Gmail uses standard encryption by default, so your messages aren’t private. We explain how to use enhanced encryption in Gmail and the best alternative if you’re looking for genuine privacy.
If you have a free email account from a big provider like Gmail, Outlook, or Yahoo Mail, it’s no secret that your messages aren’t private. The only way to truly secure your emails is by using end-to-end encryption(new window). That way, only you and the recipient of your messages can read them.
Gmail doesn’t offer end-to-end encryption for any of its services. But you can enable stronger encryption to send more secure Gmail messages if you have an eligible paid Google account.
What is email encryption?
Email encryption is a process that encodes a message so that only the intended recipient of the message can read it. The email is encrypted (encoded) into an illegible string of characters called ciphertext(new window).
The only way to read it is to decrypt (decode) it into its original, readable format using a unique encryption key.
Is Gmail encrypted?
Gmail uses TLS (Transport Layer Security)(new window) to encrypt emails by default. That means your messages are secure while in transit, as long as the recipient’s email service supports TLS. But once they arrive, the privacy of your emails depends on what encryption the receiving server uses.
Gmail also holds the encryption keys to your messages. So it can access them and hand over their contents to third parties, like advertisers or governments. Google says it no longer scans emails for advertising purposes(new window) but does scan messages to enable smart features(new window) by default, though you can switch this off.
Gmail offers three ways to send more secure emails, although two of them require specific Google Workspace paid accounts:
- Confidential mode limits options for accessing or sharing a message but doesn’t add stronger encryption. Confidential mode is available for all Gmail accounts.
- Secure/Multipurpose Internet Mail Extensions (S/MIME)(new window) uses public-key cryptography(new window) to encrypt and digitally sign(new window) emails. But first, you need to enable it and upload an S/MIME certificate (private key) to Google’s servers. Furthermore, S/MIME only works with recipients that have enabled it and is only available with certain paid Google Workspace accounts.
- Client-side encryption (CSE)(new window) uses S/MIME but allows you (or your organization’s administrator) to choose an external encryption key service to manage your encryption keys, so Google can’t access them. CSE can only be enabled if you have an eligible Google Workplace enterprise or education account.
Only confidential mode is available for free Gmail accounts, though it does little to make your messages more secure.
How to use Gmail confidential mode
Gmail says confidential mode is a way to protect sensitive emails from unauthorized or accidental sharing. With confidential mode, you can:
- Set an expiration date for a message and revoke access to it later
- Remove options to forward, copy, print, or download messages or attachments
- Require that a verification code (password) be sent by SMS so the recipient has to enter the code to open it
To use confidential mode, click on the icon below in Gmail’s composer window:
Despite its name, confidential mode does little to enhance the security and privacy of your messages:
- When you set an expiration date and messages “expire”, they’re still stored in your Sent folder, so they remain accessible to Google.
- While there are no options to forward, copy, print, or download a message, anyone can easily screenshot it.
- If you want to send a verification code by SMS, you must give Google the recipient’s phone number.
- Messages aren’t end-to-end encrypted, so Google can still access them.
How to send an encrypted email in Gmail (S/MIME or CSE)
You can use S/MIME to encrypt your emails in Gmail, but it’s only available with certain paid Google Workspace enterprise or education accounts. S/MIME allows you to encrypt emails with user-specific keys so that only the intended recipients can decrypt them.
To set up S/MIME, log in to your Gmail administrator account, enable hosted S/MIME(new window), and then reload Gmail. You’ll then need to upload a personal S/MIME certificate from a trusted certificate authority(new window).
While Gmail’s implementation of S/MIME offers stronger encryption, it has several drawbacks:
- Messages aren’t end-to-end encrypted, so Google can still access your emails.
- S/MIME isn’t available by default. You need to get an eligible paid account and have an administrator enable it.
- It only works if the recipient of the email also has S/MIME enabled. There’s no way to send a private email to anyone using a regular Gmail account or any other provider without S/MIME support.
- Unlike PGP(new window), S/MIME has a centralized system of certificate authorities that could be compromised, though this may only matter to you if you’re at high risk of surveillance.
If you have an eligible Google Workplace enterprise or education account, you can also set up client-side encryption (CSE)(new window). CSE lets you choose an external service to manage your encryption keys, so Google won’t have access to them. But you still rely on a third party to generate and store your keys (unless you’re ready to build a custom key service(new window)).
If you want to be sure no one but you and the intended recipient of your email can read it, you need to use end-to-end encryption, like PGP(new window).
Easy way to send an encrypted email
You can enable PGP end-to-end encryption in Gmail using a third-party plugin, like open-source Mailvelope(new window). However, Mailvelope requires some setting up, and you can’t use it on your mobile device.
The easiest way to send a truly secure email is to use Proton Mail, which offers the following and more out of the box:
- End-to-end encryption(new window): Any message you send to someone on Proton Mail is end-to-end encrypted by default. No one except you and your intended recipient(s) can read them.
- Password-protected Emails: Easily send an end-to-end encrypted email to anyone who isn’t on Proton Mail without any technical knowledge.
- Zero-access encryption(new window): No one can access any of your stored emails without your authorization, not even Proton.
- Open-source transparency: All Proton apps are open source and independently audited, so anyone can verify that they’re secure.
- Proton Easy Switch: Transfer and encrypt all your emails and contacts from Gmail to Proton Mail in a few clicks — a simple and secure way to test how encrypted email can work for you.
At Proton, our vision is to make secure email available to everyone, so join us and send an encrypted email for free.
If you’d like to support our vision, sign up for a paid plan. Together, we can build a better internet where privacy is the default.
Gmail encrypted email FAQs
Does Gmail automatically encrypt my emails?
By default, Gmail uses TLS/SSL(new window) to secure your emails while they’re being sent from A to B. However, this encryption only works if your recipient’s email service supports TLS. And once they arrive, the privacy and security of your messages depend on what encryption the receiving server uses to store them.
To send a more secure email, you can enable S/MIME or client-side encryption but only if you have an eligible paid Google Workspace account. If you want to send truly private message with end-to-end encryption(new window), switch to a private email service like Proton Mail.
Is confidential mode in Gmail secure?
No, Gmail’s confidential mode isn’t secure. While it allows you to set an expiration date for an email and to restrict options to forward, copy, print, or download it, anyone can easily screenshot the message. In addition, messages sent in confidential mode aren’t end-to-end encrypted, so Google can still access them.
Learn more about why confidential mode is neither private nor secure(new window).
What is PGP encryption, and how do I set it up in Gmail?
PGP (Pretty Good Privacy)(new window) is an encryption method that’s widely used to secure emails with end-to-end encryption. To use PGP in the Gmail web app, you can install a desktop browser extension, like Mailvelope. But the easiest way to send a PGP-encrypted email is to switch to a private email service, like Proton Mail. With Proton Mail, you can send end-to-end encrypted emails from any device.
Does the person I send an encrypted email to have to install the same encryption tool or extension to decrypt my email?
Typically, if you send an encrypted email to someone, they’ll need to have the same encryption enabled on their device to decrypt it. For example, if you send an email encrypted with S/MIME in Gmail (see how to send an encrypted email above), your recipient will need to have S/MIME enabled. However, if you’re on Proton Mail, you can use a Password-protected Email to send an end-to-end encrypted message to any email address.