How to Encrypt Email (And the Best Encrypted Email Services)

This in-depth guide shows you exactly how to encrypt email, while also taking a look at the best encrypted email services.

Despite being one of our oldest methods of online communication, email is still one of the most popular. Untold billions of email messages fly around the world every day, carrying personal and business messages that we depend on, making email a prime target for snoops and spies of all types.

Unfortunately, experience shows that most large email providers do not respect the privacy of your inbox. For example,

• Gmail was caught giving third parties full access to user emails and also tracking all of your purchases.
• Advertisers are allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
• Yahoo was also caught scanning emails in real-time for US surveillance agencies.

As you can see, email security is a big issue today. There are a lot of different ways in which your email privacy can be compromised. In this post we’ll talk about various scenarios in more detail, and I’ll show you how to encrypt your email to protect against at least some of these problems.

Why is email encryption important?

How can you protect your email messages?

This looks promising. For someone to read the message, they will need to enter the passcode. But there are a couple of drawbacks to this approach.

First is that passcode. Note the sentence circled in red, “All passcodes will be generated by Google.” In other words, Google is in control of the code that gives access to the message, not you, and not the recipient.

Second is the fact that selecting Confidential mode doesn’t hide the contents of your message from Google. Confidential mode protects your mail from everyone except Google. It doesn’t create an encrypted email message. It simply prevents someone from seeing the message unless they enter the password. A solution like this is only useful if you don’t mind your email provider continuing to have access to your email.

If we start talking about the details of various ciphers and encryption algorithms we’ll be here for a very long time… and your email may never get encrypted. So we’re going to try to keep this discussion at a high level.

To protect your email against any and all of the attackers we discussed at the top of this article, we need to use something called end-to-end encryption. This is often abbreviated as E2E encryption (or even E2EE).

Why use E2E encryption with email

E2E encryption means that you encrypt something (email in our case) on your computer or mobile device, and the recipient decrypts it on their computer or mobile device. Why is this important?

Think about how an email message gets from you to the recipient. You create the message in some email program. When you hit Send, the message passes out of your computer onto a connection controlled by your Internet Service Provider (ISP). The message then goes to your email provider, who passes it along another connection controlled by some other service, and so on. Eventually, the message arrives in the recipient’s inbox at their email provider. Then it goes through another set of connections controlled by other entities until it ends up on the recipient’s computer to be read.

That’s an awful lot of steps. At any one of those steps it is theoretically possible for someone to try to read your email.

E2EE solves this problem. Done right, no one read encrypted messages except the sender and the recipient.

If you encrypt your email before it leaves your device, and the recipient decrypts it once it arrives on their device, no one in the middle will be able to read it.

Since E2E encryption is the way to go, we’ll show you one way you can do it. But first we have to discuss…

The drawbacks of E2E encryption

While E2E encryption is the only way to protect your email from the various threats out there, it does have some real drawbacks, such as:

• It is more complicated than just sending email the old way. You’ll see what we mean in the next section.
• The people who receive encrypted emails need to know what to do with them. This too will become clear shortly.
• The powers that be don’t much like any kind of encryption. Encryption makes it harder for governments and law enforcement to spy on you, corporations to earn money from your personal data, and social media companies to censor you.

How to encrypt email

There are two ways to E2E encrypt email. On the assumption that you are not prepared to change email services right now, we are going to talk about how you can E2EE the bodies of your emails before letting providers like Gmail and company see them.

Recommended: The alternative approach is to switch to a secure email provider that respects your privacy and builds E2E encryption right into their product. For more on this approach, check out our review of the best private and secure email providers.

How email encryption works

The essence of the process is that regular readable text (also called plaintext) gets converted into encrypted text (also known as ciphertext). The “key” to the encryption process is that the algorithms use an encryption key to turn plaintext into ciphertext. Likewise, the decryption algorithm that turns ciphertext back into plaintext depends on a decryption key.

Encrypting an email message turns the body of the message into ciphertext. Some encryption approaches also encrypt additional parts of the message, possibly including the subject line and/or any attachments.

However, certain parts of the email need to remain unencrypted. For example, the email address of the recipient cannot be encrypted if you want the message to actually arrive at its destination! Other metadata is also readable, one of the key drawbacks of email in general (but we’ll discuss more secure alternatives below).

Symmetric vs asymmetric encryption

There is one more aspect of how encryption works that you need to know about before we can move forward. Remember that we said turning your message into ciphertext requires an encryption key, and turning it back into plaintext requires a decryption key.

As you can see, InfoEncrypt is a free, browser-based encryption service that lets you encrypt any text using the AES 128 encryption algorithm. You can use InfoEncrypt on any device, with any browser that supports Javascript.

Note: You probably wouldn’t want to rely on a free web service if you are trying to secure data from powerful adversaries. However, this service should be fine for protecting the contents of your email from run-of-the-mill hackers and similar snoops.

AES 128 is a symmetric-key encryption algorithm that is fast and efficient, yet secure. Because it is symmetric-key, you will need to find a secure way to share the encryption key with the recipient.

Let’s see how this works. In this example, a secret information source (the sender) will encrypt a short message using InfoEncrypt, then email it to me (the recipient). Since the sender and I have already shared the encryption key (the password), I will be able to use that key to decrypt the text of the message using InfoEncrypt.

Follow along to see how to encrypt email and decrypt it on the receiving end using InfoEncrypt:

1. The sender goes to InfoEncrypt.com, then scrolls down to the Text to encrypt (or encrypted code to decrypt) box.
2. The sender enters the text they want to encrypt, then enters a strong password into the Password and Confirm Password boxes.
   
3. The sender clicks the Encrypt button. InfoEncrypt uses AES 128 and the password to encrypt the message. It replaces the plaintext with something like the following, which is both the ciphertext generated from the plaintext and some additional information that the recipient will need to decrypt the message.
   
4. To send the encrypted message to the recipient, the sender copies the entire contents of the “Text to encrypt…” box, pastes it into the body of the email message, then sends it like any other email message to the recipient.
5. When the recipient opens the message, the body of the email will contain the contents of the “Text to encrypt…” box:
   
6. The recipient then reverses the process by copying all the text beginning with, “—–BEGIN INFOENCRYPT.COM MESSAGE—–” and ending with, “—–END INFOENCRYPT.COM MESSAGE—–” and pastes that text into InfoEncrypt.com.
7. The recipient enters the shared password into the Password field then clicks Decrypt to see the original message.

Using a tool like InfoEncrypt is clumsy, and takes more steps than you might like, but it is an easy, free, and broadly useful way to send encrypted text by email without having to install new software, change email services, or anything like that.

What are the best encrypted email services?

As noted above, we think the best solution is to switch to an email provider that offers support for end-to-end encryption. Many email services offer support for various encryption options:

1. One of the most popular encryption methods for email is PGP, which stands for Pretty Good Privacy. Support for PGP is built into most secure email providers.
2. Some email services rely on a unique encryption method, outside of PGP. One popular example of this is with the email provider Tutanota.
3. Email services also allow you to send a link to an encrypted message that can be accessed with a shared password.

If you are open to switching to a secure email service that supports built-in encryption, we’d encourage you to explore our guide on secure and private email services.

Here are the best encrypted email services:

1. Tutanota – Based in Germany; free plans; very secure and open source email with full encryption of email inbox, contacts, calendar, and subject lines. (Tutanota does not use PGP due to concerns over PGP limitations and weaknesses.)
2. ProtonMail – Based in Switzerland; free plans; secure and open source email that is based on PGP encryption
3. Mailbox.org – Secure and private email based in Germany; fully-featured, support for PGP encryption
4. Posteo – Privacy-focused email service based in Germany; anonymous payment options; no support for custom domains; strong PGP encryption standards
5. Mailfence – Secure email based in Belgium, free plans up to 500 MB, fully-featured with built-in support for PGP encryption
6. Runbox – A private email service in Norway, support for PGP encryption
7. CounterMail – Based in Sweden, this email offers strong encryption options (based on PGP).
8. CTemplar – This open source email provider in Iceland uses strong encryption standards and is very privacy-focused.
9. Kolab Now – A higher-priced email service in Switzerland, Kolab Now has some good encryption options while also being fully-featured.
10. StartMail – Based in The Netherlands, StartMail offers built-in PGP encryption support.

We have personally tested (and use) many different encrypted email services. We not only do this to write reviews, we take data privacy seriously. Below I’m testing out the feature with ProtonMail to send an encrypted message to a person who does not use ProtonMail.

If you are serious about encrypting your email, it would be wise to first start out by switching to a secure email provider. Finding the best encrypted email service is very subjective and all comes down to your own unique needs. Check out our email reviews for an in-depth look at many providers.

What about encrypted email services based in the US?

Did you notice above that none of our recommended encrypted email services are based in the United States?

There’s a reason for this. And that is concerns about privacy and data security. There are many examples of US tech companies being forced to hand over private data to US authorities. This is particularly important with email services. Here are just two examples that we know about:

1. Lavabit – Lavabit was a privacy-focused email based in the US that was forced to shut down when the owner refused to give up the encryption keys to government agents.
2. Riseup – Another US email service catering to privacy-minded users, Riseup was hit with data requests and was forced to comply.

Here’s a quote describing the Riseup situation, which could affect any US-based email service:

After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization).

There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary” [warrant canary that warns users about these events].

Recommendation: Choose an encrypted email service located in a good privacy jurisdiction. If you don’t, your data could be at risk.

Encrypted email alternatives

One of the fundamental problems with email is metadata.

Email is structured in such a way that metadata is very difficult to conceal from third parties. Email headers can reveal a lot of private data. What’s worse, PGP, the most widely-used encryption protocol, does not encrypt subject lines. This exposes further data to third parties and potential adversaries.

Another problem is that most people simply do not want to use an encrypted email service and/or encrypt messages. This isn’t an easy problem to get around — unless you use an alternative to email.

Best alternative: encrypted messaging service

We’d recommend using a good encrypted messaging service if you are really concerned about privacy and data security. Most encrypted messaging services do a very good job encrypting data, collect little (or no) metadata, and offer stronger encryption than most email services.

Some of our favorite options are Signal, Session, WickrMe, and others. Check out the best secure messaging services for more options.

Conclusion on encrypting email