In this article. You will explore the ultimate guide to activating Gmail encryption. Wondering how to enable encryption in Gmail? Well, we have the best guide for you. According to Google's transparency report, 96% of inbound messages and 90% of outbound messages will be secured by Gmail encryption in 2024. Gmail uses two types of encryption - TLS and S/MIME. TLS is safe for email encryption during the transition between email servers. However, Google recommends advanced Gmail encryption, such as S/MIME. It encrypts email with user-specific keys.

What is email encryption?

Email encryption is a technique that applies a cryptographic algorithm to protect your emails from any kind of cybercrime. As a result, if any unauthorized party has access to your email, they can’t read the original content of the message. Instead, they will see an unreadable string of characters within the message. Once the message has been delivered to the right recipient, they can read it using private keys.  

So, Gmail standardized the email encryption with S/MIME. Now, let’s have a look at it.

Step-by-step process for enabling Gmail encryption

As a Google Admin, you can enable hosted S/MIME (Secure/Multipurpose Internet Mail Extensions) to protect your organization's users from phishing, spamming, and other email-related threats. S/MIME adds Gmail encryption and digital signature to emails. To decrypt messages, you need a private key and a public key, and the private key is stored by your organization. 

Note: Hosted S/MIME can be enabled by Enterprise Plus, Education Standard, Education Plus, Education Fundamentals, Teaching and Learning Upgrade. 

Step 1: Enable S/MIME on Google Admin Console

  1. Sign in to Admin Console using a Google administrator account.
  2. Go to Menu Apps > Google Workspace > Gmail > User settings.Menu Apps Google Workspace Gmail User setting
    • Get into the Google Workspace menu to continue email encryption process.Choose Gmail to keep the email encryption process underway.Choose Gmail to keep the email encryption process underway
    • Access User setting to change the Gmail encryption statusAccess User setting to change the Gmail encryption status
  3. Then, select the organization or domain that you want to configure. Select it under the Organizations, from the left side. Remember that you must upload and manage root certificates and enable S/MIME in the top-level organization to opt for advanced S/MIME. 
  4. After that scroll to the settings of S/MIME and check the box for the Enable S/MIME encryption for sending and receiving emailsEnable SMIME encryption for sending and receiving emails
  5. If you wish, you can allow the users (of your organization) to upload their certificates (optional). For this, you need to click the checkbox Allow users to upload their certificatesAllow users to upload their certificates.
  6. To upload and manage the root certificates (optional), you have to perform the following steps -
    • Click Add from the next of the Accept these additional Root Certificates for specific domains.
    • Click Upload Root Certificate in the Add Root Certificate window. 
    • Then, start browsing to select the certificate file. Then, click Open. At this stage, you will find a verification message for the certificate.
    • After that, you have to select the encryption level under the encryption level to use this certificate. 
    • Following the above step, you have to enter at least one domain for the root certificate. You have to enter it under the Address list. If you want to enter multiple domains, then use commas to separate them. 
    • If you want to allow CSE or client-side encryption key pairs with the certificates associated with the email addresses except for the primary email, then select the mismatch option for the certificate. Remember that it’s an optional step and you can apply it when your organization needs it.
    • After that, click on Done
    • You have to repeat these steps if you need to upload more chains of certificates. 
  7. You have to check the Allow SHA-1 globally box, in case your organization is using the Secure Hash Algorithm 1 (SHA-1). You can learn more about the SHA-1 from Manage trusted certificates for S/MIME
  8. Finally, click Save. After saving this change, you will see the icon shown on this image when you deliver a message. A lock sign against a green background refers to the success in Gmail encryption

Know more about S/MIME and root certificates from here

Step 2: Tell the users to reload Gmail

Then, tell your users to reload Gmail to see if the S/MIME is working or not. If a green lock icon appears in the message subject after reloading Gmail, it indicates that the S/MIME is working. 

Step 3: Certificates uploading

To enable hosted S/MIME email encryption, the end-user certificates for S/MIME must be uploaded to Gmail. As an admin, your role is crucial here. Google recommends you to upload these certificates using the Gmail S/MIME API. This API provides access to managing users’ S/MIME email certificates in the domain of Google Workspace. The certificates should use the Public-Key Cryptography Standards - PKCS #12 and meet the cryptographic standard for S/MIME certificate profiles.

Moreover, the admin can allow the users to upload their certificates in Gmail settings using these steps - 

  1. Open Gmail and go to Settings > See all settingsSettings See all settings
  2. Select Accounts and Import option. select Accounts and Import
  3. Then select the Edit info from the next of Send mail as. Here you can see an Edit email address window. If they don’t find this option, they have to contact their administrator. select the Edit info from the next of Send mail as
  4. At this step, click Add a personal certificate
  5. Now select the certificate. Then click Open. By clicking this option the users will be prompted to enter the password for their certificates. 
  6. Finally, after entering the password, they have to click Add certificateclick Add a personal certificate

Step 4: Tell the users to exchange their keys

Finally, the users need to exchange their keys with the recipients of the messages to exchange S/MIME messages. So, they have to choose any one of the following ways -

  • They can send the recipients a S/MIME signed message to the recipients. The message includes the digital signature and public key of the users’. Again, the recipients can use the public e to send the messages to the user. 
  • Otherwise, the users can ask the recipients to send them a message. When the recipients receive the messages, they will be signed with S/MIME. As a result, the key will be automatically stored in future messages sent to that recipient. 

Understand the meanings of Gmail encryption icons

You can find a lock icon within the messages you send and receive. It indicates the level of Gmail encryption. So, let’s understand the different levels of encryptions in Gmail:

  • Green lock icon:It indicates the S/MIME encryption. It’s recommended for protecting sensitive information. If you have the recipient's public key, S/MIME will encrypt all the outgoing messages. However, the message can be decrypted by the recipient who has the private key. 
  • Gray lock icon: The gray icon indicates the standard encryption - TLS. This email encryption is suitable for most of the emails. TLS or Transport Layer Security is applicable for message exchange with third-party email services that don’t align with S/MIME. This email encryption takes place when an email is in transit. Many third-party email providers don’t apply any encryption technique to the messages during the transit. As a result, the messages remain open for cybercriminals to tamper with. That’s why TLS is required for secured communication between the other email servers and the clients.
  • Red lock icon: It refers to the unencrypted messages. These messages aren't secure. If you have received any message with a red lock icon and the message incorporates any sensitive information, then inform them immediately and tell them to contact their email service provider. But if you see this red icon while sending a message, then delete the confidential information or remove the unencrypted addresses. 

Learn the cutting edge no-code automation with Foresight

Offering no-code automation for Google Workspace admin and users,  Foresight revolutionizes your day-to-day business workflows. It trims the manual workflows and finds out the simplified ways to solve the tasks related to Google Workspace. Just you need to use the user-intuitive interface of the platform and create automation rules with simple drag-and-drop functionalities. 

So, learn the robust no-code automation solution from Foresight and the use cases, such as Mail Merge Using Gmail And Foresight


Gmail encryption is mandatory to secure your emails. The powerful encryption solution protects both the sender and recipients of emails. By enabling this, you can protect your messages' confidential data, such as login credentials, bank details, and other sensitive data, from hackers. 

Also, learn about using Foresight to ease your regular Google Workspace workflows. So, try a 14-day free trial of this platform and enjoy no-code automation.