From your online shopping receipts to financial statements, your emails contain a great deal of sensitive information about your life, interests, and daily schedule. If you’re concerned about your online privacy, it’s therefore vital to keep your inbox and messages secure. As with all online content, the best way to protect your emails from third parties is to encrypt them with the gold standard of email encryption: end-to-end encryption (E2EE).
Unlike other types of encryption, E2EE ensures only you and your intended recipient can read your messages. No one, not even your email provider, can access your messages without your knowledge. In this article, we show you how to encrypt your emails and which method is best for email encryption.
How to encrypt your emails
Use a private and secure email provider
Setting up end-to-end encryption for emails is tricky, even for security experts. This is why if you’re a beginner without much experience with email security, the easiest way to encrypt an email is to use a private and secure email provider, such as Proton Mail.
Unlike popular email providers such as Gmail and Outlook, which only use TLS to encrypt your emails while they’re in transit, Proton Mail uses E2EE by default to protect your messages. E2EE works by scrambling your email into indecipherable text that only your recipient can reassemble, using the matching private key. Your email is encrypted on your device and decrypted only after it arrives in your recipient’s inbox, so no one in between can read its content.
With Proton Mail, this encryption happens automatically behind the scenes — all you need to do is compose your email and send it to your recipient. We also use zero-access encryption to protect your data stored on our servers. With zero-access encryption, even if a hacker breaches Proton Mail’s servers, they won’t be able to decrypt your messages.
Set up PGP yourself
If you have some technical expertise, you can also set up PGP on your own. PGP is an acronym for Pretty Good Privacy, one of the most widely used E2EE systems in the world. PGP allows you to digitally sign and encrypt messages, so that any tampering with them can be detected.
Using a PGP client
You can set up PGP on your own by using a PGP email application, such as OpenPGP. When you use a PGP client, you first need to generate a key pair: your public key and your private key. You can share your public key with your contacts, but your private key should always be kept secret.
To send you a fully encrypted email, your contact will need to use your public key to encrypt their messages to you. To decrypt their incoming messages, you need to use your private key.
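The exchange just described, as an added example that is not part of the original article: two throw-away GnuPG keyrings stand in for the recipient (Alice) and the sender (Bob), the names, addresses and message are constructed, and it assumes `gpg` 2.1 or later is installed.

```shell
#!/bin/sh
# Added example, not from the article: the OpenPGP exchange described above, run with
# GnuPG in batch mode. Names, addresses and the message are constructed; each party
# gets its own throw-away keyring so a private key never leaves its owner's machine.
set -eu

# Generate a key pair (signing primary key plus encryption subkey) in keyring $1 for user id $2.
gen_key() {
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" default default never
}

# Run the whole exchange inside directory $1; leaves plaintext.txt, msg.asc and decrypted.txt there.
pgp_roundtrip() {
  work="$1"; alice="$work/alice"; bob="$work/bob"
  mkdir -p -m 700 "$alice" "$bob"

  # 1. Each side generates its own key pair.
  gen_key "$alice" "Alice <alice@example.test>"
  gen_key "$bob"   "Bob <bob@example.test>"

  # 2. Only public keys are exchanged. Bob imports Alice's public key (to encrypt to her)
  #    and Alice imports Bob's (to verify his signature).
  GNUPGHOME="$alice" gpg --batch --armor --export alice@example.test > "$work/alice.pub"
  GNUPGHOME="$bob"   gpg --batch --armor --export bob@example.test   > "$work/bob.pub"
  GNUPGHOME="$bob"   gpg --batch --quiet --import "$work/alice.pub"
  GNUPGHOME="$alice" gpg --batch --quiet --import "$work/bob.pub"

  # 3. Bob signs with his own private key and encrypts to Alice's public key.
  printf 'Meet at noon.\n' > "$work/plaintext.txt"
  GNUPGHOME="$bob" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --trust-model always --armor --sign --encrypt --recipient alice@example.test \
    --output "$work/msg.asc" "$work/plaintext.txt"

  # 4. Only Alice's private key can decrypt msg.asc; gpg also checks Bob's signature
  #    and exits non-zero if the message was altered in transit.
  GNUPGHOME="$alice" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --trust-model always --output "$work/decrypted.txt" --decrypt "$work/msg.asc"

  gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$bob"   --kill gpg-agent 2>/dev/null || true
}

# Stand-alone run: a relaying mail server sees only the armored ciphertext in msg.asc.
if [ "${1:-}" = "--run" ]; then
  d=$(mktemp -d); pgp_roundtrip "$d"
  head -n 3 "$d/msg.asc"; cat "$d/decrypted.txt"; rm -rf "$d"
fi
```

The intermediate file msg.asc is what any mail provider in between would store or relay; it carries no readable trace of the plaintext.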
However, sending fully encrypted emails with your own PGP client is more challenging than it sounds. Both you and your recipient must use compatible versions of PGP for the encryption to work. And if you don’t share or store your key pair properly, you might accidentally weaken your security. To prevent this, you could use a trusted E2EE email provider to handle the complex operations of email encryption for you. Alternatively, a third-party plugin may do the job.
Using a third-party PGP plugin
Third-party PGP plugins, such as Mailvelope, help make encryption simple and straightforward. They are browser extensions that build PGP directly into your webmail, so you can easily send fully encrypted emails in an environment that’s already familiar to you. All encryption and decryption is handled locally on your computer, and your email provider does not have access to your private key.
While a third-party PGP plugin simplifies E2EE, it’s far from being a perfect system:
- Most third-party PGP plugins don’t support desktop email clients, meaning that if you send emails from Thunderbird or Apple Mail, you won’t be able to encrypt them with the plugin.
- These plugins don’t work in browsers on mobile devices.
- Your attachments must be encrypted separately from your emails.
Using Gmail or Outlook’s enhanced encryption (paid feature)
If you’re a Gmail or Outlook user, you can also encrypt your emails with their paid encryption feature. Gmail provides enhanced encryption (known as S/MIME) for enterprise customers, so you’ll need to pay for a Google Workspace account to use it. But Gmail still retains control of your encryption keys, so it can decrypt your messages at will.
Similarly, Outlook offers S/MIME encryption if you’re willing to pay for a premium Microsoft Enterprise subscription. It’s not a simple solution to set up and you’ll need an administrator to manage it.
Compared to PGP, Gmail and Outlook’s S/MIME encryption has several drawbacks:
- S/MIME only works if you and your recipient enable it correctly. Otherwise, your email will fall back to weaker TLS encryption, potentially putting your email exchange at risk.
- S/MIME relies on a centralized system of certificate authorities (CAs) to verify your digital identity, which means you’ll need to obtain a certificate from a CA. This can be complex and costly to set up properly.
The best way to encrypt your emails
If you’re looking for a hassle-free way to encrypt your emails, you need to find a trustworthy encrypted email provider like Proton Mail. As the world’s largest encrypted email provider, one of our goals is to make sending fully encrypted emails as easy as possible. This is why we’ve made our email encryption automatic.
All emails sent between Proton Mail addresses are fully protected with E2EE and zero-access encryption, so no one other than you and your recipient can read your messages. And if you’re sending emails to non-Proton Mail addresses, you can use our Password-protected Emails feature. Your recipient can only read your email after they enter the correct password, and can easily reply with guaranteed E2EE.
We also offer the following advanced security features:
- End-to-end encryption: All messages sent between Proton Mail addresses are automatically end-to-end encrypted.
- Zero-access encryption: Your emails are stored with zero-access encryption on Proton Mail’s servers, meaning nobody (not even Proton) can read or access them.
- Message expiration: Set a timer on your email so it’s automatically deleted from your recipient’s inbox after the time runs out.
- Enhanced tracking protection: Proton Mail automatically blocks all spy pixels in the marketing emails you receive, so you can safely read your emails and load images without being tracked.
- Sender verification: Proton Mail’s sender verification proves that an email has not been tampered with and comes from a trusted sender.
- Encrypted contacts: Securely store your contacts’ details in your inbox, such as their phone number, address, birthday, and personal notes.
- Spam detection: Our smart spam detection system automatically filters unwanted emails to your spam folder. You can also block senders you no longer want to receive emails from.
Besides our intuitive and easy-to-use web app, you can also download Proton Mail on your mobile device (iOS and Android) to send encrypted emails even when you’re on the go. If you’d like to support our mission of building a better internet, consider signing up for a free account or upgrading to a paid Proton Mail plan for the most comprehensive email security features.