Email Encryption Guide: Sending Confidential Messages
Standard email is about as private as a postcard. Messages travel through multiple servers in plaintext, can be read by your email provider, and are stored unencrypted on both the sender’s and recipient’s servers. If you send sensitive information by email, including tax documents, medical records, legal correspondence, or business secrets, encryption transforms that postcard into a sealed, tamper-proof envelope.
How Email Encryption Works
Email encryption uses public-key cryptography. Each user has a key pair: a public key (shared freely) and a private key (kept secret). When you send an encrypted email, your software uses the recipient’s public key to encrypt the message. Only the recipient’s private key can decrypt it. Even if the email is intercepted in transit, stored on a compromised server, or accessed by the email provider, the contents remain unreadable without the private key.
Encryption in transit (TLS) protects emails while they move between servers. Most email providers now use opportunistic TLS, encrypting the connection between mail servers. However, TLS only protects data in transit; the email is stored unencrypted on both servers. If either server is compromised, the email is exposed.
End-to-end encryption (E2EE) encrypts the email on your device before it is sent and keeps it encrypted until the recipient decrypts it on their device. No server, provider, or intermediary can read the contents at any point.
S/MIME: Certificate-Based Encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions) uses digital certificates issued by Certificate Authorities to encrypt and sign emails. It integrates natively with Outlook, Apple Mail, and Thunderbird.
To use S/MIME, you and your recipient both need S/MIME certificates. Free personal certificates are available from Actalis and Sectigo. After installing the certificate in your email client, you can sign emails (proving they came from you and were not altered) and encrypt emails to anyone whose S/MIME certificate you have.
The main limitation is that both parties need certificates, creating a chicken-and-egg problem for adoption. S/MIME works best within organizations that can deploy certificates to all employees centrally.
PGP/GPG: Web-of-Trust Encryption
PGP (Pretty Good Privacy) and its open-source implementation GPG (GNU Privacy Guard) use a decentralized trust model where users generate their own key pairs and share public keys through key servers or direct exchange.
PGP offers stronger privacy guarantees because there is no central Certificate Authority that could be compromised or compelled to issue fraudulent certificates. However, it requires more technical setup. Mailvelope is a browser extension that adds PGP encryption to webmail interfaces like Gmail and Outlook.com with a more user-friendly experience.
Encrypted Email Providers: The Easier Path
For most users, switching to an encrypted email provider is the most practical approach. These services handle key management automatically.
ProtonMail provides end-to-end encryption for emails between ProtonMail users automatically. For external recipients, you can send password-protected encrypted messages that the recipient opens through a secure web link. ProtonMail is based in Switzerland, subject to Swiss privacy laws, and cannot decrypt your stored emails even if legally compelled.
Tutanota offers similar E2EE with a focus on simplicity. It encrypts not just the email body but also subject lines and attachments, which ProtonMail does not encrypt end-to-end by default.
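As an added example that is not part of this guide, the Python below (standard library only) shows what the schemes described above look like on the wire: it classifies constructed sample messages as S/MIME, PGP/MIME or plaintext from their MIME structure and returns the Subject header, which both S/MIME and standard PGP/MIME leave in cleartext. The sample messages and their ciphertext placeholders are constructed for illustration; nothing here decrypts or verifies anything.

```python
from email import policy
from email.parser import BytesParser

# Constructed PGP/MIME message in the RFC 3156 layout; the ciphertext is a placeholder.
PGP_MIME_MSG = b"""\
Subject: Q3 tax return attached
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder-ciphertext
-----END PGP MESSAGE-----
--b1--
"""

# Constructed S/MIME enveloped-data message; the base64 body is a placeholder.
SMIME_MSG = b"""\
Subject: Medical records
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxgg==
"""

# Constructed plaintext message with no end-to-end protection at all.
PLAIN_MSG = b"""\
Subject: Bank statement
Content-Type: text/plain

Constructed sample body; nothing here is protected.
"""

def classify(raw: bytes) -> dict:
    """Report which end-to-end scheme the MIME structure shows, and return the
    Subject header, which stays readable under both S/MIME and PGP/MIME."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    scheme = "none"
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        scheme = "pgp-mime"  # body is an OpenPGP-encrypted part (RFC 3156)
    elif ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data":
        scheme = "smime"  # body is a CMS EnvelopedData blob (S/MIME)
    return {"scheme": scheme, "body_protected": scheme != "none", "subject": str(msg["Subject"])}
```

Calling `classify()` on each sample shows the body is protected for the first two messages only, while the Subject line is readable in all three, which is the gap the paragraph above describes.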
Skiff Mail provided decentralized encrypted email before its acquisition by Notion. The landscape of encrypted email providers continues to evolve.
When to Use Email Encryption
Encrypt emails containing: financial documents (tax returns, bank statements), medical records, legal correspondence, intellectual property, login credentials (though you should avoid emailing these at all), and any information that could enable identity theft if intercepted.
For more on overall email security beyond encryption, see our email security best practices. To understand how encryption protects data beyond email, explore our encryption basics for beginners guide.