Gmail is the most widely used email platform in the world, with 1-1.5 billion active users signing up for the user-friendly google service. Despite its popularity, not everyone is totally clued up on all the security features it provides and exactly how much safer they actually make you.
This guide will detail how to send secure emails, so you can maximize and make the most of Gmail's defenses.
Sending secure emails in Gmail using confidential mode
The first thing we need to do is distinguish between Gmail's 'confidential' emails and the email provider's other encryption options. Confidential emails are presented as 'secure' versions of standard emails – but how secure are they?
Features offered by Gmails Confidential mode
Confidential emails were introduced to Gmail in 2018. You can send confidential emails on both mobile and desktop. This will provide you with three safety features:
- Message Timer – converting your message into a confidential email will allow you to dictate how long the message will sit in the recipient's inbox.
- Restricted action – the recipient will not be able to forward, copy, print or download the email.
- SMS verification – the recipient will be unable to open the email without SMS verification.
How to send a confidential Gmail email (desktop)
-
Log into Gmail and open a new email message box.
-
Navigate to the taskbar at the bottom, to the right of the send button.
-
Click the padlock icon.
-
A pop-up will appear that will allow you to set timings and whether SMS verification is required.
-
Once that is all set, you're ready to send confidential emails.
Are confidential emails really secure?
Not particularly. Although they provide a semblance of protection, there are a number of cold, hard truths that mean this type of email isn't actually secure:
- Confidential emails bar the recipient from forwarding information, but they could easily take a screenshot of the email.
- Google can still read your emails, even after they expire. The confidential email content is kept on the company's servers.
- In order to set an SMS passcode, you have to hand over the recipient's personal phone number, which is a bit 'one step forward, two steps back' in terms of privacy.
- There is no encryption mechanism under the bonnet of confidential emails – the extent of the privacy measures are there for you to see.
New to Email Security?
If you are new to secure Email services, then check out our secure email beginners guide for more information.
How to send Encrypted emails in Gmail?
With confidential emails far from secure, it's a good thing Google allows users to encrypt emails through Gmail with an upgrade to G Suite.
Without G Suite, Gmail uses standard Transport Layer Security encryption that provides a base level of encryption to all outgoing emails. However, it is not end-to-end, so isn't fully secure, and if someone is using a mail server that does not adhere to TLS protocol, then the message definitely won't be encrypted.
Features of Suite Encryption
Google offers S/MIME encryption to G Suite users, which is usually for business purposes. Both sender and recipient must have S/MIME encryption for it to work. Here is what a G Suite upgrade gives users:
- User-specific keys – S/MIME provides user-specific encryption keys that can only be decrypted by the reader the message was intended to go to.
- Visibility – a G Suite upgrade lets you see the encryption level your email adheres to, reducing the chance of a user unintentionally sending an encrypted message.
- Content Compliance – you can set up rules on your account that override attempts to turn encryption off, even if it's intentional, block non-S/MIME encrypted emails from entering your inbox and being sent to those that do not have it set up.
How to download G Suite and configure S/MIME encryption
Follow the steps below to enable S/MIME encryption in Gmail:
Enable S/MIME encryption
G Suite provides a multitude of different settings to help you customize S/MIME encryption, but these are the basic steps to enable it.
-
Create a G Suite account and follow G Suite setup wizard.
-
Create a domain name or add an existing one (personal or business). This will give you a G Suite admin account.
-
From Admin Homepage, navigate to Apps > Google Workspaces > Gmail > User settings.
-
On the left-hand side, there is an 'Organizations' tab, which should have your domain name underneath it. Select the domain you entered.
-
Scroll down to the S/MIME setting and tick the "Enable S/MIME encryption for sending and receiving emails" box.
-
Press save and reload your Gmail account.
A padlock will now appear in the subject line of messages to represent the level of encryption when sending and receiving emails. If the lock is green, the email is S/MIME encrypted.
Choosing and uploading certificates
Before any emails are sent or received using S/MIME, you will have to upload a digital certificate to G Suite, which is essentially a digital ID. Google provides a list of trusted certificates you can use in their help centre. Once you've selected the appropriate certificate – which may require some research – you can then upload it to your G Suite account.
-
Start at your Gmail inbox in G Suite.
-
Click on the tab labeled 'Accounts'.
-
Navigate to the 'Send mail as' > 'Edit info'.
-
A Window will appear with an enhanced encryption option. This will only happen if the 'S/MIME' and 'Allow users to upload their own certificates' options are enabled prior in the Admin console.
- Select 'Upload personal certificate'.
-
Select the certificate you want to upload and click open.
-
Enter the password for the certificate when prompted.
-
Enter your password and click 'Add certificate'.
Is suite encryption really secure?
If S/MIME encryption is present at both sender and recipient end, then this will certainly provide an enhanced level of security on what you'd be operating with when using normal Gmail. But that's the catch – it has to be operating at both ends of the chain. On top of this, Google itself can still sift through your emails – it's not hidden from them.
Other ways to send a secure email in Gmail
If neither the above method doesn't satisfy you, there are third-party encryption services out there compatible with Gmail that will allow you to enhance your security significantly. Here are a couple of the market frontrunners to get you started:
Securemail
Securemail is a Chrome extension that you can download from the Chrome web store, designed with google users in mind, and is recommended for use with Gmail.
As with all third-party services, you will have to decide on a private key beforehand that can be used to decrypt your emails and share it with your recipient through some other means.
However, you will first have to make an account on StayPrivate before you can use the extension.
FlowCrypt
Available as an extension on Chrome and Firefox, FlowCrypt now has over 80,000 users and a 4.8 rating on the Chrome web store. They use OpenPGP (Pretty Good Privacy) to encrypt messages and can ensure the secure passage of both email text and attachments.
Upgrading to their paid service or Enterprise program (although this is largely for business) grants you increased room to customize, including choosing when messages expire and whether the email subject bar is encrypted. On both subscriptions, recipients can securely reply without any plugin.
Virtru
One of Google's recommended programs to run with G Suite, this encryption service has a whole host of features, including the ability to revoke access to emails you've already sent, so you can correct errors when all else seems lost. Impressively, it can keep any attachments you send via Gmail under your jurisdiction, even after they've been moved out of Gmail and into a desktop or drive.
What's more, it's comes completely integrated into G Suite, so you don't need any new tools or programs in addition to your Virtru download. It's very pricey, but if your business relies on the sharing of sensitive information in a secure manner, it's a very sensible investment.
Mailvelope
Also secured with OpenPGP standard encrypted, Mailvelope comes pre-configured for a whole host of email providers, including Gmail. They have regular security audits, a very transparent development process, and over 250,000 users worldwide.
Although the set-up is a little more tricky than the likes of Securemail and FlowCrypt, for just $3 a month, you can upgrade to the Business package. This software will allow you to integrate Mailvelope into G Suite, use PGP and MIME encryption, and grants you access to additional control aspects.
Should I leave Gmail for a secure email provider?
De-Googling has become all the rage, and anybody who leaves Google services for alternative providers that value consumer privacy is on the right track in our opinion.
While there is nothing stopping you from implementing the steps above to send secure emails with Gmail, there is also nothing to stop your contacts from sending you non-secured emails. Unfortunately, when they do, Google will monitor those messages via automated means.
This is far from ideal, because while you choose to use Gmail, Google will engage in some level of surveillance capitalism for marketing purposes. So what's the solution?
The best option is to leave Google behind for a secure email service that puts consumer privacy first as part of its service.
Here at ProPrivacy, we are more than happy to recommend StartMail as an alternative to Gmail/Outlook/etc. The service provides PGP encryption for emails, and has a strong privacy policy that promises no ads or tracking, and that no third party, or even its own developers, will be able to access your emails for any reason.
StartMail is based in the Netherlands – a location with strong data protection laws – and openly states that it will not cooperate with any surveillance programs, nor entertain any requests for user data (unless it is properly issued by a Dutch court). This makes StartMail a great choice for journalists, political dissidents, human rights activists, lawyers, and anyone who values their privacy.
By creating a StartMail account, you cut Google and their message scanning out of the loop. And, you'll be getting secure email functionality built into the service, which makes the entire process of sending emails privately much simpler!