Google Gmail making end-to-end encrypted emails easy for organizations



 Google Workspace Blog:

At Google, we believe that secure, confidential communication should be available for organizations of all sizes. However, end-to-end encrypted (E2EE) email was historically a privilege reserved for organizations with significant IT resources, due to the complexity of S/MIME and proprietary solutions. Over the past two years, we've made progress in breaking down these barriers, simplifying E2EE, to help customers address their critical compliance and data sovereignty needs. But we knew there was more work to do to truly democratize it.

Today is Gmail’s birthday, and we wanted to do something special — enable enterprise users to send E2EE messages to any user on any email inbox with just a few clicks. This capability, requiring minimal efforts for both IT teams and end users, abstracts away the traditional IT complexity and substandard user experiences of existing solutions, while preserving enhanced data sovereignty, privacy, and security controls. We’re rolling this out in a phased approach, starting today, in beta, with the ability to send E2EE emails to Gmail users in your own organization. In the coming weeks, users will be able to send E2EE emails to any Gmail inbox, and, later this year, to any email inbox. Let’s take a closer look.


Sending an E2EE email to a non-Gmail user

The current state of encrypted email — the good, the bad, and the unpleasant

Most enterprise email providers encrypt customer data at rest and in transit. Gmail does it by default. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol that enables sending digitally signed and encrypted messages. It is typically used for highly sensitive emails among regulated organizations, such as government agencies and businesses that work with them.

While more organizations have real needs for E2EE emails, few have the resources to implement S/MIME. IT teams need to acquire and manage certificates and deploy them to each user, resulting in additional efforts and costs. And end users have to figure out whether they and the recipient have S/MIME configured (few do), and then go through the hassle of exchanging certificates before the encrypted emails can be exchanged. This often results in frustration and the inability to send encrypted emails.

Alternatives to S/MIME, such as encryption features from email providers or proprietary point solutions, present significant drawbacks as well: the former requires sharing encryption keys, increasing data privacy and sovereignty risks, while the latter complicates end user experiences with custom applications, portals, or browser extensions. We think there should be a simpler and more efficient way.

Sending end-to-end encrypted emails to any inbox with Gmail

The idea here is simple. Email messages are encrypted with just a few clicks in Gmail regardless of who they are being sent to — no need for end users to exchange certificates or use custom software. The emails are protected using encryption keys controlled by the customer and not available to Google servers, providing enhanced data privacy and security. And the IT team no longer needs to go through the complex S/MIME setup or certificate management. This is how it works behind the scenes:
  • When the recipient is a Gmail user (enterprise or personal), Gmail sends an E2EE email. The email is automatically decrypted in the recipient's inbox, and the recipient can use Gmail in a familiar way.
  • When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email.
  • When the recipient has S/MIME configured, Gmail sends an E2EE email via S/MIME (just like it does today).

Securely viewing an E2EE email in a restricted version of Gmail

IT teams also have the option to require all external recipients (even if they are Gmail users) to use the restricted version of Gmail. This helps ensure that their organization’s data does not end up stored on third-party servers and devices. It also makes it easier for organizations to protect their data by having the ability to apply security policies and revoke access to emails, no matter how long ago they were sent. Essentially, the E2EE email becomes like a document in Google Drive, allowing the IT team to control its access.

This new capability is powered by client-side encryption (CSE), a technical control in Workspace, that helps organizations to protect their sensitive emails, documents, calendar events, and meetings using encryption keys that are under their sole control and stored outside of Google’s infrastructure in a location of their choice. Data gets encrypted on the client before it is transmitted or stored in Google's cloud-based storage, rendering it indecipherable to Google and other third-party entities and helping to meet regulatory requirements, such as data sovereignty, HIPAA, and export controls.
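The design principle behind the paragraph above, namely that the message is encrypted on the sender's device, that the only key able to unwrap it lives in a store the customer controls outside the mail provider, and that an administrator can therefore revoke access to a message long after it was sent, can be shown in a small simulation. The Go program below is an added illustration written for this page; it is not Google's client-side encryption implementation and does not use Google's key-service API. The KeyService type, the message IDs and the sample body are hypothetical stand-ins. The provider only ever holds the AES-GCM ciphertext and a wrapped data-encryption key (DEK); the key-encryption key (KEK) never leaves the key service, and every decrypt has to go through it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts with AES-256-GCM and returns nonce||ciphertext. aad binds the
// ciphertext to a context (here the message ID) without encrypting it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails if key, nonce, ciphertext or aad do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// KeyService is a hypothetical customer-controlled key store that runs outside
// the mail provider. The KEK is generated and used only inside this type.
type KeyService struct {
	kek     []byte
	revoked map[string]bool // message IDs an administrator has revoked
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek, revoked: map[string]bool{}}, nil
}

// Wrap encrypts a per-message DEK under the KEK, bound to the message ID.
func (ks *KeyService) Wrap(msgID string, dek []byte) ([]byte, error) {
	return seal(ks.kek, dek, []byte(msgID))
}

// Unwrap hands the DEK back only while the message has not been revoked.
func (ks *KeyService) Unwrap(msgID string, wrapped []byte) ([]byte, error) {
	if ks.revoked[msgID] {
		return nil, errors.New("access to message revoked by administrator")
	}
	return open(ks.kek, wrapped, []byte(msgID))
}

func (ks *KeyService) Revoke(msgID string) { ks.revoked[msgID] = true }

// StoredMessage is everything the mail provider receives and stores.
type StoredMessage struct {
	ID         string
	WrappedDEK []byte // DEK encrypted under the customer's KEK
	Body       []byte // message body encrypted under the DEK
}

// ClientEncrypt runs on the sender's device: a fresh DEK per message, the body
// sealed locally, and only ciphertext plus the wrapped DEK handed to the provider.
func ClientEncrypt(ks *KeyService, msgID string, plaintext []byte) (StoredMessage, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredMessage{}, err
	}
	body, err := seal(dek, plaintext, []byte(msgID))
	if err != nil {
		return StoredMessage{}, err
	}
	wrapped, err := ks.Wrap(msgID, dek)
	if err != nil {
		return StoredMessage{}, err
	}
	return StoredMessage{ID: msgID, WrappedDEK: wrapped, Body: body}, nil
}

// ClientDecrypt runs on the recipient's device and must reach the key service,
// which is what lets the administrator's revocation take effect retroactively.
func ClientDecrypt(ks *KeyService, m StoredMessage) ([]byte, error) {
	dek, err := ks.Unwrap(m.ID, m.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, m.Body, []byte(m.ID))
}

func main() {
	ks, _ := NewKeyService()
	m, _ := ClientEncrypt(ks, "msg-001", []byte("board minutes (constructed sample)"))
	pt, err := ClientDecrypt(ks, m)
	fmt.Printf("recipient reads: %q (err=%v)\n", pt, err)
	ks.Revoke("msg-001")
	_, err = ClientDecrypt(ks, m)
	fmt.Println("after revocation:", err)
}
```

Two details worth noting in the design: binding the message ID into the AEAD's associated data means a wrapped DEK or body lifted from one message cannot be replayed against another, and because the provider holds only `WrappedDEK` and `Body`, nothing it stores is sufficient to recover plaintext without the key service's cooperation. That second property is what makes the "like a document in Google Drive" access control in the preceding section possible.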

Additional security and sovereignty enhancements in Gmail

Beyond E2EE emails, we’re also making a number of security capabilities in Gmail generally available to help organizations keep their data secure and compliant, including:
  • CSE default mode — allows IT admins to set a policy that makes E2EE messages a default setting in Gmail for teams that regularly deal with sensitive data.
  • Classification labels — help users in your organization understand message sensitivity and handle messages accordingly.
  • Data loss prevention (DLP) — allows IT teams to leverage rules to automatically apply classification labels to messages and take action on messages based on their labels, such as blocking email message delivery.
  • A new threat protection AI model — we added a new holistic AI model in Gmail that acts as a supervisor to our existing AI/ML and heuristic defenses. It evaluates thousands of combined signals from billions of endpoints based on the actor, behavior, and content to catch more spam and phishing before they reach users.

Getting started

With data security and sovereignty, the job is never done. We are always at work to help our customers — from small businesses and large enterprises to schools and government agencies — strengthen their security and compliance posture. To get early access for E2EE emails in Gmail, let us know. To learn more, check out the documentation, understand what’s included in Assured Controls plans, and attend our upcoming sessions at Cloud Next ‘25.

