Emails are still one of the most popular forms of communication in the 21st century, despite technological advancements that allow us to send and receive messages and media files in real-time, as well as chat with video enable over VoIP services.
Emailing may be mostly used by businesses to notify you about important events, send you newsletters, or ask you to confirm the creation of a new account, but they’re also used by individuals if an immediate response is not required from the recipient.
However, since they’re used to transport so much information to and from various individuals or companies, emails are also perfect targets for hackers, who use various vulnerability exploits, social engineering, and various other techniques to get their hands on them.
On the bright side, there are several methods you could use to protect your emails from falling in the wrong hands. One of the most common ways to do so is through encryption, as it renders the content of your emails unreadable unless you have the decryption key.
Encrypted email (meaning)
Encryption is a way to protect information by encoding it and locking it away with a key. That way, only those who have or know the key can decrypt the information and see it in its original form. You can probably understand why encryption can and does play a major role in sending or receiving private emails that no one but the sender and recipient can read.
Thus, if you want to send an email that can’t be deciphered by anyone between you and the recipient, you’ll need an encryption key. It goes without saying that the sender needs the key to encrypt the contents of the email, while the recipient needs the same key to unscramble it.
Without previous knowledge about encryption and the way it works, encrypting your email can seem unnecessarily complicated, but trust us, once you get the hang of it, it’s not a big deal. Imagine that you and a friend have two identical keys that open the same lock. Now you send a box of stuff over to their place and lock it with your key. Upon receiving the box, your friend uses the key that was identical to yours to open the box and enjoy its content.
Email encryption works the same way, only the box is the email, and your identical keys are actually virtual and made of complex codes. So, how can you know that you both have the same key, and even more than that, how can you be sure that nobody else has it?
How does email encryption work?
As we mentioned just above, email encryption is based on keys made of code that are generated by computers, to avoid human error and to add a random factor that humans aren’t exactly excellent at (aka avoid forming patterns). This code that the computer generates for email encryption is based on a technology called public-key cryptography.
Each email user can have a pair of keys, one of which is kept on a public server (public key), and the other stored privately on their device of choice (the one that’s used to receive emails). If you want to send an encrypted email to a recipient, you must look up their identity on the public server (also referred to as a keyserver), which will be associated with a public key and their email address.
You then use the recipient’s public key to encrypt the email. Now we know it may feel a bit confusing that all these keys are out there publicly available, which may not offer you the sense of privacy and secrecy you were looking for. However, it’s worth noting that you can’t use a public key to decrypt an email since the decryption part takes place on the recipient’s device that has the other half of the key (aka the private one), which is used for decryption.
How to send encrypted email?
So, to recap, you have a pair of keys, a public and a private one. The former is used by others to send you encrypted emails, while the latter is used by you to decrypt emails that have been encrypted with the former. Pretty simple, right?
However, and here’s when things start to feel a bit more complicated, there are several types of email encryption that are widely used, but we’ll only discuss three of them: PGP/Inline, PGP/MIME, and S/MIME. Aside from having the correct set of keys (public/private), the sender and recipient must both use the same type of encryption for sending/receiving encrypted emails to work.
Email encryption types
PGP/Inline is an approach to email encryption that is used to encrypt each component of the message separately. This means that the email body and the attachments are each encrypted and signed individually while using PGP/Inline. Although this approach may seem a bit unnecessarily complicated, it does have its fair share of bright sides.
For instance, the recipient may be using an email client that doesn’t support PGP email encryption. However, with PGP/Inline the recipient can just copy or respectively download the content of the email (email body and the attachments) and decrypt these using third-party software solutions.
On the downside, the fact that each component is encrypted separately means that the type and name of each attachment will be leaked before being decrypted, which is not a desirable trait from an encryption scheme.
Last, but not least, it’s worth mentioning that PGP/Inline doesn’t support sending HTML messages. Therefore, all messages sent using this encryption method will be sent in plain text.
The PGP/MIME encryption scheme is a newer approach that’s somewhat the opposite of PGP/Inline, as it bundles everything up, encrypts it, and signs it as a whole. As you may expect, the main advantage PGP/MIME has over its Inline counterpart is that the message structure doesn’t leak, so anyone who might be able to intercept the message won’t be able to figure out details such as attachment metadata.
Furthermore, PGP/MIME email signatures are a bit more subtle for clients that don’t support PGP. On the downside, if the recipient’s client doesn’t support PGP, they’d have to download the whole message (including attachments) to be able to decrypt it with a third party tool since, as we mentioned above, PGP/MIME bundles everything and encrypts them as a whole.
The third and the last type of encryption we’re going to focus on in our article is the S/MIME. Although not proprietary, this encryption scheme is built-in on most iOS and OSX devices. You’ve probably noticed that upon receiving an email message from an iPhone or a Mac system, the email also comes with a small attachment called “smime.p7s.”
This attachment we’ve mentioned above is just a way to verify the identity of the recipient, to ensure that they are the only ones who can decrypt and read the email, once it arrives at the destination. Although this seems a quite effective encryption system (which it is), it’s also harder to implement and not exactly free.
As opposed to the other two encryption technologies we briefly described above (PGP/Inline and PGP/MIME), S/MIME doesn’t come for free, unless you own an Apple device. If you don’t you must purchase a S/MIME certificate to be able to send and receive emails that have been encrypted using this technology. Furthermore, S/MIME is also more difficult to set up on popular mail clients such as Gmail, for instance.
How to send a secure email?
1. How to encrypt email in Outlook
Outlook only supports two encryption options, namely S/MIME and Microsoft 365 Message Encryption (Information Rights Management). For S/MIME, both the sender and the recipient must have a mail client that supports this standard, and fortunately, Outlook is among the ones that do.
Microsoft 365 Message Encryption is included in the Office 365 Enterprise E3 license. However, only the sender needs to have Microsoft 365 Message Encryption in this case, which can simplify things a bit.
It’s worth mentioning that recent modifications to Outlook made the Permissions button seemingly disappear, when in fact it was replaced by an Encrypt button. You can find it in the Options menu, but we’ll get to that in just a few moments.
The recently-added Encrypt button holds both encryption options we’ve discussed above, S/MIME and IRM (Information Rights Management), but the former is only visible if you have already configured it in Outlook.
That being said, let’s see how to configure S/MIME in Outlook and set it as your encryption method of choice.
Create digital certificate
- In Outlook, go to the File menu
- Select Options
- Click on Trust Center
- Select Trust Center Settings
- Go to Email Security
- Click the Get a Digital ID button
- Select a certification authority to create your digital ID (Comodo is a common choice)
- Check your email for the digital ID
Adding S/MIME to Outlook
- Launch Outlook
- Open the File menu
- Select Options
- Go to the Trust Center
- Select Trust Center Settings
- Go to Email Security in the left pane
- Click the Settings button in the Encrypted email section
- Click the Choose button under the Certificates and Algorithms section
- Select the S/MIME certificate you requested earlier
- Click the OK button
If you have a Microsoft 365 subscription, you may need to perform a few different operations. Namely:
- While you’re composing an email, click the Options button
- Click the Encrypt button
- Select the Encrypt with S/MIME option from the combo menu
- Finish composing your email and send it
If you’re using Outlook 2019 or 2016, you can perform the steps above, but use the Permissions button instead of the Encrypt one.
Encrypt with IRM (Microsoft 365 Message Encryption)
- While you’re composing an email message, go to the Options tab
- Click the Encrypt button in the Options section
- Choose the option that enforces the restrictions you want (e.g. Do Not Forward, Encrypt-Only, etc)
- Compose your email and send it
Note that for Outlook 2019 and 2016 users, you need to use the Permissions button instead of the Encryption one. Other than that, the process is exactly the same as for Microsoft 365 users.
Encrypt a single message
- While you’re in the message you want to send, go to the File menu
- Select Properties
- Select the Security Settings option
- Check the Encrypt message contents and attachments box
- Finish your message and send it (it will be encrypted)
Encrypt all outgoing emails
- Navigate to the File tab
- Select Options
- Go to the Trust Center option
- Select Trust Center Settings
- Go to the Email Security tab
- Check the Encrypt contents and attachments for outgoing messages box under Encrypted email
- You can use the Settings button to modify additional settings such as picking a specific certificate
Note that if you choose to encrypt all outgoing messages by default, you won’t have to encrypt your messages individually any longer. You just compose them as you would normally and send them. However, your recipients must have your digital ID in order to decipher and be able to see the content of your messages.
2. How to encrypt email in Gmail (Webmail)
Web-based email clients such as Gmail accept encryption, both S/MIME and PGP fortunately, but we find S/MIME a bit too complicated to justify the effort, so we’re going to go with PGP since it can be implemented way easier than its counterpart.
On the other hand, it’s worth noting that you’ll need to use a third-party service in the form of a browser (Chrome) extension in order to implement PGP encryption to your Gmail client and emails you send using this platform.
That being said, you can choose whichever PGP browser extension you prefer, as most of them perform the same and there’s little to no difference between them. If you need suggestions, we remind you of FlowCrypt, Mailvelope, PrivateMail, Mymail-Crypt, Digify, PGP Anywhere, GPGTools, EnigMail, and GNU Privacy Guard.
After you install your favorite extension from our list of suggestions (or not), you should access its configuration menu. We have no idea which extension you’ve installed, so we’re going to offer you some general guidelines that (hopefully) apply to your extension of choice. If you find the entire process too difficult, try using a different extension.
Alright, so back to where we were: access the extension’s configuration menu and then generate your key by typing a name, email address, and a password in the designated fields. If the extension didn’t already generate your key, you might have to press a button (e.g. Generate, Submit, Confirm) to confirm your input, so look closely and do so if you find one.
Seeing as most email encryption browser extensions come with a keyring and a key generator, creating your PGP public and private keys should be easy to perform. However, you can also create your key using a different service and try to import it. This also works if you’ve already got a key for a while now and want to keep using it with Gmail.
Now if you recall, we’ve already explained that in order for people to find your key, you must either give it to them manually or simply upload it to a keyserver, along with other identifiable details about you (such as your name and email address).
That being said, locate your extension’s Export function and try to use it to retrieve your public key in plain text format. Once you have it, copy the whole thing (including the headers) to your clipboard and try to find a keyserver that suits your needs.
MIT offers one of the most popular keyservers, so you might consider uploading yours there. All you have to do is visit the MIT PGP Keyserver, paste your key (the one you copied earlier) in the Submit field, and then hit the Submit button. That’s it! If you want to check if you did it right, just head back to the MIT PGP Keyserver’s homepage and perform a search using the name you typed in the public key.
If you did everything right, you should be able to see your public key, your name, and your email address in the keyserver. Note that there’s also a keyID parameter on the homepage, which is very useful especially when several users share the same name. It actually happens a lot, which is why you’d want to also share your keyID with contacts you want to exchange encrypted emails with.
Now that you’ve got a public key and uploaded it to a keyserver, you can receive encrypted emails from others. But what if you want to send someone a PGP-encrypted email? Well, since you’re still on the MIT keyserver website, feel free to look up the person you want to exchange encrypted emails with.
If you’re lucky enough to find it, click the keyID of the user you’re interested in. Doing so will display their public key in plain text format. You can copy the entirety of this public key to your keyboard and import it in your extension of choice to add it to your keyring. Now depending on your extension, you can start exchanging encrypted mail with your recipient straight from the extension or in a different window.
For most extensions, you can type the content of your email in a section of the extension, select the recipient from the keyring, then simply copy and paste the encrypted text into your email. Remember that you should paste the encrypted text EXACTLY as you copied it, as tampering with it could lead to failure to decrypt it, and all this work would be in vain.
Decyphering and reading encrypted email should be a piece of cake if you have a decent extension installed, seeing as most extensions will automatically detect encrypted emails and will offer to decipher them automatically for you. However, there’s also the chance that your extension has a manual decryption section where you’d have to paste the entire content of your message and decipher it manually.
Unfortunately, not all extensions provide support for encrypting attachments, but that can be easily solved by using a file encryption program or searching for an extension that features attachment encryption support. For instance, Gnu Privacy Guard can help you encrypt attachments before you upload them so that you can encrypt both the email body and attachments using the same encryption key.
3. Apple Mail (iOS)
As we’ve mentioned before, iOS devices come with built-in S/MIME support. More precisely, the default email app (Apple Mail) has built-in S/MIME support, so you won’t have to do much in order to enable this form of encryption on your iOS device and send private, secure email messages.
Here’s how you can enable S/MIME on your iOS device, or make sure it’s been enabled correctly:
- Open Apple Mail on your iPhone
- Head to the advanced settings section
- Make sure that S/MIME is switched on
- Change the Encrypt by Default option to Yes
That’s all. Now whenever you’ll compose an email message on your iPhone, you’ll be able to see a lock icon next to your recipient’s name. By default, that will depict an unlocked lock, but merely tapping it should set it to the “locked” position and encrypt your email.
Note that some recipients will have a red lock icon next to their names, which means that either you haven’t installed their certificate, or they’re not in your exchange environment (for instance working at the same company), so you can’t send them encrypted messages in this case. Not to worry, though, you can fix this nice and quickly.
In order to exchange encrypted emails with that person, you’ll need to ask them to send you an email with a digital signature attached. Attaching your digital signature to email messages requires that you toggle the option first, which can be done in the same menu as the encryption options we’ve explained above.
Once you receive that message, you’ll need to perform the following actions:
- Click the sender’s email address
- Check if a red question mark appears letting you know that the signature is not trusted
- Tap the View Certificate option
- Tap the Install button
- Tap the Done button in the top-right corner
After you perform these steps, the lock icon next to the recipient’s name will be blue, and you can tap it to set the icon to the “locked” position and send encrypted messages with this contact.
4. Mail app (Mac/OSX)
If you want to send encrypted email messages from your default mail application on your Mac (OSX), you have to meet the same requirements as for the iOS and Outlook versions above: the recipient’s digital signature must be stored on your device beforehand.
After retrieving the recipient’s digital ID, whenever you compose a message and type the contact’s email address, you’ll be able to see a checkmark that will inform you that the message will be signed. Now you shouldn’t confuse this checkmark with the lock icon we discussed in the iOS section, considering that signing and encrypting an email message are two wildly different things.
Now you should also be able to see the lock icon next to the signature checkmark. However, as opposed to iOS, where you can simply decide which contact receives encrypted emails, and which don’t, while using Mac you must have the digital certificates of all the contacts you include as recipients in your email.
Otherwise, the email won’t be encrypted, even though you had digital certificates for some of your contacts ready and available on your device. One last thing; make sure to sign email messages only after you’ve finished composing them. Performing any modification before will make the certificate show up as untrusted.
5. Android (S/MIME)
Android devices have a bit more elbow room than iOS or Mac devices, so you can rely on third-party tools that can help you encrypt your email before you send it. One such example is CipherMail, which can be used in conjunction with the Gmail app, but also works with other third-party options such as Outlook, Thunderbird, K-9, and other existing S/MIME clients.
CipherMail helps you encrypt both messages and attachments, features HTML email support, ensures that certificates are extracted automatically, supports CRLs, includes CTLs (Certificate Trust Lists) for blacklisting or whitelisting certificates, and is even capable of generating self-signed certificates to be used for private PKI.
6. Android (PGP)
As we’ve mentioned before, S/MIME may be more secure (in some regards) than PGP, but PGP is far easier to implement, is entirely free, and provides you with more flexibility regarding who you can/can’t send encrypted email messages to. However, on Android PGP is not naturally occurring, so you’ll have to help it with a tool.
OpenKeychain, for instance, is a lightweight tool that’s 100% free to use and can help you store certificates and PGP keys for others. You can use it with email clients that support PGP such as K-9 without significant efforts.
It’s very simple to operate OpenKeychain on your Android device, given that it enables you to create your own keys, both public and private ones. You just have to type your email address, along with your name and a password, and OpenKeychain will generate the pair of keys for you. You can also use OpenKeychain to import an existing key if you have one.
After generating a key, you can export it from the app so that you can use it with other applications and devices if you want to. If you need to find a public key for a certain contact, you can use OpenKeychain to look up that person and try to find their public key, so you can send them encrypted emails. OpenKeychain also saves public keys that you’ve added to your keychain so that you can use them again later without spending too much time looking around.
If you want to use OpenKeychain with your email client, you might need to go to that app’s configuration menu, locate encryption settings, and try setting OpenKeychain as your preferred or default PGP or OpenPGP provider. There are several apps that support PGP encryption, but configuration menus are different from one app to another. It’s worth mentioning that not all Android email clients support encryption.
If all the procedures we’ve discussed above sound like gibberish to you and you like keeping things straight and simple, there’s yet another solution for you: using an email service that offers strong encryption by default.
Fortunately, ProtonMail is not only a mail client that uses end-to-end encryption and zero-access encryption to secure your emails, but it’s also free to use. Truth be told, ProtonMail offers both paid and free plans, but the free plan includes 500 MBs of storage and a limit of up to 150 messages per day, which we believe is more than enough to satisfy your needs for encrypted, secure mail.
If not, then the Plus (paid) version of ProtonMail provides you with 5 GBs of storage, lets you send up to 1000 messages per day, has labels, folders, and custom filters, can send encrypted messages to external (non-ProtonMail) recipients, allows you to use your own domain, and gives you up to 5 email aliases for only €4.00 per month.
The only downside of using the free version of ProtonMail is that you won’t be able to send encrypted messages to recipients that are not using the same email client. However, if you need a quick email exchange you can persuade your recipient to create a free ProtonMail account so you can have peace of mind regarding email privacy violations.
8. Disposable email addresses (burners)
You may have heard the term burner associated with various shady dealings, but as far as protecting your privacy goes, there’s no length you shouldn’t go to protect it. Creating a disposable email address, also called burner or a temp, is one of the best ways to keep your security and privacy at optimal levels.
The best thing about a disposable email address is that it self-destructs after a certain period of time. Therefore you can use such an email address to send private messages to your recipient, log out of it and that’s the end of the story.
Alternatively, if you have to receive a private message, just have it delivered to a burner email address you can access, make sure you have enough time to read the message, then delete it and stop worrying about it, as the address will soon be turning to virtual dust.
There are a few burner email services that you may safely use, including Zmail and Guerilla Mail. The latter also includes a password manager, so that you don’t need to remember the passwords for every temporary email address you may create.
Send encrypted email – CONCLUSION
All things considered, if you suspect someone’s eavesdropping on your email exchanges with various recipients, a great way to prevent that is by encrypting your email messages and their attachments.
As we’ve discussed earlier, there are many ways to go about it, and these methods usually differ from one device/app to another. However, once you understand how encryption works and what requirements you have to meet in order to implement it, using encryption to protect your emails should feel like a walk in the park, whether you’re using S/MIME, PGP/Inline, or PGP/MIME.
If you need a VPN for a short while when traveling for example, you can get our top ranked VPN free of charge. NordVPN includes a 30-day money-back guarantee. You will need to pay for the subscription, that’s a fact, but it allows full access for 30 days and then you cancel for a full refund. Their no-questions-asked cancellation policy lives up to its name.