
Paranoid Email: End-to-End Encryption Primer


Over the past decade, Twilio SendGrid has embraced Transport Layer Security (TLS) encryption as a solution to protect outbound emails as they travel between servers.

In a digital world rife with cyberattacks, implementing true end-to-end email encryption for sensitive emails has become increasingly necessary.

But what exactly does this mean? This post provides an overview of what end-to-end encryption is and the types of surveillance it protects users from.

Bulk vs. targeted surveillance

Simple Mail Transfer Protocol (SMTP) with TLS protects “data in motion.” So when you submit an email to SendGrid using TLS, we encrypt it as it travels from your mail server to our mail servers. We then attempt to deliver it to your recipients over a TLS-encrypted connection. If their mail server supports TLS, we’ll send an encrypted version of your email, ensuring that passive surveillance devices will only see ciphertext.

This method is effective against passive bulk surveillance techniques, like the National Security Agency tap at AT&T’s backbone facility. However, a determined attacker who has the technical means could perform a targeted “man in the middle” attack on the TLS connection. With their own certificate and key, the attacker can decrypt the ciphertext and capture the content before re-encrypting it and forwarding it to the legitimate destination server.

As cyber attackers continue to evolve their techniques, it’s important to develop solutions that counter their more aggressive approaches, whether through Java-encrypted email or other methods.

End-to-end email encryption

To defeat active attacks against SSL and TLS, users can implement end-to-end or “data at rest” email encryption using languages like PHP or Java.

Public key encryption solutions for email have been around since the 1990s. The first successful implementation was Pretty Good Privacy (PGP), created by Boulderite Phil Zimmermann back in 1991.

PGP was the focus of the crypto wars (that’s short for “encryption,” not “cryptocurrency”). At one point, Zimmermann famously published the source code as a hardback book via MIT Press and distributed it under First Amendment protections. However, PGP never really saw commercial success, perhaps because the technology was too hard to use. GNU Privacy Guard (GPG) is an alternative to PGP available under the General Public License.

Another type of end-to-end encryption is Secure/Multipurpose Internet Mail Extensions (S/MIME), a standard for public key encryption developed in 2004. S/MIME uses X.509 certificates instead of PGP keys. While relatively obscure, popular mail clients like Outlook and Thunderbird have supported it for years, as long as you have the right third-party plugins installed, that is. Apple has also supported S/MIME encrypted email on iPhones/iPads since 2012, with the release of iOS 5.

One major critique of S/MIME is that its security model depends on trusting public certificate authorities, which have suffered serious compromises that undermine the whole system. In fact, the public key infrastructure (PKI) on which the entire internet depends is only as strong as its weakest link.

Although this topic may go beyond the scope of this blog post, it’s important to note your browser depends on the public PKI. So, for most people, S/MIME and publicly trusted certificates should provide reasonable security.

If you believe that you’re subject to targeted surveillance and want end-to-end email encryption, you can still realistically use S/MIME with self-signed certificates. However, you need to verify the certificate fingerprints for the parties you communicate with out of band, just like you’d verify PGP key fingerprints.
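The out-of-band check described above can be scripted. This is an added example, not code from the original post: the function names are hypothetical, and the two sample "certificates" are constructed byte strings standing in for real DER-encoded X.509 certificates. A certificate fingerprint is the hash of its DER encoding, so the check recomputes it from the received certificate and compares it with the value your correspondent read out over another channel.

```python
import hashlib
import hmac
import ssl


def cert_fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, formatted AA:BB:... for reading aloud."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Drop separators and case; reject anything but a full SHA-256 value."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        # A truncated fingerprint is far easier to collide with, so refuse it.
        raise ValueError("expected a full 64-hex-digit SHA-256 fingerprint")
    return cleaned


def verify_out_of_band(pem_cert: str, spoken_fingerprint: str) -> bool:
    """True only if the received certificate hashes to the value obtained
    through a separate channel (phone call, in person, printed card)."""
    actual = normalize_fingerprint(cert_fingerprint(pem_cert))
    expected = normalize_fingerprint(spoken_fingerprint)
    return hmac.compare_digest(actual, expected)


# Constructed sample data: placeholder bytes, not real certificates.
ALICE_PEM = ssl.DER_cert_to_PEM_cert(
    b"constructed stand-in for Alice's DER certificate")
SUBSTITUTED_PEM = ssl.DER_cert_to_PEM_cert(
    b"constructed stand-in for a substituted certificate")

if __name__ == "__main__":
    fp = cert_fingerprint(ALICE_PEM)
    print("Fingerprint Alice reads out:", fp)
    spoken = fp.lower().replace(":", " ")  # as typed in after a phone call
    print("Genuine cert matches:    ", verify_out_of_band(ALICE_PEM, spoken))
    print("Substituted cert matches:", verify_out_of_band(SUBSTITUTED_PEM, spoken))
```

With a real certificate, pass the PEM text exported from your mail client in place of the constructed samples.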

Read more about the different types of encryption in our email encryption FAQ.

Google and end-to-end encryption

It’s important to note that, despite adding sections to its Transparency Report to address email security concerns, Google doesn’t offer true end-to-end email encryption. Google’s TLS encryption ensures that nobody is looking at your email en route from point A to point B; however, it doesn’t guarantee that the message will remain private once it reaches the destination server. In fact, Google itself scans your inbox to power its smart features and flag suspected spam.

Additionally, Google only supports S/MIME encryption if the sender and receiver use paid Google Workspace Suite accounts and exchange security keys during initial configuration. While Google has talked about end-to-end encryption since 2014, it has made little progress so far. Currently, the only way to get that level of security is to rely on third-party service providers to bridge the gap.

Send secure emails with Twilio SendGrid

Now that you know a bit about PGP/GPG and S/MIME, which one would you choose? As we mentioned above, Outlook, Thunderbird, and iPhone/iPad have native support for S/MIME. We can walk you through the setup process in our post, End-To-End Encryption with S/MIME.

To learn more about securing your outbound emails, check out How to Send a Secure Email for Access and Delivery. If you’re ready to start sending secure emails, try SendGrid for free.
