Authentication is not privacy
Everything so far has been about trust and delivery. None of it makes a message secret. An email can pass SPF, DKIM, and DMARC and still be read by anyone who intercepts it. Left unprotected, email faces real threats:
- Tampering by anyone with administrator access to a mail server.
- Repudiation: a sender denying they sent a message, since mail is easy to fake.
- Eavesdropping on unsecured connections.
- Privacy invasion: transmission can reveal details like IP addresses.
- Unprotected backups: plaintext copies sitting on servers and in backups.
- Identity theft: credentials captured if servers are accessed insecurely.
Three layers of protection address these, increasing in both strength and effort.
TLS: the encrypted tunnel
Transport Layer Security wraps the connection between mail servers in an encrypted tunnel, protecting the message in transit. It is the baseline: simple to set up, the recipient needs no special configuration, and it is widely supported. Its limit is that it protects the pipe, not the stored message; once delivered, the mail sits in plaintext on the server.
S/MIME and PGP: end-to-end encryption
When the content itself must be protected end to end, you need message-level encryption.
S/MIME (Secure/Multipurpose Internet Mail Extensions) uses certificates issued by a certificate authority. It is built into many mail clients, provides both encryption and digital signatures, and is popular in corporate environments. Both sender and recipient need certificates set up.
PGP (Pretty Good Privacy) uses public and private key pairs without a central authority. It offers very strong security, has a long track record, and has good open-source options. It also requires both parties to manage keys, which keeps it niche outside technical circles.
How the encryption works
Email encryption transforms readable text into ciphertext that only the right key can decode. Two types are used:
- Symmetric encryption uses the same key to encrypt and decrypt. It is fast but requires a secure way to share the key.
- Asymmetric encryption uses a public key to encrypt and a private key to decrypt, removing the need to share a secret.
Most systems combine them: asymmetric encryption to exchange a symmetric key securely, then fast symmetric encryption for the message body.
Comparing the methods
| Feature | TLS | S/MIME | PGP |
|---|---|---|---|
| Ease of use | High | Medium | Low |
| Security level | Medium | High | High |
| Recipient setup | Not required | Required | Required |
| Corporate adoption | High | High | Low |
| Protects stored message | No | Yes | Yes |
Best practices
- Use TLS for all transmissions as a baseline.
- Add S/MIME or PGP for sensitive communications needing end-to-end encryption.
- Verify digital signatures to confirm authenticity.
- Keep private keys secure and never share them.
- Use strong passwords and enable two-factor authentication.
- Keep clients and security software up to date.
- Train users on why encryption matters.