How to Encrypt Email: PGP, S/MIME, and Easy Alternatives
Learn how to encrypt your emails using PGP/GPG, S/MIME, Gmail Confidential Mode, Outlook encryption, ProtonMail, and Tutanota. A practical guide for every skill level.

Email was invented in the 1970s — before the internet had security concerns. By default, email travels across the internet in plain text, readable by anyone who intercepts it. It's like sending a postcard instead of a sealed letter.
Encrypting your email fixes this. But with multiple methods available — PGP, S/MIME, built-in encryption features, dedicated providers — choosing the right approach can be confusing.
This guide breaks down every method, from technical to simple, so you can pick what works for your situation.
Why Email Encryption Matters
Without encryption, your email can be read by:
- Your email provider (Gmail, Outlook, Yahoo — they scan content for ads and features)
- Your employer (if using a corporate email server)
- Internet service providers along the route
- Hackers who intercept traffic (man-in-the-middle attacks)
- Government agencies with legal access to provider data
Even "deleted" emails often exist in backups, archives, and multiple server copies.
Method 1: PGP/GPG — The Gold Standard
Pretty Good Privacy (PGP) is the original email encryption standard, created by Phil Zimmermann in 1991. GPG (GNU Privacy Guard) is the free, open-source implementation.
How PGP Works
PGP uses asymmetric encryption with a key pair:
Public Key → Share with anyone (used to encrypt messages TO you)
Private Key → Keep secret (used to decrypt messages you receive)
When you send an encrypted email:
- You encrypt with the recipient's public key
- Only their private key can decrypt it
- Not even you can read the sent message afterward
Setting Up PGP
Option A: Thunderbird (Built-in since version 78)
1. Install Mozilla Thunderbird
2. Go to Account Settings → End-to-End Encryption
3. Generate a new OpenPGP key pair
4. Share your public key with contacts
5. Import contacts' public keys
6. Compose email → click the encryption icon
Option B: GPG Suite (macOS) / Gpg4win (Windows)
1. Install GPG Suite or Gpg4win
2. Generate your key pair
3. Upload your public key to a key server
4. Install the mail client plugin
5. Encrypt/sign emails from your regular client
PGP Pros and Cons
| Pros | Cons |
|---|---|
| Strongest encryption available | Complex setup for non-technical users |
| Decentralized — no trusted third party | Both parties must use PGP |
| Open source and well-audited | Key management is cumbersome |
| Works with any email provider | No encryption of subject line or metadata |
| Free (GPG) | Revoked/expired keys cause confusion |
Method 2: S/MIME — Certificate-Based Encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) uses digital certificates issued by Certificate Authorities (CAs).
How S/MIME Works
Instead of manually exchanging keys (like PGP), S/MIME relies on certificates from trusted CAs:
1. Obtain an S/MIME certificate (from a CA like Sectigo, Comodo, or your organization)
2. Install the certificate in your email client
3. Emails are automatically encrypted when the recipient's certificate is available
4. Digital signatures verify sender identity
S/MIME Pros and Cons
| Pros | Cons |
|---|---|
| Built into Outlook, Apple Mail, Thunderbird | Certificates cost money (free options exist but are limited) |
| Easier than PGP for organizations | Centralized trust (relies on CAs) |
| Automatic key exchange via certificates | Certificate renewal required |
| Good for corporate environments | Less common for personal use |
Method 3: Gmail Confidential Mode
Gmail offers a built-in "Confidential Mode" that provides limited protection.
How to Use It
1. Compose a new email in Gmail
2. Click the lock+clock icon at the bottom
3. Set an expiration date
4. Optionally require an SMS passcode
5. Send
What It Does
- Prevents forwarding, copying, printing, and downloading
- Sets an expiration date for the message
- Can require SMS verification to open
- You can revoke access after sending
What It Does NOT Do
- Does NOT encrypt the email content — Google can still read it
- Does NOT prevent screenshots
- The email is still stored on Google's servers
- Not true end-to-end encryption
Verdict: Privacy theater, not real encryption. Useful for casual use but not for genuinely sensitive information.
Method 4: Outlook Encrypted Email
Microsoft Outlook offers email encryption through Microsoft 365 Message Encryption.
How to Use It
Outlook Desktop:
1. Compose a new email
2. Go to Options → Encrypt
3. Choose encryption level:
   - Encrypt-Only (Microsoft 365)
   - Do Not Forward
   - Confidential
4. Send
Outlook Web:
1. Compose a new email
2. Click the Encrypt button
3. Choose "Encrypt" or "Do Not Forward"
4. Send
Limitations
- Requires Microsoft 365 subscription (Business plans)
- Recipients without Microsoft accounts receive a link to view in browser
- Microsoft can still access the content (not true E2E)
- S/MIME in Outlook requires certificate setup
Method 5: ProtonMail — Built-in E2E Encryption
ProtonMail provides end-to-end encryption without any setup.
How It Works
- Between ProtonMail users: Automatic E2E encryption — zero configuration
- To external recipients: Set a password; recipient opens via encrypted link
- PGP compatible: Can exchange encrypted emails with PGP users
Advantages
- No technical knowledge required
- Encryption is automatic and transparent
- Swiss jurisdiction (strong privacy laws)
- Zero-access encryption — ProtonMail cannot read your emails
- Free tier available
Limitations
- Free accounts limited to 500 MB
- Emails to non-ProtonMail users require the recipient to use a password or PGP
Method 6: Tutanota — Zero-Knowledge Encryption
Tutanota encrypts everything — emails, contacts, calendar, and even subject lines.
How It Works
- Between Tutanota users: Automatic E2E encryption
- To external recipients: Set a password; recipient uses a secure link
- Subject lines are encrypted (unlike PGP and most other methods)
Advantages
- Subject line encryption (unique feature)
- Open source client and server
- No IP logging in standard operation
- Encrypted search
Limitations
- Free accounts limited to 1 GB
- Custom domains require paid plan
- Cannot use with third-party email clients (IMAP/SMTP not supported on free tier)
Comparison Table
| Method | Encryption Type | Setup Difficulty | Cost | Subject Encrypted | Provider Can Read |
|---|---|---|---|---|---|
| PGP/GPG | E2E (asymmetric) | Hard | Free | ❌ | ❌ |
| S/MIME | E2E (certificate) | Medium | Free–$$ | ❌ | ❌ |
| Gmail Confidential | Access control only | Easy | Free | ❌ | ✅ |
| Outlook Encrypt | Transport/DRM | Easy | $$ (M365) | ❌ | ✅ |
| ProtonMail | E2E (automatic) | Easy | Free/Paid | ❌ | ❌ |
| Tutanota | E2E (automatic) | Easy | Free/Paid | ✅ | ❌ |
Which Method Should You Choose?
For maximum security (technical users):
PGP/GPG — decentralized, well-audited, works with any provider. Requires both parties to participate.
For corporate environments:
S/MIME — integrates with Outlook, centralized certificate management, good for organizations.
For everyday encrypted email:
ProtonMail or Tutanota — no setup required, automatic encryption, free tiers available.
For quick protection in Gmail:
Gmail Confidential Mode — better than nothing, but remember it's not real encryption.
When Email Encryption Isn't Enough
Even encrypted email has limitations:
- Email metadata is always exposed — sender, recipient, timestamps, subject line (except Tutanota)
- Encrypted email is still email — it sits in inboxes permanently
- Key management is fragile — lost keys mean lost access to old emails
- The recipient's behavior is uncontrolled — they can screenshot, forward decrypted content, etc.
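An added example (not part of the original article) of the metadata point above: it parses a raw message with Python's standard `email` module, reports whether the body is PGP/MIME, S/MIME or inline PGP, and lists the headers that stay readable. It goes beyond PGP to cover the S/MIME layout as well; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import Message

# Headers every relay and mailbox provider can read, whatever happens to the body.
EXPOSED = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def classify(msg: Message) -> str:
    """Return 'pgp-mime', 's-mime', 'pgp-inline' or 'unencrypted'."""
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol", "")).lower()
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime"                  # RFC 3156 container
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # signed-data is signed only; enveloped-data is the encrypted form
        smime_type = str(msg.get_param("smime-type", "")).lower()
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return "s-mime"
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return "pgp-inline"        # armored block pasted into the body
    return "unencrypted"

def audit(raw: str) -> dict:
    """Report the body protection and the headers an observer still sees."""
    msg = message_from_string(raw)
    return {"protection": classify(msg),
            "exposed": {h: msg[h] for h in EXPOSED if msg[h] is not None}}

# Constructed sample: PGP/MIME layout, placeholder in place of real ciphertext.
SAMPLE_PGP_MIME = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 acquisition terms
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder)
-----END PGP MESSAGE-----
--b1--
"""
```

Calling `audit(SAMPLE_PGP_MIME)` reports `pgp-mime` protection while still returning the sender, recipient and subject, so the same check can flag outbound mail whose subject line carries sensitive detail.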
For sharing information that needs to be truly temporary — passwords, credentials, confidential notes — consider tools designed for ephemeral sharing. LOCK.PUB creates password-protected links that self-destruct after a set time or number of views. Unlike encrypted email, the content doesn't persist anywhere.
Getting Started
- Assess your needs: Are you protecting casual emails or genuinely sensitive data?
- Consider your recipients: Will they set up PGP, or do you need something simpler?
- Start with the easiest option: ProtonMail or Tutanota for most people
- Upgrade as needed: Add PGP for maximum security when communicating with technical contacts
Email encryption isn't all-or-nothing. Even switching to ProtonMail for sensitive conversations while keeping Gmail for everyday use is a meaningful improvement.