIPAA-regulated content still requires end-to-end encryption on the message itself.

Practices deploying VPNs should still deploy email encryption. The layers cover different segments of the message journey.

Archiving Preserves Compliance Evidence

Archiving captures every inbound and outbound message at the gateway and stores it in tamper-evident form for defined retention periods.

HIPAA calls for six-year retention of documentation supporting security policies, which includes evidence of PHI communications. SOX requires seven years of financial records. FINRA requires three years of broker communications with clients.

The archive protects against message tampering after delivery, which matters during litigation and audit. Users cannot delete archived copies from their mailbox to hide activity.

Some vendors bundle archiving with encryption in one product. Others sell them separately. Buyers should confirm which vendor covers each function to avoid gaps or duplicate contracts.

The archive itself must also be encrypted at rest. Vendors typically use AES-256 with keys managed by the customer or the vendor per contract.

๐Ÿ’กPro Tip: Deploy identity controls before adding more expensive encryption products

Compromised mailbox credentials bypass encryption and filtering entirely because the attacker holds legitimate access. Multi-factor authentication and conditional access are the cheapest layer with the highest breach-cost prevention. Enforce MFA on every workforce member with mailbox access through Microsoft Entra ID or Google Workspace identity. Add conditional access rules that restrict logins to known devices or geographies. This stops most business email compromise attacks before any encryption or filtering product has to work.

Identity Controls Guard the Mailbox Access Point

Encryption and filtering both fail when an attacker holds the legitimate mailbox credentials. Identity controls prevent that scenario.

Multi-factor authentication blocks most credential theft attacks. Conditional access rules restrict logins to known devices, networks, or geographies. Session timeout controls limit exposure when devices are left unattended.

Microsoft Entra ID and Google Workspace identity both include MFA and conditional access as core features. Enforce MFA for every workforce member with mailbox access.

Compromised mailbox credentials are the entry point for most business email compromise attacks. See the Microsoft business email compromise guidance for attack patterns and defenses.

Identity controls are cheap compared to the breach cost they prevent. Deploy them before adding more expensive encryption or filtering products.

HIPAA Requires the Full Stack for Covered Entities

HIPAA covered entities need every layer of the stack for the Security Rule and Privacy Rule requirements.

Encryption meets the transmission security safeguard. Inbound filtering supports the malicious software safeguard. DLP supports the administrative safeguard against workforce error. Archiving supports the six-year documentation retention requirement.

Each vendor that touches PHI signs a business associate agreement. Consolidated platforms simplify BAA management by putting encryption, filtering, and archiving under one contract. Specialized services require separate BAAs.

The HHS Security Rule guidance lists every safeguard the covered entity must implement.

Practices running patient-facing websites face parallel obligations. See healthcare website security features for the site-side controls that pair with the email stack.

Choosing Between Consolidated and Best-of-Breed Vendors

Buyers face a decision between one platform that covers every layer and multiple specialized vendors that each cover one layer well.

Consolidated platforms from Microsoft, Google, or major security vendors deliver encryption, filtering, DLP, and archiving through one console. Reporting is unified. One contract covers everything. Small practices favor this model for administrative simplicity.

Specialized vendors focus on one layer and often deliver a better recipient experience or specific compliance feature. Larger organizations mix a consolidated inbound filter with a specialized outbound encryption service like Mailhippo that delivers encrypted email without portal friction.

Related guides: email encryption solutions comparison, email encryption solutions for Outlook and Gmail, and HIPAA compliant texting and email.

Match the vendor mix to the operational team size. A one-person IT department cannot maintain four separate consoles. A dedicated security team can extract value from specialized products that a consolidated platform cannot match.

Neither approach is wrong. The wrong choice is buying encryption in isolation and ignoring the other four layers.

Frequently Asked Questions

How do encryption and email security work together? +

Encryption protects the content of individual messages during transit and at rest. Email security is the broader program that also filters inbound threats, prevents outbound data loss, archives messages for compliance, and controls mailbox access through authentication. Encryption alone cannot stop a phishing message from entering the inbox or catch a workforce member emailing PHI to the wrong recipient. Email security alone cannot prevent an outsider from reading intercepted messages if the content is unencrypted. Both layers are required for a complete posture.

Does a VPN encrypt email? +

A VPN encrypts the network connection between the client device and the VPN provider. If the mail client uses TLS to reach the mail server, the VPN adds an outer encryption layer during that first leg. Once the message leaves the VPN endpoint and travels to the recipient mail server, the VPN provides no protection. The message itself still needs TLS transport encryption and, for regulated content, S/MIME or hosted portal encryption to protect the body between mail servers and at rest.

What is the difference between email encryption and email filtering? +

Encryption transforms outgoing message content into ciphertext so only the recipient can read it. Filtering analyzes incoming messages for spam, phishing, malware, and business email compromise indicators before delivery. They operate on opposite directions of the mail flow and address different threats. Encryption defends confidentiality on the outbound side. Filtering defends the inbox on the inbound side. HIPAA and PCI compliance require both, plus additional controls like DLP, archiving, and access management.

Do I need archiving if I already have email encryption? +

Yes, if regulations require retained records of communications. HIPAA calls for six-year retention of documentation supporting security policies. SOX and FINRA require multi-year retention of email evidence. GDPR requires the ability to produce specific messages on request. Encryption protects the content but does not preserve it after the mailbox owner deletes the message. Archiving captures every message at the gateway and stores it in tamper-evident form. Some vendors bundle encryption and archiving in one product, and others sell them separately.

How do encryption and DLP interact? +

Data loss prevention scans outbound messages for sensitive content patterns like Social Security numbers, credit card numbers, medical record numbers, and custom keywords. When DLP detects a match, it can block the message, quarantine it for review, or apply automatic encryption. That last option is the most common integration. A workforce member who forgets to click Encrypt on a message containing PHI triggers the DLP rule, which encrypts the message server-side before delivery. This removes the compliance risk of relying on manual encryption decisions.

What compliance frameworks require email encryption? +

HIPAA treats encryption of PHI in transit as an addressable specification and treats unencrypted PHI transmission as a compliance failure in practice. PCI DSS requires encryption of cardholder data when transmitted over public networks. GLBA requires financial institutions to protect customer information in transit. GDPR requires appropriate technical measures for personal data, and encryption is treated as evidence of due diligence. State laws like California CCPA and New York SHIELD Act also incentivize encryption through breach notification safe harbors that exclude encrypted data.

Should encryption and email security come from the same vendor? +

The tradeoff is between integration and specialization. Consolidated platforms from Microsoft, Google, or major security vendors handle encryption, filtering, and archiving under one console with unified reporting and one contract. Specialized vendors focus on one layer and often deliver a better recipient experience or specific compliance feature. Small practices favor consolidated platforms for administrative simplicity. Larger organizations often mix a consolidated inbound filter with a specialized outbound encryption service that pairs better with their workforce workflow.

Encrypted Email Guide for Business and HIPAA Workflows

encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Encrypted email spans three layers: TLS in transit, S/MIME or PGP end to end, and portal delivery.
  • TLS 1.2 or 1.3 protects the wire between servers, but plaintext still sits readable at rest on both.
  • S/MIME and PGP need pre-exchanged keys, which breaks a first send to any patient on personal Gmail.
  • Portal encryption reaches any browser recipient, but replies stall outside the sender inbox thread.
  • HIPAA needs a signed BAA plus training and Security Rule safeguards, not just working encryption.

Encrypted email protects message content from anyone who is not the intended recipient. The term covers three separate technical layers, and they solve different problems. Getting the layer right is what separates a defensible deployment from a false sense of security.

This guide walks through each layer, the tools that implement it, and where each one fits a business or healthcare workflow. It closes with a practical view on when to combine layers and when a portal-based encrypted email service is the right choice.

The reader should come out with enough context to decide which encryption model matches the recipients they email most often and what the budget implications are.

Encrypted Email Covers Three Distinct Layers

The first layer is TLS in transit. It encrypts the network connection between two mail servers. The message body travels through a tunnel that a passive network snoop cannot read.

The second layer is end-to-end encryption at the message level. S/MIME and PGP encrypt the body with the recipient public key. The mail server sees only ciphertext.

The third layer is portal-based delivery. The sender uploads the message to a hosted portal. The recipient authenticates and reads it in a browser. The mail itself never leaves the portal.

Each layer defends against a different threat. TLS covers passive interception. End-to-end covers a compromised or subpoenaed provider. Portal covers recipients who cannot install client-side keys.

TLS Is the Baseline for All Modern Mail Providers

Gmail, Outlook, iCloud, and most business mail providers negotiate TLS 1.2 or 1.3 by default. The two servers exchange certificates, agree on a cipher, and encrypt the connection.

TLS ends when the message arrives at the recipient server. The mail sits at rest on that server in a form the provider can decrypt. A subpoena, a rogue admin, or a provider compromise exposes plaintext.

TLS also fails when the receiving server does not support it. Older on-premise Exchange systems still exist in the wild. Google publishes a delivery status for each domain the user emails, which can reveal these gaps.

MTA-STS and DANE are add-ons that force TLS on the sending side. NIST covers the technical baseline in Special Publication 800-177 Trustworthy Email. Every modern deployment should have MTA-STS enabled at a minimum.

encrypted email in article illustration one

End-to-End Encryption Uses Keys the Provider Cannot See

S/MIME and PGP are the two dominant end-to-end standards. Both work by encrypting the message body with the recipient public key on the sender client before the message leaves the device.

S/MIME uses X.509 certificates from a certificate authority. It is native in Outlook, Apple Mail, and Google Workspace Enterprise. Setup requires a certificate for each user.

PGP uses a web of trust model where users sign each other public keys. It runs on plugins in most mail clients. Setup requires a keypair and public key exchange with every contact.

Both models fail when the recipient has no client-side setup. A referring physician on personal Gmail without S/MIME cannot receive an S/MIME encrypted message. Related linked topic: should I consider encrypted email using ProtonMail as one example.

Portal-Based Encrypted Email Works With Any Recipient

Portal delivery is the practical choice when recipients are variable, include patients, or refuse to install certificates. The sender writes the message in a normal mail client or a web portal.

The service uploads the message to a hosted portal. The recipient receives a notification with a link. They click the link, authenticate with a passcode or SSO, and read the message in a browser.

Microsoft Purview Message Encryption uses this model. Google Workspace confidential mode uses a similar model. Third-party services like Mailhippo use the same model with a HIPAA-focused BAA in the base plan.

Portal delivery works with any recipient on any device. The tradeoff is friction. Replies happen in the portal, not the recipient normal inbox. Threading breaks for downstream record keeping.

Example

A mid-size clinic with a stable set of peer providers layers all three encryption models. TLS runs by default between Microsoft 365 mail servers and their peer clinic servers. S/MIME certificates issued from an internal PKI cover peer clinical mail between six known referring physicians. A portal gateway handles patient billing statements and one-off external contacts who cannot install certificates. DLP rules in Exchange Online auto-encrypt any message containing an MRN pattern. Audit logs retain for the six-year HIPAA administrative requirement.

HIPAA Requires More Than Encryption Alone

HIPAA compliance for email requires three things. A signed Business Associate Agreement with the mail provider. Technical safeguards under the Security Rule. Workforce training on encryption use.

Encryption is one technical safeguard. Access controls, audit logging, session timeouts, and secure key management are others. The HHS Security Rule spells out the full list.

A signed BAA is what makes the mail provider a business associate under 45 CFR 164.502(e). Without it, sending PHI through any encrypted service is still a HIPAA violation regardless of encryption strength.

Gmail on Google Workspace Business Standard and above and Outlook on Microsoft 365 Business Standard and above both offer BAAs. Free personal accounts do not. See related healthcare security context for how email fits inside the broader stack.

encrypted email in article illustration two

Common Encrypted Email Deployment Patterns

Small practices with a single mail provider usually run TLS plus a portal gateway. This covers passive interception and external recipient delivery in one setup.

Mid-size clinics with a stable set of peer providers add S/MIME on top for the peer traffic. TLS is baseline, S/MIME handles peer clinical mail, portal handles patients and one-off external contacts.

Larger hospitals with internal PKI use S/MIME across the entire clinical workforce. They still add a portal for patient communication. The two models coexist and are chosen per recipient by the mail client or by a policy rule.

Common encrypted email deployment components include:

  • TLS baseline with MTA-STS enforced on outbound
  • SPF, DKIM, and DMARC configured on the sending domain
  • S/MIME certificates issued to clinical users for peer traffic
  • Portal service for patient and external recipient traffic
  • DLP rules that auto-encrypt messages containing SSN, MRN, or PHI patterns
  • Audit logs retained per HIPAA six-year requirement

Free Encrypted Email Options and Their Limits

Free encrypted email exists but comes with real limits. Personal ProtonMail and Tutanota accounts offer zero-access encryption at rest and portal-based delivery for external recipients.

The catch is no BAA. Free tiers do not qualify for HIPAA use regardless of encryption strength. Storage caps and daily message limits also fail business use quickly.

Free personal S/MIME certificates from Actalis and similar issuers give real end-to-end encryption but require manual install and renewal. Time cost is often higher than a paid service.

For a solo user with occasional secure needs, free options are workable. For a practice with regulatory obligations, paid tiers with BAAs are the only defensible path. Related: free encrypted email for a fuller comparison.

๐Ÿ’กPro Tip: Enable MTA-STS before deploying any content encryption

TLS is the required baseline but fails silently when the receiving server does not support it or downgrades the connection. MTA-STS forces TLS on outbound mail and blocks delivery when the receiving side cannot negotiate a secure session. NIST Special Publication 800-177 covers the technical baseline. Deploy MTA-STS at the DNS layer before adding S/MIME or portal encryption, otherwise the transit layer stays exposed to downgrade attacks that content encryption cannot fix.

Encrypted Email Feature Comparison

The table below compares the main encrypted email models on the dimensions that matter most for a business buyer.

Model Encryption Level Recipient Setup HIPAA Fit Best For
TLS only Transit None Baseline only General business mail
S/MIME End-to-end Certificate install Peer traffic Clinic-to-clinic
PGP End-to-end Keyring install Rare in healthcare Technical users
Portal gateway End-to-end at rest Passcode or SSO All recipients Patient and external mail
Zero-access mailbox End-to-end at rest Account creation With BAA on paid tier Privacy-focused solo users

Encrypted Email Troubleshooting Basics

Delivery failures are the most common encrypted email problem. TLS failures show up as messages sitting in the outbound queue or arriving in plain form when the receiving server does not support TLS.

S/MIME failures usually trace to certificate expiration, address mismatch, or a missing intermediate CA. The recipient client shows a specific error that names the failing check.

Portal delivery failures often trace to the recipient marking the notification as spam. Adding the sender portal domain to a safe-sender list at the recipient side fixes this. See related linked topic: how to troubleshoot encrypted email.

Deliverability upstream matters too. A domain without SPF, DKIM, and DMARC lands portal notifications in spam even when the portal itself works. The Gmail sender guidelines apply to portal notification email the same way they apply to normal outbound mail.

Choosing an Encrypted Email Setup for Your Practice

The right choice depends on three questions. Who are you emailing most often. Are they technical enough to hold a certificate. Do you already run on Microsoft 365 or Google Workspace.

For a practice that emails patients daily and peer clinics occasionally, a portal gateway is the higher-value setup. Patients never install anything. Peer clinics can still receive the portal notification and open it in a browser.

For a practice that emails peer clinics daily and rarely emails patients, S/MIME across the peer network with a portal fallback for patients is the higher-value setup. Peer traffic runs at inbox speed with no extra clicks.

Mailhippo operates as a portal gateway on top of Gmail or Outlook, includes a BAA in the base plan, and requires no per-user certificate management. It fits practices that need patient-safe encryption without moving off their existing mail provider. Practices building a compliant public site alongside their email strategy can pair this with healthcare marketing support so intake, contact, and email flows stay inside the same compliance boundary.

Frequently Asked Questions

What is encrypted email? +

Encrypted email is any email where the message content is scrambled so only intended parties can read it. The term covers three separate layers. TLS encrypts the network connection between mail servers. S/MIME and PGP encrypt the message body at the client level. Portal services encrypt the stored content behind a login. Each layer defends against a different threat. Most business deployments use TLS as a baseline and add either message-level or portal-based encryption depending on how technical the recipients are.

Is Gmail encrypted email? +

Gmail uses TLS between mail servers when the other side supports it, and it encrypts stored mail at rest on Google servers with keys Google controls. Gmail is not end-to-end encrypted by default. Google can read stored mail because Google holds the keys. Google Workspace Enterprise and Education tiers add hosted S/MIME support, which adds true end-to-end encryption when both sides hold certificates. Confidential mode adds a passcode and expiration but does not add end-to-end encryption. See related coverage in how is email encrypted.

Is encrypted email HIPAA compliant? +

Encrypted email can meet HIPAA if the covered entity signs a Business Associate Agreement with the mail provider, configures technical safeguards under the Security Rule, and trains staff on encryption use. Encryption alone does not equal compliance. The BAA covers the legal relationship. The configuration covers the technical safeguards. Training covers workforce use. A free personal Gmail or Outlook account cannot meet HIPAA even with strong encryption because no BAA is available on those tiers.

What is the difference between encrypted email and secure email? +

Secure email is a broader term that covers encryption plus anti-phishing, anti-malware, DLP, and archiving. Encrypted email refers specifically to the encryption layer. A secure email service usually bundles multiple protections including encryption. A HIPAA-compliant secure email service adds a BAA and audit logging on top. For most business buyers, secure email is the product category and encrypted email is one required feature inside it.

Can I send encrypted email to any recipient? +

Not without setup on both sides for message-level encryption. S/MIME and PGP require both sender and recipient to hold keys or certificates. Portal-based encryption works with any recipient because the encryption stays on the sender-hosted portal and the recipient only needs a browser and a passcode. For practices that send PHI to patients, portal delivery is the only workable model. For peer clinical mail between known providers, S/MIME is often more efficient after the initial setup.

What is TLS encrypted email? +

TLS encrypted email uses Transport Layer Security to protect the network connection between two mail servers. When Gmail sends a message to Outlook, both servers negotiate a TLS session and the message body travels through an encrypted tunnel. TLS ends when the message arrives at the recipient server. The message sits at rest on that server in a form the provider can decrypt. TLS is the baseline for modern mail delivery but does not qualify as end-to-end encryption for regulated data.

Does encrypted email cost extra? +

TLS is free and built into every modern mail provider. S/MIME certificates cost $0 to $200 per user per year depending on issuer and assurance level. PGP is free but requires plugins. Portal-based services like Mailhippo charge a per-user monthly fee, usually less than $10 per user. Microsoft Purview Message Encryption is included in Microsoft 365 Business Premium and above. Total encrypted email cost depends more on which model the practice needs than on any single tool.

How to Encrypt Email Across Common Clients and Compliance Cases

encrypt email guide featured image

๐Ÿ”‘ Key Takeaways

  • Encrypt email splits four ways: TLS transport, S/MIME, PGP keys, or portal-based delivery.
  • TLS drops to plaintext if the receiving server fails to negotiate, so it fails as a standalone.
  • S/MIME and PGP encrypt the message content but need certificates or keys installed on both sides.
  • Portal services skip recipient setup and fit patient mail because zero install runs on their end.
  • HIPAA needs a signed BAA plus encryption in transit and at rest, not just any single method.

Encrypt email covers four different technical methods that each solve a different problem. Transport Layer Security handles the connection layer. S/MIME and PGP handle the message content. Portal-based services handle the recipient experience for external contacts.

This guide covers how to encrypt email across the major clients and use cases. Each method has a specific fit. Match the tool to the sensitivity of the content and the recipient environment.

The right choice depends on plan level, staff count, and how often external recipients change. Read each section for the fit and decide based on the actual send flow.

TLS Is the Baseline Encryption Every Modern Mail Server Uses

Transport Layer Security protects the connection between two mail servers. When one server sends to another, both negotiate a TLS handshake and encrypt the traffic in flight. Any observer on the network path sees only ciphertext.

TLS is on by default in Gmail, Outlook, Apple Mail, Yahoo, and every other major provider. Users do not turn it on. Administrators do not configure it per message. It happens automatically when both servers support it.

The catch is opportunistic fallback. If the receiving server does not support TLS, the sending server delivers the message in plaintext by default. No warning, no error. The sender sees a padlock in the client and assumes encryption, but the message reached the recipient over an unencrypted link.

For regulated content, the fallback rules out TLS as a standalone protection. The NIST SP 800-45 guide on email security recommends verified end-to-end encryption for sensitive email, not opportunistic TLS.

S/MIME Encrypts Message Content in Outlook and Apple Mail

S/MIME uses X.509 certificates to encrypt the message content itself. Once encrypted, only the recipient with the matching private key can read the message. The mail provider stores ciphertext and cannot decrypt.

Outlook supports S/MIME on all plans that include the desktop apps. Apple Mail supports S/MIME natively on macOS and iOS. Gmail supports S/MIME on Workspace Enterprise Plus, Education Standard, and Education Plus.

Setup requires a certificate for the sender and a certificate for the recipient. Certificates come from a trusted authority like DigiCert, Sectigo, or IdenTrust. Public keys attach to signed messages, so correspondents build up a keyring by receiving signed mail from each other.

S/MIME works well between internal users and formal partner organizations with matching PKI. It does not work well for one-off external contacts because most personal accounts do not have S/MIME set up.

encrypt email in article illustration one

PGP Uses an Open-Source Key Model

PGP is the open-source alternative to S/MIME. It does the same job with a different key management model. Users generate a public and private key pair, share the public key with correspondents, and encrypt messages with the recipient public key.

Thunderbird has built-in PGP support. Mailvelope provides a browser plugin for Gmail. GPG Suite covers Apple Mail on macOS. Outlook needs a third-party add-in like Gpg4win.

PGP has stronger cryptographic flexibility than S/MIME but a steeper learning curve. Key generation, keyserver management, and web-of-trust verification all fall to the user. Recipients unfamiliar with the process will not decrypt a PGP message without help.

PGP fits technical users and organizations where security-conscious sender and recipient both know the tooling. It does not fit patient-facing healthcare communication because most patients cannot manage PGP keys.

Portal Services Handle the External Recipient Case

Portal-based encrypted email services solve the friction problem that S/MIME and PGP create for external recipients. The sender writes the message in the normal client. The service encrypts the message and delivers a notification email with a click-to-open link.

The recipient clicks the link, verifies with a one-time passcode or a portal password, and reads the message in a browser. No key management, no certificate exchange, no software install for the recipient.

This is the model most healthcare practices adopt for patient-facing PHI. It works for patients, external providers, and vendors on any mail platform. The recipient does not need to configure anything on their end.

The tradeoff is that the message content lives on the vendor server. Vendor selection matters because that server becomes part of the compliance boundary. Portal services with a signed BAA and audit logging fit HIPAA. Consumer messaging apps generally do not.

Example

A three-provider chiropractic office wants encrypted email for referrals. The office manager tests opportunistic TLS to a regional insurer, but the insurer server drops TLS on receipt and delivers cleartext. The manager then tests S/MIME, but the insurer contact has no certificate. Finally the manager routes the message through a portal-based HIPAA service. The insurer clicks the notification, enters a one-time passcode, and reads the referral in 45 seconds. The office standardizes on the portal path for external referrals.

Encrypting Attachments Follows the Whole-Message Method

Attachments encrypt through the same method as the message body when using Purview, S/MIME, PGP, or a portal service. The sender does not need to encrypt attachments separately. The whole message envelope carries the encryption to the recipient.

Practices that need a separate attachment method have three options:

  • Save the file as a password-protected PDF and share the password through a different channel
  • Place the file in an encrypted ZIP archive using 7-Zip or WinZip with AES-256
  • Use a HIPAA-compliant file transfer service for very large files that exceed mail size limits

The whole-message method is easier for recipients and less error-prone than juggling separate passwords. Password-protected PDFs and ZIP files also fail when the sender emails the password in the same conversation, which happens frequently.

Once a recipient decrypts and downloads an attachment, the local copy is no longer covered by the sender-side encryption. HIPAA rules on the local file remain in force. That is a downstream concern for the recipient environment.

encrypt email in article illustration two

HIPAA Requires More Than the Encrypt Button

HIPAA compliance for email transmission requires four things: a signed business associate agreement with the mail platform, verified encryption in transit and at rest, access logs for six years, and workforce training on when to send PHI over email.

The Encrypt button alone does not cover all four. It covers the transmission layer. The BAA, the logging, and the training all fall to the covered entity to configure and maintain.

Microsoft 365 and Google Workspace both include HIPAA-eligible configurations with signed BAAs. Administrators accept the BAA in the admin center. The BAA applies to the tenant from that point forward. The covered entity handles the rest.

Dedicated HIPAA email services like Mailhippo include the BAA in the base plan without requiring plan upgrades on the underlying mail platform. This matches practices that need HIPAA-safe email but do not want to reconfigure the whole tenant.

Mobile Clients Support the Same Methods

Encrypt email on mobile works through the same methods as desktop. Outlook mobile supports Microsoft Purview Encrypt-Only and Do Not Forward through the same Encrypt option in the compose menu. Recipients open messages in the browser tab or in the Outlook mobile app.

Apple Mail on iOS supports S/MIME natively. Certificates install through a Configuration Profile pushed by mobile device management. The Encrypt icon appears in the compose window once the certificate is available.

Gmail mobile supports Confidential Mode through the standard compose interface. Portal-based encrypted email services provide mobile apps or work through the mobile browser. Mailhippo, Proofpoint, and other vendors all support mobile recipient flows.

The mobile recipient experience matters for patient-facing mail. Many patients read email on a phone. The service should present a clean mobile view of the decrypted message with tap-friendly buttons.

๐Ÿ’กPro Tip: Match the encryption method to the recipient population

Portal services fit patients and one-off external contacts because zero setup is required on the recipient end. S/MIME fits internal staff or partner organizations with managed PKI where certificates already exist. PGP fits technical users only. TLS fits general business mail with no regulated content. Picking the wrong method for the recipient population is the fastest way to tank open rates and force staff back to unencrypted workarounds.

Cost Varies From Free to Enterprise Tier

Encrypted email cost ranges widely. TLS is free and included in every mail platform. Gmail Confidential Mode is free with any Gmail account. S/MIME certificates cost fifty to several hundred dollars per user per year depending on the authority and support level.

Microsoft Purview Message Encryption requires Business Premium at around twenty-two dollars per user per month, up from Business Basic at six dollars. That is a plan-wide upgrade, not a per-message cost. Dedicated HIPAA services typically run five to twenty dollars per user per month depending on plan tier.

Practices on Business Basic or Business Standard often find a dedicated HIPAA service costs less than upgrading every seat to Business Premium. The math depends on how many seats need to encrypt versus how many just handle general mail.

Compare total cost of ownership, not just per-seat rate. Setup time, training, and ongoing configuration also count. A simpler service with a higher per-seat rate can cost less overall.

The Recipient Experience Determines Adoption

The single largest factor in encrypted email adoption is the recipient experience. Every step the recipient has to take lowers the open rate on regulated messages. Every extra sign-in or password reset lowers it further.

The rough order from easiest to hardest recipient experience is:

  • TLS message that arrives inline with no extra step
  • Portal service with a one-click link and one-time passcode
  • Portal service with account registration and password
  • S/MIME message that requires certificate pre-install
  • PGP message that requires key pair generation

Practices should match the method to the recipient population. Patient-facing mail needs the simplest recipient path. Internal mail between staff can use a more complex path because the setup is done once during onboarding.

Measure the open rate on encrypted messages. If the rate drops significantly compared to regular mail, the recipient path is too long. Switch to a shorter path.

Mailhippo Handles the HIPAA Case With One-Click Recipient

Mailhippo secure email service works with existing Gmail or Outlook accounts and includes a signed BAA in the base plan. There are no PGP keys, no S/MIME certificates, and no license upgrades on the underlying mail platform.

The sender writes the message in a browser interface or through an add-in. Mailhippo encrypts the content and delivers a notification email to the recipient. The recipient clicks the link, enters a one-time passcode delivered to the same email address, and reads the message.

This is the shortest recipient path among common HIPAA options. Patients on any mail platform can open the message on desktop or mobile. Attachments open inline. Replies encrypt automatically back to the sender.

The broader compliance stack includes healthcare website security features, patient portal configuration, and internal access controls. Encrypted email is one layer. The full stack covers the practice end to end.

Frequently Asked Questions

How do I encrypt an email in Outlook? +

Open a new message in Outlook. Click Options in the ribbon, click Encrypt, and pick Encrypt-Only or Do Not Forward. Write the message and click Send. Microsoft Purview handles the encryption and delivery. External recipients receive a notification email with a Read the message button that opens the content in a browser tab. They sign in with a Microsoft or Google account or request a one-time passcode. The Encrypt button requires Microsoft 365 Business Premium or higher.

How do I encrypt an email in Gmail? +

Gmail Confidential Mode is the built-in encryption option. Click the padlock and clock icon in the compose window, set an expiration date, and optionally require SMS verification. Confidential Mode blocks forward, copy, download, and print. It is not end-to-end encrypted and does not meet HIPAA requirements on its own. For HIPAA, use Google Workspace with a signed BAA plus Google Workspace client-side encryption, or route messages through a dedicated HIPAA email service that includes the BAA in the base plan.

How do I encrypt an email attachment? +

The simplest method is to encrypt the whole message using Microsoft Purview, S/MIME, PGP, or a portal-based service. All four methods encrypt the message body and attachments together. To encrypt an attachment separately, save it as a password-protected PDF, or place it in an encrypted ZIP file using 7-Zip or WinZip with AES-256. Share the password through a separate channel. The whole-message method is easier for recipients and less error-prone than the separate password method.

What is the difference between S/MIME and PGP? +

S/MIME uses X.509 certificates issued by trusted certificate authorities. The user pays for a certificate, installs it in the mail client, and encrypts using recipient certificates. PGP uses an open-source key pair generated by the user. Public keys share on keyservers or through direct exchange. Both methods encrypt at the message level. S/MIME integrates with Outlook, Apple Mail, and Gmail Enterprise. PGP integrates with Thunderbird, Mailvelope, and GPG Suite. S/MIME is more common in corporate settings. PGP is more common among technical users.

Is TLS enough to encrypt email for HIPAA? +

No, TLS alone does not satisfy the HIPAA transmission security standard reliably. TLS is opportunistic. If the receiving mail server does not support TLS, the sending server delivers in plaintext without any warning. The sender assumes encryption but the message reaches the recipient over an unencrypted connection. HIPAA requires verified encryption for PHI transmission. Use a message-level method like Microsoft Purview, S/MIME, or a portal-based service that enforces encryption on every send with no plaintext fallback.

Can I encrypt email to any recipient? +

Yes, if you use the right method. TLS reaches any recipient but drops to plaintext if the receiving server does not support TLS. S/MIME and PGP only work if the recipient has a matching certificate or key. Portal-based services work for any recipient because the message decrypts in a browser after a one-time verification. Practices sending to patients and external contacts on mixed platforms usually choose a portal-based method for the widest compatibility.

Do encrypted emails stay encrypted after the recipient opens them? +

It depends on the method. S/MIME and PGP messages stay as encrypted ciphertext in the mail client and decrypt on demand each time the recipient views them. Portal-based services keep the message encrypted on the server and decrypt in the browser for viewing. Microsoft Purview messages stay encrypted at rest. Once a recipient downloads an attachment or copies content out of the encrypted view, the local copy is no longer covered by the sender-side encryption.