
Google has officially expanded Gmail's end-to-end encryption (E2EE) capabilities, allowing enterprise users to send encrypted emails to any recipient, even those using non-Google email providers.
The new cross-platform functionality, now generally available, builds on a rollout first announced in April 2025 and removes the need for recipients to use Gmail or rely on traditional encryption setups.
The new capability is part of Gmail's Client-side Encryption (CSE) framework, which encrypts content on the sender's device before it reaches Google's servers. Until now, encrypted messages could only be sent within an organization or to other Gmail users. This update enables the secure transmission of messages to any email address, preserving the core benefits of CSE, namely that Google cannot access the message contents.
The feature was officially released yesterday, but the gradual rollout began on September 30 for both Rapid Release and Scheduled Release domains. It is available exclusively to Google Workspace Enterprise Plus customers with the Assured Controls add-on. For IT teams, it's disabled by default and can be activated at the organizational unit (OU) or group level.
Previous solutions required complex S/MIME configurations, certificate exchanges, or third-party software. In contrast, Gmail's CSE now allows users to send encrypted emails from the familiar Gmail interface, with a notification alerting them that encryption is active.

Recipients who are not using Gmail receive an email notification with a secure link to access the encrypted message. This link opens a restricted, web-based version of Gmail where they can read and respond securely using a temporary guest Workspace account. This preserves end-to-end encryption while maintaining administrative control and audit capabilities for the sending organization.

Gmail, as part of Google Workspace, serves hundreds of millions of enterprise, education, and public sector users globally. While standard Gmail already encrypts emails in transit and at rest, this CSE implementation gives organizations full ownership of encryption keys, ensuring content remains inaccessible to Google.
The April 2025 release marked the first phase of the rollout, introducing encrypted Gmail within trusted domains. The latest expansion fulfills Google's promise to support cross-platform encryption by the end of the year and aligns with its broader efforts to simplify secure communications at scale.
For organizations looking to adopt the feature, the activation process requires minimal configuration. Admins must first enable client-side encryption in the Admin Console and configure key access services (KAS) and key management services (KMS) to control key custody. Once enabled, users with access can start sending E2EE emails immediately, with no need to manage certificates or install additional tools.