What is email encryption?
Email encryption is when the content of an email is encrypted, or disguised, to make it unreadable to anybody except the intended receiver. Encrypted emails look like gibberish to any unauthorized person who tries to read them. Email encryption means that both the sender and receiver have a key (digital code) so that the email is encrypted when sent and then decrypted when opened by the intended recipient.
Data encryption can use symmetric and/or asymmetric cryptography. Symmetric cryptography involves one private key that is used to encrypt and decrypt the message. Asymmetric encryption involves two keys: one public and one private. The public key is used to encrypt the message and the private key is used to decrypt it. Asymmetric encryption is more secure.
Encrypting your sensitive emails is essential to safeguard important data like credit card details, passwords, and bank account numbers. When it comes to keeping your digital identity secure, email encryption is a must.
Popular email providers like Gmail and Outlook have email encryption capabilities, but there are some caveats. Sometimes they have to be set up manually, and other times encryption isn’t possible because the receiver wouldn’t be able to decrypt the email.
Why is email encryption important?
Encrypting emails eliminates the risk of exposing sensitive information. If someone can read an important email you send, they could use it to hack into your bank account or blackmail you, depending on the contents of the email.
A data breach can even uncover emails you sent months ago. All the messages add up, so there might be enough exposed data up until a breach to compromise your security. You should encrypt your emails as soon as possible and encrypt as many as possible.
Encrypting your emails comes with the following benefits:
-
Additional privacy and security. Encrypted emails protect your information, including the content and attachments.
-
Communication protection. With encryption, you’ll know that your messages are being read only by the intended recipient.
-
Personal data security. Cybercriminals can use all sorts of information shared in emails to steal your identity or commit fraud.
-
Authentication and verification. One of the most effective security benefits of encrypted emails is that only the sender and receiver have the correct digital keys to verify who they are.
Even if you have to pay for an email encryption service, you stand to lose a lot more financially should you fall victim to a hack. It’s not just money at stake, but your reputation too. Paying a little bit a month on an encrypted email service may be more cost effective, while giving you peace of mind.
You can also boost your online security for free by using a secure browser. While a lot of browsers have an incognito mode option, they don’t do everything that AVG Secure Browser does. AVG Secure Browser encrypts your connection to any site you visit, provides antivirus protection, and disables trackers. That ensures that your online activity stays private.
How to send a secure email
There are different types of email encryption technologies, offering varying levels of security. No matter which encryption protocol you use, an email service or third-party tool will encrypt your email for you. You may just have to choose your level of encryption before sending.
Public Key Infrastructure (PKI) plays a fundamental role in the email encryption process. This is where a public and private key are generated before sending off a certificate request to a Certificate Authority (CA). The certificate allows the sender to digitally sign emails, verifying their identity and ensuring that the email hasn’t been tampered with. This process is called end-to-end encryption, the most secure option.
You know an email is encrypted when you can see a padlock symbol. You can click the symbol for more information, and the best email services will be very clear when something isn’t encrypted.
The best encrypted email providers
The best encrypted email service providers will offer end-to-end encryption so your emails are protected through the entire process. Some email providers specialize in this service and have this functionality built-in, like ProtonMail and Virtru.
While the most popular email providers have encryption built-in, it’s not always clear how encrypted they really are. Typically, their default encryption is set up so that emails can’t be intercepted in transit but you’ll have to set up end-to-end encryption manually. You can do this by enabling Pretty Good Privacy (PGP) or Secure/Multipurpose Internet Mail Extensions (S/MIME), depending on the email provider.
Usually, you’ll need to change the settings or add a third-party tool. Note that S/MIME requires you to obtain and install a certificate from a Certificate Authority (CA) before it can work. The other person you’d like to correspond with will also need to install one.
Outlook
Outlook is the preferred email client for many organizations, which will typically manage Outlook email encryption via an IT administrator. Outlook is compatible with S/MIME, which means that encrypted emails have maximum security once you set this up. Let’s look at how to encrypt email in Outlook.
You’ll usually have to request a certificate from the IT administrator, who sets it up for employees. Just ask them to enable S/MIME for your email account, and you’ll be granted access to S/MIME settings in Settings > Email > S/MIME.
You can choose various options in Outlook’s S/MIME settings:
-
Encrypt contents and attachments for all messages I send.
-
Add a digital signature to all messages I send.
-
Automatically choose the best certificate for digital signing.
This enables S/MIME for all emails you send within your organization. Addressees outside the organization will need to configure S/MIME themselves, otherwise, you’ll have to send them messages without this level of encryption.
Gmail
By default, Gmail doesn’t encrypt email on their server, meaning it’s visible to Google as well, not just to the sender and the recipient. Gmail enables S/MIME with a tweak in the settings — both the sender and receiver must have it turned on for it to work. But, it can only be used in a Google Workspace domain (for businesses) and only a super administrator can set it up, rendering it unavailable for regular Gmail users.
Here’s how to send an encrypted email in Gmail (in a Google Workspace domain):
-
Enable S/MIME in Gmail User settings.
-
Reload Gmail and a lock icon will be visible in the subject line of emails.
-
Upload a trusted certificate.
-
Send an S/MIME signed email to your intended recipient.
Gmail shows the level of encryption for each message with a different-colored padlock icon:
-
Green: Information is protected by S/MIME encryption and can only be decrypted with a private key.
-
Gray: The email is protected with TLS (Transport Layer Security), which only works if both sender and recipient have TLS capabilities.
-
Red: The email has no encryption security.
Emails sent from Gmail are usually encrypted with TLS, but that’s not enough if you’re sending particularly sensitive information. Once you have the green padlock set up for both sender and recipient, there’s no chance that the information is visible anywhere except within those two email accounts. It’s the best email encryption for Gmail users.
If you don’t have Google Workspace and can’t enable S/MIME, there are browser extensions you can use. For example, Mailvelope will give you end-to-end encryption with PGP.
iOS
iOS has S/MIME support built-in by default, but you still have to install a certificate. This is necessary to encrypt and decrypt the messages in a way that both parties can read.
Once you’ve installed a certificate, you can enable message encryption on your iPhone or iPad:
-
Open Settings.
-
Go to Mail, then Accounts.
-
Select the relevant account.
-
Tap Account, then Advanced.
-
Choose Encrypt by Default, then turn it on.
When you compose a message, a lock icon will appear in the address field if the recipient is in the same exchange environment. If the padlock is open it won’t be encrypted. You can tap this and the lock icon will close, meaning your email will be encrypted.
Email providers that need third-party encryption tools
Some email providers and devices don’t offer email encryption out of the box, but a simple plugin or third-party tool can be used to allow S/MIME or PGP protocols. Depending on the program, you may not have to install a certificate.
Yahoo
Yahoo uses SSL (Secure Sockets Layer) to protect your account, but it requires third-party services to encrypt with S/MIME or PGP. The same is true for AOL, which is now under the Yahoo umbrella. To have the most secure login to your AOL or Yahoo mail, use an encryption plugin like Mailvelope.
Here’s how to encrypt Yahoo emails with Mailvelope:
-
Download Mailvelope and configure it.
-
Open a new message in Yahoo Mail and click the Mailvelope icon.
-
Write your email and click Encrypt before sending.
Android
Email encryption for Android requires a third-party app whether you want to use S/MIME or PGP. This would require two apps: OpenKeychain for generating a PGP key and K-9 Mail for sending the emails.
Alternative providers
There are other email providers where end-to-end encryption is the standard option. Some of the most popular are Virtru, ProtonMail, SecureMyEmail, and Trustifi.
These providers are serious about security, so they aren’t set up for casual use like Gmail is. In other words, it won’t be so easy to regain access if you forget your password. They’re best used for special correspondences or for companies.
Some of these email providers are free for personal use, and there’s an array of pricing structures for those who want to use one of these services privately or for their company:
-
Virtru offers starter, business, or enterprise pricing packages (no free option).
-
ProtonMail offers Proton Free or Proton Unlimited.
-
SecureMyEmail has a free plan for one email address or a paid option (per month/per year/lifetime offer).
-
Trustifi offers a free-forever trial, a basic plan, a pro plan, or an enterprise plan
A specialized email provider like Virtru is safe as long as you know what you’re doing. The danger lies in forgetting your password and losing access to any information that exists only in that email account.
Best email security encryption tools
There are other ways to send encrypted messages or protected documents over the internet. These are ideal if you don’t want to bother installing S/MIME on your email. Use these tools with a secure browser for enhanced security. And don’t forget to create strong and unique passwords.
Encrypted PDFs and other attachments
You can encrypt PDF, Zip, or Office files, and it’s a great way to send documents securely if you can’t make emails safe. Email encryption prevents anyone from intercepting and using the information in the email, and a well-encrypted PDF will be just as hard to crack. Encrypting PDFs and other docs means they reach their destinations intact, hidden from prying eyes. An encrypted PDF can also be viewed offline, on any device.
Web portal encryption
With web portal encryption, users have to log into a web page to read the encrypted email, which is secured by a shared key before it goes to the web portal. The encrypted email goes straight from the sender’s email client, such as Outlook, to the web portal. Only someone with the website’s login credentials can read the email.
This type of encrypted email service is very secure as it limits the number of people who can access the emails. Web portal encryption prevents hackers from getting their hands on sensitive information sent over the internet.
Types of email encryption
There are two main protocols used to encrypt emails: end-to-end encryption and transport layer security (TLS). End-to-end encryption is the most secure because the sender encrypts the message before sending it, and it’s only decrypted at the receiver’s end. By contrast, TLS encrypts emails only in transit.
Most email services have basic encryption that uses TLS, which is fine for most daily correspondence. S/MIME is usually only necessary for the most sensitive data, and it’s the best way to send a secure email. S/MIME removes the possibility that Google (or whichever provider you’re using) can read the email.
Let’s take a closer look at the different types of email encryption so you can get the most out of your email security.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
S/MIME is an Internet Engineering Task Force (IETF) standard used to deliver public-key encryption and digital signatures. It was developed by RSA Data Security and uses a centralized trust model that relies on a centralized authority to pick the encryption algorithm.
S/MIME requires users to obtain keys directly from a specific Certificate Authority. Each individual user has to do some manual setup before it works. It makes sense — if you want complete control over access to a message, you should have to sign off on it personally. That’s what you’re doing when you install the certificate required to make S/MIME work. It’s not done by a stranger or an unknown corporation.
S/MIME is built into most macOS and iOS devices and is a good way to encrypt email on an iPhone beyond the standard TLS protocol. Popular email services that use S/MIME include Microsoft Outlook and Gmail.
Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP) email encryption uses digital signatures and file encryption techniques. In contrast to S/MIME, PGP uses a decentralized trust model that doesn’t require a centralized authority to verify the public key signature. When a user sends a message using their public key, PGP encrypts the data and decrypts it when the recipient unlocks it with their private key.
PGP was one of the first free public key cryptography options available to secure online communications like emails and text messages. PGP now enjoys widespread use among individuals and businesses.
All you have to do is install a third-party plugin to use PGP with Gmail (or any other email service where it’s not built in). You don’t need to refer to a CA to make PGP work properly, which is part of its appeal. Popular providers that use PGP are Yahoo, AOL, and Android. Both the sender and receiver must have PGP set up in order for the messages to be encrypted. That’s why it’s advised for the transfer of sensitive information, rather than daily email use.
Transport Layer Security (TLS)
TLS is a cryptographic protocol that encrypts the channel through which emails pass, but the emails themselves aren’t encrypted. Unless TLS has something added to it to protect the messages further, it keeps messages visible to all who have access to that communication line.
TLS uses the STARTTLS command to request further email encoding. It negotiates a secure connection between two email accounts so the email is protected in transit. While STARTTLS literally means ‘Start TLS,’ the command also works with the SSL protocol, the predecessor to TLS.
While TLS email encryption eliminates the risk of a man-in-the-middle-attack, regular TLS doesn’t stop the server host from reading the message. While TLS is the most common encryption method if you’re using Gmail, it may not be the best way to secure your email. If you’re sending sensitive information, you should use another type of email encryption, like S/MIME or PGP.
Secure your data with AVG Secure Browser
Email encryption can get quite complicated, but its security benefits mean it’s essential when sending sensitive data. And thankfully there are other, easier ways to improve your online security. AVG Secure Browser automatically secures your data with HTTPS encryption, blocks ads, and protects against viruses and unsafe websites. Install AVG Secure Browser today to get airtight online privacy.