Skip to content
Naked Security Naked Security

Practical IT: What you need to know about email encryption

When email was invented over 40 years ago, no one thought about how to ensure the integrity of messages. Here's what you need to know about securing email with the right kind of encryption.

7 Deadly IT Sins - Unencrypted emailIt’s surprising how many people aren’t aware how insecure email is.

They are of course aware of spam for the annoyance it causes.

Many also have a horror story about sending an email to the wrong person (or when they didn’t check who was copied on an email when they hit “Reply All”), but they don’t consider how the same underlying issues could affect their privacy.

When email was invented over 40 years ago, no one thought about how to ensure the integrity of messages. As a result, it’s very easy for someone to use deception to spoof an email, but it’s very hard to verify that it’s from who it says it’s from.

Likewise because email traverses the internet in plaintext, there is no confidentiality – the content of an email is no more private than what you write on a postcard.

Even instant messaging apps like WhatsApp and Facebook Messenger are more secure than email.

But for all their concerns about privacy, most people don’t know that their email messages are open to be read by anyone.

Encryption can solve these problems, but the technology for doing so is challenging for users who like to click and forget it.

Encryption doesn’t just happen magically. It requires a little bit of effort.

There are three different options for encryption we’ll talk about here, along with the good and the bad about each of these solutions.

A big part of security necessarily involves training users, so make sure you keep them in mind when you consider the options.

1. PGP and S/MIME

PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) are commonly used standards for encrypting and signing email.

While PGP is fairly easy to set up, it’s not very user friendly and it doesn’t integrate well with corporate email apps like Outlook.

S/MIME is more enterprise friendly and can be easier to use once its set up. But for it to work well, every single user needs a publicly-verifiable certificate, which could end up costing a lot of money.

The difficulty with these technologies is that both sender and recipient need to support it to exchange public keys in order to encrypt and decrypt messages securely.

In the case of S/MIME you’ll only get the full benefits if the guy on the other end has also bought a certificate.

2. File encryption

A solution for when you need to transfer a bunch of files securely is to simply send sensitive files in an encrypted archive, rather than encrypt the email.

Archive encryption generally uses symmetric not asymmetric encryption, so you have to share a password with the other person somehow.

A good option is to phone the recipient, or say the password to them in person, if that’s possible. Because you’re relying on a shared password, it needs to be very strong so it’s not crackable.

When sending encrypted zip files, you need to make sure you’re using modern versions, because previous versions of the zip format had very weak encryption.

Annoyingly, neither Windows nor Mac support newer AES secure versions, so you need to use a third party tool like 7-Zip.

3. SPX encryption

The third option is called SPX (Secure PDF eXchange), which is Sophos’s email encryption technology (and obviously only available for Sophos users, so ignore this option if you’re not a customer of Sophos!).

When a user receives an SPX encrypted message, they simply open the PDF and enter their password to view attachments.

If I send you an SPX email, you get an invite to register on portal, where you choose a password. Then, every subsequent email will come as a password-protected PDF. You only need to go to a website to reply. The drawback is that you don’t have a record of your replies in your email inbox.

SPX is easy to set up, and it’s also very easy on users because the email recipient needs nothing more than the ability to open a PDF. There’s no need to share passwords. And no client software installation is required.

Getting email security right

There are more secure options than email for collaboration, such as dedicated tools that send communications over HTTPS, but that’s not always practical. You also have to trust the collaboration tool to securely handle your data!

Despite its lack of security, we keep using email because it’s become so ingrained in the way we do business, and it’s not going to be replaced any time soon.

To get email security right, you should think about all the ways email can be misused and abused.

Spam filtering is absolutely essential, not just to save wasted time from spam, but to protect against phishing.

Email clients need to be well patched, because an email client is rendering untrusted content from the internet, which carries the risk of running malware just by opening an email.

And you need data loss prevention (DLP) technology to stop people from sending data they shouldn’t be sending, based on your regional laws and compliance rules.

Email and the 7 Deadly IT Sins

Unencrypted email is one of Sophos’s 7 Deadly IT Sins. You can read more about that and the 6 other sins on our website here.


I don’t even know that it being ingrained in business is going to be the biggest barrier. I feel like the ubiquity of support options out there is really the issue. Any alternative app that offers security requires the user on the other end to use the same app, so either a standard would need to be developed that was a cooperative of the largest email providers out there, or a single product would have to become so widely adopted (and ideally open-sourced) that it could reasonably offer the same communication coverage that email does today.


I found (after several PGP-less years) that GPG4Win (GPL PGP) integrates quite nicely into Outlook, so I’d disagree here (I know you’re selling something but what the heck). I will agree it’s interesting how people just forget about security issues once they move off the mainstream news consciousness… e.g. who hears about browser plugins named after ruminants these days re public WiFi.


I also would like to disagree like JohnL.
For Outlook are three tools available. GPG4Win, Outlook privacy Plugin and gpg4o. The latest one is commercially but realy really really easy to use.


I do use both standards (S/MIME and PGP) with my Outlook 2010. In my eyes the S/MIME implementation of Outlook is not very transparent to the user. At least with the gpg4o plugin I use there is more control over the keys used by example.

One other point: If you use PGP based encryption for files it will be asymmetric as well. And: So far I never ever received Spam encrypted :)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!