Email is not secure, and it’s really hard to make it secure. It’s so hard that no solution is completely satisfactory.

By default, email is sent across the Internet without any protection. People can intercept it and read it in transit. Sending confidential business information this way is a bad idea. Is there a way to send B2B email that protects it all along the way? Well, sort of.

The Problem With Email

The SMTP protocol, which is the basis of email, is one of the oldest on the Internet. At the time its creators devised it, security wasn’t an issue. Emails go from a client to an SMTP server. It may pass through several other servers before finally being sent to the recipient’s client. Anyone who can tap a wire or control a server that the mail goes through can read it.

Security for the Web is a simpler problem and has been solved. It’s a client-server, many-to-few environment, and an HTTPS server takes care of setting up a certificate, authenticating it, and giving the browser the information it needs. Email is a peer-to-peer, many-to-many environment. There’s no central point for setting up the encryption.

To be secure, email has to be protected from end to end. This involves three main pieces:

1. First, from the sender’s client software to the sender’s mail server
2. Then from the sender’s mail server to the recipient’s server
3. And last, from the recipient’s server to the recipient’s client.

Step 1 is doable, using a TLS connection. Step 2 is harder, especially when sending mail to a different service provider. However, step 3 is the biggest problem, since the sender normally has no control over the recipient’s email setup. Achieving end-to-end security requires cooperation between the sender and the recipient.

You may also want to read: How Machine Learning Can Improve Email Marketing

Client-Level Encryption

One approach is to use matching encryption software in the sender’s and recipient’s clients. Software which follows the OpenPGP standard is the usual way to do this. The standard uses public key encryption. Each user generates a pair of keys. One is the private key, which the user has to keep secret. The other is the public key, which can be given to anyone. The sender encrypts a message using the recipient’s public key. Only the person who has the matching private key can decrypt it.

Many email applications and webmail services support OpenPGP, either natively or with an extension. Client applications that use it include:

• Outlook with Encryptomatic, Gpg4win, or gpg4o
• Thunderbird with Enigmail
• Apple Mail with GPGTools
• Android K-9 Mail with OpenKeychain
• Canary Mail for Mac and iOS

You can use PGP with webmail services using a browser extension. It will encrypt the contents of the message box in place in the browser, replacing what you wrote with mysterious characters. The most popular extension is Mailvelope, which works with Firefox and Google Chrome.

The difficulty with this approach is getting the cooperation of the people at the other end. Setting up a PGP key isn’t horribly difficult, but it takes some work. Setting up the software to work with it is another task. Encrypting and decrypting mail is an extra step. Persuading people that they need to use encrypted mail is very often difficult.

If a message is sent in encrypted form and the recipient replies in cleartext, quoting the entire original message, the whole point is lost. For client-based encryption to work, both sides have to be strongly committed to it.

Secure Email Services

A number of online secure mail services are available, and you can find a source for many of them here. They’re generally easier to use than client-side PGP, but they have various limitations. With some, you have to give your private key to the server. Some can send secure mail only to another user of the same service. Some don’t support non-text attachments.

ProtonMail, CounterMail, HushMail and MailFence are four of the best known of these services. Both the sender and the receiver need to have a secure email client on their machines. The service never sees the unencrypted messages or the encryption keys. It’s a more user-friendly environment than most PGP implementations, and recently it became interoperable with PGP-encrypted mail.

Using a Single Mail Service

Another approach is for both users to subscribe to a mail service that encrypts all its mail in transit. When mail is relayed from one provider to another, the first provider can’t keep it encrypted, since the second one wouldn’t be able to decrypt it. If the whole path from sender to receiver is on one service, then it can be encrypted in transit.

If the people exchanging messages both use webmail, it’s secure from end to end. The provider can still read all the mail, but that may not be a problem in many situations. If either participant uses a desktop or mobile client, it has to use a secure TLS or STARTTLS connection to avoid a critical gap in security. These are the same kind of protocol as the one used for HTTPS connections. TLS guarantees an encrypted connection or none, while STARTTLS will fall back on an unencrypted connection if that’s the best it can do.

Gmail provides this kind of secure connection. If both parties have Gmail accounts, then their messages will go across the Internet securely.

You may also want to read: Email Marketing Is Still The Best – Especially For SMBs

Offloading Sensitive Information

These approaches are complicated and require a high level of cooperation. A simpler approach could be to avoid putting sensitive information into emails. Instead, the message can just tell the recipient that a document is available on a password-protected server. This is similar to the ProtonMail approach but can be done using any mail service and a secure document server.

Medical offices often use this approach to send test results to patients. The patient receives a password at the doctor’s office and uses it to access the results on a secure server.

Not An Easy Problem

No matter how you look at it, sending secure messages by email isn’t easy. Both sides have to be committed to making it work, and setting up the process is hard. Other approaches, such as secure messaging applications, may be easier to work with an offer fewer chances for error. Still, if the people involved are determined to make secure email work, they can do it.

 

If you need help with your email marketing campaigns, please contact us. (It won’t be cheap, but it will be great!)

Christopher Nichols has always enjoyed using new technology advancements to scale marketing efforts. He believes in data-driven marketing and in practices it in his agency, Strictly Digital. You can tweet him @SurfsharkSecure

Featured image: Copyright: ‘https://www.123rf.com/profile_ake1150‘ / 123RF Stock Photo