In the early days of the internet, the communication between email servers was done in plaintext only. That was a huge security risk as anyone with a packet sniffer could see email contents. As a solution, several security mechanisms were added to make it more private and safer against interceptions.
Encryption is one solution against interceptors who want to read private messages. It scrambles the data and makes it readable only to those who have the encryption keys. The whole process isn’t as simple as it sounds, and it can mean several different things.
Short on time? Jump to:
- How to encrypt email in Gmail?
- How to encrypt email in Outlook?
- How to encrypt emails in Yahoo Mail?
- How to encrypt emails on iPhone?
- How to encrypt emails on Android?
- How to encrypt emails on Mac?
How does email encryption work?
Generally speaking, encryption is possible at the transport level or end-to-end. Here’s how they differ:
- Transport level encryption only protects the channel the message travels through. The email is still composed and sent as plain text, but the moment it leaves your mailbox it is wrapped in a layer of encryption. When it arrives at its destination, the receiving end decrypts it and stores it in plaintext for you to read.
- End-to-end encryption makes sure that the email is protected at every stage of the communication. The data can be read only by the intended sender and recipient, and it remains encrypted throughout the exchange.
In both cases the data is made unreadable to outsiders, but at different points along the way.
Transport level encryption uses Transport Layer Security (TLS), or its predecessor Secure Sockets Layer (SSL), as the cryptographic protocol that encrypts plain text messages only during server-to-server exchanges.
When you send an email, your client contacts the server to check whether it supports the requested protocol. The server presents a digital certificate confirming its identity. Once the certificate checks out, the two parties agree on a unique session key that is used to encrypt and decrypt the messages.
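The "does the server support the protocol?" step above is an SMTP dialogue: the client reads the greeting, sends EHLO, and looks for STARTTLS among the capabilities the server lists back. The Go program below is an added example (not code from the article) that plays both halves of that exchange in-process over net.Pipe, with a constructed stand-in server and made-up host names (mx.example.test, client.example.test), so it runs offline. Go’s standard net/smtp client does the parsing; the capability lines passed in are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/smtp"
	"strings"
)

// fakeMailServer plays the server half of the dialogue over conn: greeting,
// EHLO reply built from the given capability lines, and QUIT. It is a
// constructed stand-in for a mail server, so the exchange stays in-process.
func fakeMailServer(conn net.Conn, capabilities []string) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	fmt.Fprint(conn, "220 mx.example.test ESMTP ready\r\n")
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch strings.ToUpper(f[0]) {
		case "EHLO":
			fmt.Fprint(conn, "250-mx.example.test greets you\r\n")
			for _, c := range capabilities {
				fmt.Fprintf(conn, "250-%s\r\n", c) // one "250-" line per capability
			}
			fmt.Fprint(conn, "250 HELP\r\n") // final line: "250" followed by a space
		case "QUIT":
			fmt.Fprint(conn, "221 bye\r\n")
			return
		default:
			fmt.Fprint(conn, "502 command not implemented\r\n")
		}
	}
}

// OffersStartTLS is the client half of the check: read the greeting, send
// EHLO, and report whether STARTTLS appears in the reply. When it returns
// false, a client that carries on anyway delivers the message in the clear.
func OffersStartTLS(capabilities []string) (bool, error) {
	clientEnd, serverEnd := net.Pipe() // stands in for a TCP connection to port 25
	defer clientEnd.Close()
	go fakeMailServer(serverEnd, capabilities)

	c, err := smtp.NewClient(clientEnd, "mx.example.test") // reads the 220 greeting
	if err != nil {
		return false, err
	}
	if err := c.Hello("client.example.test"); err != nil { // sends EHLO, parses the 250- lines
		return false, err
	}
	ok, _ := c.Extension("STARTTLS")
	return ok, c.Quit()
}

func main() {
	for _, caps := range [][]string{
		{"SIZE 35882577", "STARTTLS", "8BITMIME"},
		{"SIZE 35882577", "8BITMIME"},
	} {
		ok, err := OffersStartTLS(caps)
		fmt.Printf("server advertises %v -> STARTTLS offered: %v (err: %v)\n", caps, ok, err)
	}
}
```

Against a real server, `openssl s_client -starttls smtp -connect mx.example.test:25` shows the same EHLO reply and the certificate the server presents. Because this TLS is opportunistic, a server that does not advertise STARTTLS simply gets the message in plaintext; provider settings that require TLS for a destination, or an MTA-STS policy published by the receiving domain, are what turn "encrypt if offered" into "refuse if not".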
With end-to-end encryption, the message is encrypted and decrypted only at the endpoints: it is decrypted only when it reaches its final destination. It stays private from hackers and service providers alike. Some email services even have it built in.
End-to-end email encryption requires both the sender and the recipient to have a pair of cryptographic keys. The process is as follows:
- Both the sender and the recipient generate a key pair. They exchange their public keys with each other and keep their private keys strictly to themselves. When you register with an encrypted email service, you are also issued a public key.
- The sender composes a message, encrypts it using the receiver’s public key, and sends it.
- The receiver gets the encrypted message and decrypts it using their private key.
This way, encryption and decryption happen on the user’s device, which prevents any intermediary, including the email service provider itself, from ever learning the content of the message.
Protocols used for email encryption
Some of the protocols used for end-to-end encryption include:
- GNU Privacy Guard (GPG). GPG, also known as GnuPG, lets you encrypt and sign your data and communications. A free-software replacement for Symantec’s PGP, it features a robust key-management system and access modules for many public key directories. Easy integration with other applications, such as email clients, is another big plus.
- Pretty Good Privacy (PGP). A popular program used to encrypt and decrypt messages over email and to add digital signatures to messages and files. It follows the OpenPGP standard (RFC 4880). PGP combines hashing, data compression, and symmetric and asymmetric cryptography.
- Secure/Multipurpose Internet Mail Extensions (S/MIME). A protocol for sending encrypted and digitally signed messages; the signature lets the receiver confirm that the message was not altered in transit. All of this only works if both parties have it set up in their email clients.
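The three-step process described earlier (exchange public keys, encrypt to the receiver’s public key, decrypt with the private key) and the combination of primitives listed for PGP (hashing, compression, symmetric and asymmetric cryptography) can be shown in one program. The Go code below is an added example, not code from the article or from GnuPG/OpenPGP: it builds a constructed envelope format of its own with Go’s standard library (RSA-OAEP to wrap a random AES-GCM session key, DEFLATE compression, RSA-PSS over a SHA-256 digest for the signature), so it is not interoperable with real OpenPGP or S/MIME messages. The names alice, bob and mallory and the sample message are constructed.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is a constructed wire format for one end-to-end encrypted message.
type Envelope struct {
	WrappedKey []byte // random session key, encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // compressed message, encrypted under the session key
	Signature  []byte // sender's signature over the ciphertext
}

// NewKeyPair is the "generate your keys" step: the private half stays on the
// device, only &key.PublicKey is ever handed to correspondents.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the sender's side: compress, encrypt under a fresh session key,
// wrap that key for the recipient, and sign so the recipient can check origin.
func Encrypt(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	// 1. Compression happens before encryption; ciphertext does not compress.
	var packed bytes.Buffer
	zw, _ := flate.NewWriter(&packed, flate.DefaultCompression) // errors only for an invalid level
	zw.Write(msg)
	zw.Close()
	// 2. Symmetric part: a random 256-bit session key and 96-bit nonce, used once.
	rnd := make([]byte, 32+12)
	if _, err := io.ReadFull(rand.Reader, rnd); err != nil {
		return nil, err
	}
	sessionKey, nonce := rnd[:32], rnd[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, packed.Bytes(), nil)
	// 3. Asymmetric part: only the recipient's private key can unwrap the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// 4. Hash the ciphertext and sign the digest with the sender's private key.
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Decrypt is the recipient's side. The signature is checked first, so a forged
// or altered envelope is rejected before the private key is even used.
func Decrypt(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature invalid: altered in transit or not from the claimed sender")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: this is not the recipient's private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	packed, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(packed)))
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	mallory, _ := NewKeyPair() // the provider or an interceptor: holds only public keys
	env, _ := Encrypt([]byte("constructed sample: the meeting moved to 10:00"), alice, &bob.PublicKey)
	plain, err := Decrypt(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads: %q (err: %v)\n", plain, err)
	_, err = Decrypt(env, mallory, &alice.PublicKey)
	fmt.Println("intermediary:", err)
}
```

The order in Decrypt is deliberate: verifying the signature before touching the wrapped key means a message that was altered on the way, or that merely claims to come from the sender, fails closed, which is the property the later section on confirming the sender relies on. Whoever relays the envelope, the provider included, holds only public keys and cannot recover the session key.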
Ways to encrypt your emails
If you want to encrypt your email, there’s an easy way and there’s the DIY approach. You can either opt for an end-to-end encrypted email service or set up an encryption protocol on your current mailbox. Keep in mind that for the latter approach to work, the sender and the recipient need matching setups. Some services also have built-in encryption protocols.
Here’s how to send encrypted emails if you don’t want to use third-party solutions.
How to encrypt email in Gmail?
The S/MIME protocol is already built into Gmail’s infrastructure, but it’s not enabled for all users. If your account isn’t a business or education (G Suite) account, you will not be able to use the feature. Even with a G Suite plan, you will still need to ask your administrator to enable it in the admin console. Only then will you be able to turn on encryption as a user.
If S/MIME is enabled, a lock icon appears next to the recipient’s name when you compose a new email. You can check the encryption status of the message there:
- Red: the email isn’t encrypted.
- Gray: the email is secured via TLS. This works only if your recipient’s client also supports TLS; otherwise you won’t be able to verify the encryption status.
- Green: S/MIME is on and your message will be secured with a private key.
By default, Gmail uses TLS when communicating with most other providers’ servers. If you want additional privacy, you can also use a third-party browser extension such as FlowCrypt, which adds a Secure Compose button to the regular interface. However, your recipient will also need to have this extension installed, or use another PGP system, to read your message.
How to encrypt email in Outlook?
Adding S/MIME to your Outlook account isn’t the easiest of tasks, but chances are you won’t be doing it yourself. As with Gmail’s G Suite, S/MIME support is reserved for administrative users, who can enable it on organization accounts by following the official Outlook guidelines.
Once that is done, all that’s left for you to do is open your Outlook app and click the gear icon to select S/MIME settings. You can choose what you want to encrypt (contents, attachments) or add a digital signature to all the messages you send.
You can encrypt individual messages by selecting More options > Message options and clicking Encrypt this message (S/MIME).
Keep in mind that this only works if the receiving party also has S/MIME set up; otherwise they won’t be able to read the message.
How to encrypt emails in Yahoo Mail?
If you’re looking for ways to encrypt Yahoo Mail, you’re trying to solve one problem while ignoring another. In general, your email provider should be the one going toe to toe with prominent cybersecurity challenges. Past data breaches have crippled Yahoo’s authority as a secure provider, so before you go through with the encryption setup, evaluate whether it will actually improve anything.
That said, Yahoo uses SSL by default. S/MIME and PGP aren’t built in, and you will need to install third-party applications such as Virtru to use them. At the time of writing, there were no plans to integrate S/MIME or PGP encryption for regular users.
How to encrypt emails on your device
If you’d rather use email clients on your devices than deal with web clients, here’s where to start.
How to encrypt emails on iPhone?
S/MIME support is included on all Apple devices. iOS is no exception, and it’s very easy to toggle even for regular users:
- Go to Settings and tap Accounts & Passwords
- Select the email account that you want to encrypt
- In the next window, tap Advanced
- Scroll down and locate S/MIME and switch the slider on
- Change Encrypt by Default to Yes
- When you compose an encrypted email, a lock icon appears next to the recipient. Tapping it enables encryption. A blue lock means the email can be encrypted; a red lock indicates that the recipient needs to toggle S/MIME in their settings.
How to encrypt emails on Android?
If you have an Android phone, you can add an encryption layer to your emails, but you will need third-party apps. Once installed, you will need to grant the apps permissions and exchange your public keys with the recipient. For example, apps like CipherMail add an option to set up S/MIME encryption in your existing email clients. We can only hope that the next Android version will include built-in encryption for your emails.
How to encrypt emails on Mac?
Apple Mail supports S/MIME out of the box. Here’s how to set it up:
- Go to Finder > Applications > Utilities and then double-click on Keychain Access
- Find Certificate Assistant and click Create a Certificate
- Name your certificate and click Create and Continue
- Go to Keychain Access again to locate your certificate and right-click the file. Then, click New Identity Preference
- Enter your email address in the box and click Add
- Allow access from your Mailbox account to the Keychain Certificate
- Now you can send your certificate to a recipient to start encrypted conversations by clicking the padlock next to your contact’s name in the address bar.
Why is email encryption necessary?
When sending confidential information, whatever its degree of sensitivity, you should always be cautious. There’s quite a lot an attacker could do if they got hold of your private information, so why risk it?
Here’s how it could be beneficial to you:
1. Your private information remains private
Email encryption will protect your confidential information like your bank account number, social security number, etc. If stolen, this data is invaluable to cybercriminals. To avoid such leaks, encryption is a must.
2. Avoid your message being re-sent
Not only can a message you sent be altered, but attackers can later use it however they like. It’s easy to save a message, alter it, and re-send it. Typically, cybercriminals get a foot in the door with an altered genuine message and follow up with spoofed emails.
3. Avoid identity theft
The sensitive information you send through email is often the same information you use to confirm your identity. In other words, email weaknesses are one of the easiest ways for attackers to obtain this private information, which helps immensely when stealing your identity.
4. Confirm that the claimed sender sent the message
Forging genuine-looking messages is far too easy. Digital signatures added to encrypted email messages help confirm the identity of the sender.
Are email encryption apps secure?
Most apps used to manage and exchange encryption keys are pretty secure. Just make sure that the app is actively maintained and regularly receives updates. Since most of them are open source by nature, it’s easy to verify this by going to GitHub and looking at the dates of the latest versions.
If you don’t want to set up Symantec Encryption Management Server to use PGP, your best bet is an encryption app. You can try Android Privacy Guard, OpenKeychain or oPenGP. It’s also possible to use lightweight add-ons like Mailvelope, but make sure that the receiving party uses a matching setup so that the exchange is possible.
Best encrypted email providers
If you aren’t satisfied with DIY solutions and need to be extra sure that your communications are private, why not opt for a secure email service? These services provide a more natural way to manage your email, with built-in encryption measures that you won’t have to set up yourself.
ProtonMail is one of the most popular options for privacy-minded individuals, mainly because it uses end-to-end encryption, which also applies to messages sent to non-Proton users. So you can have safer communications without forcing everyone around you to change their email provider.
Your IP address is stripped from the headers of your emails. If you need a little more than the default protection, you can set up PGP, as the service supports it. When it comes to safety, the service is as good as it gets.
Although there’s no desktop version, mobile apps are supported, and the web client works well too. They can feel a bit dated from a UI perspective, but after a while you’ll scarcely notice the difference. Plus, the options for categorizing messages into folders are much better in ProtonMail.
If you stick to the free version, you get 500 MB of storage and 150 messages per day.
Tutanota is an open-source alternative that many consider even safer than ProtonMail. Instead of PGP, it uses AES and RSA, combining symmetric and asymmetric encryption. If you need additional account safety, you can protect your account with two-factor authentication.
When it comes to privacy, the service erases IP addresses from each sent email’s metadata to avoid oversharing your details. Plus, the sender’s and receiver’s names and the subject line are encrypted when the emails are stored.
You can download Tutanota apps for desktop as well as mobile. Not only are they intuitive to use, they also come with extra features like a calendar. Unlike Gmail’s, it’s encrypted, so your schedule is as safe as your communications.
If you’re a free user, you get 1 GB of storage, a bit more than other secure email providers offer. Plus, they use several methods to compress your emails to save space, so your mileage should be better than you expect.
CounterMail’s web page is heavily outdated, but they’re one of the best in terms of security. If you’re very privacy-conscious, you’ll be delighted to know that they use RAM-only servers, so after every session your data is purged.
Another benefit is that they’re the only provider that guarantees protection against SSL man-in-the-middle attacks. If you need it, you can also add two-factor authentication to make your account even safer.
There are even options to take your privacy one step further with cryptocurrency payments. That said, keep in mind that they still operate out of a Fourteen Eyes country, which may cause problems in the long run.
It’s easy to integrate the service with other IMAP/SMTP clients, and they have mobile apps for your smartphone.
If you’re curious about what’s on offer here, you can try the service with a 7-day free trial.
How can I encrypt an email for free?
The easiest way to get encrypted email is to use a secure email service with encryption built in. Otherwise, if your email service supports it, you can use various clients and add-ons to send emails in encrypted form using PGP or other methods.
When should you manually encrypt an email?
If you want to exchange very sensitive data, consider adding extra measures to make your communication safer. Keep in mind that proper end-to-end encryption requires a matching setup on both ends; otherwise the receiver won’t be able to read the message.
Does Gmail automatically encrypt emails?
No. Gmail only encrypts emails while they are in transit. When they arrive in the inbox, they are decrypted and stored in plain text. This puts your privacy at the mercy of your email service provider, Google.
Does a VPN protect your email?
A VPN makes it hard for your Internet Service Provider to track what you do online. Email technology is very outdated, but if you log on to your email through a VPN, your ISP will not know what is being sent. However, your email service provider will still have full access to the contents if they are stored in unencrypted form.