Encrypting the email is the most secure way to do it IMHO. If you have control of the server, you can install GPG and call it from the command line to encrypt the email with a secret key. The downside is that the recipient will require a plugin for their email client and the public key to decrypt the message with.
A slightly less secure way, but easier on your end user, is to send a plain email containing a link for the person to download the XLS file. The XLS file is then stored behind a password-protected area. Use HTTPS to encrypt the page and the download. Additionally, you could create a one-time hash using MD5, or better, SHA256, that is generated by the PHP script and stored in a database in relation to the file. Send that as a link parameter and have it expire. That makes it much more difficult for an unintended person to access the link.
The second method also has the benefit of being available on any host that will let you do SSL. No need to have special access to the server.
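The one-time, expiring link from the second method, sketched in PHP as an added example that is not part of the original answer. It assumes the `pdo_sqlite` extension; the `download_tokens` table, function names, file path and URL are hypothetical. The link value here comes from `random_bytes()`, and only its SHA-256 hash is stored in the database.

```php
<?php
declare(strict_types=1);

// In-memory SQLite keeps the example self-contained; the table and
// column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE download_tokens (
    token_hash TEXT PRIMARY KEY,
    file_path  TEXT NOT NULL,
    expires_at INTEGER NOT NULL,
    used_at    INTEGER
)');

// Create a token for a file; returns the value to put in the emailed link.
function issueToken(PDO $db, string $filePath, int $ttlSeconds): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO download_tokens (token_hash, file_path, expires_at)
                          VALUES (?, ?, ?)');
    // Only the SHA-256 of the token is stored, so a leaked table
    // does not yield working links.
    $stmt->execute([hash('sha256', $token), $filePath, time() + $ttlSeconds]);
    return $token;
}

// Returns the file path once for a valid, unexpired token; null otherwise.
function redeemToken(PDO $db, string $token): ?string
{
    $hash = hash('sha256', $token);
    $now = time();
    // One UPDATE marks the token used only if it is still unused and
    // unexpired, so two concurrent requests cannot both succeed.
    $stmt = $db->prepare('UPDATE download_tokens SET used_at = ?
                          WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?');
    $stmt->execute([$now, $hash, $now]);
    if ($stmt->rowCount() !== 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT file_path FROM download_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    return $stmt->fetchColumn() ?: null;
}

$token = issueToken($db, '/srv/private/report.xls', 3600); // constructed path
echo "https://example.com/download.php?t={$token}\n";      // constructed URL
var_dump(redeemToken($db, $token));                // first use
var_dump(redeemToken($db, $token));                // replay of the same link
var_dump(redeemToken($db, str_repeat('0', 64)));   // unknown token
```

The download script would stream the file only when `redeemToken()` returns a path, and the file itself should live outside the web root so the token check cannot be bypassed by a direct URL.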