Encrypting an email prevents anyone except your intended recipient from reading it, and most email services include a built-in way to do it.
Knowing how to encrypt an email keeps sensitive information out of the wrong hands, whether you are sending client data, financial details, or a private note. Several straightforward methods exist, and the right choice depends on your email provider, your recipient’s setup, and the level of protection you need. Most take just a few clicks once you know where to look.
What Does Email Encryption Actually Do?
Email encryption scrambles the content of your message so only the person with the correct decryption key can read it. Most systems rely on public-key cryptography: the sender encrypts using the recipient’s public key, and the recipient decrypts with their private key.
This is different from TLS (Transport Layer Security), which protects messages while they travel between mail servers but does not prevent the service provider or an intermediary from reading the content. True email encryption protects the message itself, not just the connection.
Encrypting An Email With Microsoft 365: The Built-In Way
If you have a Microsoft 365 Personal or Family subscription, Outlook includes a straightforward encryption button. Compose a new message, open the Options ribbon, and select Encrypt. You can then choose Encrypt for standard protection or Do Not Forward to prevent recipients from sharing what you sent. Microsoft’s support documentation for Microsoft 365 encryption covers the full workflow.
Recipients of an encrypted message may need to sign in or use a one-time passcode to read it. That passcode expires after 15 minutes, so let the person on the other end know to check their inbox promptly.
Setting Up S/MIME For Stronger Protection
S/MIME is a widely used standard for end-to-end email encryption that requires a digital certificate installed in your email client. It works with most major providers and is common in enterprise environments.
To set up S/MIME in classic Outlook for Windows with a PIV certificate, go to File > Options > Trust Center > Trust Center Settings > Email Security. Create a new security setting, select your signing and encryption certificates, set the Hash Algorithm to SHA256, set the Encryption Algorithm to AES 256-bit, and enable Send these certificates with signed messages.
When you are ready to send a signed message, choose Options > Sign. To encrypt, select Options > More Options > Security Settings and check Encrypt message contents and attachments.
What S/MIME Requires From Both Sides
S/MIME only works when both you and your recipient have compatible certificates and have exchanged public keys. Without the recipient’s certificate installed in your system, Outlook cannot complete full end-to-end encryption. This is the single most common blocker. If the person you are emailing does not use S/MIME, you will need a different method. A qualifying Microsoft 365 subscription is also required for encryption features, and S/MIME specifically needs a digital ID configured in Outlook.
Using A Third-Party Tool As An Alternative
If your provider does not offer built-in encryption and S/MIME setup feels like more than you want to take on, third-party services provide a simpler on-ramp. Virtru offers a Chrome plugin that works with Gmail and Outlook. Install the tool, sign in, compose your email as normal, then toggle Protect your message with Virtru. The free personal tier makes this accessible without any subscription. Virtru uses S/MIME under the hood for Gmail’s client-side encryption, so the protection is still standards-based even though the workflow feels like a simple add-on.
Which Encryption Method Should You Use?
| Method | Best For | Key Requirement |
|---|---|---|
| Microsoft 365 built-in Encrypt | One-click protection inside Outlook | Microsoft 365 Personal or Family subscription |
| S/MIME | Standards-based end-to-end encryption | Digital certificate installed on both sides |
| PGP / OpenPGP | Decentralized, platform-independent encryption | Manual key exchange and ongoing key management |
| Virtru (personal tier) | Plugin-based encryption for Gmail and Outlook | Browser plugin and a free account |
| Mimecast / enterprise gateways | Organization-wide encryption policies | Corporate deployment and IT administration |
| TLS (transport only) | Protecting messages in transit between servers | Server-side configuration; not end-to-end |
| SecureZip (federal use) | Encrypting attachments with FIPS 140-2 compliance | FIPS 140-2-compliant software |
Common Encryption Mistakes That Leave You Exposed
Assuming TLS alone counts as full email encryption is one of the most frequent errors. TLS protects the connection between mail servers, not the content of the message itself. Your email provider can still read an unencrypted message sitting in your sent folder or on their servers.
Forgetting that both sides need compatible key setup is another regular blocker. S/MIME and PGP only work smoothly when sender and recipient have exchanged certificates or public keys in advance. Encrypt a message without the recipient having the matching private key, and they will not be able to read it.
Putting sensitive information in the subject line can also undo your protection, especially when using workflows that only encrypt attachments. CMS explicitly warns against referencing confidential data in the subject or body when only the attached files are encrypted.
Keeping Your Keys Safe And Accessible
Lose your private key or certificate, and any message encrypted to that key becomes permanently unreadable. Virtru recommends organizing your keys carefully and creating a backup and recovery plan before you start sending encrypted mail. For S/MIME users, that means keeping a secure copy of your certificate file and noting where it was issued from so you can re-request it if needed.
Quick Setup Reference
| Situation | Best First Step |
|---|---|
| You use Outlook with a Microsoft 365 subscription | Open Options > Encrypt in the compose window |
| You need enterprise-grade encrypted email | Set up S/MIME with a digital certificate |
| You use Gmail or Outlook and want something simple | Install Virtru’s Chrome plugin (free tier available) |
| You need to send encrypted attachments only | Use FIPS 140-2 software like SecureZip |
| You are unsure what method your recipient supports | Start with your provider’s built-in encryption or a portal-based service |
Encrypt Your Next Message In Under A Minute
The best encryption method is the one you actually use. For most people with a Microsoft 365 subscription, the built-in Encrypt button in Outlook is the fastest route to a protected message. If you need stronger assurance or work in a regulated environment, S/MIME provides the standards-based foundation, and third-party tools like Virtru fill the gap when native options fall short. Pick the method that matches your recipient’s setup and send one encrypted email to build the habit.
References & Sources
- Microsoft Support. “Send Encrypted Messages With A Microsoft 365 Personal Or Family Subscription.” Official guide to Outlook’s built-in encryption feature for personal and family plans.