Understanding Email Encryption and How to Use It

💡 Most emails are sent as plain text across the internet — email encryption is the only real way to keep sensitive information from being intercepted, and it’s easier to set up than most people think.

Your Email Is Basically a Postcard (And That’s a Problem)

Here’s something most people don’t realize: when you send a regular email, it travels across multiple servers before reaching the recipient. Any one of those servers — or anyone with access to them — can technically read what you wrote.

That’s not paranoia. That’s just how the protocol works.

Email encryption changes that. Instead of sending a postcard anyone can read, you’re sending a sealed envelope that only the intended recipient can open. For everyday messages about weekend plans? Probably fine either way. For tax documents, medical records, legal contracts, or anything involving account credentials? The difference matters enormously.

So how does it actually work — and more importantly, how do you use it without a computer science degree?

flowchart TD
    A[You Write Email] --> B{Encryption Enabled?}
    B -- No --> C[Plain Text Sent Across Servers]
    C --> D[Anyone with Server Access Can Read It]
    B -- Yes --> E[Message Encrypted Before Sending]
    E --> F[Only Recipient's Key Can Decrypt]
    F --> G[Secure Delivery]

The Two Types of Email Encryption You Actually Need to Know

💡 Transport encryption protects your email in transit; end-to-end encryption protects it at every step — including on the provider’s own servers.

Most major email providers — Gmail, Outlook, Yahoo — use something called TLS (Transport Layer Security). It encrypts your message while it’s moving between servers. That’s better than nothing, but here’s the catch: the email provider itself can still read your messages. Their servers store the decrypted content.

End-to-end encryption (E2EE) is a different animal entirely. With E2EE, the message is encrypted on your device before it ever leaves, and it can only be decrypted by the recipient’s private key. Not even the email provider can read it.

There are two main ways to get this:

  • Use a dedicated encrypted email service like ProtonMail or Tutanota. These platforms handle the encryption automatically when both sender and recipient are on the same service.
  • Use PGP (Pretty Good Privacy) — a standard that lets you encrypt emails across any platform, but requires both parties to exchange public keys first.

A colleague of mine — mid-40s, works in compliance at a financial firm — spent years just attaching password-protected ZIP files to regular emails and calling it “secure.” When I explained that the email body itself describing the contents was still unencrypted, he went quiet for a second. Switched to ProtonMail for external client communications within the week.

| Method | Ease of Use | Who It Protects Against | Best For |
|---|---|---|---|
| TLS (standard) | Automatic | Network interception | General use |
| ProtonMail (E2EE) | Very easy | ISPs, hackers, even ProtonMail | Sensitive personal/professional emails |
| PGP encryption | Technical setup required | Everyone, including any server | High-security professional use |
| S/MIME | Moderate (needs certificate) | Network + provider access | Corporate environments |

The Math Behind Why Encryption Works

💡 Modern 256-bit AES encryption would take longer than the age of the universe to brute-force — understanding that number helps you trust the technology.

Here’s a quick calculation that puts it in perspective. A 256-bit encryption key has 2²⁵⁶ possible combinations. That’s roughly 1.15 × 10⁷⁷ possibilities. Even if you had a computer that could check one trillion keys per second, cracking a single 256-bit key would take approximately 3.67 × 10⁵⁵ years. The observable universe is only about 1.38 × 10¹⁰ years old.
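The same arithmetic carried through in code, as an example added here rather than part of the original post, for several key lengths and attacker speeds. It assumes a 365-day year and the one-trillion-keys-per-second rate quoted above. With those inputs a full search of the 256-bit keyspace comes out at about 3.67 × 10⁵⁷ years, two orders of magnitude above the 10⁵⁵ quoted above; the conclusion (the age of the universe is not even a rounding error) is unchanged. The 56-bit row is included to show why key length matters: at the same rate, the old DES keyspace falls in under a day.

```python
from math import log10

SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # 31_536_000; assumes a 365-day year
UNIVERSE_AGE_YEARS = 1.38e10            # figure quoted in the article


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length in bits."""
    return 1 << bits


def brute_force_years(bits: int, keys_per_second: float = 1e12,
                      average: bool = False) -> float:
    """Years needed to try every key (or, with average=True, the expected
    half of the keyspace) at the given trial rate."""
    trials = keyspace(bits) / (2 if average else 1)
    return trials / keys_per_second / SECONDS_PER_YEAR


def universe_lifetimes(bits: int, keys_per_second: float = 1e12) -> float:
    """How many times the current age of the universe a full search takes."""
    return brute_force_years(bits, keys_per_second) / UNIVERSE_AGE_YEARS


def main() -> None:
    # 1e12 keys/s is the article's single machine; 1e18 keys/s is a
    # constructed, deliberately generous figure for a million such machines.
    for rate in (1e12, 1e18):
        print(f"--- {rate:.0e} keys per second ---")
        for bits in (56, 128, 256):
            years = brute_force_years(bits, rate)
            print(f"{bits:>3}-bit key: 10^{log10(keyspace(bits)):.1f} keys, "
                  f"full search ~{years:.2e} years "
                  f"(~{universe_lifetimes(bits, rate):.1e} universe lifetimes)")


if __name__ == "__main__":
    main()
```

Each extra bit doubles the search, so the jump from 128 to 256 bits is not twice as hard but 2¹²⁸ times harder; speeding the attacker up by a factor of a million only shaves six digits off an exponent of 57.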

Honestly, when I first ran that number myself, I had to double-check it. Seemed too extreme.

The point is: email encryption isn’t a matter of “making it harder.” Done right, it makes reading an intercepted message computationally infeasible with any technology that exists or is likely to exist.

The weak links aren’t in the math — they’re in how people use (or don’t use) it.

How to Actually Start Using Email Encryption Today

The biggest barrier isn’t technical. It’s this: email encryption only fully works when both parties support it.

Here’s the thing — that’s not as limiting as it sounds. If you’re sending sensitive documents to a lawyer, accountant, or business partner, you can simply ask them to set up a ProtonMail account first. Takes about 3 minutes. Both of you get end-to-end encryption for free, automatically, with zero configuration.

For situations where you can’t control what the recipient uses, ProtonMail even lets you send encrypted messages to non-ProtonMail users by password-protecting them. The recipient gets a link and needs the password to decrypt it — you share the password through a separate channel like a phone call.

Before sending any confidential email, run through this quick check:

  1. Does the recipient use an encrypted email service? If yes — send directly.
  2. Does your email client support S/MIME or PGP? If yes — use that.
  3. Neither? Use ProtonMail’s password-protected external message feature, or a secure file transfer service for the actual documents.

One more thing that gets overlooked: check your current email client’s settings right now. Gmail, for instance, has a “Confidential Mode” — it’s not true end-to-end encryption, but it does prevent forwarding and allows message expiration. Outlook has S/MIME support built in for enterprise accounts. These aren’t perfect, but enabling whatever’s available in your existing client is still better than doing nothing.

Has anyone else noticed how rarely this gets mentioned in standard workplace security training? It’s almost always about passwords and phishing, never about the actual content of the emails themselves.

mindmap
  root((Email Encryption))
    fa:fa-lock End-to-End
      ProtonMail
      Tutanota
      PGP / GPG
    fa:fa-shield Transport Layer
      TLS Standard
      Gmail Default
      Outlook Default
    fa:fa-building Enterprise
      S/MIME
      Corporate Certificates
    fa:fa-user-secret Best Practices
      Verify recipient support
      Separate channel for passwords
      Never send credentials unencrypted

Bottom line: email encryption isn’t just for hackers, whistleblowers, or IT professionals. If you’ve ever attached a tax return, a medical record, or a contract to an email — and sent it through a regular platform without encryption — that information traveled across the internet in a format that was, technically, readable.

The fix is straightforward. The tools are free. The only thing left is deciding to use them.
