How to Encrypt Email Attachments — and Why Most Organizations Still Get It Wrong

The fastest way to encrypt email attachments in Outlook is with an add-in like Virtru for Outlook. Once installed, you'll see a toggle in the Outlook compose window. Flip it on before you hit send, and every file attached to that message — Word docs, PDFs, spreadsheets — is encrypted with the message.

Native Microsoft 365 encryption (via Microsoft Purview) is another option. Go to New Message > Options > Encrypt, then choose an encryption policy. The limitation: this approach relies on Microsoft's key management, and recipients outside your Microsoft tenant may hit friction when opening attachments.

For organizations with stricter requirements — healthcare, legal, defense contracting — a dedicated solution like Virtru gives you persistent controls that travel with the file: you can set expiration dates, disable forwarding, and revoke access even after the email lands in the recipient's inbox.

If you've just received a file you can't open, don't worry — you almost certainly don't need to install anything. How you proceed depends on how the attachment was encrypted.

• Virtru-encrypted attachments: The sender's email will include a secure link or a protected file. Click Open with Virtru or open the file directly — you'll be prompted to authenticate (usually via Google or Microsoft sign-in, or a one-time verification code). No software installation required for recipients.
• Microsoft 365 / Purview-encrypted attachments: If you're in the same Microsoft tenant, attachments open normally. If you're external, you'll receive a message from Microsoft with a link to read the content in the browser or via a passcode. You may have to create an account or password to do so. 
• S/MIME-encrypted attachments: You need the sender's public certificate installed in your email client. Open the email in Outlook or Apple Mail — if the certificate is in place, the attachment decrypts automatically.
• PGP/GPG-encrypted files: You need a PGP-compatible tool (like Kleopatra or GPG Keychain) and the sender's public key to decrypt the attachment locally.

If an encrypted attachment won't open, the most common reasons are: you're accessing it from a different email address than the one it was sent to, the sender has already revoked access, or the attachment has passed its expiration date.

There are two approaches: password-protect the PDF itself, or encrypt it as part of the email.

Option 1: Password-Protect the PDF file directly

Adobe Acrobat lets you add password protection to a PDF before you attach it. Go to File > Protect Using Password, set a password, and save. The recipient needs the password to open it. This works across any email platform but requires you to share the password separately — ideally through a different channel.

Option 2: Encrypt the PDF as part of an encrypted email

This is the more practical approach for business use. With Virtru for Outlook or Gmail, you compose your email with the PDF attached, toggle encryption on, and send. The PDF is wrapped in a Trusted Data Format (TDF) container that enforces access policy at the point of opening — no separate password to manage, and you retain the ability to revoke access or set an expiration date.

For regulated environments (HIPAA, CMMC, ITAR), encrypting at the email level — rather than password-protecting the file — is generally preferred because it creates an audit trail and gives administrators persistent control over the document after it's shared.

It depends on the encryption method.

TLS (Transport Layer Security) — the default "encryption" in most email systems, including Gmail and Outlook — protects data in transit between mail servers. It does not encrypt the content of the email or its attachments at rest. Once the message is delivered, TLS provides no protection.

End-to-end encryption tools like Virtru encrypt both the message body and all attachments together. The protection is tied to the content, not the connection — so the files remain encrypted even after delivery, and access is controlled by policy, not by network proximity.

Microsoft Purview / Office 365 Message Encryption: Yes, attachments sent with OME are encrypted. However, the encryption is managed by Microsoft, and control is limited once the message leaves your tenant. Persistent controls like revocation are not available in standard OME configurations.

S/MIME: Encrypts the entire message including attachments, but only between parties who have exchanged certificates.

The short answer: if you want attachment encryption that persists after delivery and gives you ongoing control, you need protection that travels with the data itself — not just with the connection.

Whether an encrypted attachment can be forwarded depends on the access controls set by the sender.

With native Microsoft 365 encryption, for example, forwarding restrictions can be applied — but only if the sender selects the Do Not Forward policy. By default, recipients can forward the email and, in some cases, the attachment becomes accessible to the new recipient.

With Virtru, forwarding is governed by the sender's policy settings. You can:

• Disable forwarding entirely — the recipient cannot share the file with others
• Allow forwarding while maintaining the encryption (the new recipient still has to authenticate)
• Revoke access at any time, which instantly locks the file for all recipients, including any forwarded copies

This matters because the threat isn't always an external attacker — it's a well-intentioned employee forwarding a sensitive document to a personal account, or sending it to the wrong external contact. Persistent forward controls close that gap.

That's what "integration, not replacement" means in practice — the same Outlook workflow you already use, with persistent control over where your files end up.

Most encryption tools designed for email support all common file types. With Virtru for Outlook and Gmail, any file you can attach to an email can be encrypted — including:

• Documents: PDF, Word (.docx), Excel (.xlsx), PowerPoint (.pptx), text files
• Images: JPEG, PNG, TIFF, and other image formats
• Compressed files: ZIP, 7-Zip
• CAD and design files: DWG, DXF (common in defense and manufacturing)
• Video and audio files

The encryption wraps the file in a protected container regardless of the file format. The recipient's access policy is enforced at the moment they try to open the file — the file type itself doesn't change that.

One practical note: some file types (like ZIP archives) should be encrypted at the email level rather than relying on the ZIP's built-in password protection, since ZIP encryption standards vary in strength and don't provide audit trails or revocation capabilities.

With modern email encryption solutions like Virtru, external recipients typically do not need to install any software.

When a recipient gets a Virtru-protected attachment, they open it through a secure web reader. Authentication is handled via their existing Google or Microsoft account, or through a one-time passcode sent to their email. The experience takes about 30 seconds for first-time users.

Older encryption standards require more setup:

• S/MIME requires recipients to have the sender's certificate installed in their email client — practical for internal use or established partner relationships, but creates friction for one-off external sharing.
• PGP requires recipients to have a PGP-compatible application and manage their own key pairs, which is too complex for most business workflows.

For organizations sharing sensitive files with clients, vendors, or partners who aren't on the same email platform, a solution that removes recipient-side friction is important. High-friction encryption tends to get bypassed — users find workarounds, and the files end up unprotected.

Signs that an attachment is encrypted:

• File extension change: Virtru-protected files have a .tdf or .html extension wrapping the original file. If you see quarterly-report.xlsx.tdf, it's Virtru-encrypted.
• Password prompt on open: A PDF or ZIP that immediately asks for a password has been encrypted at the file level.
• Secure reader redirect: If clicking the attachment opens a browser window asking you to sign in before viewing, the file is encrypted (common with Virtru, Microsoft Purview, and similar tools).
• Lock icon in email client: Some email clients (Outlook, Gmail) display a lock icon next to encrypted messages or attachments.
• Microsoft OME wrapper: If you receive a message from no-reply@notify.microsoft.com with a link to "Read the message," the original email and any attachments were encrypted with Microsoft 365 encryption.

If you're the sender and want to confirm that your attachments are encrypted — not just the message body — review your email encryption tool's settings. With Virtru, the encryption status (on/off) and access controls are visible in the compose window before you send.

Want to see how this works in Outlook? Virtru for Outlook integrates directly into your compose window — no IT overhaul, no new workflow. You can request a demo to see persistent attachment controls in action.