I wouldn't recommend emailing sensitive information. I think you better email a link (https), let the user click the link that brings to a login page that asks for password. The page then can generate the XLS on the fly if the user authenticated correctly.
The Excel password is exploitable, once you have the file. Another story is trying to exploit a secure PHP login.
https://www.google.com/search?q=recover+Excel+file+password&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb
Generating the XLS on the fly may mean, either dumping a prapared file (keep it outside of the document root, so it is not accessible via www) or better, read yesterday report data on the fly and dump it out as cells. At this point using CSV or Excel is your choice.
For generating Excel files (both on the fly or to save on disk) you can use the excellent PHPExcel https://phpexcel.codeplex.com/
To let the user download a file, you have to set the correct headers before any PHP output:
header('Content-Type: application/vnd.ms-excel');
header('Content-Disposition: attachment;filename=REPORT.XLS');
then output (echo) the file contents (either reading it from disk or generating on the fly) and exit. In PHPExcel to download an Excel5 doc you would:
$objWriter = PHPExcel_IOFactory::createWriter($objPHPExcel, 'Excel5');
$objWriter->save('php://output');