Your step-by-step guide to sending encrypted email via Gmail, Outlook, and Mac Mail
News of cyber attacks and data breaches is continually making headlines. Sometimes these breaches are the result of phishing attacks and poor employee email practices; other times they occur because sensitive information is left unprotected, is sent over insecure channels, or a business fails to meet regulatory cyber security requirements. This is why strengthening your email security protections is vital to the safety and success of your company and its customers.
Choosing the best way to accomplish this goal can be challenging. Of course, you can (and should) provide cyber security awareness training to your employees to teach them email security best practices (using strong passwords, not sending sensitive business or customer data over insecure channels, etc.). But that's only one piece of the puzzle; employee training shouldn't be your only solution.
Beyond training, the next best way to protect your sensitive data is to use email encryption and identity verification, which is what email signing certificates provide. After all, every unencrypted email you send with sensitive information (personal information, financial data, product specs, etc.) can be read by anyone who gets hold of it in transit or on a mail server, which leaves your business and customers at risk.
Not sure how to secure email with digital signing certificates so your messages can’t be read by unintended third parties? No worries. We’ll break down the process for how email signing and encryption certificates work and how you and your organization can send encrypted email communications using them on different email platforms.
Let’s hash it out.
How to Secure Email Using S/MIME Email Encryption Certificates
Depending on your country and industry (finance, retail, eCommerce, healthcare, and so on), you may face stringent data protection requirements, and in many cases encrypting email is how you meet them. (HIPAA, for its part, lists encryption as an "addressable" implementation specification under the Security Rule's technical safeguards: you must either implement it or document why an equivalent alternative is adequate.) Staying compliant not only helps you protect your business, it also helps you avoid the fines and lawsuits that stem from noncompliance.
Companies use different methods to encrypt their email: transport layer security (TLS), Pretty Good Privacy (PGP), encrypted email services such as ProtonMail, third-party and native browser and email client plugins and extensions, etc. Each of these methods has pros and cons:
- TLS encrypts the connection between mail servers (and between your client and its server) but not the message itself. Every server along the path sees the plaintext, and once the message lands in the recipient's mailbox it sits there unencrypted. Server-to-server TLS is also usually opportunistic, so it can be absent or downgraded when the next hop doesn't support it.
- PGP is clunky to use, and its implementations have historically had flaws that led to security vulnerabilities.
- Encrypted email services such as ProtonMail provide end-to-end encryption automatically only between accounts on the same service (e.g., @protonmail.com); reaching outside addresses requires a workaround such as a shared password for a web-hosted message, which makes them impractical for a lot of businesses.
Another popular email encryption method is the use of S/MIME certificates (S/MIME stands for Secure/Multipurpose Internet Mail Extensions). These certificates let your mail client:
- Encrypt your emails so they can't be read by unintended third parties.
- Digitally sign your emails so recipients can verify the sender's identity and detect any tampering with the content.
The encryption happens in your mail client before the message is handed to a mail server or crosses the internet, so neither the servers along the way nor anyone who intercepts the message can read it.
Is S/MIME perfect? No. The downside is that an S/MIME certificate, together with its private key, first has to be installed in the email client on each computer or device you send from. In the past, this was done manually. However, using a zero-touch S/MIME solution to automate the issuance and deployment of S/MIME certificates makes managing multiple (or hundreds of) these digital certificates for your business simple. Such a solution also helps you ensure that your certificates are renewed before they expire.
How S/MIME Works
We've previously discussed what S/MIME is and how it works at length, so we won't go into depth about that here. But here's a quick recap to refresh your memory: TLS (or its predecessor SSL) encrypts the connection between mail servers, which protects your email while it's in transit. S/MIME, on the other hand, protects the message itself, both in transit and at rest, using public key cryptography. In practice it is a hybrid scheme: your mail client generates a random symmetric key, encrypts the message body and attachments with it, and then encrypts that key with your recipient's public key (taken from their certificate). Only the recipient's matching private key can unwrap the symmetric key and decrypt the message.
Note: For S/MIME encryption to work, both you (the sender) and your intended recipient need S/MIME set up, and you need the recipient's certificate (their public key) to encrypt a message that only they can decrypt. A simple way to exchange keys is to send each other a digitally signed email before sending anything encrypted. A signed message carries the signer's certificate, and your mail client stores it (Apple Mail does this automatically; Outlook asks you to save the sender to your contacts first), so each of you ends up with the other's public key for encrypting emails.
Essentially, the difference between TLS and S/MIME is the difference between securing your channel (data in transit) and protecting the message itself (data at rest as well as in transit). Consider the following analogy:
- Protecting data in transit is like speaking normally (sending a plaintext communication) over a secure, encrypted phone line. This is great for keeping man-in-the-middle (MitM) attackers out of the communication channel. But what if someone has infiltrated your office and is hiding in the cubicle next to yours?
- Protecting the data itself, on the other hand, is like speaking in code over an ordinary, unencrypted phone line. Even an attacker who breaks into your office (or reads the message off a mail server) gets nothing useful, because they lack your intended recipient's private key.
Email encryption protects the body and attachments of your message before it ever reaches a mail server, and they stay encrypted until the recipient holding the private key opens them. (The headers, including the subject line and the sender and recipient addresses, remain in the clear so the mail can be routed, so don't put secrets in the subject.) So rather than only protecting the communication channel, you're protecting the message itself.
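Here is the exchange just described driven end to end with the OpenSSL command-line tool, as an added example that is not part of the original article. It assumes two constructed identities, Alice (alice@example.com) and Bob (bob@example.com), and uses self-signed certificates in place of CA-issued S/MIME certificates, so Bob's trust anchor is Alice's own certificate rather than a CA's. Everything else mirrors what a mail client does: Alice signs with her private key; Bob verifies the signature and keeps the certificate it carries, checks that it is an S/MIME certificate for Alice's address, and encrypts to it; Alice decrypts with her private key. It also shows that a tampered signed message fails verification and that the encrypted message reveals nothing of the plaintext.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the S/MIME flow above, driven
# with the OpenSSL CLI. Alice, Bob and their addresses are constructed identities;
# their self-signed certificates stand in for CA-issued S/MIME certificates.
set -eu

# Create a key pair and certificate for one party. A CA would normally issue the
# certificate; self-signing keeps the demo offline. Needs OpenSSL 1.1.1+ (-addext).
make_identity() {                      # $1 = output path prefix, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=${1##*/}/emailAddress=$2" \
    -addext "subjectAltName=email:$2" \
    -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}

# What a mail client checks before encrypting to a certificate: it must be marked
# for email protection and carry the recipient's address. Returns 1 otherwise.
check_smime_cert() {                   # $1 = certificate file, $2 = expected address
  local ext
  ext="$(openssl x509 -in "$1" -noout -ext extendedKeyUsage,subjectAltName)"
  printf '%s\n' "$ext" | grep -q 'E-mail Protection' || return 1
  printf '%s\n' "$ext" | grep -q "email:$2" || return 1
}

# Full exchange: Alice signs, Bob verifies and keeps her certificate, Bob encrypts
# to it, Alice decrypts. Prints one status line per property that holds.
smime_demo() {
  local w msg
  w="$(mktemp -d)"
  msg="Wire transfer of 1,000 EUR to account 42 approved."   # constructed plaintext
  printf '%s\n' "$msg" > "$w/msg.txt"
  make_identity "$w/alice" alice@example.com
  make_identity "$w/bob"   bob@example.com

  # Step 1: Alice sends a digitally signed message. The signature is made with her
  # private key; the signed message carries her certificate, i.e. her public key.
  openssl smime -sign -text -in "$w/msg.txt" -out "$w/signed.eml" \
    -signer "$w/alice.crt" -inkey "$w/alice.key"

  # Step 2: Bob verifies against a trust anchor (the issuing CA in practice; Alice's
  # self-signed cert here) and saves the signer certificate found in the message.
  if openssl smime -verify -text -in "$w/signed.eml" -CAfile "$w/alice.crt" \
       -signer "$w/alice_received.crt" -out "$w/verified.txt" 2>/dev/null; then
    echo signature_verified
  fi
  [ -s "$w/alice_received.crt" ] && echo certificate_extracted

  # A modified body must fail verification: the signature covers the content.
  sed 's/1,000/9,000/' "$w/signed.eml" > "$w/tampered.eml"
  if ! openssl smime -verify -text -in "$w/tampered.eml" -CAfile "$w/alice.crt" \
       -out /dev/null 2>/dev/null; then
    echo tampering_detected
  fi

  # Step 3: Bob checks the received certificate and encrypts to it. Only the holder
  # of the matching private key (Alice) can decrypt. A cert for another address
  # would be refused, just as a mail client refuses it.
  check_smime_cert "$w/alice_received.crt" alice@example.com && echo recipient_cert_ok
  check_smime_cert "$w/alice_received.crt" bob@example.com || echo address_mismatch_rejected
  openssl smime -encrypt -aes256 -in "$w/msg.txt" -out "$w/encrypted.eml" \
    "$w/alice_received.crt"
  grep -qF 'Wire transfer' "$w/encrypted.eml" || echo ciphertext_hides_plaintext

  # Step 4: Alice decrypts with her private key; a mail server in between could not.
  openssl smime -decrypt -in "$w/encrypted.eml" -recip "$w/alice.crt" \
    -inkey "$w/alice.key" -out "$w/decrypted.txt"
  tr -d '\r' < "$w/decrypted.txt" | grep -qF -- "$msg" && echo decrypted_matches_original

  rm -rf "$w"
}

smime_demo
```

Run it with bash on a system with OpenSSL 1.1.1 or later. Look at `encrypted.eml` before it is cleaned up if you want to see the point about headers: `openssl smime` wraps the ciphertext in a MIME message whose headers are readable, and a mail client behaves the same way, so the subject and addresses of an S/MIME-encrypted email are never protected.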
Step by Step: How to Send Encrypted Email on Three Mail Clients
Regardless of which email client or platform you use, the first step to using S/MIME is getting an email encryption certificate, which you can purchase directly from a certificate authority (CA) or a reputable reseller. The next step is installing the certificate, together with its private key, in your email client or platform.
Seeing as how S/MIME certificates are kind of what we do (along with providing other digital security solutions such as SSL certificates, PKI management platforms, etc.), we've already written articles on how to install these certificates on Outlook for Mac and Windows systems. For explicit directions on how to install these certificates, check out these Apple- and Windows-focused articles.
Assuming that you already have these certificates installed, we'll move on to our step-by-step directions for how to send encrypted email in the following three mail clients: G Suite (Gmail), Outlook 2016, and Apple Mail.
How to Send an Encrypted Email in Gmail
Although Google promised end-to-end email encryption for Gmail users nearly five years ago, the internet giant has yet to follow through. For a period, G Suite sold and supported Zix's Google Apps Message Encryption (GAME) as its own form of email encryption. However, since April 30, 2018, Google no longer sells or supports the service. The good news? Businesses using G Suite can use S/MIME. The catch? It's hosted S/MIME, which means that Google holds clients' S/MIME certificates and the corresponding private keys on its servers and performs the signing, encryption and decryption there. That is convenient, but it also means the protection does not extend to Google itself.
G Suite comes in Basic, Business, and Enterprise editions. Google's site shows that all three use TLS between mail servers. However, only Enterprise edition users (G Suite Enterprise and G Suite Enterprise for Education) can take advantage of hosted S/MIME.
You'll need to enable S/MIME in the Google Admin console and upload your certificate, with its private key, to Google's servers. Once this is done, you can encrypt and digitally sign your outgoing emails in G Suite (Enterprise or Enterprise for Education) by doing the following:
- Create a new email and write out your message, add attachments, add a recipient, etc.
- In the top-right corner of the message window (next to Cc and Bcc), click the padlock icon.
- Click View Details to see whether your recipient has encryption enabled or to change your S/MIME settings. If Gmail has no certificate for a recipient, it can't encrypt to them; ask them to send you a signed message first.
- Select Settings.
- Click Enhanced Encryption (with digital signature) and select OK.
- Hit Send.
How to Send an Encrypted Email in Outlook 2016
Encrypting a single email, or all outgoing messages, is a straightforward process in Outlook. Once you've installed your certificate, there's really nothing to it. To encrypt every outgoing message by default, go to File > Options > Trust Center > Trust Center Settings > Email Security and tick "Encrypt contents and attachments for outgoing messages" (and, if you like, "Add digital signature to outgoing messages").
To encrypt an individual outgoing email in Outlook 2016:
- Create a new email and write out your message, add attachments, etc.
- Select the Options tab.
- Select the Encrypt dropdown from the ribbon.
- Click Encrypt with S/MIME. (If your version of Outlook has no Encrypt dropdown, open the Options tab's More Options dialog, click Security Settings, and tick "Encrypt message contents and attachments" instead.)
- Add your recipient's name and a subject line in the corresponding fields.
- Hit Send.
... And that's it. It's really that simple. The one thing Outlook can't do for you is conjure up a recipient's certificate: if you haven't saved a signed message from them to your contacts, it will tell you it can't encrypt to that address.
Mac Mail Encryption: How to Send Encrypted Email in Mac Mail
Don't worry, Apple users, we haven't forgotten about you. The great news for Apple users who wish to increase their email security is that Apple Mail supports S/MIME right out of the box. This means that when you purchase and install an S/MIME certificate, you don't have to jump through a bunch of hoops to use it. Apple really makes it easy.
Once you import the certificate and its private key (usually a .p12 or .pfx file) into your login keychain with Keychain Access and reopen Mail, Mail picks the certificate up for the matching email address and enables digital signing and the option to encrypt. There is no configuration outside of the Keychain Access utility; you simply toggle signing and encryption per message. As always, encryption requires the recipient's certificate, which Mail stores in your keychain automatically when that person sends you a signed message.
What this means is that to send an encrypted and digitally signed email using Apple Mail:
- Open Apple Mail and create a new message, then add your recipient.
- To the right of the subject field, two icons appear: a checkmark (digital signature) and a padlock (encryption).
- The checkmark is selected by default, meaning the message will be signed with your certificate; click it if you want to toggle signing off or on.
- Click the padlock to encrypt the message. It is only clickable when Mail holds a valid certificate for every recipient; if it stays greyed out, you are missing a recipient's certificate and should ask them for a signed email first.
- Write the content of your email and add any attachments.
- Hit Send.
It doesn’t get much easier than that.
Email signing and encryption are a must for businesses in a digital world. Every day, major companies make headlines by falling prey to phishing scams, and small businesses aren't safe from these attacks, either. We can honestly say that we don't want to see your business in one of the next related headlines.
Not seeing these options in your email client? That may be because you still need to purchase and install an S/MIME certificate, or because the installed certificate doesn't match the address you're sending from (mail clients only offer signing and encryption for an address that appears in the certificate). Without a matching certificate, you won't have access to the email signing and encryption capabilities we discussed in this article. Whether you're a small or midsize business (SMB) or a large corporation, our team can help you find the right certificate to meet your needs. Hit us up with any questions or to learn more.
Have insights or questions about this topic? Feel free to share them below.