The font size on my phone is so large that anyone within a five-mile radius can read my messages, and honestly, I'm not overly concerned about people seeing all the Wallace & Gromit memes.
But when it comes to sending financial, health, or other sensitive information via email, encryption is a security measure I can get on board with. Encryption essentially scrambles your message so unauthorized users can't access it, keeping personal details like your address or banking information away from bad actors.
If you're ready to keep prying eyes off your private emails, here's how to send encrypted emails in Gmail, step by step.
Table of contents:
Is Gmail encrypted?
Yes, Gmail automatically implements Transport Layer Security (TLS) encryption. This functions like a secure tunnel for your message while it travels between email servers. It's protected during transit, but once it reaches the recipient's mail server, it's out in the open again.
Certain Google Workspace users on paid accounts have access to S/MIME encryption. This encrypts the email content itself, not just while it's moving between servers, for stronger protection. But it still isn't fully end-to-end, meaning Google itself still has access. No, Google isn't just reading your emails for funsies but they could technically access the email if they were legally required to by a warrant, for example.
Keep in mind that neither encryption type works if the recipient's email server doesn't use the same level of encryption. Most email servers at least use TLS encryption, but it isn't a 100% guarantee.
What is confidential mode in Gmail?
Gmail also offers "confidential mode," including on free accounts. Despite its name, it doesn't actually encrypt your emails. But it does add restrictions to how recipients can interact with your emails, so it's better than nothing.
For instance, it prevents someone from casually forwarding your not-so-casual information. Your emails are also guarded in the event the recipient's account is compromised by a bad actor.
When you send an email in confidential mode, you can prevent your messages from being downloaded, copied, forwarded, or printed.
You can also require the recipient to verify their identity via an SMS passcode before accessing the email, or set an expiration date for the email, after which it'll no longer be accessible to the recipient.
The feature is an easy security upgrade, but keep in mind:
The message isn't end-to-end encrypted, so Google still has access to it.
Even after the message expires, it doesn't disappear completely. You can still find it in your Sent folder.
The recipient can still screenshot or take a photo of your message (though this is true for any level of encryption).
How to send an encrypted email in Gmail
If you have one of the following types of Google Workspace account, you can upgrade your email security from TLS encryption to S/MIME encryption: Enterprise Plus, Education Fundamentals, Education Standard, Teaching and Learning Upgrade, or Education Plus account.
Keep in mind that you'll have to purchase an S/MIME certificate for every user in your organization. This is a one-time purchase from a Certificate Authority (CA). You'll provide the CA with your organization's domain name, contact information, and location to generate a Certificate Signing Request (CSR). Once the CA validates your request, they'll issue the certificate (which comes with a unique passcode).
Once you've obtained the S/MIME certificate(s), here's how to implement it in Gmail:
Log in to Gmail with your admin account.
Click the hamburger icon in the top-left corner.
Click Apps, then Google Workspace > Gmail.
In the Gmail settings dashboard, click User settings.
Scroll down to S/MIME. Check Enable S/MIME encryption for sending and receiving emails.
Check Allow users to upload their own certificates.
From there, each user will have to upload their own (unique) S/MIME certificate. In Gmail, they'll need to:
Reload Gmail (to be sure the new settings are up to date).
Click Settings, then See all settings.
Click the Accounts tab.
Next to Send mail as, click Edit info.
Click Upload a personal certificate.
Select the certificate (a .pfx or .p12 file sent from the CA), and click Open.
Enter the password for the certificate. This will be sent separately from the certificate in a secure SMS message, email, or link.
Click Add certificate.
To start exchanging S/MIME messages, users typically need to exchange their public keys with one another. Keys are included with a S/MIME certificate and ensure only the intended recipient with a corresponding key can decrypt and read the message. But Gmail handles the key exchange automatically for you in the background. Once you've enabled your S/MIME certificate, you're set.
How to turn on confidential mode in Gmail
Confidential mode is for any type of Google Workspace account, but like S/MIME encryption, it has to be enabled by an organization's admin.
Log in to Gmail with your admin account.
Click the hamburger icon in the top-left corner.
Click Apps, then Google Workspace > Gmail.
In the Gmail settings dashboard, click User settings.
Scroll down to Confidential mode. Mine was automatically enabled, but if it's not, check Enable confidential mode, then hit Save.
Now users sending emails from your domain have the option to use confidential mode.
How to use confidential mode in Gmail
If your organization enabled confidential mode and you want to stop getting passive-aggressive messages from IT, here's how to turn it on.
Start a new message in Gmail.
Click the lock icon at the bottom of the message.
Choose the date you want your email to expire, and decide whether you want to add password protection. If you check SMS passcode, Google will send the recipient a text with a code to access the email.
Click Save. If you chose SMS passcode, you'll also need to provide the recipient's phone number.
Send your message.
Here's what the recipient's message will look like before they're sent the SMS passcode.
After the recipient provides the passcode (or if no passcode was required), this is what the confidential email will look like on their end.
How to see if an email is encrypted in Gmail
To check if an email you've sent has been encrypted, you'll need a Google Workspace account—it won't work on free accounts.
To check if your message is encrypted:
Log in to your Gmail account.
Start a new message.
In the To field, enter the recipient's email address.
To the right of the recipient, hover over the lock icon. You'll see the following message depending on the type of encryption:
Standard encryption: TLS
Enhanced encryption: S/MIME
No encryption: Not encrypted or encryption type unrecognized
You can check messages you've received with any type of account:
Log in to Gmail.
Open a message.
Click the down caret next to the recipient.
Next to security, you'll be able to see the encryption type.
Third-party email encryption tools
Google only lets you use the highest encryption levels if you're paying the big bucks. If you're not an enterprise or educational organization but want extra security, here are some third-party browser extensions and Gmail plugins to check out:
FlowCrypt: This browser extension adds a secure compose button to Gmail using Pretty Good Privacy (PGP) encryption.
Mailvelope: Also utilizing PGP encryption, Mailvelope is an open source browser extension.
Virtru: Beyond end-to-end encryption, Virtru offers a Gmail plugin that lets you revoke messages and add watermarks.
SendSafely: This tool focuses on secure file transfer but also offers user-friendly email encryption.
Just make sure you thoroughly vet any app you give permissions to so you don't create more of a security risk than you solve.
Automate your inbox with Zapier
If you spend enough time in your inbox that you need extra encryption, you also need automation. With Zapier's Gmail integrations, you can automate tasks like saving new Gmail attachments to Google Drive, moving emails to the correct folders, or uploading new Zoom recordings to Google Drive and sending notifications via Gmail. That way, you can spend less time sorting through your inbox and more time on the work that truly matters.
Learn more about how to automate Gmail, or get started on one of these pre-made templates.
More details
More details
Zapier is the leader in workflow automation—integrating with thousands of apps from partners like Google, Salesforce, and Microsoft. Use interfaces, data tables, and logic to build secure, automated systems for your business-critical workflows across your organization's technology stack. Learn more.
Gmail encryption FAQ
Can I encrypt an email in Gmail?
You can encrypt an email in Gmail with a Google Workspace account. If you skipped this whole post and went straight to the FAQ, scroll up: you can send S/MIME-encrypted emails by enabling them in the admin settings.
How do I send an encrypted email?
If you have an Enterprise or Education Google Workspace account, you can turn on the option to send S/MIME-encrypted emails by accessing Gmail user settings with your admin account. From there, you can enable S/MIME encryption. Otherwise, you can use a third-party encryption tool like FlowCrypt or Mailvelope.
Is Gmail confidential mode encrypted?
No, Gmail's confidential mode doesn't encrypt your emails. It only restricts how the recipient can interact with your email.
How do I make my Gmail safe?
To level up your Gmail security, start with strong, unique passwords and enable two-factor authentication. Consider using a password manager to securely store your credentials. For sensitive emails, use a third-party encryption tool or Gmail's confidential mode.
Related reading:
