Encrypted Email
Last updated: 2026-01-15
What Is Encrypted Email
Encrypted email is a technology that encrypts the body and attachments of an email so that only the sender and recipient can read the content. Regular email is sent like a postcard - anyone along the delivery route can read it.
While TLS encryption between mail servers (STARTTLS) is widespread, it only protects data in transit. Once delivered, messages sit on the mail server in a form the provider can read. Encrypted email goes further by encrypting the message content end-to-end between sender and recipient, so that even the email service provider cannot read it.
How PGP and S/MIME Work
- PGP (Pretty Good Privacy) / GPG: Uses public key cryptography to encrypt email with the recipient's public key. Trust is established through the "Web of Trust" model, where users sign each other's public keys. Does not depend on a central certificate authority. GPG is open source, and OpenPGP is widely used by individuals and communities.
- S/MIME (Secure/Multipurpose Internet Mail Extensions): Uses certificates issued by a certificate authority (CA). Easier for corporate IT departments to manage centrally. Natively supported by major email clients (Outlook, Apple Mail, Thunderbird). Certificate acquisition may involve costs.
Both encrypt the message body and can attach digital signatures to verify the sender's identity and detect tampering. The key difference is the trust model: PGP uses a decentralized Web of Trust, while S/MIME relies on a centralized CA hierarchy.
Encrypted Email Service Options
Because setting up PGP or S/MIME can be technically challenging, email services that handle encryption automatically have emerged.
- ProtonMail: Based in Switzerland. Emails between users are automatically end-to-end encrypted (E2EE). Sending to non-users is possible with password-protected encryption. Free plan available.
- Tutanota: Based in Germany. All emails are encrypted at rest. Sending encrypted emails to external recipients is supported. Calendar and contacts are also encrypted.
- Mailfence: Based in Belgium. Supports both PGP and S/MIME. Interoperable with existing PGP users. Includes calendar and document storage.
When choosing a service, consider the jurisdiction (privacy laws of the country), whether the source code is open, and whether independent security audits have been conducted.
Limitations and Caveats of Encrypted Email
Encrypted email has several important limitations.
- Metadata is not encrypted: In both PGP and S/MIME, header information such as subject, sender, recipient, and timestamps is sent in the clear; only the body and attachments are encrypted. Third parties can still see who emailed whom, and when.
- Key Management Complexity: PGP requires users to manage their own keys - generating, distributing, and backing up key pairs. Losing a private key means permanently losing access to encrypted emails.
- Interoperability Issues: PGP and S/MIME are not interoperable. If the sender uses PGP and the recipient only supports S/MIME, encrypted communication is not possible.
- Search Limitations: Encrypted emails cannot be searched on the server side. Full-text search is only possible on the client where decryption occurs.
Getting Started with Encrypted Email
Here's how to set up PGP-based encrypted email for personal use, along with considerations for organizational deployment.
Generating a PGP Key Pair: Install GPG (GNU Privacy Guard) and generate a key pair with gpg --full-generate-key. Choose RSA 4096-bit or Ed25519 as the algorithm. Set an expiration date (1-2 years recommended) and protect the private key with a strong passphrase.
Publishing Your Public Key: Upload your public key to a key server (keys.openpgp.org) or publish it on your website. This allows others to send you encrypted emails.
Email Client Setup: Thunderbird has built-in PGP support (OpenPGP). For Outlook and Apple Mail, plugins or S/MIME certificates are needed.
Organizational Deployment: For enterprises, S/MIME with centrally managed certificates is generally easier to deploy. Integration with existing directory services (Active Directory) and automated certificate provisioning reduce the management burden.
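The key generation and publishing steps above, carried out unattended. This is an added example, not the article's own instructions: it builds an Ed25519 signing key with a cv25519 encryption subkey, a 2-year expiry and a passphrase in a throwaway GNUPGHOME, exports the public key you would upload to a key server, then signs, encrypts and decrypts a message to yourself. The name, address and passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the article). Requires GnuPG 2.1+; uses an isolated
# temporary keyring so your real ~/.gnupg is never touched.
set -eu

NAME="Example User"                              # placeholder identity
EMAIL="user@example.invalid"                     # placeholder address
PASSPHRASE="replace-with-a-long-random-passphrase"  # placeholder

pgp_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 0; }
    GNUPGHOME=$(mktemp -d); export GNUPGHOME    # mktemp -d creates it mode 700
    # 1. Generate the key pair from a parameter file (GnuPG unattended key generation):
    #    Ed25519 primary for certify+sign, cv25519 subkey for encryption, 2-year expiry.
    gpg --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 2y
Passphrase: $PASSPHRASE
%commit
EOF
    # 2. Export the ASCII-armored public key. This file is what you publish on a
    #    key server or your website; the private key never leaves GNUPGHOME.
    gpg --batch --armor --export "$EMAIL" > "$GNUPGHOME/pubkey.asc"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$GNUPGHOME/pubkey.asc"
    # 3. Sign and encrypt a message to yourself, then decrypt and verify it.
    #    Only the body is protected; a mail client still sends Subject/From/To in the clear.
    printf 'meeting notes, confidential\n' |
        gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASSPHRASE" \
            --armor --sign --encrypt --recipient "$EMAIL" > "$GNUPGHOME/msg.asc"
    plain=$(gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASSPHRASE" \
        --decrypt "$GNUPGHOME/msg.asc" 2>/dev/null)
    gpgconf --kill gpg-agent 2>/dev/null || true  # stop the agent before removing its socket dir
    rm -rf "$GNUPGHOME"
    [ "$plain" = "meeting notes, confidential" ]  # round trip must reproduce the plaintext
}

pgp_demo && echo "key generation, export, sign/encrypt and decrypt succeeded"
```

For a real key, replace the placeholders, run the gen-key step against your normal keyring, and upload pubkey.asc to keys.openpgp.org or your website as the article describes.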
To learn more about this topic, see Encrypted Email Services Compared: ProtonMail vs Tuta vs Mailfence.
Common Misconceptions
- Gmail and Outlook are encrypted, so they are safe
- Gmail and Outlook encrypt server-to-server communication with TLS, but emails are stored in a decrypted state on the server. Google and Microsoft can access email content and may use it for ad targeting or AI features.
- Encrypted email is only for tech experts
- Services like ProtonMail and Tutanota offer the same user experience as regular email with encryption built in. No PGP key management is required - just create an account and start using it.
PGP vs. S/MIME Comparison
PGP / GPG
Web of Trust model. Does not depend on a central CA. Open source. Suited for individuals and communities. Key distribution and management are the user's responsibility.
S/MIME
Uses certificates issued by a CA. Easier for corporate IT to manage centrally. Natively supported by major email clients. Certificate acquisition may involve costs.