Google makes end-to-end encrypted Gmail easy for all – even Outlook users – Source: go.theregister.com

Source: go.theregister.com – Author: Connor Jones

Google will soon offer end-to-end encrypted (E2EE) email for all users, even those who do not use Google Workspace, and says it’ll do so without imposing any undue stress on IT admins.

It’s pitched as an alternative to the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol often used by well-resourced, regulated organizations for encrypted comms.

The protocol hinges on the exchange of certificates, which Google claims is a hassle few other types of organizations have the impetus to implement, despite having a legitimate need for secure emails.

The way it works is that E2EE emails, powered by client-side encryption, can be sent by enterprise Gmail users to anyone. If sending to another Gmail user, either enterprise or personal, the encrypted mail feature functions without additional configuration. The compose window’s UI changes slightly to show a bold blue banner at the top, saying: “New encrypted message.”

If a Gmail user sends one of these emails to someone using, say, Outlook, the recipient will be sent an email asking whether they want to see an encrypted message. Clicking a link will prompt recipients to re-authenticate their email account, granting temporary access via a restricted Gmail account to view and reply to the encrypted email.

The initial “would you like to see this?” email in this case looks similar to a Docs/Sheets/Pages collaboration link, which may raise phishing concerns. It’s also something Google has considered, which is why a warning box above the link urges recipients to only click through if they fully trust the sender.

In fact, by Google’s own admission, the whole process is comparable to sharing a Workspace document with someone from outside your organization. Because IT admins can require recipients to use restricted Gmail to view encrypted messages, it essentially allows admins to control recipients’ access using policies and ensure data is not stored on third-party servers.

In cases where E2EE emails are sent to recipients who already have S/MIME configured, there’s no real change. Gmail will send an encrypted email to its destination as normal, as it did before today’s announcement.

“This capability, requiring minimal efforts for both IT teams and end users, abstracts away the traditional IT complexity and substandard user experiences of existing solutions, while preserving enhanced data sovereignty, privacy, and security controls,” say Google’s Johney Burke and Julien Duplant in a blog shared with The Register ahead of publication.

“We’re rolling this out in a phased approach, starting today, in beta, with the ability to send E2EE emails to Gmail users in your own organization. In the coming weeks, users will be able to send E2EE emails to any Gmail inbox, and, later this year, to any email inbox.”

The extent to which Gmail users could safeguard their emails before today, beyond Google’s TLS encryption in transit, was to enable Confidential Mode, which prohibits recipients from forwarding, copying, printing, or downloading emails, but does not have E2EE. There are also options for emails to expire after a set time frame and to require an SMS passcode to open the message.

This also works with other email platforms but the actual message content is replaced with a “would you like to see this?” type of email, prompting users to enter a passcode to view it in their browser.

Using Confidential Mode doesn’t necessarily mean message contents won’t be visible to enterprise admins, however, unlike E2EE, which is kept strictly between sender and receiver.

If Google’s announcement sounds familiar, that might be because you have a Microsoft 365 account. E5 customers have had a very similar option available to them and their end users since January in the form of Microsoft Purview Message Encryption.

It functions in the exact same way. Outlook-to-Outlook mail works as normal, just with E2EE, and Outlook to Gmail, Yahoo, or other platforms generally involves sending a link to view an encrypted message.

Before these features were released, security-savvy users could have opted for an encrypted email platform like Proton, Tuta, or one of the others out there, but using it alongside an enterprise account for their everyday work could be tedious.

In addition to E2EE emails, which IT admins can make the default for all end users should they wish, Google launched a number of other features for Gmail, including classification labels that will inform users of each email’s sensitivity and how they should be dealt with.

These classification labels will also inform new data loss prevention rules IT admins can set to automatically handle emails based on what labels they have assigned.

Of course, it would not be 2025 without an AI flavor to all these new features. A threat protection model is added to Gmail’s existing AI/ML-based spam and phishing detectors so fewer malicious emails slip through the net. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/04/01/google_e2ee_gmail/
