Is Email Secure Still? How To Use Message Encryption


With large-scale breaches regularly making headlines, email security is a contentious topic nowadays. Most emails are stored “in the clear,” making them vulnerable. It’s astonishing that many people still ask: Is email still secure? 

Email is not a secure way to communicate. While data transmission is usually encrypted, users’ sensitive information is stored unencrypted on email servers. Mail services can data-mine email accounts. It is best to choose a secure email provider with a private-by-design email client and mobile app.

This guide has rounded up a variety of aspects that make sending emails unsafe and a collection of solutions that are very easy to use, secure and reliable.

Man drinking coffee while logging into secure email.

Minimal Attention To Security By Most Email Services

Most popular email providers like Gmail, Yahoo, and Outlook do not take your inbox’s privacy seriously. The primary goal of these companies is to understand their users, namely through access to their content

Most email services only offer transport security where email messages are encrypted only during transmission. Once stored (or at rest), these big tech companies can read and mine your inbox. Data mining is primarily for advertisement and to help make their services more useful.

For instance, Gmail was caught sharing user emails with third parties and tracking purchases made by their users.

Yahoo and AOL, on the other hand, allowed advertisers to scan accounts to try and identify potential clients by following up on their past purchases as well as contextual buying signals. Yahoo has also been accused of scanning emails for government surveillance agencies. Data collection is at the core of their primary business models.

This is the cost of a free-of-charge email service; they get to use your data.

There’s also a legal aspect at work. Like most US corporations, Google is required to comply with regulations, stating it can release your messages to government agencies if compelled by legal court order. The privacy of your communication is held consistently at risk when using the service.

While most email providers implement decent login systems to prevent unauthorized access, email is a way to access all of your other online accounts. Most online services offer customers a “forgot your password” option to send a password reset link. This means without 2FA, anyone who has access to your inbox can use it to access any of your online accounts. 

Also, keep in mind that corporate or work email addresses and phones can be mined and monitored by your employer and should never be used for personal use. During work interactions, giving your work phone number or email keeps your personal contacts out of corporate databases and away from data leaks. It is a great way to keep your personal digital life private.

Seriously: Get a separate work phone and email.

Before You Send

Don’t rely 100% on email carriers to guard your personal data. They also have corporate and business interests to protect. 

That said, there are a few things you can do to keep your emails genuinely private before you hit send. Ask yourself, is there a better, more secure way to transmit a would-be email text or attachments? 

  • Could you use a postal service?
  • Would it be safer to hand over documents in person? 
  • Does your recipient have the same email provider as you (e.g., you’re both using @gmail.com addresses) 
  • Could you send text and file attachments over a secure messenger?

Here’s a complete list of secure messenger apps to choose from.

If you decide to use email as your communication channel, then choose a provider designed around security.

Which Email Service Is The Most Secure & Private?

Although email communications were not designed with privacy and security in mind initially, modern services offer end-to-end encryption and other robust security features. I’ve personally used each of these secure email providers and arranged them according to my recommendation.

Protonmail web page.

ProtonMail

Based in Canton Geneva, ProtonMail is the most secure free email account provider. It has servers in two different locations in Switzerland and is governed by tight Swiss privacy laws.

All messages that go through the servers are secured with end-to-end encryption, meaning that even the employees of ProtonMail cannot read them. 

The company designed its service around client privacy. To create a new account, users are not required to submit any confidential information. The firm does not store any technical logs linked to your email account use.

Every ProtonMail account comes with free ProtonVPN access to their VPN intermediary servers to add another protection layer to all your traffic.

When it comes to physical security, their IT infrastructure is located below 1000m of granite rock, and your information doesn’t go to the cloud at any time. The source code, encryption algorithms, mobile app, and web client source code are open-source for transparency and rapid security or bug fix mitigation.

Users can also enable two-factor authentication, so attackers cannot access your account without a second layer of security.

We have a complete guide on getting and setting up two-factor authentication.

Pros:

  • Open source since 2015
  • Reliable: Backed by a 99.95% service level agreement.
  • No-logs policy: They keep no session usage logs of what you do online and do not log metadata that can compromise your privacy.
  • Jurisdiction Switzerland; tighter privacy regulations than EU
  • Zero-knowledge, end-to-end encryption: Prevents governments and even protons themselves from snooping around your emails.
  • App on F-droid (and the Google Play and Apple Store)
  • Not part of the 5 Eyes: does not mandate any sort of data logging or encryption access.
  • Self-destructing emails
  • Over 20 account languages

Cons:

  • It is not a full-featured replacement for Google or Microsoft
  • Mobile app does not have full-text searching

Note:

For those using my favorite Brave browser, Protonmail has a Tor or .onion address – a quick way to secure your connection with this email provider, even off VPN. Brave gives users a browsing mode that protects their privacy on devices and over any network. Remember that the private or incognito browser window does not protect you from Internet Service Providers or Wi-Fi network operators.

Here’s how to do a truly private internet search.

Tutanota

Tutanota is a Germany-based end-to-end encrypted email service provider.  

The company’s open-source web and mobile clients encrypt your email before it leaves your device, ensuring that your data and contacts remain private. The source code is licensed under the GPL v3 and hosted on Github. This transparency allows for third-party auditing of the applications.

I also like their stand-out approach to sending secure emails to non-secure recipients. Tutanota creates an inbox in the recipient’s browser, instantly giving them a link to view and reply to messages through a familiar interface.

The service also comes with a full-text search feature of the encrypted mailbox. It is, however, limited to around 4 weeks in the free version because of the heavy server load caused by the enhanced encrypted search feature. Learn here how you can improve your search results.

Search is done locally through an encrypted search index to guarantee the privacy and security of your data and search queries. Read here how the innovative full-text search on encrypted data works.

Pros

  • Based in Germany known for its high reputation for privacy
  • Found on F-android: Does not require Google or Apple Store
  • Open-source
  • Strong security policies
  • Licensed under GPL v3.

Cons

Mailfence

Mailfence is an encrypted secure email service provider that offers digital signatures and OpenPGP-based end-to-end encryption. The company benefits from the strict Belgian privacy laws, and it doesn’t use any marketing trackers or third-party advertising.

Though Belgium enforces some mandatory data retention rules and is part of the 14 Eyes agreement, the directives are stringent and only allow agencies to access user data with a warrant.

Also, the service “maintains an up-to-date warrant canary and transparency report listing” that allows users to check if the company has been compromised.

Mailfence has a DANE and MTA-STS protocol that ensures other servers send emails through encrypted channels. This makes it almost impossible for cybercriminals to intercept emails between Mailfence accounts.

This ad-free service is supported by revenue from premium plans and financial donations. The premium plan has an increased storage quota but the same level of security as the free version.

Pros:

  • Accepts cryptocurrencies: Anonymous payments allow users to sign up and be truly anonymous.
  • Jurisdiction: Belgium has great privacy history in the EU
  • End-to-end encryption
  • Strips IP address from sent emails
  • Two-Factor authentication: adds an extra layer of security and makes it harder to access your devices or online accounts if they do not have your phone.
  • Digital signatures: provide authenticity and ensure that the signature is verified.
  • Synchronization with third-party apps, which could also be considered a Con.

Cons:

  • Not open source
  • Based under the jurisdiction of 14 Eyes.

Other Email Providers To Checkout

If you are looking for other email providers to compare, check out these which have a high reputation in the privacy community:

  • Disroot: A complete communications and productivity platform promoting open-source and ethical internet practices
  • StartMail: From the makers of StartPage, this email provider offers unlimited aliases and top-class security practices. I love the Dutch.
  • Lockbin: This is a free web app for sending emails and private files.
  • Enigmail: An extension to Seamonkey and Mozilla Thunderbird. It allows users to receive or send secure messages encrypted or signed with the OpenPGP standard.
  • Hushmail: A web-based free email service that adds powerful encryption to emails
  • Sendinc: Encrypts your emails from when you hit send to when the intended recipient opens them.
Person logging into gmail.

Sending Secure Email From Gmail

Is Gmail Confidential Mode secure? Gmail’s Confidential Mode does not prevent the company from seeing your emails.

This feature only attempts to prevent your email recipients from downloading, printing, forwarding, or copying the content. Still, it is not as secure as it seems. Messages are not end-to-end encrypted, and Google can access the content, regardless of whether you utilize the expiration feature or not. There’s also a screenshot loophole whereby your recipient can simply take screenshots of the message and attachments.

Luckily, there are more secure tools that can help make your emails more secure they include:

Mailvelope

The service offers email encryption for browser-based email. It is a browser extension enhancing the webmail experience for:

Encryption and decryption functionality is added to these providers making secure emailing easy to use and accessible for average users. Only you and the recipient can read your messages.

It offers public/private encryption key management and is based on the OpenPGP, an industry-standard in encrypting and decrypting. It is an excellent add-on for your browser if you are worried about email privacy but do not want to switch to a secure provider. 

I used this extension before leaving Gmail, Google Calendar, Contacts, and Tasks.

PrivateBin

Use PrivateBin to quickly send sensitive data. It has a zero-knowledge policy, which means both the server and operator won’t know the content of what you shared. All your pastes are encrypted with a 256bit AES encryption algorithm.

I use this tool to securely send text and files with expiration dates and/or click limits. This prevents the information from being accessed at a later date.

[Hint: You can also use this to send old school SMS text messages that disappear.]

Similarly, it is possible to set a password on the encrypted message. Send this password via a second channel, making it an extremely secure way to prevent access to your messages.

The PrivateBin software is federated or decentralized, meaning anyone can volunteer to run an instance. This prevents a single government from infiltrating or closing this secure email alternative. Here is the directory list. Choose one located in a country with good privacy laws.

Other features include:

  • Anonymous discussions or with nicknames
  • Expiration times with the “forever” or “burn after reading” option
  • Syntax highlighting for source code using prettify.js,
  • Translation system and automatic browser language detection (if enabled in the browser)
  • QR code generation of URL, to easily transfer pastes over to mobile apps

Is Outlook More Secure Than Gmail?

Outlook is considered more secure than Gmail. Microsoft, the owner of Outlook.com email, is heavily invested in providing email for other companies. Messages are not end-to-end encrypted by the mail service, but their practices are more privacy-oriented than Google’s personal mail.

In terms of spam filters, both companies do a great job. They use advanced spam filters that filter out phishing attacks and detect malicious attachments. While Outlook’s filter sometimes malfunctions and blocks legitimate emails, it is better to be safe than sorry when it comes to sensitive email data. 

Outlook’s privacy terms are also more straightforward than Gmail’s. That’s perhaps because Gmail was designed to be a consumer email service. In contrast, Outlook email grew out of Microsoft’s enterprise-class email customers. 

That doesn’t mean Outlook is totally secure. Actually, nearly all Microsoft-365-customers have suffered email data breaches before.

Is Yahoo More Secure Than Gmail?

Yahoo is less secure than Gmail due to waning popularity and reduced company investment into the email offering compared to Google’s. 

Gmail’s reputation is also not bad. In 2016, when there was an attempt to compromise their accounts, only half were affected. On the other hand, Yahoo had all its accounts hacked.

Though most email providers have some level of protection, private email services keep your emails messages and attachments hidden from everyone except the sender and recipient. These services will improve the privacy of your communication over the Big Tech email services like Gmail, Outlook, or Yahoo.

Mike Chu

Mike is a web developer and content writer living as a digital nomad. With more than 20 years of devops experience, he brings his "programmer with people skills" approach to help explain technology to the average user. Check out his full author bio by clicking here.

Recent Posts