[mh_category_pill]

Encrypt an Email in Gmail Outlook and Beyond With Real Compliance

[mh_post_meta]
encrypt an email guide featured image

[mh_key_takeaways]

To encrypt an email means scrambling the message body and attachments so only the intended recipient can read them. The steps vary by mail platform and by how strong the encryption needs to be.

This guide walks through the practical methods in order of increasing security, covers the cost of each, and explains where each fits. For practices sending patient information, dedicated encrypted email services are usually the shortest path.

Skip to the section that matches your mail platform if you already know which one you use. Otherwise, read from the top to compare.

The five ways to encrypt an email you might encounter

Encryption for email comes in five practical forms. Each targets a different scenario, and knowing the differences prevents wasted setup effort.

  • TLS between mail servers, on by default across Gmail, Outlook.com, and Microsoft 365.
  • Confidential Mode in Gmail, which restricts actions but does not encrypt the body.
  • Microsoft Purview Message Encryption in Outlook, triggered by the Encrypt button.
  • S/MIME and PGP end-to-end encryption, using certificates or key pairs.
  • Gateway-based encryption services that route mail through a compliant server.

TLS is baseline. Confidential Mode is not real encryption. Purview and S/MIME are the Microsoft- and Google-native strong options. Gateways are the third-party option that works on any account.

Related coverage on the same territory is in to encrypt an email and can I encrypt an email.

How to encrypt an email in Outlook using the Encrypt button

Microsoft 365 Business Premium and Enterprise plans include Purview Message Encryption. The user experience is a single button in the compose window.

  • Open Outlook and start a new message.
  • On the desktop app, click Options in the ribbon, then Encrypt.
  • On Outlook web, click the three-dot menu in the compose window, then Encrypt.
  • Choose an encryption policy from the dropdown, such as Encrypt Only or Do Not Forward.
  • Compose and send the message as normal.

Internal recipients on the same tenant read the message directly in Outlook. External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode.

The Microsoft Purview Message Encryption documentation covers the policy options and setup steps in more depth. Sibling coverage in how do you encrypt an email outlook covers the same flow from a different angle.

encrypt an email in article illustration one

How to encrypt an email in Gmail with hosted S/MIME

Gmail on Google Workspace Enterprise Plus supports hosted S/MIME, which encrypts messages end-to-end using certificates. It is the only Google-native option that meets healthcare compliance.

The admin enables S/MIME encryption for outgoing email in the Google Admin console. Each user uploads a personal certificate through their Gmail settings.

Once configured, composing a message shows a lock icon next to the recipient field. If the recipient’s certificate is available, the icon shows green and the message will encrypt automatically.

Recipients without a certificate fall back to standard TLS delivery. That fallback is why S/MIME alone is not sufficient for a full compliance program.

The Google Workspace S/MIME setup guide covers the certificate policies. For the Outlook variant of the same standard, see encrypting an email outlook.

How the main platforms compare on cost and compliance

The right platform depends on the existing subscription, the compliance requirement, and the recipient’s technical skill. A side-by-side view helps narrow the choice.

Method Monthly cost per user Meets HIPAA Recipient friction Setup effort
Outlook Encrypt button (M365 Business Premium) Around $22 Yes, with BAA Low, portal fallback Low
Google Workspace Enterprise Plus S/MIME Around $30 plus certificate cost Yes, with BAA High, needs recipient certificate High
PGP via Mailvelope on any plan Free, plus mail plan cost Case by case documentation Very high, needs PGP client Medium
Gateway service on any plan $5 to $15 Yes, BAA in base plan Low, portal fallback Low, DNS record

For a solo practice, the gateway path costs the least and meets compliance out of the box. For a Microsoft 365 tenant already at Business Premium, the Encrypt button is already paid for and adds nothing more. Google Workspace Enterprise Plus is the most expensive path per user.

[mh_example]

Encrypting an email containing PHI

Protected health information carries specific HIPAA obligations. Encrypting an email that contains PHI is one part of a larger compliance stack.

The mail vendor needs to sign a Business Associate Agreement. The encryption needs to meet TLS 1.2 or higher for transmission and AES-256 or similar for at-rest storage.

Every send and open needs to appear in a retained audit log. Workforce training under the Security Rule needs to cover which channels are approved for PHI.

A single Encrypt button click on Outlook or a lock icon in Gmail satisfies the encryption piece. It does not satisfy the BAA, the audit log, or the training piece by itself.

Gateway services designed for healthcare cover all three technical pieces automatically. Sibling coverage in encrypt an email containing PHI covers the PHI-specific angle.

Encrypting an email through a gateway service

Gateway services encrypt outbound mail at the server, which removes the user decision. The setup is a DNS change rather than a client configuration.

  • Sign up with the vendor and receive an SPF record and DKIM key.
  • Add both records to the DNS zone for the practice domain.
  • Wait for DNS propagation, usually within a few hours.
  • Send a test message and verify it routes through the vendor’s server.
  • Sign the Business Associate Agreement or Data Processing Agreement provided by the vendor.

Once configured, every outbound message from the mailbox routes through the vendor’s gateway. The gateway applies the encryption policy before releasing the message.

End users see no change. Staff continue composing in Gmail or Outlook, and the encryption happens invisibly. Mailhippo is one example of that model.

The HIPAA Journal breakdown of compliant email covers the vendor-selection criteria in more depth.

encrypt an email in article illustration two

Encrypting an email with a PGP browser extension

PGP through a browser extension works on any mail account, including personal Gmail and Outlook.com. It is the strongest end-to-end option and the most flexible for individuals.

Install Mailvelope from the Chrome or Firefox extension store. The extension generates a PGP key pair on first run and stores the private key locally in the browser.

Share the public key with correspondents through a keyserver or a signed message. Both sides need each other’s public keys before encryption works.

Composing in Gmail then shows a Mailvelope button. Clicking it opens a secure editor inside the browser. The message is encrypted locally before being pasted into the Gmail compose window.

The tradeoff is friction. Every recipient needs a PGP client, which excludes patients and most business correspondents. PGP fits technical audiences and individual privacy scenarios rather than mainstream healthcare.

Encrypting attachments separately from the message body

Sometimes only the attachment carries sensitive data. Password-protecting the attachment lets the email travel through any provider.

  • Compress the file with 7-Zip, WinRAR, or Windows built-in compression, and enable AES-256 encryption.
  • Set a strong password of 12 characters or more.
  • Attach the encrypted archive to the email.
  • Share the password over a phone call, SMS, or in-person conversation.

The mail server does not see the file contents, so the file travels through Gmail or Outlook as opaque data. The recipient extracts the archive with the shared password.

This method is not HIPAA compliant on its own because it produces no audit trail and the password channel is often insecure. It fits one-off file transfers between organizations without a shared encryption service.

[mh_protip]

Verifying an outbound message actually went out encrypted

An encrypted send is only useful if the encryption held. Both Gmail and Outlook provide ways to verify.

In Gmail, open the sent message and click the three-dot menu, then Show Original. The header displays the TLS status of the delivering connection.

In Outlook desktop, right-click the message and choose Message Options. The header lines show Received records with TLS version details.

For Purview or S/MIME messages, the sent view shows a lock or shield icon in the header. Clicking the icon shows the encryption policy applied.

If none of those indicators appear, the message either traveled without encryption or fell back to a lower tier than expected. Sibling coverage in what happens when you encrypt an email outlook covers the outbound side.

When to encrypt every message versus specific messages

User-driven encryption depends on the user deciding correctly each time. Compliance frameworks treat that decision as a weakness because a single missed message counts as a violation.

The alternative is policy-based encryption at the gateway. Every outbound message routes through the encryption layer, regardless of whether the user clicked a button.

Policy-based encryption uses rules to decide what to protect. Rules can trigger on keywords, recipient domain, sender department, or data classification labels. The user does not need to know the rule was applied.

For healthcare practices, policy-based encryption on every outbound message is the safer default. It removes the failure mode where a staff member forgets to click Encrypt on a specific message.

The right method for your workflow

Choosing the right method comes down to the mail platform, the compliance requirement, and the recipient list.

Microsoft 365 Business Premium tenants can use the Encrypt button in Outlook. The BAA is in place if the tenant is configured correctly, and the recipient side is handled through the portal.

Google Workspace tenants on Enterprise Plus can use hosted S/MIME. Lower tiers need a gateway service or a browser extension.

Practices on any mail plan needing compliance in a solo or small clinic setting default to a gateway service. The cost is the lowest, the setup is the shortest, and the audit trail is built in.

Practices reviewing email decisions alongside the broader patient outreach can pair the choice with a look at healthcare digital marketing services to align intake, messaging, and encryption under a single vendor stack. For the mailbox itself, Mailhippo secure email service covers the loop end to end.

[mh_faqs]

[mh_post_tags]
🔒 Send secure email, free HIPAA-compliant, encrypted email in minutes. No setup, no hassle. Start Free Trial → No credit card required
[mh_categories]
[mh_popular_tags]
[mh_featured_posts]
Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →