Is email secure? This is a very important question. The answer will determine what information you can safely share using email. In this post we’ll explore why secure email is important.
First, let’s get through a couple of definitions.
E2EE – End To End Encryption
End to End Encryption (E2EE) means that only the sender and recipient can view/read the content of the email message. No one else throughout the transmission or storage chain can read that message because it’s encrypted with asymmetric cryptography, using a certificate and key.
TLS – Transport Layer Security
TLS is used to secure a variety of services, most commonly HTTPS. Email hosts that use TLS encrypt the transmission of a message between the end user and the mail server and/or between mail servers. This is referred to as encryption of data in transit. TLS uses the same encryption techniques and methods as S/MIME, except the messages are encrypted in transit only. While the message is on the server it is decrypted and re-encrypted for the next hop. This has to occur because each server must re-encrypt the message using the subsequent server’s public key.
TLS is a good form of encryption: it’s easy to set up, it’s server side, and it requires no end-user setup. But it is vulnerable to eavesdropping on compromised email servers and to data manipulation.
S/MIME – Secure E2EE message encryption
This technology is used to provide End to End Encryption for email. S/MIME uses asymmetric encryption (key exchange) to encrypt the sender’s message before it leaves their computer. When it arrives it is decrypted by the recipient’s mail program. As the message moves through the mail system it cannot be decrypted until it arrives at its destination.
TLS can be used in conjunction with S/MIME or PGP, but it does not have to be. An S/MIME-encrypted message will remain secure on systems that do not communicate with TLS.
Is my email communication secure?
As a rule, assume that it is not. Unless you’ve set up S/MIME or PGP, your email is not going to be end-to-end encrypted. It might be secured while in transit using TLS, but the mail servers that the message transits are able to read the email.
In addition, for email encryption to work, the sender of the message is the person who chooses to encrypt it. To do so, and to allow you to decrypt it, they must use your certificate. If you have not provided them with one, they cannot send you an encrypted message that you will be able to decode.
This sounds complicated, but not to worry. Just know that you need to turn on encryption for it to be active. Messages that are not E2EE are readable by the mail systems they transit through.
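To see how a particular message was protected, inspect its raw source: the top-level Content-Type shows whether the body is S/MIME or PGP encrypted, and each Received header records whether that hop used TLS. The Python script below is an added example, not part of the original post; the sample message, host names and function names (`e2ee_kind`, `hop_protocols`, `assess`) are constructed for illustration.

```python
import email
import re
from email import policy

# "with" keywords that mean the hop used TLS (RFC 3848 and later registrations).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample (newest hop first): the last hop used TLS, the first did not.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)\n"
    "\tby mail.example.org with ESMTPS id abc123; Mon, 3 Jan 2022 10:00:02 +0000\n"
    "Received: from laptop.example.net (unknown [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP id def456; Mon, 3 Jan 2022 10:00:01 +0000\n"
    "From: alice@example.net\nTo: bob@example.org\nSubject: invoice\n"
    "Content-Type: text/plain\n\nAccount details follow.\n"
)

def e2ee_kind(msg):
    """Return 'S/MIME', 'PGP/MIME' or None from the top-level MIME type."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Only enveloped types are encrypted; signed-data is readable by servers.
        smime_type = str(msg.get_param("smime-type", "")).lower()
        return "S/MIME" if smime_type in ("enveloped-data", "authenveloped-data") else None
    if ctype == "multipart/encrypted":
        protocol = str(msg.get_param("protocol", "")).lower()
        return "PGP/MIME" if protocol == "application/pgp-encrypted" else None
    return None

def hop_protocols(msg):
    """Return the 'with <protocol>' keyword of each Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        text, prev = str(value), None
        while prev != text:  # drop (comments), which may themselves contain "with"
            prev, text = text, re.sub(r"\([^()]*\)", " ", text)
        match = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        hops.append(match.group(1).upper() if match else "UNKNOWN")
    return hops

def assess(raw_message):
    """Summarise how one raw message was protected."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = hop_protocols(msg)
    # Received lines below your own server's are written by other hosts and can be forged.
    return {"e2ee": e2ee_kind(msg), "hops": hops,
            "all_hops_tls": bool(hops) and all(h in TLS_PROTOCOLS for h in hops)}

if __name__ == "__main__":
    print(assess(SAMPLE))
```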
Are you using a free email provider?
The major providers do not provide S/MIME support through their web applications. In some cases they will support S/MIME using an email client. If you are using the web tools from Gmail or Outlook and you are on their free tier, assume your emails are not encrypted. In fact, it’s best to assume emails are unencrypted unless you have confirmation that they are encrypted.
Are you using a free email account for your business?
Any information transmitted that can cause harm if it becomes public knowledge will require E2EE.
As a business leader, you should ensure that your technicians, service providers and systems administrators follow this policy. Staff education is important as well. Sending personally identifiable information (PII) and proprietary information can mean irreparable damage to your company, liabilities and reputation damage. We strongly believe that in 2022 businesses should not use unencrypted means of communication between senders and recipients. Consequently, you should not be using a free email provider for your business.
When can I use a free email service provider?
Free email services are good if your email does not contain any information that could cause harm if it were public knowledge. Use the service but assume that the whole world can see everything you’ve sent and received.