Google Workspace provides an impressive suite of business and collaboration tools, including custom email addresses with your own domain. But, what about email security and privacy? Well, although they do provide some additional email security, they only offer "real" email encryption with their Enterprise plans. And, the options can be complicated and quite expensive. Let's review the "built-in" email encryption options of Google Workspace as well as a much simpler, lower cost, and Google-approved third party solution called SecureMyEmail™.
Email encryption is the process of converting email content (and, ideally, attachments too) into an undecipherable format to prevent unauthorized access by anyone, except the intended recipient(s).
What is end-to-end email encryption?
This is the highest standard of encryption where the email and attachments are encrypted on the sender's device, and can only be decrypted on the recipient's device. When applied correctly, the email and attachments are also encrypted "at rest" when saved or archived on the email provider's server. This should mean that no one, not even the email provider, can access the message or contents.
Why do I need to encrypt email?
Frankly, just for basic security and privacy. Even though we all use email for sensitive personal and business communication, it was never designed for this. Email has many flaws that can only be solved by encryption if you want to keep your personal and business data safe and private. This is especially true when emails are saved or archived because if your email provider ever suffers a data breach, or even just your individual account is hacked, years of personal and/or business data may be compromised.
Why is email encryption usually so complicated and/or expensive?
Well, historically, it was because encryption is a complicated operation. Legacy solutions, such as PGP and S/MIME work, but are hopelessly complex for anyone without a degree in Computer Science. Later attempts to simplify them still weren't so simple and were/are quite pricey. This is why we developed SecureMyEmail. It's incredibly simple, secure, and is very low cost.
Ok, so what are the email security options for Google Workspace?
The email security options for Google Workspace are below. We will discuss each one in detail so you're fully aware of the capabilities, complexity, and cost of each one.
- TLS (Transport Layer Security)
- Google Confidential Mode
- Google Hosted S/MIME (Secure/Multipurpose Internet Mail Extensions)
- Google Client Side Encryption (CSE)
- SecureMyEmail™

TLS (Transport Layer Security)
COST: Free. All Google Workspace plans include standard TLS encryption for emails in transit if both sender and recipient email servers support TLS. However, configuring advanced TLS policies, such as requiring TLS for specific domains or email routes, is more robust in higher cost plans, such as Business Plus.
COMPLEXITY: Easy
ENCRYPTION CAPABILITY: Weak
Google, like most email providers, and SecureMyEmail, use Transport Layer Security (TLS) for a baseline level of email security. This should NOT be mistaken for what people think of as "real" email encryption, though.
- TLS only encrypts the "connection" and not the email or attachments.
- It cannot be guaranteed as both the sender's and recipient's email servers must support it and be correctly configured, which many are not.
- The email and contents are not protected or encrypted after they arrive.
- Emails and attachments are not encrypted "at rest" on the email server when they are saved or archived which means your provider (Google, in this case) can still access.
- The lack of encryption once the email arrives and at rest also leaves emails vulnerable to a hacker or data breach.
Again, TLS is very nice to have, but it's not terribly special. It's really just an evolution of email security protocols in general. Many providers try to claim it as something special they are doing, but it's not.
Google does have useful tools that let you know if the path through the internet is TLS encrypted and refuse to send if it is not. I mean, that is a nice feature, but it's still not a substitute for encrypted email.
Google Confidential Mode
COST: Nada. Google Confidential Mode is included in all Google Workspace plans.
COMPLEXITY: Easy
ENCRYPTION CAPABILITY: Weak. It's not really encryption at all.
Google's Confidential Mode is, again, "something" but it does not encrypt emails and should not be used for anything you truly want to remain secure or private. It, most certainly, should not be used for HIPAA or GDPR compliance.
Here are the main issues:
- It's not encrypted.
- It does add some extra security controls like preventing forwarding, copying, and printing, but these can be easily overridden.
- The email and attachments remain unencrypted and stored in plain text on Google's servers. This makes them vulnerable to a data breach and hacking.
- Google retains full access to the email even when you set a self-destruct timer.
- If you password-protect an email, Google can link your recipient's phone number with their email address. This is a privacy and security issue for whomever you send email to.
If you'd like to know more, here is an older, but very good article from the Electronic Frontier Foundation (EFF) discussing the shortfalls of Google Confidential Mode.
Google Hosted S/MIME (Secure/Multipurpose Internet Mail Extensions)
COST: Very high. As of this writing, is only available with Enterprise Plus and Education plans. Additional costs include purchase of third party S/MIME certificates for each user and significant IT resources due to complexity to set up and maintain.
COMPLEXITY: Extremely difficult and labor-intensive.
ENCRYPTION CAPABILITY: Strong, but still not end-to-end encrypted because Google still has access to the decryption keys.
Despite it's catchy name, Google's Hosted S/MIME is an option you don't want to deal with for Google Workspace email encryption unless you have significant IT resource at your disposal or you truly hate yourself. :) It's been around since 1995 and although improvements have been made over the years, it seems quite outdated versus modern email encryption techniques. The setup and maintenance is extremely complicated and the features are quite limited.
Here are the details:
- Every user must install, manage, and maintain S/MIME certificates and their public/private keys.
- The individual S/MIME certificates are issued by third party trusted Certificate Authorities (CAs), which often require payment.
- If a Certificate Authority is ever compromised, all users are potentially exposed.
- Compatibility issues are common between different email clients or platforms.
- All recipients must also have a compatible S/MIME certificate and public/private key pair.
- To exchange encrypted email, you must first exchange S/MIME keys with every single person you wish to exchange encrypted email with.
- Configuration is also often quite "challenging" for mobile users.
- S/MIME is not compatible with any other email encryption methods.
- Doesn’t provide advanced controls like self-destructing emails or expiration dates.
- Because keys are hosted by Google, Google has access to your email and contents...if that is a concern.
- S/MIME is NOT end-to-end encrypted.
Ok. So that is a lot of bad stuff. ;-) Unfortunately, it's all true. If you are still unconvinced S/MIME is a LOT to deal with, check out Google's own page on setting up S/MIME.
Now, that being said, S/MIME, although not as secure as end-to-end encryption, is, indeed, real email encryption and it works. If you already have a Google Workspace Enterprise or Education License AND a big smart IT department looking for a big project, it may be a viable option.
Google Client Side Encryption (CSE) for Email
COST: Extremely high. Google CSE is only available for the Enterprise Plus, Education Standard, and Education Plus plans. Additionally, beyond the expense of setting up and managing S/MIME, and the third party S/MIME keys, you must hire a third party key management service to provide an additional set of keys per user.
Total Estimated Cost Per User for Google CSE for Email Encryption
Cost Component | Estimated Monthly Cost (Per User) |
---|---|
Google Workspace Subscription | Varies, but approx. $30 (for Enterprise Plus plan) |
Key Management Provider | $5–$10 |
S/MIME Keys | Variable, but Digicert quotes $11 per email address for business email. |
IT Administration/Training | Varies, but setup, training, and ongoing maintenance is required and likely costly. |
Therefore, for a small team of 50 users, the cost may range from $2,300 to $2,550 per month, including subscriptions, S/MIME certificates, and KMS services. Again, this cost estimate does not include any of the IT Administration and Training costs.
It should be noted that larger enterprises with more users may benefit from scaled pricing for Google Workspace, S/MIME certificates, and KMS providers. Nevertheless, this is amazingly expensive compared to modern third party email encryption solutions that are perfectly compatible with Google Workspace.
COMPLEXITY: Extreme. Adds an additional layer on top of the already extremely complex and labor-intensive S/MIME solution with the required management of a third party Key Service Provider (and associated per user keys).
ENCRYPTION CAPABILITY: Strong. The addition of a third party key prevents Google from having access to your S/MIME keys and, therefore, your organization's emails and their content are considered end-to-end encrypted.
But, Google Client Side Encryption (CSE) is essentially just an enhanced version of Google Hosted S/MIME and suffers from all the same other limitations.
All you're getting, with the addition of a third party Key Management Provider, is an additional layer of security where Google cannot access your emails. I mean, that's great if that is a primary concern or if you are trying to meet certain compliance standards, but it still leaves a lot to be desired.
And, again, yes. Google-approved third party email encryption services, such as SecureMyEmail, do accomplish so much more without the massive costs or complexity. As well as provide end-to-end encryption. :)
And, not to pile on, but it must be noted, that even with the shocking expense and difficulty, the one thing you still can't do is send a simple encrypted email to someone outside your organization unless they too have S/MIME set up and you do a key exchange with them...per email address.
So, a Google Enterprise license does certainly have value if you need the capabilities it offers. But, for encrypting email, you can save yourself a tremendous amount of time and expense by staying with one of the lesser cost Google Workspace plans and choosing a third party email encryption provider that integrates with Google Workspace.
Or, even if you have an Enterprise License, the Google options for encrypting email are still quite costly and complicated so a third party option still seems to be the best choice.
SecureMyEmail™
COST: Free tier available. Paid subscriptions are $3.99 month-to-month or $2.50/month with annual subscription (volume, and other, discounts available).
COMPLEXITY: Easy. 3-5 minute setup. Users can set up themselves. No IT support or training necessary. Zero burden on recipients. No need to use SecureMyEmail, download anything, register, perform a "key exchange" :), or even use a password with password-less option.
ENCRYPTION CAPABILITY: Ultimate. End-to-end encryption.
Unless you have significant IT resource, or need the capabilities included in the Google Enterprise License, it's hard to understand why you wouldn't choose a Google-approved third party solution, like SecureMyEmail, to achieve Google Workspace email encryption.
And, even if you do have the budget and IT resources to set up Google Hosted S/MIME or Google Client Side Encryption (CSE), the inability to easily send encrypted email to anyone outside your organization seems to be a dealbreaker.
We humbly suggest you give SecureMyEmail a try. You can do so with our instant download and 30-day free trial. You don't even have to talk to a salesperson or submit any payment information.
Contact Sales at sales@securemyemail.com with any questions and to get a quote for volume pricing and invoicing.
- Fully integrated with Google. Use your Google sign-in to set up.
- Free tier for Gmail, Yahoo, and Microsoft consumer email addresses such as outlook.com, and hotmail.com. No hassle 30-day instant free trial for paid plans.
- Paid plans are only $2.50/month (with annual subscription) or $3.99/month-to-month per user. Contact sales@securemyemail.com for unified invoicing for multi-user accounts and volume discounts for larger organizations.
- Immediately send encrypted email to any email address on Earth
- Zero-knowledge End-to-end encryption. No one, not even Google, can access your encrypted email and attachments.
- Zero burden on recipients. No need to download anything, register, or even use a password with our unique password-less option.
- Beautiful inbox for your recipients to keep all their encrypted messages and reply encrypted back to you, including attached files.
- Paid plans work with any email address or carrier. Not just Google Workspace addresses. Manage all your email accounts in one place.
- Send and Receive your encrypted email from all your devices - Apps for Windows, Mac, iPhone, iPad, and Android included at no cost.
- Encrypted at rest
- Attached files are encrypted too.
- Message Expiration
- Message Revocation

In Summary
Google is a great company with countless innovative products and services. But, so much variety can also make things confusing, and potentially expensive. This is especially true when it comes to encrypting email. If you want the easiest and lowest cost way to send encrypted email with Google Workspace, SecureMyEmail is the best choice. It's fully approved and integrated with Google OAuth authentication and Sign in so the setup is super easy and secure. Feel free to try it right now with an instant 30-day free trial. No payment info, webinar, or talking to a salesman is required.
- Encrypt your personal and business emails.
- All VPN Features, Protocols, and Stealth Modes.
- Unconditional 30-Day
Money-Back Guarantee.