How To: Use Your iPhone's Mail App to Send and Receive End-to-End Encrypted Emails in Gmail

Gmail uses TLS, or Transport Layer Security, by default for all email communications, so all of your emails will use the standard encryption as long as the recipients also support TLS. But there's a way to add even more security to your Gmail emails, and you can use your iPhone's Mail app to do it.

Apple has supported S/MIME, or Secure/Multipurpose Internet Mail Extensions, on iPhone since iOS 5 over ten years ago. S/MIME is a widely accepted cryptographic protocol for sending and receiving digitally signed and encrypted messages, and it works on top of Gmail's TLS system. S/MIME is similar to PGP, or Pretty Good Privacy, which ProtonMail, FlowCrypt, and Hushmail.

• Don't Miss: The Easy Way to Use PGP for Encrypting Emails on Windows, Mac & Linux

The TLS used by Gmail encrypts the tunnel between email servers, so it's harder for hackers to eavesdrop or snoop on communications while en route. Also encrypted is the connection between email clients and email servers. So as long as you're communicating with somebody whose email provider uses TLS, the route to and from is secure. Still, email remains vulnerable at each end.

Why You Should Use S/MIME Encryption for Gmail

Gmail can and does scan your emails for intelligent features such as malware detection, calendar integration, and autocomplete, so if there's a particularly sensitive topic in the email, you may want to protect it further. Gmail's servers could also become penetrated by attackers one day, possibly giving hackers access to all your data.

On top of that, a hacker could gain physical access to a user's device to search their emails, or they can install malware to see the emails remotely. They can even attack the user's email account directly through password-cracking, social engineering, and other attack vectors for unfettered access.

With S/MIME, you and the recipient each use a certificate from a certificate authority to encrypt your Gmail messages end to end. To send them an encrypted email, you need their public key, and they need your public key to send secure messages to you. To read the messages, each of you uses your own private key associated with the public key to decrypt the contents.

Gmail supports S/MIME directly, but only for paid Google Workspaces, and the Workspace Admin needs to enable it. You can't use Gmail's S/MIME support on your personal Gmail account, and that's where a private S/MIME certificate comes into play. In the iOS Mail app, it's easy to set up S/MIME as long as you have the personal certificate for your email address.

Note that this example uses personal Gmail addresses for both the sender and recipient. In an Exchange environment, things will be different unless communicating with people that aren't using Exchange.

Step 1: Get an S/MIME Certificate for Your Gmail Address

To use S/MIME, you need an S/MIME certificate from a certificate authority. Generally, S/MIME certificates cost money, but some companies will issue demos or free ones that last for a limited time. If you like how it works, you can pay for a subscription. For example, GlobalSign's personal S/MIME certificate costs $59 per year, but it offers a demo to try it out.

For this guide, I'm using Actalis because it's one of the few CAs that offers a free one-year certificate for personal use. You could even reapply for a new certificate after the one year is up, according to its policy:

9.1 Fees

Certificates issued according to this policy are provided for free (that is, at no charge). However, not more than 1 certificate request per year is accepted for each unique email address.

Other CAs you can check out include SSL ($20–$30 per year) and Sectigo ($13.99–$39.99 per year). You may be able to get a free trial or a free limited certificate upon request.

Step 2: Install the S/MIME Certificate on Your iPhone

After you sign up for a personal S/MIME certificate, the company should give you a password for the certificate and send you via email the PFX file, also known as PKCS #12, or a ZIP file containing the PFX. The PFX file is a password-protected certificate archive containing the full certificate with public and private keys. Save this to your iPhone in the Files app for safe-keeping.

Then, unzip the file if necessary, and tap on the PFX file, which will download the certificate as a profile on your iPhone. Tap "Close" on the Profile Downloaded prompt. Then, open Settings and tap "Profile Downloaded" at the top. (You can also find it via Settings –> General –> VPN & Device Management.)

Next, tap "Install," enter your iPhone's passcode, and hit "Install" again.

Now hit "Install" on the prompt. However, before you can install it, you'll need to enter the password the certificate authority gave you when you signed up for the certificate. Hit "Next," then "Done." You should now see your email address listed as a configuration profile in the VPN & Device Management settings.

• Don't Miss: Remove Unnecessary Profiles & Certificates on Your iPhone to Protect Your Privacy & Security

Step 3: Enable S/MIME for Your Gmail Address

You can now activate the certificate for your Gmail email address with the certificate downloaded. Navigate to Settings –> Mail –> Accounts and select your Gmail account. Then, tap your account email address at the top and choose "Advanced."

Here, you'll want to go to both "Sign" and "Encrypt by Default" and toggle them on. The first will add a verified signature to your email so that the recipient knows it's coming from you and no one else. The second will apply encryption when possible to all outgoing emails from the Gmail address in your Mail app. If you just want to let recipients know that the email is definitely from you, use the signature but disable encryption.

Back in the Advanced settings for the Gmail account, it should say "Yes" for both options, or at least one or the other, depending on what you want to get out of it.

Step 4: Have the Recipient Complete Steps 1–3

It's a two-way street, so you'll never be able to use end-to-end encryption unless the person you're in communication with also has a certificate. Once they have one, you both need to swap public keys because they will encrypt the messages. The private key then decrypts and reads incoming messages from the associated public key.

Step 5: Swap Public Keys

Have the person you want to use end-to-end encryption with send you an email once they've set up their certificate in the Mail app. On the received email, tap their name in the From field, which should now have a blue checkmark symbol next to it to let you know their signature is valid. On their contact page, tap "View Certificate," then "Install," followed by "Done."

Afterward, send them an email and have them do the same thing to add your public key to their device. If you see "Unable to Encrypt" with a cross-out red lock, you'll have to tap "Send Anyway" after you try to send it. You can also tap the same lock icon to disable encryption, which will send it as a standard email with your public key certificate.

Step 6: Send and Receive Encrypted Emails

Whenever you want to send an end-to-end encrypted message to the recipient, start a new draft and add their name in the To field. You should see a blue lock icon next to their name now, indicating that encryption is enabled, and it should say "Encrypted" at the top of the window.

If you want to send a regular message, simply tap the blue lock icon on the right side of the To field, and encryption will be disabled this one time. You'll know because "Encrypted" will disappear from the top, and the lock icon will be crossed out.

You'll know encryption was successful for received messages if you see the lock icon next to their name in the From field. If you just see the checkmark, that means it was signed but not encrypted. Replies will also be encrypted unless disabled per message.

You can check the status of the email by tapping the other person's name in the To or From field of the message, and you'll see Signed, Encrypted, both, or neither on their certificate.

Step 7: Install the Certificates on Other Devices (Optional)

If you want to read your encrypted Gmail emails from Mail on your iPad or Mac, you won't be able to because they can't be decrypted. You need to install the private key on all the devices you use with Mail, which decodes the emails. For iPadOS, the process is the same as above. MacOS is a little different but pretty intuitive to set up.

You can also use S/MIME certificates for non-Gmail email addresses like Outlook, Yahoo, AOL, etc., so you're not limited to secure Gmail-to-Gmail communications.