We all rely on email to communicate in our professional and personal lives. From calendar events to flight confirmations and online shopping receipts, our inbox contains private data about our schedules, interests, and habits. Our reliance on email might make you surprised to learn that it was never designed to be secure in the first place.
While there are risks associated with communicating via email, you can still take steps to keep your inbox secure. This article shows you what you can do to make your email secure and compares email security standards between popular email providers.
Threats to email security
Since email is so widely used, it’s the top target for cyberattacks. Here are some common threats to your email security.
Cybercriminals use phishing emails(new window) to trick you into revealing sensitive information, such as your credit card details and online account passwords. These fake emails appear to come from a credible authority, like your bank, credit card company, or even popular online retailers, like eBay or Amazon. Some phishing emails are extremely sophisticated and convincing, which is why over 90% of data breaches(new window) happen because of phishing scams.
Malware(new window) refers to any file or code designed to gain unauthorized access to a computer or computer network. For example, you may receive an email with an attachment that appears urgent or related to you, such as the infamous ILOVEYOU worm(new window) that infected over 10 million computers in the early 2000s. When a malware attack is successful, attackers hijack computers and servers, access sensitive information, spy on user activity, and perform other malicious actions.
Spam and unwanted emails
Spam emails are one of the most common types of email threats. While most spam emails are simply a nuisance, others contain malicious links to fraudulent websites. Here are some typical spam emails you might encounter:
- Unsolicited ads
- Money scams
- Fake malware warnings
- Porn spam
- Chain letters
Unauthorized inbox access
If you don’t use a strong password to protect your inbox, it could be hacked by attackers using brute-force attacks. Equipped with a supercomputer, a brute-force attacker works through all possible combinations to guess your login credentials. Depending on the length and complexity of your password, cracking it could only take a few seconds.
Additionally, if you reuse passwords across multiple online accounts, it only takes one of these services to experience a hack or leak to put the rest of your online accounts at risk.
Spying and monitoring
Once a hacker gains access to your inbox, they could easily spy on your emails, gather private information about you, and blackmail you. A far more pervasive example of spying on your inbox is pixel trackers embedded in marketing emails(new window). These spy trackers collect information such as:
- Whether the email containing the tracker has been opened
- Date and time of opening
- Device type and operating system
- Your IP address and geographic location
This information is then sent back to the sender and used to target you with personalized ads.
How to make your email secure
Despite these threats, you can still take precautions to keep your inbox secure and mitigate the risk of a cyberattack.
Enable two-factor authentication
Whenever possible, you should always enable two-factor authentication (2FA)(new window) on your email account. Most 2FA methods require you to enter a temporary one-time code generated from an authenticator app on your phone, but you can also use hardware security keys(new window). If you have 2FA enabled, even if a hacker cracks your password, they won’t be able to gain access to your inbox unless they also have access to your 2FA device.
Using a strong password
Having a strong password is critical to keeping your inbox secure. The easiest way to create strong, unique passwords is to use an open-source password manager(new window) that generates and saves your login credentials for you. Then, all you need to remember is a strong passphrase(new window) that unlocks your password manager.
What is email encryption?
The level of security and privacy of your email also depends on the method of encryption you use to protect it. It’s the first line of defense against data theft and one of the most effective ways to prevent your email provider from reading your emails. Since your emails contain plenty of sensitive information about you, you’re less likely to be targeted for ads, spam, and malware attacks when you keep them safe. By using email encryption, you’re also protecting your emails from being modified and tampered with.
Here are the most common types of email encryption.
Transport Layer Security (TLS)(new window) is a cryptographic protocol used to secure web communications across a network. Due to its versatility, TLS is also used to connect to websites and deliver instant messages and emails. TLS is useful because it prevents third parties from eavesdropping and tampering with your messages while they’re in transit.
However, TLS alone doesn’t provide adequate security for your emails. Once your email arrives at the receiving server, it’s immediately decrypted, and it’s up to your recipient’s email provider to encrypt and secure your messages.
Zero-access encryption(new window) is an encryption method that protects your data at rest by making it inaccessible to the email provider. With zero-access encryption, when you receive an unencrypted email, your email provider will briefly have access to the message after the TLS encryption is undone. It’s then immediately encrypted using your public key. The encrypted data can only be decrypted locally on your device with your private encryption key.
Since your email provider doesn’t have access to your private encryption key, it can’t be decrypted by anyone besides you.
Compared to other encryption methods, end-to-end encryption (E2EE)(new window) ensures your online privacy and security are protected. It’s a secure method of encoding email data so that only your intended recipient can decrypt the information. Your email is encrypted locally on your device using your recipient’s public key and stays encrypted until it reaches your intended recipient’s device, where it’s decrypted using your recipient’s private key.
With E2EE, no one — not even Proton — can read your email unless they also have physical access to the device where your recipient’s private key is stored.
There are two primary encryption protocols that provide E2EE: S/MIME and PGP.
S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. S/MIME uses a pair of mathematically related keys — a public key and a private key — to secure emails. When you send an email using a S/MIME certificate, the email is encrypted using your recipient’s public key. The recipient can only decrypt the email using the private key associated with the public key.
While S/MIME certificates encrypt your emails and prove that you wrote and sent them, only a certificate authority (CA) can issue S/MIME certificates. This means you would have to contract your own CA to validate your digital identity.
Pretty Good Privacy (PGP)(new window) is another method of implementing E2EE and is one of the world’s most widely used email encryption systems.
PGP works by first generating a random and unique session key. This key is used to encrypt the contents of your email. The session key itself is then encrypted using your recipient’s public key and sent to your recipient (along with the encrypted email). Once the email arrives, your recipient decrypts the session key using their private key. The session key can then be used to decrypt the email.
While PGP may seem complicated, it’s an extremely robust encryption protocol. When implemented properly, PGP works seamlessly while providing a high level of security, privacy, and authentication for your emails.
A look at popular email providers
It’s no secret that most popular email providers don’t provide adequate protection for your emails. Here we look at the different types of encryption used by popular email providers and how you can pick the best provider that caters to your privacy needs.
Gmail uses TLS to encrypt all emails by default. This means your message is protected while it’s in transit from your device to Gmail’s servers. However, TLS only works if your recipient’s email provider also supports TLS encryption.
While TLS provides some security for your emails, it isn’t as strong as E2EE (as it only protects emails when they’re in transit, not when they’re stored in email servers). For this reason, Gmail also offers S/MIME encryption for users who need advanced security, but only if they’re willing to pay for a Google Workspace account. But even if you encrypt your emails using Gmail’s S/MIME:
- Google still retains control of your encryption key, meaning it can decrypt and read your emails at will.
- S/MIME only works if your recipient also has S/MIME enabled.
- Unlike PGP, S/MIME relies on certificate authorities to validate all digital identities, so you’ll need to obtain your own S/MIME certificate and upload it to Gmail.
Similar to Gmail, Outlook also uses TLS to encrypt your emails. If you’re looking for added protection for emails using S/MIME, you’ll need to pay to become a Microsoft 365 Premium or Microsoft Office 365 E3 user.
Moreover, Outlook only supports S/MIME if you’re using a Windows desktop. Outlook’s S/MIME encryption isn’t available on Mac, iOS, Android, and other non-Windows devices, which greatly limits how frequently you can use the feature.
Yahoo Mail uses TLS to encrypt emails but does not offer native S/MIME or PGP support. To use E2EE with Yahoo Mail, you’ll need to use a third-party plugin.
As an email provider focused on privacy and security, keeping your data safe is our top priority, which is why we use a combination of TLS, zero-access encryption, and E2EE to secure your emails. All of Proton Mail’s encryption runs seamlessly in the background, meaning all you need to do is compose your email and hit the “send” button. And unlike other email providers, only you have control over your private key, which means we can’t access your emails or hand them over to a third party.
When you use Proton Mail, you can also enjoy these security benefits and more:
- Password-protected Emails: Send Password-protected Emails to recipients who don’t use Proton Mail. Your recipient can only read your message if they enter a previously agreed-upon password.
- Enhanced tracking protection: All spy trackers in promotional emails are automatically removed, so you can safely pre-load remote images without being tracked.
- Phishing protection(new window): Proton Mail provides anti-phishing protection a set of advanced features designed specifically to combat phishing.
- Anti-spoofing measures for custom domains: To protect you against spoofing attacks(new window), we support SPF, DKIM, and DMARC.
- Smart spam detection system: Our spam detection system automatically detects spam emails and directs them to your spam folder. For further customization, you can also add and remove email addresses from your Block List.
- Two-factor authentication (2FA) and security keys(new window): You can use 2FA to secure your Proton Mail account. We support temporary codes generated by authenticator apps, YubiKey, and other U2F/FIDO2(new window)-compliant keys.
- PGP support(new window): Send PGP-encrypted emails even to non-Proton Mail addresses.
Since we believe online privacy is a fundamental right for all, anyone can sign up for a free and secure Proton Mail account.
Other encrypted email providers
The growing number of encrypted email providers (such as Tutanota) is a promising sign that more people are taking their digital privacy seriously. However, most of these providers are still relatively small and untested. Some don’t offer mobile apps, making it difficult to send fully encrypted emails on the go.
As the world’s largest end-to-end encrypted email provider, our vision is to build an internet where privacy is the default. If that’s a future you support, join us by creating a free Proton Mail account or upgrading to a paid plan.