Gmail expands end-to-end encryption to all

Google is taking a major step toward making email privacy more accessible. The tech giant has announced that Gmail users with Client-Side Encryption (CSE) under Google Workspace Enterprise Plus—and the Assured Controls add-on—can now send fully end-to-end encrypted (E2EE) emails to anyone, regardless of their email provider. This update marks one of the most significant upgrades to Gmail’s security framework in years, closing the gap between corporate confidentiality and everyday usability.

Until now, Gmail has relied primarily on Transport Layer Security (TLS) to protect messages in transit. TLS encryption ensures that emails cannot be easily intercepted between the sender and the recipient’s servers. However, once messages reach Google’s infrastructure, they can technically be accessed under certain legal or administrative circumstances. Client-Side Encryption takes this a step further by encrypting the message directly within the user’s browser before it ever leaves the device. In other words, Google’s servers only handle encrypted data and cannot view the contents of the message itself. The body of the email, including any attachments and embedded images, is secured, while only the header—containing the subject line and recipient information—remains unencrypted.

What makes this new feature particularly notable is that it works even if the recipient is not a Gmail user. Previously, encrypted email communication often required both sender and recipient to use the same encryption protocol or manually exchange S/MIME certificates, a complex process that few users ever attempted. Now, Google has streamlined the experience. If you send an encrypted email to someone using another provider, like Outlook or a private domain, the recipient simply receives a notification email. From there, they can access the message through a secure Google portal using a temporary guest account—no complicated setup, no certificate swapping, just straightforward access.

For those on the receiving end, the process is intuitive. The email you receive won’t display the actual message; instead, it includes a link prompting you to “View message.” You’ll then verify your email address by entering a one-time code sent to your inbox. Once verified, the system guides you through a few quick steps to view the encrypted content within a secure browser window. It’s a user-friendly experience designed to make enterprise-grade encryption accessible to people outside the corporate bubble.

Sending an encrypted email through Gmail’s new system is equally simple. After clicking “Compose,” users can enable encryption from the “Message security” button found in the lower corner of the message window. From there, selecting “Additional encryption” and turning it on activates CSE for that email. Google advises users to enable encryption before drafting the message—otherwise, any existing text will be erased when encryption is toggled, and a new blank message will appear. While this extra step may seem like a minor inconvenience, it ensures that all content is encrypted properly from the outset.

It’s worth noting that this feature is not automatically enabled for all organizations. Google has kept the ability to send encrypted emails externally turned off by default. Administrators must activate it manually at the Organizational Unit (OU) and Group level, ensuring that IT teams retain full control over how sensitive data leaves their networks. This default restriction is designed to help companies enforce internal compliance policies before allowing employees to send encrypted emails outside the organization.