How to send a secure email with Gmail in 2026?
Nicolas,
Gmail is the most widely used email service in the world with over 1.8 billion users. While Google automatically encrypts emails in transit via TLS, this level of protection remains insufficient for truly confidential communications. In 2026, Gmail offers several methods to strengthen the security of your outgoing messages — here is how to use them according to your needs.
What Gmail protects by default
By default, Gmail encrypts all emails in transit via the TLS (Transport Layer Security) protocol when the recipient's server supports it. This means the message is encrypted between servers, but Google can technically access it on its own servers. TLS protects against interception in transit, but not against access from Google's or the recipient's servers.
A padlock icon in the Gmail interface indicates that TLS encryption is active for the sending. If the padlock is red or absent, the recipient's server does not support TLS.
Method 1: Gmail confidential mode
Gmail's confidential mode allows sending messages with additional access restrictions. It is available for all Gmail accounts, free and professional.
Confidential mode features:
- Set an expiry date for the message (1 week, 1 month, 5 years…)
- Prevent forwarding, copying, printing and downloading of content
- Protect access with an SMS code sent to the recipient
- Revoke access to the message at any time before it expires
To enable confidential mode:
- In Gmail, click Compose
- At the bottom of the composition window, click the padlock with a clock icon (confidential mode)
- Set the expiry date and choose whether to require an SMS code
- Click Save then write and send your message normally
Good to know: Gmail's confidential mode does not encrypt the message end-to-end. Google can still access the content on its servers. Confidential mode mainly prevents forwarding and sets an expiry date — it does not replace true end-to-end encryption for highly sensitive data.
Method 2: S/MIME encryption (Google Workspace)
S/MIME (Secure/Multipurpose Internet Mail Extensions) encryption is available for Google Workspace Enterprise Plus, Education Plus and Education Standard accounts. It provides server-side end-to-end encryption, more robust than confidential mode.
To enable S/MIME on Google Workspace:
- The Google Workspace administrator must enable S/MIME in the admin console: Apps → Google Workspace → Gmail → User settings → Enable S/MIME encryption
- Each user must import their S/MIME certificate in Gmail settings: Settings → See all settings → Accounts and Import → Send mail as → Edit info → Upload a certificate
Once S/MIME is enabled, Gmail displays a colour-coded padlock icon in the composer:
| Padlock colour | Meaning |
|---|---|
| Green | S/MIME encryption — maximum protection level |
| Grey | Standard TLS encryption — in-transit protection |
| Red | No encryption — email sent in plain text |
Method 3: Client-Side Encryption (CSE)
Available since 2023 for Google Workspace Enterprise Plus, Education Standard and Education Plus subscriptions, Client-Side Encryption (CSE) goes further than S/MIME: data is encrypted on the user's device before being sent to Google's servers. Google therefore technically has no access to the content in plain text.
- Requires configuration by the Workspace administrator with an external key management service (EKMS)
- Compatible with leading key management providers: Thales, Virtru, Flowcrypt
- The user activates CSE for a specific message via the padlock icon in the composer
Good to know: Google Workspace's client-side encryption is designed for organisations subject to strict compliance requirements (finance, healthcare, defence). For individuals or SMEs seeking simple end-to-end encryption, alternatives such as ProtonMail offer a more accessible solution without requiring infrastructure configuration.
Method 4: using a third-party encryption extension
For users of free Gmail accounts who want true end-to-end encryption, browser extensions can add this functionality:
- Mailvelope: Chrome and Firefox extension that integrates OpenPGP encryption directly into the Gmail interface. Free and open source
- FlowCrypt: extension that adds PGP encryption to Gmail with a simple interface. Available in free and paid versions
These extensions use the OpenPGP standard — both sender and recipient must have the extension installed and have previously exchanged their public keys.
Comparison of Gmail security methods
| Method | Availability | Encryption level | Ease of use |
|---|---|---|---|
| TLS (default) | All accounts | In transit only | Automatic |
| Confidential mode | All accounts | Access restrictions (not E2E) | Very simple |
| S/MIME | Workspace Enterprise/Education | Strong server-side encryption | Configuration required |
| Client-side encryption | Workspace Enterprise/Education | E2E encryption — Google no access | Advanced configuration |
| PGP extension (Mailvelope, FlowCrypt) | All accounts | E2E OpenPGP encryption | Installation required |
Good to know: regardless of the encryption level used, your IP address is visible in email headers when sent from a desktop email client. Gmail via browser or mobile app, however, hides your real IP address behind Google's servers in the technical headers of the message.