Know When to Send an Encrypted E-Mail
E-mail is one of the primary modes of communication in use today, and as with any other form of communication, confidentiality may be a key factor at times.
This article will help its audience discern whether any additional steps are needed to ensure the information they are sending via e-mail isn’t compromised in transit.
Before we go into the details of what’s needed to ensure the e-mails we send are secure, let’s briefly expound more on key wording mentioned in the title, namely “encrypted e-mail”.
What is an encrypted e-mail?
An encrypted e-mail is an e-mail communication that’s sent over the internet in such a way that anyone else who may be “sniffing” internet traffic between you and your recipient will not be able to readily comprehend it.
In most cases you compose this e-mail as you normally would, send the e-mail to your recipient, and the recipient receives the e-mail in their inbox and is able to read it just the way you sent it.
The encryption usually happens behind the scenes after it’s sent and is invisible both to the sender and recipient. Typically, this is done at the network level via TLS for most major e-mail carriers such as Gmail, Yahoo!, iCloud, and others.
In other instances, as we’ll see later, there may be times when we have to take a more proactive approach to encrypting e-mail messages and securing our e-mail communications from prying eyes.
However, the need to do this may be RARE. But in certain scenarios, such as in the field of health care, the need to take additional steps to secure an e-mail from being compromised may be absolutely NECESSARY for compliance, regardless of how rarely it needs to be done.
Isn’t all email communication already secure?
As mentioned in the two preceding paragraphs there are rare instances where we have to take measures to send an e-mail securely, because if we send such an e-mail “the normal way” it would NOT be secured on the way to the recipient.
It’s been estimated that about 80% of all e-mail communication is secured.
The other estimated 20% of e-mail communication is NOT secured with TLS. This may be more common among e-mail domain owners that are either hosting their own e-mail server or are not using a 3rd party hosting solution that provides this encryption by default.
The important thing is that we know whether or not the party to whom we are sending has a secure inbound connection to their inbox that supports TLS so we can SEND e-mail securely to them.
In addition to that, it’s also beneficial to know whether our own inbox is secured with TLS so we can RECEIVE e-mails securely from others.
How can we tell if inbound communication to an e-mail address is secure?
As mentioned before, most major e-mail providers (such as Google, Yahoo!, and iCloud) provide encryption for their recipients by default, so if your or your recipient’s inbox is from one of the major e-mail hosting providers, inbound e-mail communication is likely already secure.
If your or your recipient’s e-mail address has a domain name that’s not common and you don’t know whether or not the e-mail hosting provider is a trusted name like GoDaddy, Network Solutions, or Microsoft, you may want to check whether or not the inbox in question is secure.
This can be done pretty quickly using a tool provided by Paubox (a company specializing in helping companies achieve 100% end-to-end e-mail encryption for HIPAA compliance) here: https://www.paubox.com/secure-email-check
Here’s how it works: you simply type in the email address that you’d like to inspect, and click “check now”. The tool will take a matter of seconds to render a verdict and tell you whether or not inbound communication to that inbox is secure.
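For readers who want to see what such a check involves, here is an added example (not Paubox's code and not part of the original article) that tests whether a receiving mail server advertises STARTTLS and completes a TLS handshake. The function names, the `mx_host` parameter (the recipient domain's mail server, which you look up yourself) and the sample server replies are assumptions made for illustration.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from real servers).
SAMPLE_WITH_TLS = ("250-mx.example.test at your service\r\n250-SIZE 35882577\r\n"
                   "250-8BITMIME\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n")
# The greeting line mentions "starttls" in the host name but offers no TLS.
SAMPLE_NO_TLS = ("250-starttls-gw.example.test greets you\r\n"
                 "250-SIZE 10240000\r\n250 HELP\r\n")

def parse_ehlo_extensions(reply):
    """Return the set of ESMTP extension keywords in a raw EHLO reply."""
    exts = set()
    # The first line is the greeting (server name), not an extension.
    for line in reply.strip().splitlines()[1:]:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts

def offers_starttls(reply):
    """True only if STARTTLS is listed as an extension keyword."""
    return "STARTTLS" in parse_ehlo_extensions(reply)

def check_inbound_tls(mx_host, timeout=10.0):
    """Live check against mx_host on port 25 (requires network access)."""
    result = {"advertised": False, "tls_version": None, "cert_verified": False}
    smtp = smtplib.SMTP(mx_host, 25, timeout=timeout)
    try:
        smtp.ehlo()
        result["advertised"] = smtp.has_extn("starttls")
        if result["advertised"]:
            try:
                # Default context verifies the certificate chain and host name.
                smtp.starttls(context=ssl.create_default_context())
                result["tls_version"] = smtp.sock.version()
                result["cert_verified"] = True
            except ssl.SSLError:
                pass  # advertised, but the verified handshake failed
    finally:
        smtp.close()
    return result
```

Many home and office networks block outbound connections on port 25, so `check_inbound_tls` may need to be run from a server rather than a laptop.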
Is it REALLY necessary to send an encrypted e-mail to inboxes that aren’t secure?
Well, that depends on how sensitive the information contained in the e-mail message is... If you’re sending an e-mail to a mailing list regarding the latest update to a service your company is offering (that would otherwise be “public” knowledge), don’t bother!!
On the other hand, if you’re sending some sort of sensitive data about yourself, someone else [such as social security numbers, DOBs, credit card information, etc.], a “private” business matter, etc., you’ll definitely want to make sure this data is kept safe by taking additional steps to secure it.
When it is necessary to send a secure e-mail, how can it be done?
There are a few different ways an e-mail can be encrypted if needed. Let’s consider a few below:
Send a secure e-mail using an e-mail client
Some e-mail clients have the ability to send an encrypted e-mail to a recipient built right in to the client interface such as Microsoft Outlook. With this option, sending encrypted e-mails is just an extra click or so away depending on the abilities of your e-mail client and e-mail hosting provider.
You may want to consult your e-mail client support knowledge base or user manual to find out if your e-mail client has a function that allows sending encrypted messages from within the e-mail client itself.
Send secure e-mails using an additional service from your e-mail provider
Some e-mail providers have a service that they offer for adding additional security to e-mail messages. This type of service is usually provided as an add-on and may cost extra.
For these types of services, you generally specify on the web interface of your e-mail address account login that you want to send a new message encrypted. The recipient will usually have to sign in to a portal on their end to check their secure e-mail message they’ve received from you.
True, this route creates an extra step for the end user you’re sending to, but if you’re having to send an e-mail in this way the reality is that since the recipient’s inbound communication to their e-mail address isn’t secure, they’ve created an entire extra process for you!
There are similar services that are available for FREE that achieve the same result, such as SendInc. On these platforms there is usually a limit to how many secured e-mails you can send for free, so if you’re not needing to do this frequently, this route may be for you.
The only secure e-mail service provider that offers zero-step encryption for sending secure e-mails is Paubox, mentioned earlier in this post.
Manually via PGP encryption
PGP (Pretty Good Privacy) encryption setup involves having or acquiring some knowledge of how public and private encryption keys work and setting these up on both the sender side and the recipient side.
USER BEWARE!! PGP has a known vulnerability called EFAIL that allows an attacker to compromise the contents of the message if the recipient has no other inbound encryption to their inbox!
Why would we recommend a solution that has a known vulnerability?!??!!!
Well, because there is a way to send a message via PGP encryption that’s still pretty secure. This involves not including any HTML code in a message that is encrypted in this way.
This can be done by sending the message as plain text with the PGP encrypted message inline.
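The plain-text rule above can be enforced with a pre-send check. The following is an added example, not part of the original article: the function names are hypothetical and the armored block is a constructed placeholder, not real ciphertext.

```python
from email.message import EmailMessage

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"

# Constructed placeholder standing in for the output of your PGP tool.
SAMPLE_ARMORED = BEGIN + "\n\nPLACEHOLDERnotREALciphertext\n=XXXX\n" + END + "\n"

def build_inline_pgp_mail(sender, recipient, subject, armored):
    """Build a single-part text/plain message whose body is the armored text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(armored)  # str content becomes text/plain, no HTML part
    return msg

def audit_outgoing(msg):
    """Return a list of reasons the message breaks the plain-text inline rule."""
    problems = []
    # Any HTML part anywhere in the MIME tree violates the rule.
    if any(p.get_content_type() == "text/html" for p in msg.walk()):
        problems.append("contains a text/html part")
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        problems.append("not a single text/plain part")
        return problems
    body = msg.get_content()
    start, end = body.find(BEGIN), body.find(END)
    # The armor header must be present and followed by the armor footer.
    if start == -1 or end < start:
        problems.append("no inline armored PGP block")
    return problems
```

An empty list from `audit_outgoing` means the message is plain text with the encrypted block inline; anything else should be fixed before sending.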
Unsure as to which way to go about all of this?
Some of the methods to secure an e-mail mentioned above may seem pretty advanced for some users, but help is available! Don’t be afraid to reach out to your e-mail hosting provider or a trusted friend for help on how to send secure e-mails when necessary.
If you’re in a profession where sending highly sensitive e-mails is mission critical, consider getting with your IT team to figure out the best way to send these e-mail messages safely.
Remember, not all e-mails need additional security to be considered “safe to send”. In fact, according to the statistics mentioned earlier most e-mail communication is safe already.
However, when it is necessary to use any of the security measures mentioned here, it is critical to find out what works best for you or your organization to accomplish the desired result and if it works for you, stick with it!!
That about wraps it up for this article, thanks for spending some time on our blog!! We hope what’s been considered here has proved helpful. As always, feel free to share.