Proton

How secure is email?

We all rely on email to communicate in our professional and personal lives. From calendar events to flight confirmations and online shopping receipts, our inbox contains private data about our schedules, interests, and habits. Our reliance on email might make you surprised to learn that it was never designed to be secure in the first place. 

While there are risks associated with communicating via email, you can still take steps to keep your inbox secure. This article shows you what you can do to make your email secure and compares email security standards between popular email providers. 

Threats to email security
How to make your email secure
A look at popular email providers

Get Proton Mail button

Threats to email security

Since email is so widely used, it’s the top target for cyberattacks. Here are some common threats to your email security. 

Phishing

Cybercriminals use phishing emails to trick you into revealing sensitive information, such as your credit card details and online account passwords. These fake emails appear to come from a credible authority, like your bank, credit card company, or even popular online retailers, like eBay or Amazon. Some phishing emails are extremely sophisticated and convincing, which is why over 90% of data breaches(new window) happen because of phishing scams. 

Malware

Malware(new window) refers to any file or code designed to gain unauthorized access to a computer or computer network. For example, you may receive an email with an attachment that appears urgent or related to you, such as the infamous ILOVEYOU worm(new window) that infected over 10 million computers in the early 2000s. When a malware attack is successful, attackers hijack computers and servers, access sensitive information, spy on user activity, and perform other malicious actions. 

Spam and unwanted emails

Spam emails are one of the most common types of email threats. While most spam emails are simply a nuisance, others contain malicious links to fraudulent websites. Here are some typical spam emails you might encounter:

  • Unsolicited ads
  • Hoaxes
  • Money scams
  • Fake malware warnings
  • Porn spam
  • Chain letters 

Unauthorized inbox access

If you don’t use a strong password to protect your inbox, it could be hacked by attackers using brute-force attacks. Equipped with a supercomputer, a brute-force attacker works through all possible combinations to guess your login credentials. Depending on the length and complexity of your password, cracking it could only take a few seconds.

Additionally, if you reuse passwords across multiple online accounts, it only takes one of these services to experience a hack or leak to put the rest of your online accounts at risk. 

Spying and monitoring 

Once a hacker gains access to your inbox, they could easily spy on your emails, gather private information about you, and blackmail you. A far more pervasive example of spying on your inbox is pixel trackers embedded in marketing emails. These spy trackers collect information such as:

  • Whether the email containing the tracker has been opened
  • Date and time of opening
  • Device type and operating system
  • Your IP address and geographic location

This information is then sent back to the sender and used to target you with personalized ads.

How to make your email secure

Despite these threats, you can still take precautions to keep your inbox secure and mitigate the risk of a cyberattack. 

Enable two-factor authentication

Whenever possible, you should always enable two-factor authentication (2FA) on your email account. Most 2FA methods require you to enter a temporary one-time code generated from an authenticator app on your phone, but you can also use hardware security keys. If you have 2FA enabled, even if a hacker cracks your password, they won’t be able to gain access to your inbox unless they also have access to your 2FA device.

Using a strong password

Having a strong password is critical to keeping your inbox secure. The easiest way to create strong, unique passwords is to use an open-source password manager that generates and saves your login credentials for you. Then, all you need to remember is a strong passphrase that unlocks your password manager.

What is email encryption?

The level of security and privacy of your email also depends on the method of encryption you use to protect it. It’s the first line of defense against data theft and one of the most effective ways to prevent your email provider from reading your emails. Since your emails contain plenty of sensitive information about you, you’re less likely to be targeted for ads, spam, and malware attacks when you keep them safe. By using email encryption, you’re also protecting your emails from being modified and tampered with. 

Here are the most common types of email encryption. 

TLS

Transport Layer Security (TLS) is a cryptographic protocol used to secure web communications across a network. Due to its versatility, TLS is also used to connect to websites and deliver instant messages and emails. TLS is useful because it prevents third parties from eavesdropping and tampering with your messages while they’re in transit. 

However, TLS alone doesn’t provide adequate security for your emails. Once your email arrives at the receiving server, it’s immediately decrypted, and it’s up to your recipient’s email provider to encrypt and secure your messages.

Zero-access encryption

Zero-access encryption is an encryption method that protects your data at rest by making it inaccessible to the email provider. With zero-access encryption, when you receive an unencrypted email, your email provider will briefly have access to the message after the TLS encryption is undone. It’s then immediately encrypted using your public key. The encrypted data can only be decrypted locally on your device with your private encryption key. 

Since your email provider doesn’t have access to your private encryption key, it can’t be decrypted by anyone besides you. 

End-to-end encryption

Compared to other encryption methods, end-to-end encryption (E2EE) ensures your online privacy and security are protected. It’s a secure method of encoding email data so that only your intended recipient can decrypt the information. Your email is encrypted locally on your device using your recipient’s public key and stays encrypted until it reaches your intended recipient’s device, where it’s decrypted using your recipient’s private key. 

With E2EE, no one — not even Proton — can read your email unless they also have physical access to the device where your recipient’s private key is stored. 

There are two primary encryption protocols that provide E2EE: S/MIME and PGP. 

S/MIME 

S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. S/MIME uses a pair of mathematically related keys — a public key and a private key — to secure emails. When you send an email using a S/MIME certificate, the email is encrypted using your recipient’s public key. The recipient can only decrypt the email using the private key associated with the public key. 

While S/MIME certificates encrypt your emails and prove that you wrote and sent them, only a certificate authority (CA) can issue S/MIME certificates. This means you would have to contract your own CA to validate your digital identity. 

PGP

Pretty Good Privacy (PGP) is another method of implementing E2EE and is one of the world’s most widely used email encryption systems. 

PGP works by first generating a random and unique session key. This key is used to encrypt the contents of your email. The session key itself is then encrypted using your recipient’s public key and sent to your recipient (along with the encrypted email). Once the email arrives, your recipient decrypts the session key using their private key. The session key can then be used to decrypt the email. 

While PGP may seem complicated, it’s an extremely robust encryption protocol. When implemented properly, PGP works seamlessly while providing a high level of security, privacy, and authentication for your emails.  

It’s no secret that most popular email providers don’t provide adequate protection for your emails. Here we look at the different types of encryption used by popular email providers and how you can pick the best provider that caters to your privacy needs.

Gmail

Gmail uses TLS to encrypt all emails by default. This means your message is protected while it’s in transit from your device to Gmail’s servers. However, TLS only works if your recipient’s email provider also supports TLS encryption.

While TLS provides some security for your emails, it isn’t as strong as E2EE (as it only protects emails when they’re in transit, not when they’re stored in email servers). For this reason, Gmail also offers S/MIME encryption for users who need advanced security, but only if they’re willing to pay for a Google Workspace account. But even if you encrypt your emails using Gmail’s S/MIME:

  • Google still retains control of your encryption key, meaning it can decrypt and read your emails at will.
  • S/MIME only works if your recipient also has S/MIME enabled.
  • Unlike PGP, S/MIME relies on certificate authorities to validate all digital identities, so you’ll need to obtain your own S/MIME certificate and upload it to Gmail.

Outlook

Similar to Gmail, Outlook also uses TLS to encrypt your emails. If you’re looking for added protection for emails using S/MIME, you’ll need to pay to become a Microsoft 365 Premium or Microsoft Office 365 E3 user. 

Moreover, Outlook only supports S/MIME if you’re using a Windows desktop. Outlook’s S/MIME encryption isn’t available on Mac, iOS, Android, and other non-Windows devices, which greatly limits how frequently you can use the feature.

Yahoo Mail

Yahoo Mail uses TLS to encrypt emails but does not offer native S/MIME or PGP support. To use E2EE with Yahoo Mail, you’ll need to use a third-party plugin.

Proton Mail

As an email provider focused on privacy and security, keeping your data safe is our top priority, which is why we use a combination of TLS, zero-access encryption, and E2EE to secure your emails. All of Proton Mail’s encryption runs seamlessly in the background, meaning all you need to do is compose your email and hit the “send” button. And unlike other email providers, only you have control over your private key, which means we can’t access your emails or hand them over to a third party. 

When you use Proton Mail, you can also enjoy these security benefits and more:

Since we believe online privacy is a fundamental right for all, anyone can sign up for a free and secure Proton Mail account.

Other encrypted email providers

The growing number of encrypted email providers (such as Tutanota) is a promising sign that more people are taking their digital privacy seriously. However, most of these providers are still relatively small and untested. Some don’t offer mobile apps, making it difficult to send fully encrypted emails on the go.

Final thoughts 

As the world’s largest end-to-end encrypted email provider, our vision is to build an internet where privacy is the default. If that’s a future you support, join us by creating a free Proton Mail account or upgrading to a paid plan.

Related articles

laptop showing Bitcoin price climbing
en
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.