How do I send a secure email in Gmail?

Gmail gives you three different things people call "secure email," and they are not interchangeable. Confidential mode restricts what a recipient can do with a message and is available to everyone. S/MIME signs and encrypts messages between mail clients. Client-side encryption (CSE) encrypts the message body in your browser before it ever reaches Google. The last two require specific Google Workspace editions and an administrator to switch them on.
Quick Takeaways
- Confidential mode is free and available in any Gmail account — but it is a set of restrictions, not encryption.
- Gmail encrypts mail in transit with TLS whenever the receiving server supports it; that happens automatically and protects nothing once the message is delivered.
- Hosted S/MIME is supported on Frontline Plus, Enterprise Plus, and Education Fundamentals, Standard, and Plus.
- Client-side encryption is supported on Frontline Plus, Enterprise Plus, Education Standard, and Education Plus.
- With CSE, the body, inline images, and attachments are encrypted — the subject, timestamps, and recipients are not.
- None of these stop someone impersonating your domain to your customers; that is what DMARC is for.
How do I use Gmail confidential mode?
Compose a message, click the padlock-and-clock Turn on confidential mode icon in the compose toolbar, set an expiration date and a passcode option, then click Save and send as normal.
Confidential mode does two things, per Google's documentation: it disables the options to forward, copy, print, and download the message, and it lets you set an expiration date after which the recipient can no longer open it. You can also revoke access early, before the expiration date arrives. For the passcode, you choose either no SMS passcode — Gmail recipients open the message directly, others get a passcode by email — or an SMS passcode, where every recipient gets one by text.
Google is explicit about the limits. Confidential mode "doesn't prevent recipients from taking screenshots or photos of your messages or attachments," and "recipients who have malicious programs on their computer may still be able to copy or download your messages or attachments." Treat it as a deterrent against casual re-sharing, not as a control that protects genuinely sensitive data from a motivated recipient.
What is Gmail's S/MIME and how do I turn it on?
Hosted S/MIME encrypts and digitally signs messages using paired public and private keys, with your organization holding the private key. It is the interoperable standard most enterprise mail clients understand, so it works with recipients outside Gmail who also use S/MIME.
An administrator enables it from the Google Admin console:
1. Open Gmail user settings in the Admin console. 2. Tick Enable S/MIME encryption for sending and receiving emails. 3. Optionally allow users to upload their own certificates, and upload root certificates for specific domains. 4. Click Save. Changes can take up to 24 hours to apply, after which users reload Gmail.
Two practical constraints: certificates must meet current cryptographic standards and be supplied in PKCS #12 archive format, and users can only upload and manage their S/MIME certificates in Gmail on the web — the mobile Gmail app does not support it. Supported editions are Frontline Plus, Enterprise Plus, and Education Fundamentals, Education Standard, and Education Plus, according to Google's admin guide.
When should I use client-side encryption instead?
Use CSE when the requirement is that Google itself cannot read the content — regulated data, legal work product, anything with a customer-managed-key mandate. With CSE the encryption happens in your browser before the data is transmitted to or stored in Google's cloud.
To send one, per Google's help documentation:
1. Click Compose. 2. Select the Message security icon at the top right. 3. Under Additional encryption, click Turn on. 4. Add recipients, subject, and content, then send.
Know exactly what is and is not covered. Encrypted: the body of the email, including inline images and attachments. Not encrypted: the header, including the subject, timestamps, and recipients. If the subject line itself is sensitive, do not put it in the subject line.
CSE also disables a long list of Gmail features while it is active, including confidential mode, delegated accounts, multi-send, signatures, printing, smart features, and AI products. Attachments and inline images are capped at 5 MB. Google Workspace has extended CSE so that end-to-end encrypted messages can be sent to recipients on other providers, who access the message through a guest account rather than exchanging keys.
What does Gmail encrypt automatically?
Transport encryption, and nothing more. Gmail negotiates TLS with the receiving mail server, so the message is encrypted in transit on that hop. If the receiving server does not support TLS, the message can still be delivered unencrypted.
The gap people miss: TLS protects the message on the wire, not at rest in the recipient's mailbox, and it says nothing about who sent the message. A perfectly TLS-encrypted email can be a forgery. Confidentiality and authenticity are separate problems, which is why email authentication sits alongside encryption rather than replacing it.
Common issues with secure email in Gmail
Why don't I see the confidential mode or Message security icon?
Confidential mode can be disabled organization-wide by an administrator in the Admin console. The Message security icon only appears if your edition supports CSE and an admin has turned it on for your organizational unit. If you are on an unsupported edition, no amount of clicking will reveal it — check your edition first.
Why is my recipient asked for a passcode they never received?
You chose the SMS passcode option and Gmail is texting the phone number you entered, not the one they use. Re-send with the correct number, or switch to the no-SMS-passcode option so Gmail recipients open the message directly and other recipients receive the passcode by email.
Why did my S/MIME setting not take effect?
Admin console changes can take up to 24 hours to propagate, and users must reload Gmail afterwards. If it still fails, the certificate is the usual culprit: it has to be in PKCS #12 format and meet current cryptographic standards, and it must be uploaded through Gmail on the web rather than the mobile app.
Why can't I attach a large file to an encrypted message?
Client-side encryption enforces a 5 MB limit on attachments and inline images. Share the file through Drive with explicit permissions instead, and keep the email itself short.
How does this fit with domain security?
Encryption protects the contents of the mail you send. It does nothing to stop an attacker sending mail as you to your customers, staff, or suppliers — the message they receive is a fresh, unencrypted forgery that never touched your mailbox. That is a DNS problem, solved by publishing SPF, DKIM, and a DMARC policy at enforcement so receiving servers reject anything unaligned. Send yourself a test message and open Show original in Gmail: SPF, DKIM, and DMARC should all read PASS.
For MSPs running this across a client base, Palisade automates the part that does not scale by hand — moving each domain from p=none to enforcement, keeping every legitimate sender aligned so nothing breaks, and turning the DMARC XML reports into something readable. Run any domain through the free Email Security Score to see where it stands before you touch DNS.
Frequently asked questions
Is Gmail confidential mode end-to-end encrypted?
No. It restricts forwarding, copying, printing, and downloading and adds an expiry date. The message is not encrypted end to end, and Google states it cannot prevent screenshots.
Can I send an encrypted email from Gmail to an Outlook user?
Yes, in two ways. S/MIME works with any recipient whose client supports S/MIME and whose certificate you can validate. Google Workspace CSE can also send end-to-end encrypted mail to recipients on other providers, who open it through a guest account. Encrypting from the other direction works too — see sending secure email using Outlook.
Does a personal @gmail.com account support S/MIME or CSE?
No. Both are Google Workspace features tied to specific paid editions and require an administrator to enable them. Personal accounts get confidential mode and automatic TLS in transit.
Does encryption stop phishing?
No. Encryption protects a message you send. Phishing is a message someone else sends. Authentication and filtering handle that side — see what is email spoofing.
Can an admin see the contents of a CSE message?
Not the body. The encryption keys are held in the external key service your organization controls, outside Google. Message headers, including subject and recipients, remain visible.