Is Email Encrypted? Sometimes… Here’s How You Can Tell

Is Email Encrypted? Sometimes… Here’s How You Can Tell

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 5.00 out of 5)

Although encryption is the go-to standard for Internet data security, not all service providers offer email encryption as an option. Here’s what to know about email encryption and how to tell whether an email is encrypted

Encryption is an essential component of internet and email security. In part, it’s what helps protect your communications against unauthorized users and their nefarious purposes by scrambling data into an unreadable format. This way, only an authorized individual (i.e., someone with a secret key) can read your emails.

We’ve talked previously about how you can send documents securely via email using an email signing certificate (S/MIME certificate). In this scenario, an email client uses public key cryptography to:

  • Secure the message content and attachments (i.e., secure data at rest) using an S/MIME certificate
  • Send messages via a secure communication channel (i.e., secure data in transit) using transport layer security (TLS) encryption

Now, it’s time to explore whether all emails are encrypted and how you can identify encrypted messages.

Is Email Encrypted? Not Always…

In general, messages transmit via the simple mail transport protocol, or what’s known as SMTP. This is an insecure transfer protocol, meaning that data can be intercepted in transit. To make the connection more secure, it requires enabling TLS to add another layer of security.

So, emails can be encrypted, but that doesn’t mean that all emails you send or receive are encrypted. This is because not all email providers support TLS; thankfully, the big ones (Gmail, Yahoo, Apple Mail, etc.) do. And this is good news because many industry regulations (HIPAA, PCI DSS, etc.) require the use of encryption to protect sensitive data. Unfortunately, some email providers opt to use SMTP on its own, which is open to man-in-the-middle (MitM) attacks (i.e., in-transit data interception attacks).

This is bad news all around. Sending data unencrypted is akin to sending your message on a postcard because the data is open to being intercepted a read by virtually anyone. This means that when you send your message, it transmits in plaintext (i.e., a readable format) instead of in a string of random characters and letters.

A graphic illustrating the concept of how sending an unencrypted message is like sending a postcard: virtually anyone who comes across the postcard can read the message because it's openly available
Image caption: Sending an unencrypted email is like writing a secret message on the back of a postcard. An attacker can intercept the communication and read its plaintext contents.

But if the message is encrypted, such as by pairing STMP with the mail transfer agent strict transport security (MTA-STS) or TLS, the attacker won’t be able to read the contents. When someone who doesn’t have access to the key tries to read the message, it would look like this to them:

A graphic illustrating the concept of how sending an encrypted message is more secure because it takes that readable text and converts it into something incomprehensible if you don't have the right key to decrypt it. This helps to ensure that only the intended recipient can read the message.
Image caption: A example of what it looks like when you send an encrypted email. An attacker can see that a message was sent but can’t read any of the message’s contents.

3 Types of Email Encryption

There are three main types of encryption that can be used to secure email communications worth mentioning:

  • Transport layer security (TLS) — This secure protocol protects your data in transit by encrypting the communication channel you use to send the data. This is often added to SMTP to make the latter more secure and prevent MitM attacks.
  • Secure/Multipurpose internet mail extension (S/MIME) certificate — This requires the use of an email signing certificate (which is issued by a trusted public certificate authority like Sectigo) and secures the message itself by encrypting the email’s contents and attachments.
  • Pretty Good Privacy (PGP) — This decentralized form of encryption aims to protect data at rest. It also requires a third-party tool and you have to create a code (which may or may not be secure).

Often, people will use S/MIME encryption in combination with TLS to create end-to-end encryption. This means that the email and the channel it transmits through are secured via public key encryption.

Imagine that you work in the IT department at a local hospital: you want to ensure that any data transmitted by your employees is as secure as possible. Your best bet is to instruct them to avoid sending sensitive information via email. However, seeing as how email is a common communication tool nowadays, it’s likely that some sensitive information will need to be emailed. In this case, you’ll need to ensure that it’s encrypted first to prevent prying eyes from seeing your sensitive data. We’ll quickly walk you through how to do that later in the article.

What Email Encryption Does

Email encryption involves applying a public (known) cryptographic key to data that you want to keep secret to make it unreadable. This involves applying complex math to that data that turns your readable message into a string of gibberish. Now, it’s important to note that every public key is created with a corresponding private key; together, they form a public-private key pair. So, when a message is encrypted, it means that it can only be decrypted using the corresponding private key.  

Now, we’re not going to dive into the nitty-gritty of how encryption works in this article. But the important takeaway here is that it helps to secure your sensitive data against access by unauthorized users by using public key cryptography.

Both Parties Have to Support Encryption to Use It

Email encryption isn’t something that can facilitated on one end; it has to be supported by both the sender and recipient’s email clients and servers. If only one party supports encryption, then a secure connection can’t be established; this means the message can still be sent via SMTP but it’ll be insecure.

In general, email is encrypted if the sending and receiving email service providers both support transport layer security (TLS). This enables you to secure data in transit (i.e., when it moves from one party to the other).

In order for emails to be encrypted before being sent — meaning that they’re still unreadable to unauthorized users once they’re sitting on the recipient’s email server — both parties must:

  • Use the same email encryption service (such as ProtonMail) or integrate a third-party tool for PGP, or
  • Use email signing certificates (S/MIME certificates). This is because the sender would need to use the recipient’s public key to encrypt the message before sending it so only the recipient has the private key that decrypts it.

How Do You Know Whether an Email Is Encrypted?

Alright, now that we know what encryption is and what it does, let’s look at how you can identify encrypted email messages. The most obvious sign is when your email client displays some kind of security-related icon. Let’s take a quick look at what you see when a message is encrypted using TLS encryption only and then move on to what it looks like when a message is encrypted using an S/MIME email signing certificate.

TLS Encryption in Gmail

According to Google’s Transparency Report, 89% of outbound and 93% of inbound emails in Gmail have been encrypted thus far in 2022 (measured Jan. 1-Oct. 18, 2022). When you use TLS encryption for email, you’re securing the communication channel that the data will be sent through to the recipient. You’re not encrypting the email itself. But what does this look like? In Gmail, you’ll see a grey security padlock for messages sent using the secure TLS protocol:

A screenshot of an encrypted email message in Gmail as it displays on an Apple iPhone.
Image caption: A screenshot of an email I’d received that displays the standard TLS encryption was used to securely send the message to my email server. This was accessed via the Gmail mobile app for an iPhone.

If a message is sent via an unencrypted protocol, then you’ll instead see a red padlock icon with a slash through it. If it’s encrypted using an S/MIME email encryption certificate, then you’ll see a green icon with a plus sign in the middle:

Two graphics that illustrate the concepts of insecure and secure connections
Original graphics’ source: Gmail’s Support Forum. A side-by-side set of screenshots we created using two icon graphics from Gmail that show how the security icons for unencrypted (left) and encrypted (right) messages display.

End-to-End Encryption Using an S/MIME Certificate in Outlook

Now, let’s explore what it looks like when you sign the message itself using an email signing certificate. This process encrypts the message so it’s secure while sitting on the recipient’s server after you hit “send.”

When you receive an encrypted message while using Outlook on a Windows device, you’ll see a yellow padlock as shown below:

A screenshot of a test encrypted email to show how an encrypted message displays in Outlook on a Windows device when the sender uses your public key to sign the message
Image caption: A screenshot of how an encrypted message displays in the Outlook email client on a Windows computer.

In Outlook on a Mac, you’ll see the following grey padlock when you receive an encrypted email:

A screenshot of a test encrypted email to show how an encrypted message displays in Outlook on a Mac when the sender uses your public key to sign the message
Image caption: A screenshot of how an encrypted message displays in the Outlook email client on an Apple computer.

All of this is great, right? But you may wonder how you can tell whether the encryption is legitimate. This is another advantage of using these digital certificates: they help you assert your digital identity in a verifiable way.

When you click on the padlock icon when using Outlook on Windows, you’ll see a new window popup that displays the message’s security properties information. (Basically, this is information regarding the S/MIME email signing certificate that was used to sign the message.) Here’s a quick progression of the information you can see when you click through the different encryption and digital signature layers:

A view of the different message security layers of an encrypted and digitally signed email
Image caption: A screenshot of the Message Security Properties window when you flip through the individual security layers of the digitally signed and encrypted email.

Sending an Email Using S/MIME Is an Easy Process

Sending an email using an S/MIME certificate is easy once you have it installed in your email client. We’ll use Outlook as an example. Simply have the recipient send you a digitally signed email; this will give you their public key. Once you have that, then you can use it to digitally sign and encrypt your email.

Simple create a new email, add all of your content and any attachments. Next, select Options > Encrypt > Encrypt with S/MIME in your top navigation bar:

A screen that illustrates how to encrypt an email in Outlook using an S/MIME certificate
Image caption: A screenshot illustrating how to encrypt an email in Outlook on a Windows computer using an S/MIME email certificate.

After that, simply send the email and it’ll be encrypted automatically. Yup, it’s really that simple. Now, your message is encrypted and can only be opened by the recipient who has the private key.

Final Thoughts on Email Encryption

As you’ve learned, not all emails are automatically encrypted (even though they should be). The good news, though, is that most major email service providers do use TLS encryption to secure their customers’ messages in transit. But if you need another layer of security to send sensitive data, then you need a little something extra to secure your messages while they’re sitting on the email server. A common way of achieving this outcome is to use an S/MIME certificate.

When you talk about encrypting emails, it sounds like it would be a highly complicated and involved process. But as you’ve learned, it’s really not; virtually anyone can do it when they have the right tools (such as an email signing certificate) in place. 

About the author

Casey is a writer and editor with a background in journalism, marketing, PR and communications. She has written about cyber security and information technology for several industry publications, including InfoSec Insights, Hashed Out, Experfy, HackerNoon, and Cybercrime Magazine.