[mh_key_takeaways]
Email encryption looks different in every mail client. The button lives in different menus. The recipient sees a different sign-in flow. The license required to unlock it changes by provider tier.
This guide covers how to encrypt email in Outlook, Gmail, Apple Mail, and Yahoo, plus S/MIME certificate setup and hosted alternatives. Where a healthcare team needs a simpler flow, a dedicated secure email service with a BAA in the base plan removes the license tier and portal steps entirely.
Read the sections in order. Each includes the exact click path, the recipient experience, and the license or certificate required to make it work.
The Three Practical Types of Email Encryption
Every encryption option in a mail client falls into one of three buckets. Knowing the bucket helps predict how the recipient will open the message.
TLS handles server-to-server transit. It runs automatically between providers that support it. The sender takes no action. The recipient sees a normal email in their inbox.
S/MIME and PGP encrypt the message body end to end using certificates or keys installed on each side. Setup is per user. Once configured, the flow is one click.
Portal-based encryption from Microsoft or Google routes the message through a hosted page. The recipient clicks a link and signs in or enters a one-time passcode. This adds friction but works with any recipient regardless of their client.
The right choice depends on who the recipient is and whether both parties can maintain certificates.
Encrypting Email in Outlook Step by Step
Outlook 365 and the New Outlook client both use Microsoft Purview Message Encryption behind the Encrypt button.
Compose a new message. On the ribbon, click the Options tab. Click Encrypt. Choose Encrypt-Only for standard protection or Do Not Forward to block forwarding, copying, and printing.
Add the recipient, subject, and body. Attachments inherit the same protection as the message. Click Send.
The Encrypt button requires Microsoft 365 Business Premium, E3, E5, A3, A5, or G3/G5. Business Basic and Business Standard do not include it. The Purview Message Encryption documentation lists every eligible plan.
External recipients receive a notification email with a portal link. They sign in with Microsoft, Google, or a one-time passcode. Related guide: how to encrypt email in Outlook.

Encrypting Email in Gmail and Google Workspace
Gmail offers two encryption paths, each tied to a different plan level.
Confidential Mode is available on all Google accounts, including personal Gmail. In the compose window, click the lock and clock icon at the bottom. Set an expiration date and optional SMS passcode.
Confidential Mode restricts forwarding, copying, and downloading. It does not encrypt the message end to end. Google can still read the content, so it does not meet HIPAA end-to-end requirements on its own.
Hosted S/MIME is available only on Google Workspace Enterprise Plus, Enterprise Standard with add-on, and Education Plus. Admins enable it in the Google Admin console under Apps, Google Workspace, Gmail, User settings.
With hosted S/MIME on, users see a padlock icon in the compose window. Green padlock means encryption is available for the recipient.
Encrypting Email in Apple Mail on macOS and iOS
Apple Mail supports S/MIME natively. Setup happens through Keychain Access.
On macOS, obtain an S/MIME certificate from a public CA or internal PKI. Double-click the .p12 file to import into Keychain. Restart Mail.
When composing a message to a recipient whose public key is in your contacts, a lock icon appears next to the subject line. Click it to toggle encryption on.
On iOS and iPadOS, install the certificate through a configuration profile pushed from an MDM provider or emailed as an attachment. Go to Settings, Mail, Accounts, select the account, then Advanced. Toggle S/MIME on.
Apple Mail S/MIME works only when the recipient also has a certificate installed and their public key is in the sender contact record. Cross-provider encryption to Gmail requires the Gmail recipient to have hosted S/MIME.
[mh_example]
S/MIME Certificate Setup and Exchange
S/MIME needs an X.509 certificate for each user. Certificates come from public CAs like DigiCert, GlobalSign, and Sectigo, or from an internal PKI.
Purchase a personal email certificate matching the user email address. Follow the CA verification steps, which typically involve a validation email and identity check. Download the .p12 or .pfx file.
Install the certificate to the local certificate store on Windows, Keychain on macOS, or the mail client store on mobile. Restart the mail client.
Before the first encrypted send, exchange signed messages with each recipient. Each signed message carries the sender public key, which the recipient client stores in the contact record.
Certificates typically expire after one year. Renewal happens through the CA portal. Expired certificates block new encrypted sends until reissued. Track expirations in a shared calendar.

PGP Encryption for Technical Users
PGP is the alternative to S/MIME. It uses key pairs generated locally instead of certificates issued by a CA. Journalists, security researchers, and open-source maintainers use it heavily.
Install GPG Suite on macOS, Gpg4win on Windows, or OpenKeychain on Android. Generate a key pair with a passphrase. Upload the public key to a keyserver like keys.openpgp.org or share it directly with recipients.
Configure the mail client extension. Enigmail for Thunderbird, GPG Mail for Apple Mail, and Mailvelope for browser-based Gmail all handle PGP encryption per message.
PGP has no central authority. Trust builds through key signing and web of trust models. The learning curve is steeper than S/MIME, which is why most business users skip it.
Healthcare senders rarely use PGP because recipients cannot install extensions on hospital systems. S/MIME or hosted encryption fits the workflow better.
What the Recipient Sees on Each Method
Recipient experience predicts adoption. If opening the message is hard, the sender gets a phone call instead of an acknowledgment.
- TLS encrypted messages appear as normal emails in the inbox. No sign-in step. No portal.
- S/MIME encrypted messages open directly in the recipient mail client provided their certificate is installed. Otherwise the client shows an encrypted attachment icon and refuses to display the body.
- Microsoft Purview Message Encryption sends the recipient a notification email with a link. They sign in with Microsoft, Google, or a one-time passcode.
- Gmail Confidential Mode sends a notification with a Google-hosted link. Non-Gmail recipients enter an SMS passcode if the sender enabled it.
- A dedicated encrypted email service like Mailhippo delivers messages that open with one click, without portals or passcodes on the recipient side.
Practices whose recipients are older patients or busy referring physicians measure the friction cost carefully. One extra step per message compounds across a caseload.
[mh_protip]
Automatic Encryption Rules for Consistent Compliance
Manual clicking depends on staff remembering to encrypt. Rules take that decision out of the sender workflow.
Exchange Online admins create mail flow rules that trigger on subject keywords, sender group, recipient domain, or content matching a sensitive information type. The rule action applies Office 365 Message Encryption automatically.
Google Workspace admins configure content compliance rules under Apps, Google Workspace, Gmail, Compliance. Conditions include predefined data types for medical record numbers, Social Security numbers, and credit card numbers.
Rules cover the gap when workforce members forget to click Encrypt. They also apply to messages sent from mobile devices that lack a ribbon.
Test each rule against a monitored test mailbox before pushing to production. False positives on internal messages create friction that pushes users to send from personal accounts.
HIPAA Requirements Beyond the Encryption Click
Encryption satisfies one HIPAA Security Rule safeguard. Full compliance requires several more.
The practice signs a business associate agreement with the email provider. Microsoft and Google both offer BAAs on eligible plans. Sign it before sending PHI. The HHS Security Rule guidance covers each safeguard.
Additional obligations include workforce training on PHI handling, audit logging on message access, access controls with unique user IDs, sanction policies for violations, and incident response procedures.
A healthcare practice that clicks Encrypt but leaves the BAA unsigned is not compliant. OCR breach investigations routinely surface this gap.
Practices that also run patient-facing websites face parallel obligations. See HIPAA-compliant healthcare website design for the site-side controls that pair with encrypted email.
When a Dedicated Encrypted Email Service Makes Sense
Native encryption in Outlook and Gmail works well for organizations already on the qualifying license tier with dedicated IT staff. Elsewhere, cost and complexity push practices toward a dedicated service.
Small practices on Business Basic or a starter Workspace plan avoid the per-seat cost jump to unlock encryption. Multi-provider teams running Gmail and Outlook side by side avoid maintaining certificates in two ecosystems.
Mailhippo is a HIPAA-compliant email service that works with existing Gmail and Outlook accounts, includes a business associate agreement in the base plan, and delivers encrypted email to recipients without a portal sign-in. TLS plus client-side encryption cover the transmission safeguard without per-recipient S/MIME certificates.
Related guides: how to encrypt an email across clients, how to send encrypted email, and encrypt email for the terminology overview.
Match the method to the workflow. Native buttons for standardized enterprise tenants. S/MIME for internal certificate-managed teams. A dedicated service for practices that want one-click send and one-click open across every recipient.
[mh_faqs]





