An email that isn't encrypted is like a postcard: malicious actors can intercept it easily. Hence, it's necessary to encrypt emails containing confidential data to prevent any form of tampering. However, in order to avoid common fallacies and misunderstandings, it is essential to understand the basics of email encryption and how to make use of it properly.
Are Emails Really That Vulnerable?
You may have already heard of secure encrypted protocols used to transfer messages between email clients and servers or from one SMTP server to another, or something called DKIM digital signature. Transport protocols offer a high level of protection for data transmission, so that no one can see your message’s content even if they gain physical access to data being transmitted. DKIM, in turn, protects you from malicious emails trying to pose like something coming from trusted sources.
However, after the email is transmitted, it is stored in your mailbox which is in fact an ordinary file on your computer. The same is true for messages in the process of transmission, when they are kept on an SMTP server’s disk for the time it takes to deliver a message. These files are usually unencrypted and are protected only by the operating system’s own security mechanisms, which might be insufficient.
As such, your precious data may be open to malware, hacker attacks or even an evil onlooker who might happen to walk by your laptop while you are away. With all that in mind, what extra steps could you take to keep your email correspondence safe?
Email Security And Encryption Technologies
It’s important to understand the various types of encryption techniques in relation to email, and what they are used for. Let’s cover the basics.
1. Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol that encrypts network communications. It is widely used in different types of applications, including email clients and SMTP servers. These days, TLS is widely adopted by email providers, and you’ll hardly ever encounter unencrypted communications here. For more information about this protocol, see our blog article.
As stated above, secure mailing is not limited to encrypting data during the transmission process. Being an important part of the setup, TLS still must be accompanied by other means to implement full email security.
DomainKeys Identified Mail (DKIM) specification has something to do with emails being digitally signed, however it does not directly support message encryption. Instead, it provides a way to authenticate the integrity of certain email technical headers, such as the sender’s address, timestamp or subject (but not the email’s body or attachments). This allows the recipient to make sure that the email indeed comes from a person or entity it claims to be from.
While not directly providing email encryption, DKIM is still an important and almost universal part of modern email technology.
3. Secure Multipurpose Internet Mail Extension
Secure Multipurpose Internet Mail Extension (S/MIME) is a widely accepted standard for end-to-end encryption of email messages. In this specification, a cryptographic certificate must be installed on the email clients of both the sender and the recipient. When an email is sent, the sender encrypts it with the addressee’s public key and the recipient decrypts it with their private key.
S/MIME also attaches digital signatures to every email to verify that their contents haven't been tampered with. Encryption and digital signature do not depend on each other, so applications may use the two functions independently, if needed. The downside is that S/MIME is incompatible with web based email client software.
4. Pretty Good Privacy
Pretty Good Privacy (PGP) is yet another technology employed for securing the electronic mail facility. It is an open source software package, developed by Phil Zimmerman in 1991. PGP provides the basic requirements of cryptography. It uses various steps such as authentication, confidentiality, compression, e-mail compatibility, segmentation and reassembly for securing the email.
PGP and S/MIME share a lot of similar features, but PGP is lacking the ability to handle email attachments. Also, S/MIME is more efficient and is primarily aimed at industry use, whereas PGP is easier to incorporate into existing software.
Practical Ways to Encrypt Emails
So, how can an ordinary person use these fancy technologies to keep their email communications as safe as possible?
To begin with, you can make the effort to encrypt your message manually, using any external tool you like (e. g. create a password-protected archive), and add the encrypted file to a regular email along with an instruction for the addressee on how to decrypt it. (Seriously, don’t ever do that! It is both outdated and quite insecure.)
Some of the common email services provide tools that enable users to manually encrypt selected emails if needed. There isn’t one method of encrypting email for all email services. The process varies depending on the platform you’re using, but most email providers follow similar procedures.
The most convenient way of encrypting emails is by using an email service that has encryption built right into its framework, some of which we describe below. These types of services, however, tend to be a bit more difficult to use than popular email services like Gmail.
Examples of Email Encryption Services
There are quite a few email services whose main appeal is encryption. These services let users encrypt their email by default and are marketed to people who care a lot about privacy on the internet. Examples include ProtonMail, Scryptmail, Mailfence, and Posteo.
The drawback of using encryption-focused email services is that they’re more difficult to set up and use than common email providers like Gmail or Yahoo. Another drawback is that malicious actors also tend to use these encryption-focused services, so certain websites decided to block their domain names. For instance, you can’t use a ProtonMail address to sign up on Instagram.
Even at that, some of these encrypted email services are more complex to use than others. ProtonMail is among the most popular ones because it's easier to use than most rivals.
This is the most popular end-to-end encrypted email service. The company’s servers are hosted in Switzerland. It uses client-side encryption to secure users' messages before they get to the platform's mail servers. Your contacts are also encrypted, so one can tamper with your contacts or see any details. With this service, you are even able to send a password-protected email to anyone who isn’t on ProtonMail.
Mailfence is a Belgium based end-to-end encrypted platform that uses the OpenPGP encryption protocol. You get full control of your encryption keys and access to additional features like secure document and calendar sharing. The service offers a variety of ways to connect to your mailbox, including SMTP, POP, IMAP, and HTTP.
Posteo is a German email service that offers solid privacy and security. It encrypts email messages using the S/MIME or OpenPGP protocol. The platform also has a very sophisticated spam and virus filtering system to protect users.