
How to email documents securely


Why Standard Email Is Not Secure

Email protocols (SMTP, IMAP, POP3) were created decades ago without encryption as a default. While most email providers now use TLS (Transport Layer Security) to encrypt messages in transit between servers, TLS has gaps.

TLS encryption is opportunistic, meaning it depends on the receiving server also supporting TLS. If the recipient's server does not support it, the email may be transmitted unencrypted. TLS also protects data only in transit. Once the email arrives at the destination server, it is stored in readable form. Anyone with access to the server, whether an administrator, a hacker, or a party with a legal subpoena, can read it.
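To see which hops of a delivered message actually used TLS, you can read the Received headers that each server adds. The Python sketch below is an added example, not part of the original article; the sample message and host names are constructed, and it assumes servers record the RFC 3848 keywords (ESMTPS, ESMTPSA) or a TLS version comment.

```python
import re
from email import message_from_string

# Keyword a server records after "with" (RFC 3848); a trailing "S" as in
# ESMTPS, ESMTPSA or LMTPS means that hop was received over TLS.
PROTO = re.compile(r"\bwith\s+(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?\b", re.I)
# Other servers note the negotiated TLS version in a comment instead.
TLS_HINT = re.compile(r"TLS\s?v?1[._][0-3]", re.I)
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)

def audit_hops(raw_message):
    """Return [(receiving_host, status)], oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        by = BY_HOST.search(text)
        proto = PROTO.search(text)
        if (proto and proto.group(1)) or TLS_HINT.search(text):
            status = "tls"
        elif proto:
            status = "plaintext"                # SMTP hop with no TLS marker
        else:
            status = "unknown"                  # e.g. webmail or internal hop
        hops.append((by.group(1) if by else "?", status))
    return hops

# Constructed sample: the sender's server could not negotiate TLS with the
# recipient's MX, so the middle hop travelled unencrypted.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by store.recipient.example (Postfix) with ESMTPS id 9C3D1;
    Tue, 02 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.4])
    by mx.recipient.example (Postfix) with ESMTP id 4F1A2;
    Tue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example ([192.0.2.15])
    by out.sender.example with ESMTPSA id 77AB;
    Tue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
Subject: contract

(body omitted)
"""

if __name__ == "__main__":
    for host, status in audit_hops(SAMPLE_MESSAGE):
        print(f"{host}: {status}")
```

Received headers are written by the servers themselves, so read the result as what each hop reported rather than as proof.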

Attachments face the same risks. A PDF sent as a standard attachment is accessible to anyone who intercepts the email or gains access to either the sender's or recipient's email account.

For most routine communication, TLS provides sufficient protection. For sensitive documents, you need additional layers.

Method 1: Password-Protect the Document Before Sending

[Infographic: 4 Methods to Email Documents Securely, ranked by protection level]

This is the simplest and most widely applicable method. Encrypt the document with a password, send the encrypted file as an attachment, and share the password through a separate channel.

For PDF Files

In Adobe Acrobat, open the PDF and go to File, then Properties, then Security. Select "Password Security" and set a password to open the document. Save the file.

On Mac, open the PDF in Preview. Go to File, then "Export as PDF." Click "Show Details" and check the "Encrypt" box. Set a password and save.

Free alternatives include online tools like Smallpdf (select "Protect PDF") or LibreOffice (export as PDF with password protection).

For Microsoft Office Files

In Word, Excel, or PowerPoint, go to File, then Info, then "Protect Document" (or "Protect Workbook" / "Protect Presentation"). Select "Encrypt with Password." Enter a password and confirm.

The file is now encrypted with AES-256. Without the password, the file cannot be opened.

For ZIP Archives

If you need to send multiple files securely, compress them into a password-protected ZIP archive. On Mac, use the Terminal command for encryption. On Windows, use 7-Zip (right-click files, select 7-Zip, then "Add to archive," set a password, and choose AES-256 encryption).
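Before attaching a password-protected ZIP, it is worth confirming that every entry is really AES-encrypted, since a tool can also apply the older, weaker ZipCrypto scheme or leave some files unencrypted. This Python check is an added example, not from the original article; it reads the WinZip AES markers (method 99, extra field 0x9901), and the sample archive is constructed with dummy payloads.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # WinZip AES marker stored in the compression-method field
AES_EXTRA_ID = 0x9901  # extra field that records the AES key strength
STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def entry_encryption(info):
    """Classify one zipfile.ZipInfo by the encryption its headers declare."""
    if not info.flag_bits & 0x1:              # bit 0 set = entry is encrypted
        return "none"
    if info.compress_type != AES_METHOD:
        return "not WinZip AES (likely legacy ZipCrypto)"
    extra = info.extra
    while len(extra) >= 4:                    # walk (id, size, data) records
        field_id, size = struct.unpack_from("<HH", extra)
        if field_id == AES_EXTRA_ID and size >= 7:
            return STRENGTH.get(extra[8], "AES (unknown strength)")
        extra = extra[4 + size:]
    return "AES (unknown strength)"

def audit_zip(data):
    """Map each file name in the archive bytes to its declared encryption."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: entry_encryption(i) for i in zf.infolist()}

def build_sample_zip(entries):
    """Constructed sample: minimal headers plus 4 dummy payload bytes per entry."""
    body = central = b""
    for name, flags, method, extra in entries:
        n = name.encode()
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, 51, flags, method, 0, 0x21,
                               0, 4, 4, len(n), len(extra), 0, 0, 0, 0, len(body)) + n + extra
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, method, 0,
                            0x21, 0, 4, 4, len(n), len(extra)) + n + extra + b"\0" * 4
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                      len(central), len(body), 0)
    return body + central + end

AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_ZIP = build_sample_zip([
    ("contract.pdf", 0x1, AES_METHOD, AES256_EXTRA),  # AES-256
    ("notes.txt", 0x1, 8, b""),                       # encrypted, but not AES
    ("readme.txt", 0x0, 8, b""),                      # not encrypted at all
])

if __name__ == "__main__":
    print(audit_zip(SAMPLE_ZIP))
```

File names in a ZIP stay readable without the password even when the contents are encrypted, so keep sensitive details out of the names.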

Sharing the Password

Never send the password in the same email as the document. Use a different channel: a phone call, a text message, or a secure messaging app like Signal. This ensures that even if the email is intercepted, the document remains protected.

Method 2: Use Your Email Provider's Encryption Features

Major email providers offer built-in security features that add protection beyond standard TLS.

Gmail Confidential Mode

Gmail's Confidential Mode restricts what recipients can do with your message. Enable it by clicking the lock icon with a clock in the compose window. You can set an expiration date (after which the email becomes inaccessible), require an SMS passcode for the recipient to open the email, and prevent forwarding, copying, downloading, and printing.

Confidential Mode is not true end-to-end encryption. Google can still access the message on its servers. But it adds meaningful protection against unauthorized sharing and accidental exposure.

Outlook Message Encryption

Microsoft 365 users can encrypt individual messages. In the compose window, click Options, then Encrypt, and select "Encrypt-Only" or "Do Not Forward." The recipient receives an encrypted message that they can read through a secure web portal if they do not use Outlook.

Outlook encryption works best when both sender and recipient use Microsoft 365. For external recipients, the experience involves an extra step of authenticating through a web portal.

ProtonMail and Tutanota

If security is a primary concern, consider using an email service built on end-to-end encryption. ProtonMail and Tutanota encrypt messages on the sender's device before they ever reach the email server. Even the service provider cannot read the contents. Our guide to free email providers covers these and other security-focused options in detail.

Method 3: Use Secure File-Sharing Platforms

[Infographic: Security Level Selection Guide, matching document sensitivity levels to appropriate security methods]

For documents requiring audit trails, access controls, or regulatory compliance, email attachments are insufficient regardless of encryption. Use a dedicated file-sharing platform instead.

Google Drive with restricted sharing. Upload the document to Google Drive. Share it with specific email addresses and set the permission to "Viewer" (to prevent editing) or "Editor" (if collaboration is needed). Disable options like "Download, print, and copy" under advanced sharing settings. Send the link in your email.

Microsoft OneDrive or SharePoint. Similar to Google Drive, upload the file and share with specific recipients. Set an expiration date on the link and require authentication. OneDrive links can also be password-protected.

Dropbox with view-only links. Upload the document, create a shared link, and set it to "view only." Enable link expiration and require a password for access.

Dedicated secure platforms. For industries with strict compliance requirements (healthcare, legal, finance), platforms like Box, Tresorit, or Virtru provide end-to-end encryption, access logs, and compliance certifications (HIPAA, SOC 2, GDPR).

The advantage of file-sharing platforms over email attachments is control. You can revoke access at any time, see who accessed the document and when, and prevent unauthorized downloads.

Method 4: End-to-End Encryption with PGP or S/MIME

For the highest level of email security, PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) provide true end-to-end encryption. Both methods encrypt the message and attachments on the sender's device and decrypt them only on the recipient's device.

PGP requires both sender and recipient to have PGP keys. Tools like GPG4Win (Windows), GPG Suite (Mac), or Mailvelope (browser extension for Gmail and Outlook) simplify the setup. You exchange public keys, and the software handles encryption and decryption.

S/MIME uses digital certificates issued by certificate authorities. It is more commonly used in corporate environments where an IT department manages certificate distribution. Outlook has native S/MIME support.

Both methods provide strong protection but require technical setup and coordination with the recipient. For most business communication, methods 1-3 are more practical.

Choosing the Right Security Level

Not every document requires the same level of protection. Match the method to the risk.

Low sensitivity (meeting notes, project updates, general business correspondence): Standard TLS encryption from Gmail or Outlook is sufficient. No additional steps needed.

Medium sensitivity (contracts, proposals, invoices with personal information): Password-protect the document and send the password separately. Or use Gmail Confidential Mode or Outlook encryption.

High sensitivity (medical records, legal documents, financial statements, personal identification documents): Use a secure file-sharing platform with access controls and audit trails. Consider end-to-end encrypted email services.

Regulatory compliance (HIPAA, GDPR, SOX, PCI-DSS): Use a platform that provides compliance certifications. Standard email, even with encryption, may not meet audit and retention requirements.

Common Mistakes When Emailing Sensitive Documents

Sending the password in the same email as the file. This defeats the purpose of encryption. If someone intercepts the email, they have both the file and the password.

Using weak passwords. A password like "1234" or "password" provides no real protection. Use at least 12 characters with a mix of letters, numbers, and symbols.

Forgetting to verify the recipient's email address. Sending a sensitive document to the wrong person is a data breach. Double-check the address before sending. Following proper email etiquette reduces the risk of misdirected sensitive information.

Assuming "Delete" means the document is gone. Deleting an email from your Sent folder does not remove it from the recipient's inbox or from email server backups. Once sent, you cannot reliably unsend a document.

Not setting an expiration or revoking access. When using cloud sharing, set link expiration dates. After the recipient no longer needs access, revoke the sharing permission.

FAQ

Is Gmail secure enough for sending sensitive documents?

Gmail uses TLS encryption for messages in transit, which protects against casual interception. For sensitive documents, add password protection to the file or use Gmail's Confidential Mode. For highly sensitive data, use a secure file-sharing platform instead.

Can someone intercept my email attachments?

If the email is encrypted with TLS in transit and the recipient's server also supports TLS, interception is difficult. However, once delivered, the attachment is accessible to anyone with access to the recipient's email account. Password-protecting the file adds a second layer of defense.

What is the most secure way to send a document?

End-to-end encrypted email (PGP or ProtonMail) combined with password-protected files provides the highest level of protection. For most business contexts, a secure file-sharing platform with access controls is the most practical balance of security and usability.

Should I encrypt every email I send?

No. Encryption adds complexity for both sender and recipient. Use it proportionally to the sensitivity of the content. Routine business emails do not need additional encryption beyond standard TLS.
