From job applications to order receipts, your inbox holds plenty of sensitive data about you. Unfortunately, email was not initially designed to be secure. Hackers can try to undermine the security and privacy of your inbox in multiple ways, including sending you spam, malware, or phishing attempts.
The best way to protect your emails is to look for a trustworthy email service that makes it easy to send encrypted emails. Here we explain what email encryption is and how to easily and conveniently send an encrypted email.
What is email encryption?
An email can be sent in one of two formats: encrypted or unencrypted. Sending an unencrypted email is similar to sending a postcard in the mail — anyone who gets hold of it can read its contents. If a third party intercepts your unencrypted email, the message you wrote is immediately exposed.
Encrypted email, on the other hand, works by taking your plaintext email and scrambling it into unreadable ciphertext using a string of characters known as an encryption key. Only someone who holds the right key can decrypt the scrambled data. End-to-end encryption (E2EE) is the most secure type of email encryption: it ensures that no one but the person you’re writing to can read your message.
How email encryption works
There are two main protocols used to encrypt emails:
- Transport Layer Security (TLS), used to encrypt an email while it’s in transit
- End-to-end encryption (E2EE), used to encrypt an email from the sender’s device to the recipient’s device
Most modern email providers, such as Gmail or Outlook, use TLS to secure your email as it moves from your device to your recipient’s inbox. TLS prevents cybercriminals from reading your email while it’s in transit, defeating man-in-the-middle attacks.
While TLS provides strong protection for an email in transit, your email is decrypted as soon as it reaches your email provider’s servers and only re-encrypted there for storage. Unfortunately, your email provider also holds the decryption key to your emails. This means your email provider can decrypt and read your emails if it chooses to. In fact, Gmail even admits they “can access your private content”, but only when they “have your permission or are required to by law”.
To eliminate the risk of your email provider spying on your messages, E2EE is required since it protects your message from nosy third parties at every stage of the delivery. When you send an end-to-end encrypted email, your message is encrypted on your device and only decrypted when it reaches your recipient’s device. With E2EE, nobody — not even your email provider — can access your email content unless they are your intended recipient.
Why is email encryption important?
If you’re new to email security, you need a simple way to send encrypted emails. Without an easy way to guarantee the confidentiality and integrity of your messages, you might be rightfully concerned that hackers and other malicious actors could access them and steal sensitive information, such as your health records or financial details.
Thankfully, if you use E2EE, you can safeguard your personal information and ensure your emails are read only by your intended recipient. E2EE also offers multiple advantages over other types of encryption, including TLS. Here are some reasons to use E2EE.
E2EE keeps your information safe (even in the event of a data breach)
Since E2EE secures your message at every stage of the delivery, including when it’s stored in your email provider’s servers, it’s still safe in the event of a data breach. If a hacker gets a hold of your end-to-end encrypted emails, all they will see is indecipherable text.
E2EE preserves your privacy
E2EE mathematically ensures nobody can access your emails without your permission, and this includes your email provider. If your email provider receives a court order to reveal your messages, they will not be able to access your emails since they are fully encrypted. No matter the circumstances, your email cannot be decrypted without the right key on your recipient’s device.
E2EE keeps your emails compliant
If you’re a business or an organization dealing with sensitive information over email, chances are you’ll need to comply with local privacy regulations, such as HIPAA and the GDPR. With E2EE, your emails are automatically protected, and you retain total control over your data.
E2EE ensures your emails have not been modified
E2EE not only protects your messages from being read, it also protects them from being tampered with. When you send an encrypted email, your recipient can be sure that it truly came from you and not from someone pretending to be you. E2EE is often coupled with anti-phishing tools that verify the legitimacy of a sender.
What is the easiest way to send an encrypted email?
Email encryption is tricky enough for security experts, let alone for beginners who don’t have a lot of technical knowledge. If you don’t want to configure PGP yourself, the best thing you can do is to use an encrypted email provider, such as Proton Mail.
As the world’s most popular encrypted email provider, Proton Mail is designed with your privacy and security in mind. Proton Mail protects your emails with E2EE and zero-access encryption, ensuring nobody besides your intended recipient can read your message. All encryption runs automatically in the background — all you need to do is write your email and hit “send”.
When you use Proton Mail, you can benefit from:
- Strong encryption: All messages are protected with E2EE and zero-access encryption.
- No ads or tracking: As a privacy-first email service, we will never show you ads or track your email activity.
- Mobile apps: The Proton Mail mobile apps for Android and iPhone/iPad are easy to use and keep your emails safe even when you’re on the go.
- Open source and independently audited: All Proton Mail apps are open source and have been independently audited by security experts. Anyone can check our code to verify our security claims.
- Advanced security features: Besides E2EE, Proton Mail also offers advanced security features to protect your emails, such as a smart spam detection system and anti-spoofing and anti-phishing measures.
Creating a Proton Mail account
To create your first Proton Mail account:
- Visit the Proton Mail website and choose a plan.
- Follow the instructions to create your first Proton Mail account.
- Once you’ve created your account, go to your inbox and select New message at the top left to compose your email.
- Select the Send button at the bottom right of your email composer to send the email to your recipient.
That’s it! Sending an encrypted email with Proton Mail is that easy. And because we believe privacy is a fundamental right, we offer a Free plan that gives you everything you need to start sending encrypted mail.
Other ways of sending an encrypted email
The fastest and most convenient way to send an encrypted email is for both you and your recipient to use Proton Mail. Messages sent between Proton Mail accounts are automatically encrypted using PGP encryption and require zero technical expertise from you.
However, if using Proton Mail is not an option for your recipient, you can use:
- External PGP encryption with Proton Mail
- Our Password-protected Emails feature, or
- The encryption features found in popular email providers, such as Gmail
Using external PGP encryption in Proton Mail
PGP encryption, short for Pretty Good Privacy, is the most widely used email encryption system in the world. Before you can send and receive emails secured by PGP, you first need to generate a key pair: your public key and your private key.
To send you a fully encrypted email, your contact will use your public key to encrypt their messages to you. To decrypt their incoming messages, you need to use your private key. While you can freely share your public key, you should never share your private key.
To generate your public key in Proton Mail:
- Sign in to your Proton Mail account.
- At the top right, select Settings → All settings → Encryption and keys and scroll down to Email encryption keys.
- Click Generate key and select the encryption scheme you prefer (ECC Curve25519 or RSA 4096).
- Click Continue and enter your password to authenticate the process.
To share your public key with your contact using Proton Mail:
- Sign in to your Proton Mail account and compose a message.
- Click the ellipsis menu […] at the bottom left of the composer and select Attach public key.
You can also set up your Proton Mail account for automatic key distribution:
- Sign in to your Proton Mail account.
- At the top right, select Settings → All settings → Encryption and keys and scroll down to External PGP settings.
- Enable the Attach public key option.
As you can see, setting up external PGP encryption is tedious and requires coordination between you and your contacts. For this reason, we recommend both you and your recipient use Proton Mail and let our software take care of these complex operations for you.
With a Proton Mail account, you can also use our Password-protected Emails feature to easily send fully encrypted messages to recipients who don’t use Proton Mail or PGP.
Using Password-protected Emails in Proton Mail
When you send a password-protected email using Proton Mail, your recipient will receive an email telling them they’ve been sent a secure, encrypted message. To open the email, they need to enter a previously agreed-upon password.
Your recipient will then be taken to a Proton Mail inbox where they can read and respond to your message using E2EE. By default, all password-protected emails expire 28 days after they’re sent, but you can change this using the expiration timer.
Encrypting an email using Gmail and other email providers
Some email providers, such as Gmail and Outlook, provide enhanced encryption (known as S/MIME) if you’re looking to send sensitive information over email. However, Gmail’s enhanced encryption is only aimed at enterprise customers, and you’ll need to pay for a Google Workspace account to use it.
Even if you send emails using Gmail’s or Outlook’s S/MIME, your messages are not as secure as they should be, since:
- Your emails are still not end-to-end encrypted, meaning Gmail or another third party could easily access them.
- S/MIME only works if your recipient also uses an email client that supports S/MIME.
Ultimately, the best way to protect your messages is to use Proton Mail. Since our launch in 2014, we’ve been committed to our mission of making privacy the default online. We believe everyone should be able to take control of their data, which is why we use a combination of E2EE and zero-access encryption to keep your emails safe. If you believe your emails should be end-to-end encrypted, sign up for a free email account or upgrade to a paid plan to enjoy the best Proton Mail has to offer.