Learn about email encryption in Gmail

In Gmail, encryption in transit makes it harder for others to read your email when it travels between you and your intended recipients. If you have a work or school account, additional encryption types may be supported. 

Learn about Gmail encryption types

Transport-layer security (TLS)

Gmail uses TLS by default to encrypt the connection when messages travel between email servers. TLS helps provide privacy and prevents eavesdropping or tampering with emails while in transit. To use TLS, both the sender and the receiver must use email delivery services that support TLS.

In Gmail, emails that use TLS are also known as standard encryption .

Learn more about TLS.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

S/MIME is an additional level of protection that encrypts the message using keys provided by the sender and recipients. S/MIME provides additional privacy by only allowing decryption by the people who possess the encryption keys.

To use S/MIME in Gmail:

  • You need an eligible work or school account.
  • Your administrator must enable S/MIME for your organization.

In Gmail, S/MIME is available as hosted S/MIME or client-side encryption (CSE).

Hosted S/MIME

With hosted S/MIME, messages are encrypted and decrypted using keys hosted within Google. Gmail uses the hosted keys to decrypt messages and provide abuse protections.

In Gmail, emails that use hosted S/MIME are also known as enhanced encryption . Learn more about hosted S/MIME.

CSE

With CSE, messages are encrypted and decrypted using keys managed by your organization. Google never has access to the private keys or the decrypted content of messages. Encryption is handled in a client browser or device before any data is transmitted or stored in Google's cloud-based storage.

In Gmail, emails that use CSE are also known as additional encryption . Learn more about CSE.

Learn how to verify message security

There are two ways to verify message security:

  • On your computer or Android device, when you compose a message, select Message security .
  • When you receive a message, open the recipient details.

Learn how to check message security.

What to do if an email isn’t encrypted

  • If you get a warning that your email isn’t encrypted, or there’s a red lock icon , the recipient may be using an email service that doesn’t support TLS or another encryption type supported by Gmail. Consider removing unencrypted addresses or deleting confidential information from the email before you send it. 
  • If you receive an unencrypted email that contains sensitive content, let the sender know and ask them to contact their email service provider.
  • If you use S/MIME, emails are encrypted in S/MIME whenever possible. To either sign or receive S/MIME-encrypted emails, you need to have a valid S/MIME cert from a trusted root.
Search
Clear search
Close search
Google apps
Main menu
17055677939211414054
true
Search Help Center
true
true
true