Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform

[H]ard|Gawd
Jul 30, 2007
1,775
On the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks.
The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming
weeks and to any email inbox later this year. What makes the new encryption model – an alternative to the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol – stand out is that
it eliminates the need for senders or recipients to use custom software or exchange encryption certificates.


Link: https://thehackernews.com/2025/04/enterprise-gmail-users-can-now-send-end.html?_m=3n.009a.3631.fe0ao0a8e7.2npe
 
The end of spam as we know it? Probably not. Someone will come along and ruin everything, again.

I hope this technology isn't proprietary to Gmail. Email needs an overhaul from a security standpoint, and it's near impossible to get your own email server up and running with all the hoops you have to go through just to make it not seem like a source for spam. Dmarc records, AAAA records, SPF records, DKIM signatures, etc. The list goes on and it's enough to spin anyone's head.

I guess the alternative is to pay the "pros" to do it all for you. And maybe that's what Google is trying to do here? At this point, who doesn't have a Gmail account?
 
That would not be end to end encryption, if google was able to read it ;)

Absalom said:
The end of spam as we know it?
Wouldn't that make spam easier, as the server cannot filter for content anymore, I am sure I am just missing the relationship between encryption and spam ? Mass emails will cost too much to produce because of the encryption compute ?
 
LukeTbk said:
That would not be end to end encryption, if google was able to read it ;)


Wouldn't that make spam easier, as the server cannot filter for content anymore, I am sure I am just missing the relationship between encryption and spam ? Mass emails will cost too much to produce because of the encryption compute ?
I may have been overthinking what this is. E2EE means both ends have to agree on an encryption scheme, probably a previously agreed upon symmetrical public-private key pair. So just the email itself is kept away from prying eyes while in transit.

For example, DKIM only puts a digital signature in the header of the email. It does not encrypt everything if anything at all. It's just there to prevent spoofing.

Obviously, this isn't intended to replace email altogether but supplement it. You'll still get spam in your inbox, that isn't encrypted. Unless your IT sets up rules that assert only encrypted sources are allowed, reject all others.
 
A yes for email that require and handshake, but email just from contacts was already an easy enough filter to have.
 
Zarathustra[H] said:
End to end encryption, sure, but I bet Google themselves have access to a key so they can spy on the content :p
They specifically mentioned google itself can't see it if we are to believe them.

If successful, I see it as a good way to communicate securely with other entities/companies/partners which can't directly access your internal network because it is isolated without the extra effort.
 
Last edited:
sram said:
That specifically mentioned google itself can't see if we are to believe them.
The article mentions CSE, so it depends on who is the holder of the encryption keys and where they are stored (cloud was mentioned in the article). If they are stored on Google owned servers, then the claims that they can spy on you hold true. It goes without saying that Google only needs one end's key to accomplish that.

In the case of a non-Gmail recipient (e.g., Microsoft Outlook), the Google email platform sends them an invitation to view the E2EE email in a restricted version of Gmail, which can be accessed via a guest Google Workspace account to securely view and respond to the message.
So basically, if you're not using a Gmail web-client (i.e. Outlook) you're getting an email with a link that forwards you to a temporary Gmail session. From there the message is "decrypted" and presented in the web browser. This is about as "Trust me, bro" as it gets.
 
If it works the same way the 365 version does you don't actually get sent the message but a link to open the message on the sender's mail system (365 exchange) where you authenticate with your account and it lets you view, copy, forward, reply based on the access controls set by the sender and DLP controls in your browser.

I set up systems like this like 15 years ago at this point from custom email encryption vendors (typically using encrypted pdf w/password) but DoD is moving off of smime so now it's the cool thing to do I guess.

edit: Also the nice thing about solutions like this is you can integrate it into DLP style systems with content recognition so it'll automatically encrypt stuff with PII, SSN, etc. in it, that's why I set up those systems back in the day in the first place.
 
Yes it does work that way based on what I’ve seen. And the S/MIME deployments needing 3’rd party signed user certificates are a PITA to manage and easy to have go wrong. O365 has a happy middle ground utilizing tools in Intune and Perview and their canned policies for Data and Privacy Protection.

I can understand why the DoD and anybody really would want to move off S/MIME deployments, the process relies on user assigned certificates that get created automatically on demand when a user signs into a device but need to be manually revoked when the device is retired. So if a certificate isn’t retired because somebody was busy or sick or just plain forgot, large environments can quickly find themselves with a huge pile of extra certificates. It’s an administrative nightmare and a security problem waiting to happen.

It’s ultimately one of those security standards that’s great on paper but terrible in practice.
 
Lakados said:
Yes it does work that way based on what I’ve seen. And the S/MIME deployments needing 3’rd party signed user certificates are a PITA to manage and easy to have go wrong. O365 has a happy middle ground utilizing tools in Intune and Perview and their canned policies for Data and Privacy Protection.

I can understand why the DoD and anybody really would want to move off S/MIME deployments, the process relies on user assigned certificates that get created automatically on demand when a user signs into a device but need to be manually revoked when the device is retired. So if a certificate isn’t retired because somebody was busy or sick or just plain forgot, large environments can quickly find themselves with a huge pile of extra certificates. It’s an administrative nightmare and a security problem waiting to happen.

It’s ultimately one of those security standards that’s great on paper but terrible in practice.
Did the DOD switch away from smart (CAC) cards for email signing and encryption. I used to work for a contractor a decade+ ago, the setup was a PITA. Mostly because outlook made it so clunky, the Dell laptops we had then had a built in card reader, not having that anymore would make it more fun I imagine. I was lucky enough to have an army reserve center a few miles from where I lived, so getting my card renewed wasn't hard; if you didn't have one local to it was hassle.

My understanding was that the certs were created and preloaded on the card when it was issued, and not something we could tinker with after the fact.
 
In theory it could help with impersonation spam. If there's a way to Company X to signal that 100% of their email is signed with a key derived from their company cert recipients could automatically discard anything that wasn't signed.

OTOH some mail providers already are signaling that no third parties are allowed to send mail claiming to be from their domain (which mostly hurt users of old school mailing lists), I'm not sure how much of anything this would add.
 
I don’t know, if they did, but in my workings with it I can certainly understand the desire to no do it.

I’m experimenting with encoding certificates to RFID cards right now because we just installed a bunch of interactive displays. And having people type their passwords into an 82” onscreen keyboard in front of 30+ people is an absolutely awesome thing to do…. So if their staff ID was also an RFID that doubled as a sign in on authorized hardware it solves that… but likely causes a whole other set of problems I haven’t yet thought of.
 
That is what DKIM signatures are for.

In my experience the click the link style of “encrypted” emails are easier to trick people with. Just need to make it look legit enough and they will happily click that web link and enter their password without a second thought.

Long Story Short, my last phishing expedition came back with a big haul. HR was not happy about all the release time for security training it caused…

But yeah make any message that doesn’t pass DKIM, DMARC, and SPF tests go to Quarantine, not spam. And it will catch most of the bad stuff and more than enough of the sales flyer style messages that aren’t spam but should be.
 
It may depend on who is getting the CAC, etc. since a lot of gov sites use CAC certs for authentication. The new version of outlook also doesn't support S/MIME.
 
The problem with impersonation is when people get an email from webmaster@johnscoolwordpresssitewithbadplugins.com with a Bank of America header, they treat it like it's from BofA.

There's not really anything BofA can do about that. And there's not much gmail can do about it either. (Although showing the sender addresses would be nice! I don't know why all the mainstream email clients want to hide the most important part of the mail...)
 
