How to encrypt email correspondence: Three common methods

Kamile Viezelyte

Cybersecurity Content Writer

How to encrypt an email?

Emails are an easy way for people to share information and access files. However, users can sometimes share highly sensitive information, like passwords, personal documents, and confidential files, over email without considering the risks of unencrypted communication.

Encryption helps protect sensitive data from unauthorized access and ensures your files reach their intended destination without being intercepted. Let’s learn how different types of email encryption work and how to encrypt email correspondence using your preferred service provider.

Understanding the two email encryption levels

Email security is an often-overlooked issue. Typically, an email is only protected by encryption while in transit between the sender and the recipient. However, once it lands in an inbox, all information is presented in plaintext. If cybercriminals stole the sender's or recipient’s email account login credentials, they could easily see any correspondence shared between parties.

To close this gap, some users add a second layer on top of transit encryption to protect the content of sensitive emails. Used together, the two levels protect correspondence both in transit and after delivery, with each covering the other's weak spots.

Level 1: Encryption in transit (TLS/SSL)

TLS, or Transport Layer Security, is an encryption protocol used to secure the connection between the sender's and the recipient's email servers. It protects emails from being intercepted during the server exchange. TLS combines asymmetric cryptography, used to authenticate the server and agree on a session key, with symmetric encryption, used to carry the data itself. Before TLS, users relied on Secure Sockets Layer (SSL) encryption to protect their correspondence in transit; TLS is the improved successor to the now-deprecated SSL.

Most email providers enable TLS by default to shield email content while it is being sent and delivered. However, the message itself is typically stored in plaintext on the provider's servers: it is unprotected before it is sent and after it is delivered. This leaves inboxes exposed, because anyone who gains access to either the sender's or the recipient's mailbox can read the unencrypted content.

Level 2: End-to-end encryption (E2EE)

End-to-end encryption (E2EE) is an encryption method often used by communication apps like WhatsApp. It encrypts messages on the sender’s device and decrypts them only when they reach the recipient. No third party, including the service provider, can read the content within the messages. To apply the same level of security to email, users can rely on dedicated end-to-end encryption protocols like PGP/OpenPGP and S/MIME.

OpenPGP (Open Pretty Good Privacy) is one of the most common encryption standards used to protect emails. It uses public key cryptography to encrypt messages and to create digital signatures that verify the authenticity of a message. For OpenPGP to work, the sender and the recipient must each have the other's public key, which is typically tied to a username or email address. Exchanging keys securely and confirming that a key really belongs to its claimed owner takes some technical skill, which makes OpenPGP relatively complex for less tech-savvy users.

S/MIME (Secure/Multipurpose Internet Mail Extensions) lets users send signed and encrypted messages. It uses a public/private key pair: the sender's private key signs a hash of the message, and the recipient's public key is used to encrypt it. Once signed and encrypted, the email can't be modified without detection. The sender and recipient share their public keys with each other. The sender's public key is then used to verify the hash (the digital signature) of the email, and the recipient's private key decrypts the content. If the signature checks out, the recipient can trust that the content is genuine.

The two email encryption methods are incompatible, so you need to choose which suits your needs better. S/MIME is commonly used to share confidential information pertaining to business data, like legal documents or financial details. Although S/MIME is easier to implement than OpenPGP, its support is often restricted to organizations only.

How to encrypt an email

You can pick one of three routes to encrypt your emails. The first is leaving your unencrypted email provider behind and switching to a service that offers built-in encryption. Alternatively, you can use OpenPGP encryption for personal correspondence or set up automatic encryption via S/MIME for business communication.

1. Switching providers

The easiest way to secure your correspondence is to use a service provider with built-in email encryption. Some email providers offer automated end-to-end encryption dedicated to securing all content shared between senders and recipients.

Create a new account with an encrypted email provider of your choice. Once it’s set up, you can send your first encrypted email to another user within the same service. The E2EE process will run automatically, cutting out the need for a third-party encryption tool. Some encrypted email service providers also allow you to create anonymous email accounts, ensuring thorough identity protection.

However, keep in mind that for your email to be fully protected, your recipient must also use the same service provider. Otherwise, if you send an encrypted email to an unencrypted inbox, the recipient will see its content in plaintext. If your recipient isn’t using the same service provider, you may need to set up a password-protected link or file and share the password with them.

2. Using PGP/OpenPGP

Alternatively, you can set up OpenPGP to send protected content to your peers. This method requires some manual configuration:

  1. Download an app or a browser extension for encryption.

  2. Generate your public and private keys. Make sure you keep your private key secret and don’t share it with anyone.

  3. Share your public key with your recipient so that they can encrypt emails to you and verify your signatures. They must share their public key with you in return for back-and-forth communication.

  4. Compose an email and use your OpenPGP software to encrypt it with the recipient’s public key.

  5. Send the email. The recipient will use their private key to decrypt and read the message.

Keep in mind that your recipient must also use OpenPGP email encryption for it to work.
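To make the role of each key in the steps above (and in the S/MIME description earlier) concrete, here is an added Go example, not code from the article or from any OpenPGP or S/MIME implementation, that models what both standards do underneath: the body is encrypted with a fresh symmetric key, that key is wrapped with the recipient's public key (step 4), the recipient unwraps it with their private key (step 5), and a signature over the body's hash lets the recipient confirm who sent it. The names Envelope, Seal and Open are assumptions; the real standards carry the same pieces in their own packet formats (OpenPGP) or CMS structures (S/MIME).

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte } // assumed stand-in for an OpenPGP/S/MIME message

// Seal is the sender's side: sign the body's hash, then encrypt for the recipient.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 session key plus GCM nonce per message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	digest := sha256.Sum256(msg)
	sig, sigErr := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	wrapped, wrapErr := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if sigErr != nil || wrapErr != nil {
		return nil, fmt.Errorf("sign: %v; wrap session key: %v", sigErr, wrapErr)
	}
	block, _ := aes.NewCipher(key) // 32-byte key, so neither call can fail
	gcm, _ := cipher.NewGCM(block)
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil), sig}, nil
}

// Open is the recipient's side: unwrap the session key, decrypt, then verify the sender.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key was not wrapped for this recipient: %w", err)
	}
	block, _ := aes.NewCipher(key) // key came out of OAEP intact, so it is the original 32 bytes
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("body was modified or corrupted in transit: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], e.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not match the claimed sender: %w", err)
	}
	return msg, nil
}
```

The recipient's key pair protects confidentiality while the sender's key pair provides authenticity, which is why step 3 requires exchanging public keys in both directions.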

3. Using S/MIME

If you plan to share confidential documents, business information, or your private data, you can set up S/MIME email encryption. To use S/MIME, you first need a digital certificate, which contains your public key and is issued by a certificate authority (CA).

You can integrate the certificate into a third-party email app, allowing you to easily certify and encrypt your emails. It doesn’t require any additional software to set up or use. Once you have your digital certificate and have added it to your email client, you can start encrypting your correspondence.

If you decide to use end-to-end encryption to secure your workplace correspondence, make sure you have your digital certificate first. Then, follow the steps to enable S/MIME encryption in your preferred email app. Below, you'll find instructions for setting up email encryption in Outlook, Gmail, and Mail. If you use a different client, you should be able to activate signing and encryption in its security settings.

How to encrypt an email in Outlook

You can enable S/MIME encryption in Outlook by importing your digital certificate:

  1. Follow the steps detailed by the Outlook Mail Guide to switch on encryption based on your Outlook version.

  2. In the same settings screen as detailed in the guide, import the digital certificate you’ll use for authentication.

  3. If you want to add a digital signature to all your emails, check the “Add a digital signature to all messages I send” box. Keep in mind that this feature may be restricted by your organization.

How to encrypt an email in Gmail

On Gmail, S/MIME encryption only works for organizational accounts under Google Workspace. To switch on S/MIME encryption for your company’s Gmail client as an administrator, you need to:

  1. Sign in to your administrator account and access the Google Admin console.

  2. In the menu, select “Apps” and locate “Google Workspace.” From there, select “Gmail.”

  3. Select “User settings” and choose the organization you want to enable encryption for.

  4. Locate and check the “Enable S/MIME encryption for sending and receiving emails” box.

  5. Select “Save” to verify the changes.

Once you’ve switched on the S/MIME settings, it may take up to 24 hours for them to go live. All members of your organization will have to reload Gmail to access the encryption.

You can either add valid certificates yourself or have employees add them through their Gmail account settings. Make sure that all employees who need to communicate with each other have exchanged their public keys, as this is required to encrypt and decrypt emails.

How to encrypt an email on an iPhone (Mail)

To encrypt emails on the iOS Mail app, you need to:

  1. Download the S/MIME certificate you plan to use on your phone.

  2. Open your device’s settings and select “Mail.”

  3. Tap “Accounts” and select which email account you want to add encryption to.

  4. Select “Advanced” and, under “S/MIME,” select “Encrypt by default.”

  5. Select the certificate you want to use for the account.

You can repeat this process manually for each email account you use.

Bottom line

An encrypted email lets you securely share highly sensitive information without the fear of it being intercepted in transit or read without your knowledge. However, even with encryption enabled, you shouldn’t leave other email security practices behind. Follow the usual email security tips, like flagging spam emails, avoiding downloading suspicious attachments, and protecting your account with both a strong password and two-factor authentication.

If you want to keep your correspondence secure and private, consider setting up a decoy email address known as an email mask. It generates a dummy email address that forwards to the real email address you use every day. Whenever you sign up for one-time services, register for events, or share sensitive information, use the email mask: any mail sent to it will reach your inbox without the sender finding out who you are.

Don't forget: just because your email is encrypted doesn't mean it's safe to share your login details with your colleagues. Some information, like the email subject, remains in plaintext. So if you title an email "Important account password," send it to a coworker, and later stop using encryption, that information can become exposed in the future.

Instead, use a password manager like NordPass to share all your credentials securely. With NordPass, you can manage access permissions to autofill, view, or edit the shared credentials. You can also set a time limit, and once it’s up, the credentials will automatically unshare. NordPass’ Email Masking feature also lets you protect your email identity, allowing you to stay secure at every step of email correspondence — from composition to delivery.