S/MIME is used to support enhanced encryption in transit, and automatically encrypts your outgoing emails if it can.
Important:These steps only work if you have S/MIME enabled on your account.
Check whether a message that you're sending is encrypted
- In Gmail, start composing a message.
- In the 'To:' field, add your recipients.
- To the right of your recipients, you'll see a lock icon that shows the level of encryption that is supported by your message's recipients.
- If there are multiple users with various encryption levels, the icon will show the lowest encryption status.
- To change your S/MIME settings or learn more about your recipient's level of encryption, select the lock
View details.
View details.Check whether a message that you've received is encrypted
- In Gmail, open a message.
- On an Android phone or tablet: Tap View details
- On an iPhone or iPad: Tap View details.
- On an Android phone or tablet: Tap View details
- To check the level of encryption that was used to send the message, find the lock icon.
Learn what the encryption icons mean
When you send or receive messages in Gmail, a lock icon indicates the level of encryption for the message. The colour of the icon changes based on the level of encryption.
- Green (S/MIME enhanced encryption)
: Suitable for your most sensitive information. S/MIME encrypts all outgoing messages if we have the recipient's public key. Only the recipient with the corresponding private key can decrypt this message.
- Grey (TLS – standard encryption)
: Suitable for most messages. TLS (Transport Layer Security) is used for messages exchanged with other email services which don't support S/MIME.
- Tip: TLS support is not guaranteed. Support is inferred from past communications with the email service.
- Red (no encryption)
: Unencrypted mail which is not secure. Past messages sent to the recipient's domain are used to predict whether the message you're sending won't be reliably encrypted.
: Suitable for your most sensitive information. S/MIME encrypts all outgoing messages if we have the recipient's public key. Only the recipient with the corresponding private key can decrypt this message.
: Suitable for most messages. TLS (Transport Layer Security) is used for messages exchanged with other email services which don't support S/MIME.
: Unencrypted mail which is not secure. Past messages sent to the recipient's domain are used to predict whether the message you're sending won't be reliably encrypted.Learn about the red lock icon
If there's a red lock icon when you a write a message, consider removing unencrypted addresses or deleting confidential information. To find which address is unencrypted, select View details.
If you receive a message with the red lock icon and the message contains sensitive content, let the sender know and they can contact their email service provider.
Find out more about encryption
If the person who you're emailing is using an email service that doesn't encrypt all messages using S/MIME or TLS, their emails might not be secure. However, messages are encrypted in S/MIME whenever possible.
For S/MIME to work, to either sign or receive S/MIME-encrypted emails, a user must have a valid S/MIME cert from a trusted root.
Important: A message can't be decrypted if the user's key isn't uploaded when the message is delivered. Learn more about uploading certificates.
S/MIME is a long-standing protocol which allows encrypted and signed messages to be sent using standard email delivery SMTP.
It uses public key cryptography to:
- Encrypt the message on send and decrypt the message on receipt with a suitable private key to keep message content private.
- Sign on send and verify the signature on receipt to authenticate and protect integrity.
Opportunistic TLS (STARTTLS) is a protocol that helps provide privacy between communicating applications and their users during email delivery. When a server and client communicate, TLS ensures that no third party can overhear or tamper with any messages.
For delivery TLS to work, the email delivery services of both the sender and the receiver must always use TLS.