In Gmail, encryption in transit makes it harder for others to read your email when it travels between you and your intended recipients. If you have a work or school account, additional encryption types may be supported.
Learn about Gmail encryption types
Gmail uses TLS by default to encrypt the connection when messages travel between email servers. TLS helps provide privacy and prevents eavesdropping or tampering with emails while in transit. To use TLS, both the sender and the receiver must use email delivery services that support TLS.
In Gmail, emails that use TLS are also known as standard encryption.
S/MIME is an additional level of protection that encrypts the message using keys provided by the sender and recipients. S/MIME provides additional privacy by only allowing decryption by the people who possess the encryption keys.
To use S/MIME in Gmail:
- You need an eligible work or school account.
- Your administrator must enable S/MIME for your organization.
In Gmail, S/MIME is available as hosted S/MIME or client-side encryption (CSE).
Hosted S/MIME
With hosted S/MIME, messages are encrypted and decrypted using keys hosted within Google. Gmail uses the hosted keys to decrypt messages and provide abuse protections.
In Gmail, emails that use hosted S/MIME are also known as enhanced encryption. Learn more about hosted S/MIME.
CSE
With CSE, messages are encrypted and decrypted using keys managed by your organization. Google never has access to the private keys or the decrypted content of messages. Encryption is handled in a client browser or device before any data is transmitted or stored in Google's cloud-based storage.
In Gmail, emails that use CSE are also known as additional encryption. Learn more about CSE.
Learn how to verify message security
There are two ways to verify message security:
- On your computer or Android device, when you compose a message, select Message security.
- When you receive a message, open the recipient details.
Learn how to check message security.
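As an added example (not part of the original help page and not Google's code), this Python script reads the two protections described above from a raw message: TLS in transit from the `Received` headers, using the RFC 3848 "with" keywords, and S/MIME from the top-level MIME type, using the RFC 8551 media types. The sample messages, hosts and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Received "with" values that record a TLS-protected hop (RFC 3848, RFC 6531).
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")

def hop_used_tls(received):
    """True if one Received header records delivery over TLS."""
    m = re.search(r"\bwith\s+([A-Za-z0-9]+)", received)
    return bool(m) and m.group(1).upper() in TLS_WITH

def smime_state(msg):
    """Classify the top-level MIME type using the RFC 8551 media types."""
    ctype = msg.get_content_type()
    if ctype in PKCS7_MIME:
        kind = str(msg.get_param("smime-type", "")).lower()
        if kind in ("enveloped-data", "authenveloped-data"):
            return "encrypted"
        return "signed" if kind == "signed-data" else "unknown"
    if ctype == "multipart/signed":
        if str(msg.get_param("protocol", "")).lower() in PKCS7_SIG:
            return "signed"
    return "none"

def classify(raw):
    """Summarise transport and message-level protection for one raw message."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    return {"smime": smime_state(msg), "hops": len(hops),
            "tls_hops": sum(hop_used_tls(h) for h in hops)}

# Constructed sample messages; hosts, ids and dates are placeholders.
SAMPLE_TLS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
        by mx.example.com with ESMTPS id abc123; Mon, 01 Jan 2024 10:00:00 -0800
Content-Type: text/plain

hi
"""
SAMPLE_SMIME = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mx.example.com with ESMTP id def456; Mon, 01 Jan 2024 10:05:00 -0800
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

placeholder-for-encrypted-body
"""

print(classify(SAMPLE_TLS), classify(SAMPLE_SMIME))
```

`Received` headers are written by each relay, so only the ones added by your own provider are trustworthy; earlier ones can be forged by the sender.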
What to do if an email isn’t encrypted
- If you get a warning that your email isn’t encrypted, or there’s a red lock icon, the recipient may be using an email service that doesn’t support TLS or another encryption type supported by Gmail. Consider removing unencrypted addresses or deleting confidential information from the email before you send it.
- If you receive an unencrypted email that contains sensitive content, let the sender know and ask them to contact their email service provider.
- If you use S/MIME, emails are encrypted in S/MIME whenever possible. To either sign or receive S/MIME-encrypted emails, you need to have a valid S/MIME certificate from a trusted root.