How to Encrypt an Email - Step by Step for Gmail, Outlook, and More

Your Emails Are Probably Less Private Than You Think

You would not mail a postcard with your bank details written on it. But standard email works a lot like a postcard — the content is readable by every server it passes through, unless encryption is in place.

The good news: most email today is already encrypted in transit, even if you never configured anything. The bad news: that basic protection has limits, and if you need real end-to-end privacy, you will need to do some setup.

This guide breaks down the three layers of email encryption, explains what each one actually protects, and walks you through setting them up step by step.

The Three Layers of Email Encryption

Not all encryption is equal. Email encryption comes in three forms, each protecting a different part of the chain:

  1. TLS (Transport Layer Security) — Encrypts the connection between email servers. Automatic. Protects email in transit.
  2. S/MIME (Secure/Multipurpose Internet Mail Extensions) — Certificate-based encryption built into Outlook and Apple Mail. Encrypts the message content itself.
  3. PGP/GPG (Pretty Good Privacy / GNU Privacy Guard) — Open-standard encryption using public/private key pairs. Encrypts the message content itself.

Think of it this way: TLS is like an armored truck carrying your mail. S/MIME and PGP are like putting the letter in a locked box inside the truck. The truck protects against highway robbery; the locked box protects against anyone who opens the truck.

Layer 1: TLS - The Encryption You Already Have

TLS encrypts the connection between your email client and your email server, and between email servers when they relay messages. If both the sending and receiving server support TLS (most do), the email is encrypted as it moves across the internet.

What TLS Protects

  • Email content while it moves between servers
  • Your login credentials when you check email

What TLS Does Not Protect

  • Email stored on the server (it is decrypted once it arrives)
  • Email on the recipient's server (their provider can read it)
  • Metadata (who emailed whom, when, subject line)

How to Check If TLS Is Active in Gmail

  1. Open an email you received
  2. Click the small arrow below the sender's name ("Show details" or "to me")
  3. Look for "Standard encryption (TLS)" in the security section
  4. If you see a red open padlock icon, TLS was not used for that message

In Outlook on the web, click the three dots on any email and select "View message details." Look for TLS references in the headers.
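
The header check described above can be scripted. The following is an added example, not part of the original article: it reads the Received headers of a raw message and reports, hop by hop, whether the receiving server recorded TLS. The sample message is constructed, and the function name `audit_hops` is hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic); hosts use reserved example domains.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.example.org with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tTue, 04 Mar 2025 10:15:02 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id 4Zk9;
\tTue, 04 Mar 2025 10:15:01 +0000
Received: from laptop.local (unknown [192.0.2.44])
\t(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
\tby relay.example.com (Postfix) with ESMTPSA id 9Qx1;
\tTue, 04 Mar 2025 10:15:00 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed sample

body
"""

def audit_hops(raw):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Servers prepend Received headers, so reverse them for chronological order.
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+([^\s;]+)", line)
        # RFC 3848 protocol keywords: an "S" after "MTP" (ESMTPS, ESMTPSA) means STARTTLS.
        proto = re.search(r"\bwith\s+([A-Z0-9]*MTP[A-Z]*)\b", line)
        # Gmail-style "version=TLS1_3" or Postfix-style "using TLSv1.3".
        ver = re.search(r"\b(?:version=|using\s+)(TLS[\w.]+)", line)
        name = proto.group(1) if proto else None
        tls = bool(ver) or (name is not None and "S" in name.rpartition("MTP")[2])
        hops.append({"by": by.group(1) if by else None, "protocol": name,
                     "tls": tls, "tls_version": ver.group(1) if ver else None})
    return hops

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Each Received line is written by the server that accepted the message, so hops recorded before the mail reached your own provider cannot be verified. A hop without a TLS annotation may also simply not log it.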

Do You Need to Configure TLS?

No. TLS is configured at the server level, and virtually all major email providers (Gmail, Outlook, Yahoo, iCloud) have it enabled by default. According to Google's transparency report, over 90% of inbound and outbound Gmail messages use TLS.

If you run your own mail server, make sure TLS is enabled and that your certificate is valid and up to date.

Layer 2: S/MIME - Built-In Encryption for Business

S/MIME uses digital certificates to encrypt email content end-to-end. It is built into Outlook, Apple Mail, and iOS Mail, making it the most accessible option for business users.

How S/MIME Works

  1. You obtain an S/MIME certificate from a Certificate Authority (CA)
  2. You install the certificate in your email client
  3. You exchange certificates with people you want to email securely
  4. Your email client encrypts messages using the recipient's public key
  5. Only the recipient's private key can decrypt the message

Setting Up S/MIME in Outlook (Desktop)

  1. Obtain an S/MIME certificate (Sectigo, DigiCert, and Actalis offer free personal certificates)
  2. Double-click the certificate file to install it in your system certificate store
  3. In Outlook, go to File → Options → Trust Center → Trust Center Settings
  4. Click "Email Security"
  5. Under "Encrypted email," click "Settings"
  6. Choose your signing and encryption certificates
  7. Click OK
  8. When composing an email, click Options → Encrypt (or the lock icon)

Setting Up S/MIME in Apple Mail (macOS)

  1. Obtain an S/MIME certificate
  2. Double-click the certificate file — it opens in Keychain Access automatically
  3. Quit and reopen Apple Mail
  4. When composing a message to someone whose certificate you have, a lock icon appears in the toolbar
  5. Click the lock to encrypt the message

The Catch with S/MIME

Both parties need certificates, and you need to exchange them before you can encrypt. This usually happens by sending each other a signed (but not encrypted) email first. Your email client stores the sender's certificate automatically. In practice, S/MIME works well within organizations that issue certificates to all employees, but it is impractical for ad hoc encrypted communication with strangers.

Layer 3: PGP/GPG - The Open Standard

PGP (and its open-source implementation GPG) uses the same public/private key concept as S/MIME but without centralized Certificate Authorities. You generate your own key pair and share your public key however you like.

Setting Up PGP with Thunderbird

Thunderbird has had built-in OpenPGP support since version 78. No plugins are needed.

  1. Open Thunderbird and go to Account Settings
  2. Select your email account, then click "End-To-End Encryption"
  3. Click "Add Key" and choose "Create a new OpenPGP Key"
  4. Select your key type (RSA 4096-bit or ECC are good choices) and an expiration date
  5. Click "Generate key"
  6. To share your public key, go to Tools → OpenPGP Key Manager, right-click your key, and select "Export"
  7. Send the exported public key file to your contacts
  8. Import their public keys through the same Key Manager
  9. When composing a message, click the Security dropdown and select "Require Encryption"

The Catch with PGP

Key management is the hard part. You need to obtain your contact's public key, verify it is genuine (not a fake key published by an attacker), and keep your private key safe. For most people, this is too much friction for everyday email.

What About Gmail Confidential Mode?

Gmail's "Confidential Mode" lets you set an expiration date on emails and prevent forwarding, copying, and downloading. It sounds like encryption, but it is not.

Confidential Mode emails are still stored on Google's servers. Google can read them. The "protection" is an access control layer: the recipient views the email through a special link, and that link expires. It is useful for limiting how long someone can access a message, but it provides zero cryptographic protection of the content.

Do not rely on Confidential Mode if you need actual privacy.

What About Proton Mail?

Proton Mail is an email service built around end-to-end encryption. Emails between Proton Mail users are encrypted automatically with no setup required. Emails to non-Proton users can be encrypted with a shared password.

Proton Mail is a solid choice if privacy is your top priority. The trade-off is that you are locked into Proton's ecosystem for the encryption to work seamlessly, and the free tier has storage limits.

What Encryption Does NOT Protect

Even with full end-to-end encryption (S/MIME or PGP), certain information is always visible:

  • Subject line — Not encrypted by S/MIME or PGP. Never put sensitive information in the subject.
  • Sender and recipient addresses — Visible to every server in the chain. Encryption hides what you said, not who you said it to.
  • Timestamps — When the email was sent and received.
  • Message size — Can sometimes hint at the content (a tiny encrypted email is probably just text; a large one probably has attachments).
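
To make the list above concrete, here is an added example (not from the original article) that parses a message the way any relaying server could and reports what remains readable when the body is PGP/MIME or S/MIME encrypted. The sample message is constructed with a placeholder in place of ciphertext, and the names `scheme` and `observer_view` are hypothetical.

```python
from email import message_from_bytes

# Constructed PGP/MIME message in the RFC 3156 layout; the ciphertext is a placeholder.
SAMPLE = b"""\
From: alice@example.com
To: bob@example.org
Subject: Merger term sheet, draft 3
Date: Tue, 04 Mar 2025 10:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

(placeholder for armored ciphertext)
--b1--
"""

EXPOSED = ("From", "To", "Cc", "Subject", "Date")

def scheme(msg):
    """Identify the end-to-end encryption wrapper from the top-level Content-Type."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "PGP/MIME"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") and \
            msg.get_param("smime-type") in ("enveloped-data", "authEnveloped-data"):
        return "S/MIME"
    return None

def observer_view(raw):
    """What a server handling the message can read without any private key."""
    msg = message_from_bytes(raw)
    return {
        "encryption": scheme(msg),
        "cleartext_headers": {h: msg[h] for h in EXPOSED if msg[h] is not None},
        "size_bytes": len(raw),
    }

if __name__ == "__main__":
    print(observer_view(SAMPLE))
```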

For a deeper comparison of TLS, PGP, and S/MIME, see our detailed encryption guide. And if you want to understand specifically how TLS protects email connections, check out What Is TLS in Email.

Which Encryption Do You Actually Need?

Be honest about your threat model:

  • Normal personal email — TLS is sufficient. It is already active. Your email is encrypted in transit.
  • Business email with sensitive data — Consider S/MIME if your organization can distribute certificates. It integrates smoothly with Outlook and Apple Mail.
  • Journalists, activists, high-risk communications — PGP or a service like Proton Mail. Accept the friction; the protection is worth it.
  • Sending a password to a colleague — Use a password manager's sharing feature or a secure messaging app instead of email.

All Cleanbox connections use TLS to ensure email is encrypted between servers. For content-level encryption like S/MIME or PGP, Cleanbox works alongside any encryption tool — the encrypted message passes through intact because Cleanbox does not modify email content.

The Bottom Line

Email encryption is not all or nothing. Most people already have the baseline protection (TLS) without lifting a finger. If you need more, S/MIME and PGP are available but require effort from both sender and recipient.

The most practical step for most people: make sure you are using an email provider that enforces TLS, be cautious about what you put in email, and use end-to-end encrypted channels (Signal, WhatsApp, or PGP) for truly sensitive communications.
