Key Takeaways
- Gmail uses TLS by default, which protects emails while they move between servers, but it is not private from Google.
- Confidential Mode is the easiest way to prevent recipients from forwarding or downloading sensitive info, though it isn’t true “encryption.”
- S/MIME provides genuine end-to-end encryption but is reserved for specific Google Workspace paid tiers.
- You can send Confidential Mode emails directly from the iPhone or Android app, but S/MIME requires a desktop setup.
- To truly secure a file, password-protect attachments before uploading them, even when using Gmail’s built-in security features.
Gmail has two built-in ways to protect sensitive emails: Confidential Mode for most users, and Secure/Multipurpose Internet Mail Extensions (S/MIME) for enterprise teams. Whether you are a casual user looking for privacy or a business professional needing enterprise-grade protection, this guide covers each of these methods to send secure email in Gmail across all devices.
What Does “Secure Email” Mean in Gmail?
Before diving into the “how-to,” it is important to understand what security layers Gmail actually uses. “Secure” can mean different things depending on your settings:
- TLS (Transport Layer Security): Gmail uses TLS by default to protect emails while they move between servers, but that does not mean the message is private from email providers themselves.
- Confidential Mode: This is an access-restriction layer. It allows you to set expiration dates and prevents recipients from forwarding or downloading content.
- S/MIME (Secure/Multipurpose Internet Mail Extensions): This is true end-to-end encryption. It ensures that only the intended recipient can decrypt the message. This feature is exclusive to Google Workspace (Business and Enterprise) accounts.
Note: Confidential Mode is not “end-to-end” encryption. While Confidential Mode hides the message from the recipient’s traditional inbox view, Google still technically has access to the data on its servers.
How to Send a Secure Email in Gmail Using Confidential Mode
Confidential Mode is the most accessible way for standard Gmail users to protect sensitive information. It doesn’t “encrypt” the email in the cryptographic sense, but it places the content behind a secure link that you control.
Step-by-Step Instructions:
1. Open Gmail on your desktop and click Compose.
2. In the bottom right of the compose window, click the Toggle Confidential Mode icon (it looks like a clock with a lock).
3. Set an expiration date: Choose how long the recipient has access to the email (from 1 day to 5 years).
4. Set a passcode:
- No SMS passcode: If the recipient uses Gmail, they can open it directly. If they don’t, they’ll be emailed a code.
- SMS passcode: The recipient will receive a code via text message to their phone to open the email.
5. Click Save.
6. Compose your message and hit Send.
What the recipient sees: Instead of the message body, the recipient sees a notice stating the message has arrived via Confidential Mode. They must click a link to view the content in a secure window.
What Is Gmail Confidential Mode?
Gmail Confidential Mode is a security feature designed to keep sensitive information from being shared beyond your intended recipient. It is a popular tool, but many users are unclear on its mechanics.
Technically, when you use Confidential Mode, the message content isn’t sent to the recipient’s server. Instead, it stays on Google’s server, and the recipient is granted “viewing rights.”
Key Features:
- No Forwarding: Recipients cannot forward, copy, print, or download the message or attachments.
- Revoke Access: You can go to your “Sent” folder at any time and click “Remove Access” to lock the email before the expiration date.
- SMS Verification: Adds a layer of Two-Factor Authentication (2FA) to a specific message.
Best Used For: Sending one-time sensitive info like a password or internal company memos. Note its limitation: while it blocks the “Forward” button, it cannot stop a recipient from simply taking a photo of their screen with a smartphone, which recently led to high-profile leaks of “confidential” internal corporate emails.
How to Send Secure Email in Gmail with S/MIME Encryption
If you require high-level compliance (like HIPAA or the General Data Protection Regulation (GDPR)), you need S/MIME. S/MIME is Gmail’s strongest built-in security option because it provides true encryption that only the intended recipient can unlock, assuming both sides are properly set up.
Prerequisites:
- You must have a supported Google Workspace plan.
- S/MIME must be enabled by your IT Administrator in the Admin Console.
- Both you and your recipient must have valid S/MIME certificates exchanged.
Pro Tip: This is the only way to achieve true Gmail end-to-end encryption. For instance, a legal team handling GDPR-sensitive settlement files must use S/MIME because, unlike Confidential Mode, it ensures that not even Google (as the service provider) can access the data; only the parties holding the digital keys can.
How to use it:
1. Start composing a message.
2. Add your recipient.
3. Look for a Padlock icon to the right of the recipient’s name.
- Green: S/MIME encryption is active.
- Grey: The message is protected by TLS (standard).
- Red: No encryption (the recipient’s provider doesn’t support it).
How to Send Secure Email in Gmail on Mobile
You don’t need a laptop to send secure messages. The Gmail app for Android and iOS supports Confidential Mode natively.
1. Open the Gmail app and tap Compose.
2. Tap the three-dot menu (⋮) in the top right corner.
3. Select Confidential mode.
4. Toggle the mode On, set your expiration date, and choose your passcode preference.
5. Tap Save (the checkmark icon) and send your email.
Note: You cannot configure or install S/MIME certificates directly through the mobile app; this must be handled via your desktop browser or by your Workspace Admin.
How to Send Secure Email Attachments in Gmail
While Confidential Mode prevents a user from clicking “Download” on an attachment, it doesn’t encrypt the file itself. If you are sending a highly sensitive document, follow these best practices:
- Password-Protect the File: Before uploading, use a tool like Acrobat or 7-Zip to password-protect the PDF or ZIP file. Send the password via a different communication channel (like a phone call or text).
- Use Google Drive Links: Instead of attaching a file, upload it to Drive and share a restricted link. You can manage who has access and see if they’ve viewed it.
- Combined Approach: Send a password-protected PDF inside a Gmail Confidential Mode email for double-layered security.
How Secure Gmail Works with Email Authentication (SPF, DKIM, DMARC)
Sending a “secure” email involves more than just hiding the content; it involves proving the email actually came from you. This is where email authentication comes in.
Even if you use S/MIME, a cybercriminal could “spoof” your domain to send phishing emails that look like they are from your company. To prevent this, you need three core protocols:
- SPF: Lists which servers are allowed to send mail for your domain.
- DKIM: Adds a digital signature to your emails.
- DMARC: Tells receiving servers what to do (e.g., block the email) if SPF or DKIM fails.
As of late 2024 and heading into 2025, Google and Yahoo have moved to enforce these requirements strictly for bulk senders. If your authentication isn’t set up correctly, even your “secure” emails might end up in the spam folder or be rejected entirely.
How PowerDMARC Helps: Solutions like PowerDMARC simplify this technical setup and help with Google email deliverability. They provide a centralized dashboard to monitor your SPF records and DMARC reports, ensuring your “secure” emails are actually delivered, and your brand identity is protected from spoofing.
Why Can’t Recipients Open My Secure Gmail?
- Confidential Mode is missing: If you are on a work account, your Admin may have disabled this feature. Contact your IT department.
- Recipient can’t open the email: This usually happens if the SMS passcode was sent to the wrong phone number. Ensure you have the correct country code and mobile number for the recipient.
- No Padlock Icon for S/MIME: This indicates that the recipient’s email service does not support S/MIME, or they haven’t shared their digital certificate with you yet (usually done by them sending you a signed email first).
Which Gmail Security Method Should You Use?
Sending a secure email in Gmail is simpler than it appears. If you’re just trying to make sure a sensitive PDF doesn’t live forever in someone else’s inbox, Confidential Mode is the simplest option; it is built in and covers most use cases.
If you’re in a high-stakes industry like healthcare or finance, S/MIME is the way to go for that “impenetrable vault” level of encryption; just keep in mind you’ll need a Workspace account to unlock it. But remember: your email is only as secure as your identity. You can send the most encrypted, self-destructing message in the world, but if a threat actor is spoofing your domain, content-level security alone is insufficient.
Don’t let scammers hide behind your brand name. While Gmail handles the content, PowerDMARC handles the “who’s who.” Our platform makes it easy to set up SPF, DKIM, and DMARC so your emails stay out of the spam folder and your identity stays protected from spoofing. Secure your domain with a 15-day free trial of PowerDMARC today.
Frequently Asked Questions
Is Gmail secure by default?
Yes, but with caveats. Gmail encrypts emails in transit using TLS (Transport Layer Security) by default. This ensures that your messages are protected from being intercepted as they travel between mail servers.
However, Gmail is not end-to-end encrypted by default. Because Google holds the decryption keys, it can technically access your email content to facilitate features like Smart Reply, search indexing, and malware filtering. For higher security, users must opt for Confidential Mode or S/MIME.
Is Gmail end-to-end encrypted?
No. Standard Gmail accounts do not use end-to-end encryption (E2EE). In a true E2EE system, only the sender and recipient have the keys to read the message.
In Gmail, Google acts as a middleman that can “see” the data. The only way to achieve E2EE within the Google ecosystem is via S/MIME (Secure/Multipurpose Internet Mail Extensions). This feature is restricted to specific Google Workspace (enterprise) plans and requires both the sender and recipient to have valid digital certificates.
What is Gmail Confidential Mode, and is it actually secure?
Confidential Mode is an access-control tool, not a high-level encryption tool. It allows you to:
- Set expiration dates for messages.
- Revoke access at any time.
- Disable options to forward, copy, print, or download the email content.
Is it secure? It is effective for preventing accidental sharing or keeping a message from sitting in a recipient’s inbox forever. However, it is not “private” from Google, and a recipient could still take a photo of their screen to bypass the restrictions.
How do I send a secure email in Gmail on iPhone?
To send a secure message using your iPhone:
- Open the Gmail app and tap Compose.
- Tap the three-dot menu (…) in the top right corner.
- Select Confidential mode.
- Toggle it on and set an expiry date and an optional SMS passcode.
- Tap the checkmark and send.
Note: S/MIME encryption settings cannot be managed directly through the iOS app; these must be configured by an administrator via the Google Admin console.
Can I send a secure email in Gmail to someone outside Gmail?
Yes. If you use Confidential Mode, a non-Gmail recipient will receive a link to the message, which they can view in a secure browser window. They may be required to enter an SMS passcode to authenticate.
If you are using S/MIME, the recipient must also have S/MIME configured and a valid certificate. If they do not, the email will automatically “fall back” to standard TLS encryption, meaning it is protected in transit but not end-to-end.
Does Gmail Confidential Mode protect attachments?
Partially. Confidential Mode prevents a recipient from using the “Download” or “Forward” buttons on an attachment within the Gmail interface.
However, because the attachment itself is not encrypted, it is not a foolproof solution for highly sensitive files. For better security, you should:
- Password-protect the file (e.g., a PDF or ZIP) before attaching it.
- Share the file via a Google Drive link with specific “Viewer” permissions and “Disable options to download, print, and copy” enabled in the Drive sharing settings.
- How to Send Secure Email in Gmail: Step-by-Step Guide - April 7, 2026
