Skip to main content

System Status: 

Email Encryption

Learn about email encryption at UC San Diego, including UC San Diego Health.


Email encryption is a security measure to encode, or scramble, a message so that only the recipients with the key (code) can unscramble and read the message. This is a method of protecting sensitive information in transit so even if the message is intercepted, it is unreadable. Email encryption further ensures that if a malicious person obtains access to your account, the content of those messages remains unreadable to them.

Products and Features

Table of encryption products and features
Proofpoint Email Encryption Microsoft 365 Message Encryption Google Confidential Mode
Enabled with the Outlook client button or the subject line tag SECURE:

Enabled with the Outlook client button.

You can choose to only encrypt, prevent forwarding, mark confidential, or mark confidential view-only.


Select Confidential Mode at the bottom of the message you're composing. 

You can set an expiration date and passcode.

Only encrypts messages going outside of the campus network. It does not work between any * addresses.

Seamless for Microsoft Exchange senders and recipients.

Non-Exchange recipients receive a limited-time web-view link to access encrypted messages in a portal.

You can choose to protect with or without an SMS passcode. *If you choose to protect with an SMS passcode, make sure to enter the recipient's phone number, not your own.

Gmail app users can open directly, non-Gmail users get a passcode via email. 


Proofpoint Email Encryption

UC San Diego, including UC San Diego Health, deployed Proofpoint Email Protection to provide protection of sensitive information sent via email from the UC San Diego network to external recipients. For more information about how to use this system, please refer to these IT Services Support Knowledge Base articles:

Microsoft 365 Purview Message Encryption

When you need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it's converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key, however, sees indecipherable text.

For more information about how to use this Microsoft 365 feature, please refer to their Support documents:

Google Confidential Mode

With Gmail confidential mode, you can help protect sensitive information from unauthorized or accidental sharing. Gmail removes the message body and any attachments from the recipient copy of a confidential mode message, replacing them with a link to the content. Only the subject line and the link are sent as usual.

Confidential mode messages do not have options to forward, copy, print, or download messages or attachments. To further control access, you can:

  • Set a message expiration date
  • Revoke message access at any time
  • Require a verification code by text to open messages 

For more information about how to use this Gmail feature, please refer to this Google Support document:

Frequently Asked Questions

What sensitive information should be encrypted?

Anyone who sends sensitive information to externalrecipients (outside of UC San Diego) must use encryption.

In the course of the academic mission and day-to-day administration, UC San Diego handles large amounts of personal data. Much of this data is not sensitive and is, in fact, publicly available. However, some of it is sensitive, including personal, financial, medical, and legal information.

Prominent examples of data protected by federal and state laws, university policy, and our general recommendations follow. (Context can play a role in data sensitivity so this list is not exhaustive):

  • Do not send the following over encrypted or unencrypted email:

    • Credit card numbers
  • You must encrypt:

    • Health and Medical information that contains any of the ePHI 18 specific identifiers
    • First name or first initial and last name in combination with any one or more of the following data elements:
      • Social Security Numbers
      • Driver's license number or California identification card number
      • Account number, debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
      • Medical information
      • Health insurance information
    • A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
  • We suggest you encrypt:

    • Student record information (FERPA)
    • First name or first initial and last name in combination with any one or more of the following data elements:
      • Passport numbers
      • Foreign visa numbers
      • Mother’s maiden name
      • Birth month, day and year
      • Biometrics (fingerprint, retina scan, etc.)
    • Sensitive HR and employee information 

Is the information I send with email encryption secured on my computer?

Information and files stored on your computer and in your sent items folder are not encrypted unless you take additional action to do so. Consult with your departmental or divisional IT security personnel for advice and detail.

When does my message get encrypted?

The Proofpoint Secure Email system is designed to encrypt messages to external recipients. If you initiate an encrypted message, it will be encrypted as it leaves the UC San Diego border email gateways.

A Microsoft 365 message is encrypted either on the sender's machine, or by a central server while the message is in transit. Microsoft uses Transport Layer Security (TLS) to encrypt the connection between two servers.

In Google infrastructure, messages are encrypted at rest and while in transit between data centers. Messages transiting to third-party providers are encrypted with Transport Layer Security (TLS) when possible or required by configuration.

For assistance, contact the ITS Service Desk (858) 246-4357 (or ext. 6HELP), or the Health IS Service Desk at (619) 543-4357 (or ext. 3HELP).