Learn about email encryption in Gmail

In Gmail, encryption in transit makes it harder for others to read your email when it travels between you and your intended recipients. If you have a work or school account, additional encryption types may be supported. 

Learn about Gmail encryption types

Transport-layer security (TLS)

A static image that shows how TLS works in Gmail. In the image, two people send emails to each other. Each email has a TLS icon on it, which indicates that the emails can't be tampered with while they are in transit to the intended recipients.

Gmail uses TLS by default to encrypt the connection when messages travel between email servers. TLS helps provide privacy and prevents eavesdropping or tampering with emails while in transit. To use TLS, both the sender and the receiver must use email delivery services that support TLS.

In Gmail, emails that use TLS are also known as standard encryption .

Learn more about TLS.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

A static image that shows how S/MIME works in Gmail. In the image, two people send emails to each other. Each person has a key in their hands, which indicates that they can encrypt and decrypt the mesages.

S/MIME is an additional level of protection that encrypts the message using keys provided by the sender and recipients. S/MIME provides additional privacy by only allowing decryption by the people who possess the encryption keys.

To use S/MIME in Gmail:

  • You need an eligible work or school account.
  • Your administrator must enable S/MIME for your organization.

In Gmail, S/MIME is available as hosted S/MIME or client-side encryption (CSE).

Hosted S/MIME

With hosted S/MIME, messages are encrypted and decrypted using keys hosted within Google. Gmail uses the hosted keys to decrypt messages and provide abuse protections.

In Gmail, emails that use hosted S/MIME are also known as enhanced encryption . Learn more about hosted S/MIME.

CSE

With CSE, messages are encrypted and decrypted using keys managed by your organization. Google never has access to the private keys or the decrypted content of messages. Encryption is handled in a client browser or device before any data is transmitted or stored in Google's cloud-based storage.

In Gmail, emails that use CSE are also known as additional encryption . Learn more about CSE.

Learn how to verify message security

There are two ways to verify message security:

  • On your computer or Android device, when you compose a message, select Message security .
  • When you receive a message, open the recipient details.

Learn how to check message security.

What to do if an email isn’t encrypted

  • If you get a warning that your email isn’t encrypted, or there’s a red lock icon , the recipient may be using an email service that doesn’t support TLS or another encryption type supported by Gmail. Consider removing unencrypted addresses or deleting confidential information from the email before you send it. 
  • If you receive an unencrypted email that contains sensitive content, let the sender know and ask them to contact their email service provider.
  • If you use S/MIME, emails are encrypted in S/MIME whenever possible. To either sign or receive S/MIME-encrypted emails, you need to have a valid S/MIME cert from a trusted root.
Search
Clear search
Close search
Google apps
Main menu
782877034403003428
true
Search Help Center
true
true
true
true
true
17
false
false