[mh_key_takeaways]
The question “how can I encrypt my emails” has different answers depending on which mail provider is in front of you. Gmail, Outlook, and Microsoft 365 each expose different controls, and personal accounts on all three offer less than their business counterparts.
This guide walks through the encryption paths available in each platform, explains where S/MIME and PGP fit, and covers the compliance layer for practices that need audit trails. For practices sending patient information, dedicated encrypted email services are usually the shortest path.
Each section below covers the steps for a specific platform or method. Skip to the section that matches your setup.
Three layers of email encryption you need to understand first
Email encryption is not one thing. It operates at three layers, and each solves a different problem.
The first layer is TLS between mail servers. It protects the message on the wire from one server to the next. Gmail, Outlook.com, and Microsoft 365 all enforce TLS 1.2 or 1.3 by default when the receiving server supports it.
The second layer is message-level encryption. The mail provider encrypts the message body on its own servers and delivers it to external recipients through a portal or a signed session. Microsoft Purview Message Encryption and Google Workspace hosted S/MIME operate at this layer.
The third layer is end-to-end encryption. The message body is encrypted on the sender’s device and stays encrypted until the recipient decrypts it. S/MIME with client-held certificates and PGP both operate at this layer.
Most business scenarios stop at the second layer. The third layer adds friction that only pays off when the message content is unusually sensitive or the recipient’s mail server cannot be trusted with plain text.
How to encrypt emails in Gmail with a Workspace account
Gmail on Google Workspace Enterprise Plus supports hosted S/MIME. The admin enables it in the Google Admin console under Apps, Google Workspace, Gmail, User settings.
Once enabled, users upload their S/MIME certificate through Gmail settings. Compose messages then show a lock icon next to the recipient field, indicating that the message will send encrypted.
Encryption only applies when the recipient also holds a certificate. For recipients without one, Gmail falls back to standard TLS delivery. That fallback is the reason S/MIME alone is not sufficient for a healthcare workflow.
The Google Workspace S/MIME setup guide walks through the certificate upload and enforcement policies. Confidential Mode is not a substitute for S/MIME and does not satisfy HIPAA.
Practices on lower Workspace tiers do not have hosted S/MIME. Those accounts need a third-party gateway or a dedicated compliant email service.

How to encrypt emails in Outlook with a Microsoft 365 plan
Outlook on Microsoft 365 Business Premium, E3, and E5 exposes an Encrypt button in the compose window. It sits in the Options ribbon on the desktop app and in the three-dot menu on Outlook web.
Clicking Encrypt triggers Purview Message Encryption. The user picks an encryption policy such as Encrypt Only or Do Not Forward. The message travels encrypted, and external recipients receive a portal link with sign-in options.
The Microsoft Purview Message Encryption documentation details the policy options and the recipient experience. Setup usually completes in the admin center within an hour if Azure Rights Management is already active on the tenant.
Business Basic and Business Standard do not include the Encrypt button. Practices on those plans either upgrade or add a dedicated encryption layer. Sibling coverage for the Outlook-specific path is in can I encrypt emails in Outlook.
For a broader walkthrough of Gmail-side encryption steps, see how can I encrypt an email.
Setting up S/MIME on a desktop Outlook client
Desktop Outlook supports S/MIME natively. The user needs a certificate issued to their email address, installed in the Windows certificate store or on a smart card.
- Obtain an S/MIME certificate from a trusted certificate authority. Commercial certificates cost $20 to $60 per year.
- Import the certificate into the Windows certificate store under Personal, Certificates.
- In Outlook, open File, Options, Trust Center, Trust Center Settings, Email Security.
- Under Encrypted email, click Settings and select the imported certificate.
- Optionally enable Encrypt contents and attachments for outgoing messages to make encryption the default.
Once configured, the compose window shows a lock icon when the recipient’s certificate is available. If the recipient has never sent a signed message, Outlook cannot encrypt to them until their certificate is exchanged.
The exchange step is the operational tax of S/MIME. It works well inside a practice where every mailbox has a certificate. It falls apart with external partners and patients who do not.
[mh_example]
Using PGP with Thunderbird or Mailvelope
PGP encryption uses a public-private key pair that the user generates and controls. It works with any email account, including personal Gmail and Outlook.com, but requires a compatible client on both ends.
Thunderbird has built-in PGP support since version 78. The user generates a key pair in Account Settings, End-to-End Encryption. The public key is shared with correspondents through a keyserver, direct exchange, or embedded in outgoing signatures.
Mailvelope is a browser extension that adds PGP support to Gmail and other web-based clients. It handles key generation and message encryption directly in the browser without the mail provider seeing plain text.
PGP is the preferred method for individual users, journalists, and technical audiences who prioritize key control. It is rarely the right method for a healthcare practice because patients and referring providers will not install a PGP client.
For a client-facing walkthrough of PGP versus gateway encryption, the sibling article how do my clients encrypt email covers the tradeoffs.
Encrypting attachments without encrypting the message
Sometimes the message body is fine to send in plain text and only the attachment carries sensitive data. Password-protecting the attachment lets the email travel through any provider.
- Compress the file using 7-Zip, WinRAR, or Windows built-in compression with AES-256 encryption enabled.
- Set a strong password of 12 characters or more with mixed case, numbers, and symbols.
- Attach the encrypted archive to the email as normal.
- Share the password over a separate channel, such as a phone call, SMS, or in-person conversation.
This method is common for one-off file transfers between organizations that have no shared encryption infrastructure. It is not compliant on its own for HIPAA because it does not produce an audit trail and the password channel is often insecure.
Practices exchanging patient files frequently should route those exchanges through a compliant email service instead. The sibling piece on how to encrypt my sent emails covers the outbound side in more depth.

Government and military email encryption requirements
Army and other DoD email accounts require encryption through the DoD Common Access Card or Personal Identity Verification card. The CAC holds the S/MIME certificate that Outlook and OWA use to encrypt outbound mail.
Signed drivers for the CAC reader and the ActivClient middleware need to be installed on the endpoint. Once installed, Outlook detects the certificate and enables Sign and Encrypt buttons in the compose ribbon.
Encrypting from a home computer to a .mil address requires the sender’s CAC and the recipient’s published certificate. The DoD Global Address List holds those certificates for internal-to-internal traffic.
Contractors handling Controlled Unclassified Information under CMMC use a similar S/MIME model or a compliant email gateway. The NIST SP 800-171 Rev. 2 guidance covers the required controls for those workloads.
Compliance-driven encryption for HIPAA, CMMC, and GDPR
User-driven encryption on a per-message basis rarely satisfies a compliance framework. The framework requires a documented standard, retained audit trails, and a signed agreement with the vendor handling the data.
HIPAA requires a Business Associate Agreement with the email vendor. CMMC requires FIPS 140-2 validated cryptographic modules for CUI. GDPR requires a Data Processing Agreement covering personal data of EU residents.
A gateway-based compliant service handles all three by applying encryption at the mail server, retaining logs, and providing the signed agreement in the base plan. That removes the burden of a user deciding whether a specific message qualifies.
Practices that also send bulk patient communications should coordinate with a healthcare marketing agency so that outreach and compliance sit on the same infrastructure.
The HIPAA Journal breakdown of compliant email is the authoritative external reference for the healthcare side.
[mh_protip]
Verifying that a message was actually encrypted
An encrypted send is only useful if the encryption held. Every major mail client provides a way to verify.
In Gmail, open the message, click the three-dot menu, and select Show Original. The header displays the TLS status of the delivering connection.
In Outlook desktop, right-click the message and choose Message Options. The header shows Received lines with TLS version details.
For end-to-end encryption, the client shows a lock icon or shield in the message header. S/MIME messages in Outlook show a blue ribbon. Encrypted messages in Gmail show a green lock.
If none of those indicators appear, the message either traveled without encryption or the encryption fell back to a lower tier than the sender expected. That is worth catching before the next send rather than after an audit.
When a dedicated compliant email service saves setup time
The setup steps above cover the manual paths available in Gmail, Outlook, and Microsoft 365. Each works for individual users comfortable managing certificates or keys per contact.
A dedicated compliant email service replaces the manual path with an automatic one. The practice connects its existing mailbox, adds a DNS record, and every outbound message is encrypted at the gateway. No per-contact certificate exchange is required.
Mailhippo is one example of that model. It works with existing Gmail and Microsoft 365 accounts, includes the Business Associate Agreement in the base plan, and delivers messages directly to recipient inboxes without a portal login for standard scenarios.
For the underlying encryption model comparison, the sibling article how to encrypt email covers the technical layer in more depth. For the recipient-side experience, how can you encrypt an email walks through what the reader sees.
Choosing the right method for your workflow
The right encryption method depends on volume, sensitivity, and recipient technical skill.
Individuals sending occasional sensitive messages to technical peers can use PGP through Thunderbird or Mailvelope. The setup pays off because the recipient list is small and every recipient has the tools.
Small businesses on Microsoft 365 Business Premium can use the Encrypt button. It handles the recipient experience through the portal and needs no per-user certificate.
Healthcare practices, law firms, and financial services with compliance obligations need a gateway-based service. It removes the user decision and produces the audit trail auditors ask for.
Practices reviewing the broader digital footprint alongside the email decision can also review their healthcare website security features so the same standards apply across email, forms, and portals.
[mh_faqs]





